h2o · kazuho · Apr 28, 2016 · Apr 19, 2016 · Apr 19, 2016 · Apr 19, 2016
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -432,6 +432,7 @@ IF (NOT WITHOUT_LIBS)
 ENDIF ()
 
 INSTALL(PROGRAMS share/h2o/annotate-backtrace-symbols share/h2o/fastcgi-cgi share/h2o/fetch-ocsp-response share/h2o/kill-on-close share/h2o/setuidgid share/h2o/start_server DESTINATION share/h2o)
+INSTALL(FILES share/h2o/ca-bundle.crt DESTINATION share/h2o)
 INSTALL(FILES share/h2o/status/index.html DESTINATION share/h2o/status)
 INSTALL(DIRECTORY doc/ DESTINATION share/doc/h2o PATTERN "Makefile" EXCLUDE PATTERN "README.md" EXCLUDE)
 INSTALL(DIRECTORY examples/ DESTINATION share/doc/h2o/examples)

diff --git a/deps/ssl-conservatory/.gitattributes b/deps/ssl-conservatory/.gitattributes
@@ -0,0 +1,5 @@
+# These files are text and should be normalized (convert crlf => lf)
+*.c       text  
+*.h       text
+*.txt     text
+*.md      text
diff --git a/deps/ssl-conservatory/.gitignore b/deps/ssl-conservatory/.gitignore
@@ -0,0 +1,34 @@
+# Compiled Object files
+*.slo
+*.lo
+*.o
+
+# Compiled Dynamic libraries
+*.so
+
+# Compiled Static libraries
+*.lai
+*.la
+*.a
+
+# Windows binaries
+*.exe
+
+# Xcode
+.DS_Store
+build/
+*.pbxuser
+!default.pbxuser
+*.mode1v3
+!default.mode1v3
+*.mode2v3
+!default.mode2v3
+*.perspectivev3
+!default.perspectivev3
+*.xcworkspace
+!default.xcworkspace
+xcuserdata
+profile
+*.moved-aside
+DerivedData
+.idea/
diff --git a/deps/ssl-conservatory/LICENSE b/deps/ssl-conservatory/LICENSE
@@ -0,0 +1,19 @@
+Copyright (C) 2012, iSEC Partners.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of 
+this software and associated documentation files (the "Software"), to deal in 
+the Software without restriction, including without limitation the rights to 
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 
+of the Software, and to permit persons to whom the Software is furnished to do 
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all 
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 
+SOFTWARE.
diff --git a/deps/ssl-conservatory/README.md b/deps/ssl-conservatory/README.md
@@ -0,0 +1,28 @@
+The SSL Conservatory
+====================
+
+Correct implementation of SSL is crucial to secure transmission of data
+between clients and servers. However, this crucial task is frequently done
+improperly, due to complex APIs and lack of understanding of SSL fundamentals.
+
+This is intended to be a clearinghouse for well-documented and secure sample
+code to correctly implement SSL clients. Pull requests with examples for
+other languages or frameworks are encouraged.
+
+
+Content
+-------
+
+### openssl/ 
+
+Whitepaper and sample code on how to perform certificate validation within an
+SSL client using the OpenSSL library.
+
+### ios/ 
+SSL certificate pinning implementation for iOS applications.
+
+
+License
+-------
+
+See LICENSE.
diff --git a/deps/ssl-conservatory/ios/README.md b/deps/ssl-conservatory/ios/README.md
@@ -0,0 +1,89 @@
+The SSL Conservatory: iOS Certificate Pinning
+=============================================
+
+
+When an iOS application only needs to communicate to a well-defined set of
+servers over SSL or HTTPS, the security of the app's network communications can
+be improved through SSL pinning. By requiring a specific certificate to be part
+of the server's certificate chain, the threat of a rogue CA or a CA compromise
+is significantly reduced.
+
+
+### The ISPCertificatePinning class
+
+#### Description
+
+This class allows developers to whitelist a list of certificates for a given
+domain in order to require at least one these "pinned" certificates to be part
+of the server's certificate chain received when connecting to the domain over
+SSL or HTTPS.
+
+This gives developers the flexibility to pin the CA/anchor certificate, the
+server/leaf certificate, or any intermediate certificate for a given domain.
+Each option has different advantages and limitations; for example, pinning the
+server/leaf certificate provides the best security but this certificate is going
+to change more often than the CA/anchor certificate.
+
+A change in the certificate presented by the server (for example because the
+previous certificate expired) will result in the application being unable to
+connect to the server until its pinned certificate has been updated as well.
+To address this scenario, multiple certificates can be pinned to a single
+domain. This gives developers the ability to transition from an expiring
+certificate to a new one by releasing a new version of their application that
+pins both certificates to the server's domain.
+
+
+#### API
+
+The ISPCertificatePinning class exposes two methods:
+
+##### +(BOOL)setupSSLPinsUsingDictionnary:(NSDictionary*)domainsAndCertificates
+This method takes a dictionary with domain names as keys and arrays of
+DER-encoded certificates as values, and stores them in a pre-defined location on
+the filesystem. The ability to specify multiple certificates for a single
+domain is useful when transitioning from an expiring certificate to a new one
+
+##### +(BOOL)verifyPinnedCertificateForTrust:(SecTrustRef)trust andDomain:(NSString*)domain
+This method accesses the certificates previously loaded using the
+setupSSLPinsUsingDictionnary: method and inspects the trust object's
+certificate chain in order to find at least one certificate pinned to the
+given domain. SecTrustEvaluate() should always be called before this method to
+ensure that the certificate chain is valid.
+
+
+### Convenience delegate classes for NSURLConnection and NSURLSession
+
+This library also provides convenience classes for connections relying on
+NSURLConnection and NSURLSession. The ISPPinnedNSURLConnectionDelegate and
+ISPPinnedNSURLSessionDelegate implement the connection authentication methods
+within respectively the NSURLConnectionDelegate and NSURLSessionDelegate
+protocols, in order to automatically validate the server's certificate based on
+SSL pins loaded using the setupSSLPinsUsingDictionnary: method.
+
+To implement certificate pinning in their Apps, developers should simply extend
+these classes when creating their own connection delegates.
+
+
+### Sample code
+
+The Xcode unit tests within SSLCertificatePinningTests contain sample code
+demonstrating how to implement certificate pinning when using NSURLConnection
+and NSURLSession.
+
+
+### Changelog
+
+* v3: Turned the Xcode project into a static library.
+      Added certificate pinning delegate class for NSURLSession connections.
+* v2: Added the ability to pin multiple certificates to a single domain.
+* v1: Initial release.
+
+
+### License
+
+See ../LICENSE.
+
+
+### Author
+
+Alban Diquet - https://github.com/nabla-c0d3