I think the authorities and auth_level should be removed from handshake.pike. Having the same variables in handshake.pike and context.pike is confusing and invites bugs.
Good idea, this is done.
- Check that the root of the certificate chain is trusted. First issuer should be the subject and issuer of a certificate in the authorities list (those are "self-signed", i.e. subject = issuer).
I'm not sure this is correct, as you could have a second tier authority, in which case your "root authority" isn't self-signed. Either way, coding this would just enforce our view of what a valid certificate was based on a very narrow usage scenario. Perhaps it would be better to pass the certificate or issuer to a callback, which would then give a thumbs up or down on the presented certificate (strictly in a "name on the front door" sort of way, no validity checks made).
I'm thinking I might be getting in a little too deep, so comments are welcome.
Bill