[erlang-bugs] SSL option fail_if_no_peer_cert has the wrong default value

Vincent de Phily vincent.dephily@REDACTED
Fri Mar 6 16:23:11 CET 2015


Hi,

I just noticed that fail_if_no_peer_cert defaults to false. This is dangerous, 
as it means that just setting {verify,verify_peer} leaves you open to 
unauthenticated connections.

The current default is unexpected and undocumented. It is a security hole waiting 
to happen (indeed, it has been present in my software for years).
Thinking about it further, {fail_if_no_peer_cert,false} can only serve some 
very niche, unusual use cases? The docs say that it only has an impact if 
verify_peer is set. It could be that you want to accept (and treat 
differently) both authenticated and non-authenticated connections, but most 
users will either not need authentication (and set verify_none) or will want 
to authenticate every connection.

The absence of a peer cert seems like a poor heuristic for deciding to accept 
unauthenticated connections. What if the peer has a cert you don't know about? 
A better interface would be one that always lets the connection succeed, but 
includes authentication status in its success return.

I'd argue that even explicitly setting {fail_if_no_peer_cert,false} is likely 
to lead to surprises and that people should instead put the logic in 
verify_fun or in post-handshake checks, but that's probably out of scope for a 
bug report.


-- 
Vincent de Phily

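To make the option interaction concrete, here is an added Erlang example (not part of the original report or of OTP itself) that places the option list the report warns about beside one that actually requires a client certificate, and adds the post-handshake check the report suggests. The module name, port argument and PEM file names are placeholders; it assumes OTP 21 or later for ssl:handshake/1.

```erlang
%% Added example, not code from the original post. Shows the option set the
%% report describes (verify_peer alone), the corrected set, and a
%% post-handshake check via ssl:peercert/1.
-module(mtls_server_example).
-export([weak_opts/0, strict_opts/0, listen_strict/1,
         accept_one/1, peer_is_authenticated/1]).

%% Placeholder file names (assumed); replace with real PEM files.
-define(CACERT, "ca.pem").
-define(CERT,   "server.pem").
-define(KEY,    "server_key.pem").

%% What the report describes: verify_peer on its own. A client that sends no
%% certificate at all still completes the handshake, because
%% fail_if_no_peer_cert defaults to false.
weak_opts() ->
    [{cacertfile, ?CACERT},
     {certfile, ?CERT},
     {keyfile, ?KEY},
     {verify, verify_peer}].

%% Corrected: every client must present a certificate that validates
%% against the CA, or the handshake fails.
strict_opts() ->
    [{fail_if_no_peer_cert, true} | weak_opts()].

%% Listen with the strict options.
listen_strict(Port) ->
    ok = ssl:start(),
    ssl:listen(Port, strict_opts()).

%% Accept one connection and report whether the peer authenticated.
%% With strict_opts/0 a client without a certificate never reaches the
%% {ok, ...} branch; with weak_opts/0 it does, and the boolean is false.
accept_one(ListenSocket) ->
    {ok, TSocket} = ssl:transport_accept(ListenSocket),
    case ssl:handshake(TSocket) of
        {ok, Socket} -> {ok, Socket, peer_is_authenticated(Socket)};
        {error, Reason} -> {error, Reason}
    end.

%% Post-handshake check for code that deliberately keeps
%% fail_if_no_peer_cert false (the "accept both, treat differently" case):
%% ssl:peercert/1 returns {error, no_peercert} when the client sent none.
peer_is_authenticated(Socket) ->
    case ssl:peercert(Socket) of
        {ok, _DerCert} -> true;
        {error, no_peercert} -> false
    end.
```

The point of peer_is_authenticated/1 is that the absence of a certificate is only visible after the handshake; verify_fun is invoked per certificate in the presented chain and is never called when no chain is presented, so a server that leaves fail_if_no_peer_cert at its default needs an explicit check like this before treating a connection as authenticated.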