[erlang-bugs] SSL option fail_if_no_peer_cert has the wrong default value
Vincent de Phily
vincent.dephily@REDACTED
Wed Mar 11 13:31:34 CET 2015
On Wednesday 11 March 2015 12:15:51 Vincent de Phily wrote:
> On Tuesday 10 March 2015 19:35:28 Ingela Anderton Andin wrote:
> > > In f_i_n_p_c's case, changing the default would probably close more bugs
> > > than it'd open. Importantly, the new bugs would cause a visible failure,
> > > rather than the invisible security hole caused by the current bugs. It'll
> > > be an annoyance for the minority of people who actually need
> > > f_i_n_p_c=false, but it's a clear win overall.
> > >
> > > I even think that f_i_n_p_c should be completely deprecated, since its
> > > niche behavior can be obtained with a custom verify_fun. But it seems
> > > like I'd have a hard time convincing you about that :p
> >
> > We will think about it. It is not entirely up to me, but my opinion will
> > count.
>
> Thanks, I hope I provided a good enough argument that the change is worth
> the potential incompatibility.
I did a web search on explicit use of f_i_n_p_c in other projects and was
surprised at how often it was set to false instead of true, to the point that
I wonder whether I don't understand the option correctly, or whether users don't
understand the implications.
My understanding is this:
* If you want to authenticate the peer (as opposed to just encrypting the
communication), you set verify_peer. A connection to a peer that fails
authentication will be refused.
* You then have the option, using f_i_n_p_c=false, to nevertheless accept the
connection for a specific case of auth failure (peer didn't send a cert).
* This only makes sense if you have a fallback method to authenticate the
peer. Authenticate using ssl certs orelse authenticate using account
passwords, for example. An authentication that can be trivially bypassed
(by not sending a cert) might as well not be done at all.
Is that understanding correct, or is there a use case of f_i_n_p_c=false where
you don't require an alternate authentication method once the ssl
authentication has failed? Can you point at projects that use f_i_n_p_c=false
properly?
--
Vincent de Phily
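As an added example (not code from the post or from OTP), the server-side option lists for the two settings discussed above, plus a post-handshake step that demands the fallback authentication whenever the peer sent no certificate. The PEM file names and the CheckPassword fun are assumptions supplied by the application.

```erlang
%% Added example: contrasts fail_if_no_peer_cert true/false under verify_peer
%% and shows the fallback check that the false setting requires.
-module(fail_if_no_peer_cert_example).
-export([strict_opts/0, optional_cert_opts/0, post_handshake_auth/2]).

%% Hypothetical file names; any CA/server PEM files would do.
-define(CACERT, "ca.pem").
-define(CERT, "server.pem").
-define(KEY, "server_key.pem").

common_opts() ->
    [{cacertfile, ?CACERT}, {certfile, ?CERT}, {keyfile, ?KEY},
     %% verify_peer: a cert that fails CA validation aborts the handshake.
     {verify, verify_peer}].

%% The setting the post argues should be the default: a peer that sends
%% no certificate at all is also rejected during the handshake.
strict_opts() ->
    [{fail_if_no_peer_cert, true} | common_opts()].

%% A missing cert is tolerated. This is only safe when the application
%% authenticates such peers some other way (see post_handshake_auth/2);
%% without that, a client bypasses authentication by sending no cert.
optional_cert_opts() ->
    [{fail_if_no_peer_cert, false} | common_opts()].

%% Call after ssl:handshake/1,2 on a socket opened with optional_cert_opts/0.
%% If a cert was presented it has already passed CA validation; otherwise
%% the peer must pass the application's CheckPassword(Socket) fun
%% (hypothetical; returns true or false).
post_handshake_auth(Socket, CheckPassword) when is_function(CheckPassword, 1) ->
    case ssl:peercert(Socket) of
        {ok, _DerCert} ->
            {ok, cert};
        {error, no_peercert} ->
            case CheckPassword(Socket) of
                true  -> {ok, password};
                false -> {error, unauthenticated}
            end;
        {error, Reason} ->
            {error, Reason}
    end.
```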