Allow server to use verify_peer and have no cacertfile

jonas jonas.p@REDACTED
Thu Aug 12 11:34:02 CEST 2010


Hey *,
I wanted to implement a server that can authenticate clients using the
FOAF+SSL protocol (http://esw.w3.org/Foaf+ssl). This protocol uses the
existing TLS infrastructure but does not use a cacert to authenticate
the user. Providing no cacert was just an option for a client, since
they can usually verify the certificate manually. If a server doesn't
provide a cacertfile you get an error. This patch removes this
restriction and allows a server to have no cacert, too.

git fetch git://github.com/jonasp/otp.git foaf_ssl

I didn't delete the testcase "Test server must have cacerts if it
wants to verify client" yet. I can do so if you think that the patch
is fine as it is.
As far as documentation is concerned, I am not exactly sure what would
be reasonable to change, since the FOAF+SSL use case is still a bit too
exotic to be referred to. (It is still in the process of being
formally standardized.) And the Erlang man page for ssl just states
that the cacertfile option can be omitted if you do not want to verify
the peer, but does not differentiate between client and server as it
actually should at the moment. So I don't think any change is needed
there.

Best regards
Jonas Pollok
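
As an added illustration of the server side of this use case (example code, not
part of Jonas's patch or of OTP itself), the following module configures an
ssl listener that requests a client certificate while providing no cacertfile,
and handles the resulting verification events in a verify_fun. It assumes the
verify_fun interface of current OTP releases (the `{Fun, InitialUserState}`
form with `{bad_cert, Reason}`, `{extension, Ext}`, `valid` and `valid_peer`
events), which did not exist in this form in 2010; the module name, function
names and the record-based subjectAltName extraction are my own. Note the
security boundary this sets: accepting a self-signed client certificate only
proves possession of the private key. The FOAF+SSL step that makes this an
authentication, dereferencing the WebID URI and checking that the published
public key matches the one in the certificate, still has to happen in the
application after the handshake.

```erlang
%% Example added for illustration; not code from the original post or from OTP.
-module(foaf_ssl_server).
-export([listen_opts/2, verify_client/3, webid_from_cert/1, peer_webids/1]).

-include_lib("public_key/include/public_key.hrl").

%% Listener options: request a client certificate, refuse clients that send
%% none, and do not configure any CA bundle. With no trust anchor, every
%% client chain reaches the verify_fun as a bad_cert event.
listen_opts(CertFile, KeyFile) ->
    [{certfile, CertFile},
     {keyfile, KeyFile},
     {verify, verify_peer},
     {fail_if_no_peer_cert, true},
     {verify_fun, {fun verify_client/3, []}}].

%% verify_fun callback. Only the two "no trusted anchor" outcomes are accepted;
%% any other validation failure (expired certificate, bad signature, ...)
%% still aborts the handshake.
verify_client(_Cert, {bad_cert, selfsigned_peer}, State) -> {valid, State};
verify_client(_Cert, {bad_cert, unknown_ca}, State)      -> {valid, State};
verify_client(_Cert, {bad_cert, Reason}, _State)         -> {fail, Reason};
verify_client(_Cert, {extension, _Ext}, State)           -> {unknown, State};
verify_client(_Cert, valid, State)                       -> {valid, State};
verify_client(_Cert, valid_peer, State)                  -> {valid, State}.

%% Extract the WebID URIs (subjectAltName entries of type URI) from a
%% certificate decoded with public_key:pkix_decode_cert(Der, otp).
webid_from_cert(#'OTPCertificate'{tbsCertificate = TBS}) ->
    case TBS#'OTPTBSCertificate'.extensions of
        Exts when is_list(Exts) ->
            case lists:keyfind(?'id-ce-subjectAltName',
                               #'Extension'.extnID, Exts) of
                #'Extension'{extnValue = Names} when is_list(Names) ->
                    [URI || {uniformResourceIdentifier, URI} <- Names];
                _ ->
                    []
            end;
        _ ->
            []
    end.

%% After ssl:handshake/1 succeeds, fetch the peer certificate and return the
%% WebIDs it claims. The caller must still dereference each WebID and compare
%% the published key with the certificate's public key before trusting it.
peer_webids(Socket) ->
    case ssl:peercert(Socket) of
        {ok, Der} ->
            {ok, webid_from_cert(public_key:pkix_decode_cert(Der, otp))};
        {error, Reason} ->
            {error, Reason}
    end.
```

Usage: `{ok, L} = ssl:listen(8443, foaf_ssl_server:listen_opts("server.pem",
"server.key"))`, accept with `ssl:transport_accept/1` and `ssl:handshake/1`,
then call `foaf_ssl_server:peer_webids(Socket)` and perform the WebID profile
lookup in the application.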

