Another SSL question
Thu Feb 6 20:32:37 CET 2003
I am currently working with version 3.0 of Erlang SSL. It is based on
OpenSSL-0.9.7 (the former version were based on the now very obsolete
SSLeay, the package of which OpenSSL developed from).
There will be functions for parsing peer certificates with the aid of code
generated by the Erlang ASN.1 compiler from PKIX ASN.1 modules
PKIX1Explicit88, PKIX1Implicit88, and PKIX1Algorithms88 (in RFCs 3279 and
A certificate will be represented (recursivly) by Erlang records/terms.
You can then extract any information you want (in particular the
distinguished name of the subject).
There will also be documentation about certificates in general, and on
generation of certificates (CA, intermediate CA, and end user) with the
*openssl* command for the Erlang SSL test suites. That will hopefully
provide help in understanding what certificates are and how they work.
In addition the silly restriction that servers and clients have to share
the same set of locally stored trusted certificates will be removed.
Also the very old ssl_socket interface will be removed.
The new Erlang SSL version will be provided as a patch for R9, R8 and R7.
On Thu, 6 Feb 2003, Mikael Karlsson wrote:
> Just want to know before I try to do anything by myself..
> Are there any plans by the OTP team (or others) to add,
> to ssl, functionality to read the contents from a client cert
> after a client verification.
> I would like to check the contents of the client cert in order to
> decide which user it is and set some access restriction based on
> the user id.
> There is support for this in OpenSSL, and since the OTP ssl
> application uses it, I guess it is "just to add a couple of functions".
> Apache for instance can export a number cert values to environment
> variables so that you can do this, and I think this is a common
> procedure in many PKI based internet/intranet applications.
More information about the erlang-questions