enforcing ssl trust chain

Emile Joubert <>
Wed Aug 11 18:59:41 CEST 2010


I read in the latest ssl documentation and SSL 3.10.3 release notes that
an unknown CA is not considered a validation error. What is the
motivation for this default?

In a production environment I want to prevent clients without
certificates signed by a known CA from connecting. Is there any way of
getting this behaviour by using configuration files? The only way I can
find is to set verify_fun to an appropriate function, but this is
unappealing because I want to change my mind without needing to recompile.



More information about the erlang-questions mailing list