[erlang-questions] enforcing ssl trust chain

Ingela Andin <>
Mon Aug 16 14:18:59 CEST 2010


2010/8/11 Emile Joubert <>:
> Hi,
> I read in the latest ssl documentation and SSL 3.10.3 release notes that
> an unknown CA is not considered a validation error. What is the
> motivation for this default?

My personal preference for default value was not to accept any
path-validation errors as default, but the motivation was that it
should be as easy as possible to get an ssl connection up and
running. I am just back from vacation and I do not remember
all the details of the discussion.  We are of course interested in all
user feedback we can get.
So if you have any arguments for or against please let us know.

> In a production environment I want to prevent clients without
> certificates signed by a known CA from connecting. Is there any way of
> getting this behaviour by using configuration files? The only way I can
> find is to set verify_fun to an appropriate function, but this is
> unappealing because I want to change my mind without needing to recompile.

At the moment defining a verify fun would be your option to accomplish this.
We might add some other configuration option if we find that it seems to be
a good thing from a general point of view.

Regards Ingela Erlang/OTP team - Ericsson AB

More information about the erlang-questions mailing list