[erlang-questions] enforcing ssl trust chain

Emile Joubert emile@REDACTED
Mon Aug 23 19:04:10 CEST 2010


On 16/08/10 13:18, Ingela Andin wrote:
> Hi!
> 2010/8/11 Emile Joubert <emile@REDACTED>:

[...]

>> In a production environment I want to prevent clients without
>> certificates signed by a known CA from connecting. Is there any way of
>> getting this behaviour by using configuration files? The only way I can
>> find is to set verify_fun to an appropriate function, but this is
>> unappealing because I want to change my mind without needing to recompile.
> 
> At the moment defining a verify fun would be your option to accomplish this.
> We might add some other configuration option if we find that it seems to be
> a good thing from a general point of view.

I've tried that, but verify_fun gets called regardless of whether verify
is set to verify_none or verify_peer. My reading of the documentation is
that certificate path validation errors should be ignored if verify_none
is set, regardless of verify_fun. Can you please confirm?

Thanks

Emile
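
The requirement discussed in this thread (reject clients whose certificate is not signed by a known CA, and be able to switch that off without recompiling) could be met by a verify fun whose behaviour is driven by application configuration. The following is an added example, not code from the original post or from the OTP team; it assumes the three-argument `verify_fun` form of the current ssl application, which may differ from the release discussed in 2010, and the application name `my_server` and its env keys are hypothetical:

```erlang
-module(tls_client_auth).
-export([listen_opts/0]).

%% Assumption: application name and env keys are hypothetical, e.g. in sys.config:
%%   {my_server, [{client_auth, enforce},          % enforce | permissive
%%                {cacertfile, "/path/to/ca.pem"},
%%                {certfile,   "/path/to/server.pem"},
%%                {keyfile,    "/path/to/server.key"}]}
-define(APP, my_server).

%% Build the ssl:listen/2 options from configuration at start-up.
listen_opts() ->
    %% Anything other than an explicit 'permissive' fails closed.
    Policy = case application:get_env(?APP, client_auth, enforce) of
                 permissive -> permissive;
                 _Other     -> enforce
             end,
    [{cacertfile, env(cacertfile)},
     {certfile,   env(certfile)},
     {keyfile,    env(keyfile)},
     %% verify_peer makes the server request a client certificate.
     {verify, verify_peer},
     {fail_if_no_peer_cert, Policy =:= enforce},
     %% The policy is passed to the fun as its initial user state.
     {verify_fun, {fun verify/3, Policy}}].

env(Key) ->
    {ok, Value} = application:get_env(?APP, Key),
    Value.

%% Called by ssl during path validation: on each error, on each unknown
%% extension, and for each certificate the validation considers valid.
verify(_Cert, {bad_cert, _} = Reason, enforce) ->
    {fail, Reason};                       % unknown CA, expired, and so on
verify(_Cert, {bad_cert, Reason}, permissive = Policy) ->
    error_logger:warning_msg("client cert accepted despite ~p~n", [Reason]),
    {valid, Policy};
verify(_Cert, {extension, _}, Policy) ->
    {unknown, Policy};                    % leave the extension to ssl
verify(_Cert, valid, Policy) ->
    {valid, Policy};
verify(_Cert, valid_peer, Policy) ->
    {valid, Policy}.
```

Switching between the two policies then takes a configuration change and a listener restart rather than a recompile.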


