[erlang-questions] SSL verify_fun option
Konrad Kaplita
konrad.kaplita@REDACTED
Fri Sep 2 16:06:02 CEST 2011
Hi all,
I need some advice from an SSL guru here. I want to implement SSL mutual
authentication. I'm using R14B02. During certificate validation I also want
to obtain the Common Name value. To do this I try to use the verify_fun option,
but with no luck.
Documentation states:
> The verify fun will be called during the X509-path validation when an error
> or an extension unknown to the ssl application is encountered. Additionally
> it will be called when a certificate is considered valid by the path
> validation to allow access to each certificate in the path to the user
> application.
My SSL Options tuple looks like this:
> {ssl_opts, [{certfile,
> filename:join([code:priv_dir(ws), "ssl", "server.crt"])},
> {keyfile,
> filename:join([code:priv_dir(ws), "ssl", "server.key"])},
> {verify, verify_peer},
> {cacertfile,
> filename:join([code:priv_dir(ws), "ssl", "ca.crt"])},
> {fail_if_no_peer_cert, true},
> {verify_fun, {fun validate/3, []}}
I expect that my validate fun will be invoked after a successful SSL
handshake, but it's not.
After some digging I discovered that ssl_handshake:certify/6 function has
been changed in this commit:
https://github.com/erlang/otp/commit/4dbf3c9e4ae7cfd19b247353369166d31b8f15e5#diff-0
It basically wraps my verify_fun in its own, and passes this further to
pubkey_cert:verify_fun/4, and it never invokes my verify_fun, due to the
change introduced by the commit mentioned above (when you have a valid
certificate, your verify_fun is never called, which is contrary to the
documentation).
Is the current behaviour intentional or a bug? Or maybe I'm doing something
wrong along the way?
Kind regards,
Konrad
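A verify_fun written against the callback shape quoted from the documentation above, as an added example that is not part of the original post. It assumes the record definitions from OTP's public_key.hrl and that the process that should learn the peer's Common Name is passed in as Owner, since the callback runs inside the ssl connection process.

```erlang
%% Added example (not from the post): a verify_fun for the ssl
%% application that records the peer certificate's Common Name.
%% Assumes the documented callback shape Fun(OtpCert, Event, UserState)
%% and the record definitions from OTP's public_key.hrl.
-module(cn_verify).
-export([ssl_opts/2, validate/4, common_name/1]).
-include_lib("public_key/include/public_key.hrl").

%% The options from the post, with the verify_fun closing over Owner,
%% the process that should receive the peer's CN after validation.
ssl_opts(PrivDir, Owner) ->
    [{certfile,   filename:join([PrivDir, "ssl", "server.crt"])},
     {keyfile,    filename:join([PrivDir, "ssl", "server.key"])},
     {cacertfile, filename:join([PrivDir, "ssl", "ca.crt"])},
     {verify, verify_peer},
     {fail_if_no_peer_cert, true},
     {verify_fun, {fun(C, Ev, St) -> validate(Owner, C, Ev, St) end, []}}].

%% Path-validation error: reject, keeping the default strict policy.
validate(_Owner, _Cert, {bad_cert, Reason}, _State) ->
    {fail, Reason};
%% Extension the ssl application does not understand: leave it unhandled.
validate(_Owner, _Cert, {extension, _Ext}, State) ->
    {unknown, State};
%% A CA/intermediate certificate in the path was accepted.
validate(_Owner, _Cert, valid, State) ->
    {valid, State};
%% The peer certificate was accepted: extract its CN and report it.
validate(Owner, Cert, valid_peer, State) ->
    CN = common_name(Cert),
    Owner ! {peer_cn, CN},
    {valid, [{peer_cn, CN} | State]}.

%% Walk the subject's RDN sequence looking for id-at-commonName.
common_name(#'OTPCertificate'{tbsCertificate = TBS}) ->
    #'OTPTBSCertificate'{subject = {rdnSequence, RDNs}} = TBS,
    CNs = [V || #'AttributeTypeAndValue'{type = ?'id-at-commonName',
                                          value = V} <- lists:append(RDNs)],
    case CNs of
        [Value | _] -> string_value(Value);
        []          -> undefined
    end.

%% DirectoryString values arrive as {Tag, String}; normalise to a binary.
string_value({utf8String, Bin}) when is_binary(Bin) -> Bin;
string_value({_Tag, Str}) when is_list(Str) -> unicode:characters_to_binary(Str);
string_value(Other) -> Other.
```

Whether the valid_peer clause is ever reached on a given OTP release is exactly the question raised in the post; on releases where it is, the owner process receives {peer_cn, CN} once the path validation accepts the peer certificate.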