[erlang-questions] smtp server

Ingela Andin ingela.andin@REDACTED
Fri Feb 3 13:31:03 CET 2012


Hi!

You are correct, there is a bug in ssl. Here is the patch that will be
part of the next release.

diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 371f475..d68b80c 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -188,14 +188,14 @@ certify(#certificate{asn1_certificates =
ASN1Certs}, CertDbHandle, CertDbRef,
     ValidationFunAndState =
        case VerifyFunAndState of
            undefined ->
-               {fun(OtpCert, ExtensionOrError, SslState) ->
+               {fun(OtpCert, ExtensionOrVerifyResult, SslState) ->
                         ssl_certificate:validate_extension(OtpCert,
-
ExtensionOrError, SslState)
+
ExtensionOrVerifyResult, SslState)
                 end, Role};
            {Fun, UserState0} ->
-               {fun(OtpCert, ExtensionOrError, {SslState, UserState}) ->
+               {fun(OtpCert, {extension, _} = Extension, {SslState,
UserState}) ->
                         case ssl_certificate:validate_extension(OtpCert,
-
ExtensionOrError,
+                                                                Extension,
                                                                 SslState) of
                             {valid, NewSslState} ->
                                 {valid, {NewSslState, UserState}};
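Review bot: In the `{Fun, UserState0}` branch the first clause head now matches only `{extension, _} = Extension`, so every other event depends on a later clause that is not visible in this hunk; a one-line comment above the fun saying that non-extension results are handled by the following clause would make the dispatch readable on its own. The `undefined` branch only renames `ExtensionOrError` to `ExtensionOrVerifyResult` and still passes every event to `ssl_certificate:validate_extension`, so the two branches now route non-extension events differently, which is worth stating in the same comment.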
@@ -204,8 +204,11 @@ certify(#certificate{asn1_certificates =
ASN1Certs}, CertDbHandle, CertDbRef,
                                                SslState);
                             {unknown, _} ->
                                 apply_user_fun(Fun, OtpCert,
-                                               ExtensionOrError,
UserState, SslState)
-                        end
+                                               Extension, UserState, SslState)
+                        end;
+                   (OtpCert, VerifyResult, {SslState, UserState}) ->
+                        apply_user_fun(Fun, OtpCert, VerifyResult, UserState,
+                                       SslState)
                 end, {Role, UserState0}}
        end,
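Review bot: The new final clause `(OtpCert, VerifyResult, {SslState, UserState})` hands every non-extension event straight to `apply_user_fun` without going through `ssl_certificate:validate_extension`, and the patch touches only `ssl_handshake.erl`, so nothing here guards against the same regression returning. Add a test case with a user-supplied verify fun and a certificate chain that carries no unknown extensions, asserting that the fun is invoked for each certificate. A short comment next to the clause noting that these events bypass the built-in extension validation would also help the next reader.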


Regards Ingela Erlang/OTP team - Ericsson AB

2012/2/3, Stefan Grundmann <sg2342@REDACTED>:
> On Thu, 2 Feb 2012 18:25:00 +0100
> Ingela Andin <ingela.andin@REDACTED> wrote:
>> We use this test suite to verify our PKIX-path-validation code,
>> granted we do not yet support CRL-handling but that is on its
>> way. Our verify_fun will let you work around the problem that it
>> is not yet supported. (Not so fun for you perhaps but a possible
>> solution for now).
>
> This is unfortunately not the case, since for versions that contain
> commit 4dbf3c9e4ae7cfd19b247353369166d31b8f15e5 (it is in R14B04 and
> R15B) the documented behaviour (verify_fun will be called for every
> certificate) is broken: the verify_fun will only be called if the
> certificate contains unknown extensions.
> It is therefore not useful as a CRL workaround (anymore).
>
> best regards
>
> Stefan Grundmann