[erlang-questions] ssl:peercert returns no_peercert on server, but works on client

Jan.Evangelista <>
Fri Nov 23 14:06:41 CET 2012


---------- Original message ----------
> From: Ingela Andin 
> Date: 23. 11. 2012
> Subject: Re: Re: [erlang-questions] ssl:peercert returns no_peercert on server, but works on client
> Hi!
> 
> 2012/11/22,  :
> ...
> Why do you not validate the certificate in the verify_fun as part of
> the path_validation?

I need a client certificate validation only when the client needs to enter a privileged role. The client issues a specific command which enables a privileged extension of the protocol on the server. Non-privileged clients may connect with any certificate (no validation is required) or without any certificate. When I do certificate validation in the verify_fun, I have no way to tell the server which role it is permitted to enter.

> And why do you specify a verify_fun that accepts all standard
> certificates path errors
> that is not very safe!

Ah, do you mean that the connection would be established even if CertificateVerify.signature does not match? That would be my big mistake!

What if the verify_fun allowed only {bad_cert, selfsigned_peer}?

  fun
      (_, {bad_cert, selfsigned_peer}, UserState) ->
          {valid, UserState};
      (_, {bad_cert, _} = Reason, _) ->
          {fail, Reason};
      (_, {extension, _}, UserState) ->
          {unknown, UserState};
      (_, valid, UserState) ->
          {valid, UserState};
      (_, valid_peer, UserState) ->
          {valid, UserState}
  end.

Jan
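
The setup described in this message, written out as an added example that is not code from the post or from OTP: the handshake tolerates only a self-signed peer, and the role decision is made later from the certificate the client presented. The module name, function names and the allowlist of SHA-256 fingerprints are assumptions; ssl:peercertificate/1 is the call current OTP releases provide for what the subject line calls ssl:peercert.

```erlang
-module(role_gate).
-export([listen_opts/2, may_enter_privileged/2, fingerprint/1]).

%% Hypothetical module: all names here and the fingerprint allowlist
%% are assumptions made for this example.

%% Server-side TLS options. verify_peer makes the server request a
%% client certificate; fail_if_no_peer_cert = false still lets clients
%% without a certificate connect as non-privileged.
listen_opts(CertFile, KeyFile) ->
    [{certfile, CertFile},
     {keyfile, KeyFile},
     {verify, verify_peer},
     {fail_if_no_peer_cert, false},
     {verify_fun, {fun verify/3, []}}].

%% Same clauses as the fun in the post: a self-signed peer is the only
%% path validation error that is tolerated, every other one fails the
%% handshake.
verify(_Cert, {bad_cert, selfsigned_peer}, UserState) ->
    {valid, UserState};
verify(_Cert, {bad_cert, _} = Reason, _UserState) ->
    {fail, Reason};
verify(_Cert, {extension, _}, UserState) ->
    {unknown, UserState};
verify(_Cert, valid, UserState) ->
    {valid, UserState};
verify(_Cert, valid_peer, UserState) ->
    {valid, UserState}.

%% Called when the client issues the privileged command. Allowed is a
%% list of SHA-256 fingerprints (binaries) of the DER-encoded
%% certificates that may enter the privileged role. A client that sent
%% no certificate is refused the role but keeps its connection.
may_enter_privileged(Socket, Allowed) when is_list(Allowed) ->
    case ssl:peercertificate(Socket) of
        {ok, Der} ->
            lists:member(fingerprint(Der), Allowed);
        {error, _NoPeerCert} ->
            false
    end.

%% Fingerprint of the exact DER bytes the peer presented.
fingerprint(Der) when is_binary(Der) ->
    crypto:hash(sha256, Der).
```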


