[erlang-questions] SSL verification

Technion <>
Mon Dec 26 00:50:38 CET 2016

Ugh.. I was reading that old document because it was the first hit on Google and I couldn't see a way to get the latest. That said, from the link you provided, here is the current wording under the "client side" heading:

{verify, verify_type()}
In mode verify_none the default behavior is to allow all x509-path validation errors. See also option verify_fun.

I'm still reading that with a strong expectation that if I don't specify "verify_none", there will be verification performed.

There is a discussion under "server side" which I believe is what you are quoting, where it refers to verifying client certificates, but if we are talking about ssl:connect we are not talking about server side.

From:  <> on behalf of Kenneth Lakin <>
Sent: Monday, 26 December 2016 1:20 AM
Subject: Re: [erlang-questions] SSL verification

On 12/24/2016 11:14 PM, Technion wrote:
> I was wondering if someone could clarify what I'm looking at. From the new_ssl page:
> http://erlang.org/documentation/doc-5.7.4/lib/ssl-3.10.7/doc/html/new_ssl.html

Are you using OTP R13* (released ~six years ago)? If you are, then
please disregard the rest of this message.

If you're not, then why are you consulting documentation for ssl 3.10.7?
The current version is 8.1.

The current documentation <http://erlang.org/doc/man/ssl.html> states
that path validation is only performed when verify is set to verify_peer.

The purpose of new_ssl is described as follows:

"The new implementation is Erlang based and all logic is in Erlang and
only payload encryption calculations are done in C via the crypto

Given that the current ssl application seems to do everything but some
of the crypto in Erlang, it would seem that new_ssl became the default
long ago. Additionally, I can't find any files whose name contains the
substring "new_ssl" in the current Erlang source tree.
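
An added example, not part of the thread or of OTP: a client wrapper around ssl:connect that states verify_peer explicitly rather than relying on the default, following the reply's point that path validation is only performed when verify is set to verify_peer. The module name, function names and CA bundle path are assumptions.

```erlang
%% Added example: explicit peer verification for an ssl:connect client.
%% tls_client, its functions and DEFAULT_CA_FILE are hypothetical names.
-module(tls_client).
-export([connect/2, connect/3, client_opts/2]).

%% Assumed location of a PEM bundle of trusted roots; adjust per system.
-define(DEFAULT_CA_FILE, "/etc/ssl/certs/ca-certificates.crt").

%% Host is a hostname string, e.g. "example.org".
connect(Host, Port) ->
    connect(Host, Port, ?DEFAULT_CA_FILE).

connect(Host, Port, CAFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    case ssl:connect(Host, Port, client_opts(Host, CAFile), 5000) of
        {ok, Socket}    -> {ok, Socket};
        {error, Reason} -> {error, {tls_connect_failed, Reason}}
    end.

%% Do not rely on the default for verify: set verify_peer explicitly
%% and supply the trust anchors the chain is validated against.
client_opts(Host, CAFile) ->
    [{verify, verify_peer},
     {cacertfile, CAFile},
     {depth, 3},
     {server_name_indication, Host},
     {verify_fun, {fun verify_event/3, []}}].

%% Same decisions as the verify_peer behaviour described in the ssl
%% manual, plus a log line so validation failures are visible.
verify_event(_Cert, {bad_cert, _} = Reason, _State) ->
    error_logger:warning_msg("TLS path validation failed: ~p~n", [Reason]),
    {fail, Reason};
verify_event(_Cert, {extension, _}, State) ->
    {unknown, State};
verify_event(_Cert, valid, State) ->
    {valid, State};
verify_event(_Cert, valid_peer, State) ->
    {valid, State}.
```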
