[erlang-questions] SSL verification

Kenneth Lakin kennethlakin@REDACTED
Mon Dec 26 01:27:58 CET 2016


On 12/25/2016 03:50 PM, Technion wrote:
> Ugh.. I was reading that old document because it was the first hit on
> Google and I couldn't see a way to get the latest.

The pattern for the module documentation is
erlang.org/doc/man/$MODULE.html

Some (most?) of the Erlang applications also have documentation:
erlang.org/doc/man/$APP_app.html

> There is a discussion under "server side" which I believe is what you
> are quoting, where it refers to verifying client certificates, but if
> we are talking about ssl:connect we are not talking about server side.
> ...
> {verify, verify_type()}
> In mode verify_none the default behavior is to allow all
> x509-path validation errors. See also option verify_fun.

AFAIK, the default verify_fun is the same for both server and client
operation. Notice how it's in the "COMMON for SERVER and CLIENT" section.

> I'm still reading that with a strong expectation that if I don't specify 
> "verify_none", there will be verification performed.

Odd. My expectation is that -unless I request it- verification will not
be performed. I expect that I expect this because it seems more likely
than not that your average TLS-equipped server will be using certs that
won't validate (whether they be self-signed, expired, or simply not
valid for the domain you're accessing).

