[erlang-questions] SSL 'verify_peer' client option changed between Erlang 19.3/20.1?

Ingela Andin ingela.andin@REDACTED
Fri Nov 3 16:53:42 CET 2017


 {server_name_indication, hostname() | disable}

2017-11-03 16:16 GMT+01:00 Frank Muller <frank.muller.erl@REDACTED>:

> Ingela,
>
> Couldn’t find out how to disable this option.
> Can you point us to it please ?
>
> /Frank
>
> Hi!
>>
>> In OTP 20, TLS client processes will by default call
>> public_key:pkix_verify_hostname/2 to verify the hostname of the
>> connection against the server certificate's specified hostname during
>> certificate path validation. The user may explicitly disable it. OTP 19
>> did not perform this check; it was left up to the application to perform it
>> in the verify_fun if they wanted to. It is not really part of the TLS
>> protocol, but it is mandated that TLS clients perform the check.
>>
>> Regards Ingela Erlang/OTP team - Ericsson AB
>>
>>
>> 2017-11-03 11:47 GMT+01:00 Roger Lipscombe <roger@REDACTED>:
>>
>>> I've got some test code where I connect an Erlang ssl client to an
>>> Erlang ssl server on localhost. On Erlang 19.3, it was passing fine.
>>> On Erlang 20.1, it started failing with
>>> {bad_cert,hostname_check_failed}.
>>>
>>> Investigation reveals that I'm connecting to "localhost", the server
>>> cert has ".../CN=testserver", and I'm passing {verify, verify_peer} in
>>> the client options.
>>>
>>> My question is, basically: why didn't Erlang 19 fail?
>>> _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>
>
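The behaviour described in the thread, written out as an added example that is not code from the thread or from OTP itself: option sets for an OTP 20 ssl client that keep the default check against the connect host, point the check at the name the certificate actually carries, or disable it, plus the verify_fun an application had to supply on OTP 19 to get the same check. The module name, the CA file "ca.pem" and the server name "testserver" are assumptions for illustration.

```erlang
%% Added example, not from the thread. Assumes a CA file "ca.pem" that issued
%% the server certificate and a TLS server listening on Host:Port.
-module(tls_hostname_demo).
-export([client_opts/1, connect/3, hostname_verify_fun/1]).

%% Option sets for an ssl client on OTP 20+ with {verify, verify_peer}.
%%   check_connect_host : the default; the Host given to ssl:connect/4 is
%%                        matched against the server certificate, so
%%                        connecting to "localhost" with CN=testserver fails
%%                        with {bad_cert, hostname_check_failed}.
%%   {expect, Name}     : match Name instead (it is also sent as SNI); the
%%                        safe fix when the cert name and the address differ.
%%   disable            : send no SNI and skip the hostname check entirely;
%%                        the certificate chain is still verified, but any
%%                        certificate issued by the CA is then accepted for
%%                        any host, which is what the check exists to prevent.
client_opts(check_connect_host) ->
    base_opts();
client_opts({expect, Name}) when is_list(Name) ->
    [{server_name_indication, Name} | base_opts()];
client_opts(disable) ->
    [{server_name_indication, disable} | base_opts()].

base_opts() ->
    [{verify, verify_peer},
     {cacertfile, "ca.pem"},   % assumption: CA that issued the server cert
     {depth, 2}].

%% Connect with the chosen mode and return ok or the ssl error term.
connect(Host, Port, Mode) ->
    case ssl:connect(Host, Port, client_opts(Mode), 5000) of
        {ok, Sock} ->
            ssl:close(Sock),
            ok;
        {error, Reason} ->
            {error, Reason}
    end.

%% What an application had to do itself on OTP 19: run the hostname check
%% from inside verify_fun on the valid_peer event, using the same
%% public_key:pkix_verify_hostname/2 that OTP 20 now calls by default.
%% Usage: ssl:connect(Host, Port,
%%            [{verify_fun, hostname_verify_fun("testserver")} | base_opts()])
hostname_verify_fun(ExpectedHost) ->
    Fun = fun(_Cert, {bad_cert, _} = Reason, _State) ->
                  {fail, Reason};
             (_Cert, {extension, _}, State) ->
                  {unknown, State};
             (_Cert, valid, State) ->
                  {valid, State};
             (Cert, valid_peer, State) ->
                  case public_key:pkix_verify_hostname(Cert, [{dns_id, ExpectedHost}]) of
                      true  -> {valid, State};
                      false -> {fail, {bad_cert, hostname_check_failed}}
                  end
          end,
    {Fun, []}.
```

For Roger's test setup, `tls_hostname_demo:connect("localhost", Port, {expect, "testserver"})` is the fix that keeps the check: pkix_verify_hostname matches the reference ID against the certificate's subjectAltName entries and, when the certificate has none, against the subject CN. Reach for `disable` only in a test that deliberately exercises a mismatched certificate.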