[erlang-questions] SSL hostname verification
Ingela Andin
ingela.andin@REDACTED
Tue Jan 23 15:59:35 CET 2018
Hi!
Well, I forgot you are using distribution over TLS, and when specifying the
fun via the configuration file you must use the fun <Module>/3 format for funs.
So you need to have a module implementing the function that you want to use
as a fun.
So:
-module(my_verify).
-export([verify/3]).

%% Only the hostname failure gets the custom treatment; every other
%% result is handled exactly as the default verify_fun handles it.
verify(Cert, {bad_cert, hostname_check_failed} = Reason, UserState) ->
    case my_hostname_check(Cert, UserState) of
        true  -> {valid, UserState};
        false -> {fail, Reason}
    end;
verify(_, {bad_cert, _} = Reason, _) ->
    {fail, Reason};
verify(_, {extension, _}, UserState) ->
    {unknown, UserState};
verify(_, valid, UserState) ->
    {valid, UserState};
verify(_, valid_peer, UserState) ->
    {valid, UserState}.

%% Your own hostname check goes here; it fails closed until you write it.
my_hostname_check(_Cert, _UserState) ->
    false.
2018-01-23 12:13 GMT+01:00 San Gillis <san.gillis@REDACTED>:
> Hi!
>
> First of all, thank you Dmitry and Ingela for the quick replies.
>
>> Yes, it disables all hostname checks, making you vulnerable to the things
>> they were designed to protect.
>>
>
> Thought so, so I would prefer not to use the disable option.
>
>
>> The way to customize the checks is to handle them in your own verify_fun;
>> why do you think that is convoluted?
>>
>
> It just seemed weird to me to write erlang functions inside a
> configuration file. But then again, I didn't understand it could be just a
> short function, which makes it a lot more acceptable.
>
>
>> The verify_fun can be very simple, only specifically handling the {bad_cert,
>> hostname_check_failed} case; then all other checks will behave as before. The
>> verify_fun is not meant to replace the default certificate checks; it
>> is for extending the checks and possibly ignoring some specific error
>> (even though this is seldom desirable).
>>
>> Something like:
>>
>> {fun(Cert,{bad_cert, hostname_check_failed} = Reason, UserState) ->
>>      %% Perform own check ...
>>      case my_hostname_check(Cert, UserState) of
>>          true  -> {valid, UserState};
>>          false -> {fail, Reason}
>>      end;
>>     (_,{extension, _}, UserState) ->
>>      {unknown, UserState};
>>     (_, valid, UserState) ->
>>      {valid, UserState};
>>     (_, valid_peer, UserState) ->
>>      {valid, UserState}
>>  end, []}
>>
>>
> I tried this, but the weird thing is that when I explicitly set verify_fun
> to what is described as the default in the documentation:
>
> {fun(_,{bad_cert, _} = Reason, _) ->
>      {fail, Reason};
>     (_,{extension, _}, UserState) ->
>      {unknown, UserState};
>     (_, valid, UserState) ->
>      {valid, UserState};
>     (_, valid_peer, UserState) ->
>      {valid, UserState}
>  end, []}
>
> I do not get the hostname_check_failed error anymore. I did not expect this.
>
> I believe `ssl_certificate:verify_hostname` is called when I do not explicitly provide verify_fun, because I added some debug statements that got executed.
>
> When I do provide the verify_fun as above the debug statements no longer get executed. But I couldn't find any other occurrences of hostname_check_failed in my copy of the `lib` dir of erlang 20.2.
>
>
>
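A complete module of the kind Ingela describes, added here as an illustration and not code from the thread or from OTP: it keeps the default behaviour for every verify_fun result except the hostname check, and for that it matches the peer certificate against an operator-supplied list of reference identifiers using public_key:pkix_verify_hostname/2 (in OTP since 20.0) instead of the node's hostname. The module name my_verify is taken from the thread; the user-state format (a list of {dns_id, Name} tuples), the example names and the check_peer_name/2 helper are assumptions for this example. Because San Gillis reports above that an explicit verify_fun stops the hostname_check_failed path from being reached on his 20.2 install, the check is also run in the valid_peer clause, so the allow list is enforced whether or not ssl itself raises the error.

```erlang
%% my_verify.erl -- added example; not from the erlang-questions thread.
-module(my_verify).
-export([verify/3]).

%% RefIds is the verify_fun user state: the reference identifiers the peer
%% certificate must match, in public_key:pkix_verify_hostname/2 form, e.g.
%% [{dns_id, "node1.cluster.internal"}, {dns_id, "node2.cluster.internal"}]
%% (assumed example names).
-spec verify(term(), term(), list()) ->
          {valid, list()} | {unknown, list()} | {fail, term()}.
verify(Cert, {bad_cert, hostname_check_failed}, RefIds) ->
    %% ssl's own check (against the host in the node name) failed;
    %% decide against the allow list instead of blindly accepting.
    check_peer_name(Cert, RefIds);
verify(_Cert, {bad_cert, _} = Reason, _RefIds) ->
    %% Every other path-validation error stays fatal, as in the default.
    {fail, Reason};
verify(_Cert, {extension, _}, RefIds) ->
    %% Unknown extensions are left to the default handling.
    {unknown, RefIds};
verify(_Cert, valid, RefIds) ->
    %% Intermediate CA certificate that validated fine.
    {valid, RefIds};
verify(Cert, valid_peer, RefIds) ->
    %% The peer's own certificate validated; enforce the name here too,
    %% so the check runs even if ssl never reports hostname_check_failed.
    check_peer_name(Cert, RefIds).

%% Match the certificate's subjectAltName (or, failing that, its CN)
%% against the reference identifiers. Fails closed on mismatch.
check_peer_name(Cert, RefIds) ->
    case public_key:pkix_verify_hostname(Cert, RefIds) of
        true  -> {valid, RefIds};
        false -> {fail, {bad_cert, hostname_check_failed}}
    end.
```

Reference it from the option file given to -ssl_dist_optfile (OTP 20 format: [{server, ServerOpts}, {client, ClientOpts}]) as {verify_fun, {fun my_verify:verify/3, [{dns_id, "node1.cluster.internal"}]}} on both the client and the server side, together with {verify, verify_peer}; since the same allow list is applied in both directions, every node in the cluster checks its peer against the same set of names. The compiled module only has to be loadable when the first distribution connection is verified, so putting it on the code path with -pa is enough. Before relying on it, connect once with a certificate whose name is not on the list and confirm that the connection is rejected; an unconditional {valid, UserState} in either clause would silently turn the check off, which is exactly the exposure Ingela warns about.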