[erlang-questions] SSL hostname verification
Ingela Andin
ingela.andin@REDACTED
Tue Jan 23 16:10:26 CET 2018
Hi!
Just ignore my previous mail. Note to self: never edit code in a
browser mail window! ;)
Well I forgot you are using distribution over TLS and when specifying the
fun via the configuration file you must use fun <Module>:<Function>/3
format for funs.
So you need to have a module implementing the function that you want to use
as a fun.
Something like:
-module(my_verify).
-export([verify/3]).

%% Only the hostname failure is reconsidered, using your own check;
%% my_hostname_check/2 stands for your own function and is not shown here.
verify(Cert, {bad_cert, hostname_check_failed} = Reason, UserState) ->
    case my_hostname_check(Cert, UserState) of
        true ->
            {valid, UserState};
        false ->
            {fail, Reason}
    end;
%% Every other certificate error still fails, as with the default verify_fun.
verify(_, {bad_cert, _} = Reason, _) ->
    {fail, Reason};
verify(_, {extension, _}, UserState) ->
    {unknown, UserState};
verify(_, valid, UserState) ->
    {valid, UserState};
verify(_, valid_peer, UserState) ->
    {valid, UserState}.
And option like: {verify_fun, fun my_verify:verify/3, <UserState>}
This is a limitation for distribution over TLS, as unnamed funs cannot be
handled in files.
Regards Ingela Erlang/OTP -team
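A complete version of such a module, added here as an example and not code from the thread or from Erlang/OTP: instead of an undefined my_hostname_check/2 it re-runs the standard hostname check with public_key:pkix_verify_hostname/2 (available in Erlang/OTP 20 and later) against a list of expected names that is passed in as the user state. The user-state shape ([{dns_id, ...}]), the exported client_opts/2 helper and the path used in the usage note are assumptions for illustration only.

```erlang
%% my_verify.erl: added example (not the code posted in this thread).
%% Assumes Erlang/OTP 20 or later, where public_key:pkix_verify_hostname/2
%% exists, and that the verify_fun user state is a list of reference
%% identifiers such as [{dns_id, "node1.cluster.internal"}] (an assumption
%% made for this example, not a convention from the thread).
-module(my_verify).
-export([verify/3, client_opts/2]).

%% The only failure we reconsider: ssl derived a name from the peer address
%% that the certificate does not carry. Re-run the RFC 6125 style check
%% against the names we actually expect for this node. If the certificate
%% names none of them, the original failure is kept.
verify(Cert, {bad_cert, hostname_check_failed} = Reason, ExpectedNames) ->
    case public_key:pkix_verify_hostname(Cert, ExpectedNames) of
        true  -> {valid, ExpectedNames};
        false -> {fail, Reason}
    end;
%% Any other certificate problem (expired, untrusted CA, ...) still fails.
verify(_Cert, {bad_cert, _} = Reason, _ExpectedNames) ->
    {fail, Reason};
%% Unknown extensions are left to ssl's default handling.
verify(_Cert, {extension, _}, ExpectedNames) ->
    {unknown, ExpectedNames};
%% A CA certificate in the chain, or the peer certificate itself, passed
%% all default checks.
verify(_Cert, valid, ExpectedNames) ->
    {valid, ExpectedNames};
verify(_Cert, valid_peer, ExpectedNames) ->
    {valid, ExpectedNames}.

%% ssl options for a client that trusts CaCertFile and accepts a peer
%% certificate naming any of ExpectedNames. In the ssl API the verify_fun
%% option is the pair {Fun, InitialUserState}; the user state is threaded
%% through the verify/3 calls above unchanged.
client_opts(CaCertFile, ExpectedNames) ->
    [{verify, verify_peer},
     {cacertfile, CaCertFile},
     {verify_fun, {fun ?MODULE:verify/3, ExpectedNames}}].
```

Usage (constructed values): ssl:connect("10.0.0.5", 9999, my_verify:client_opts("/path/to/cacerts.pem", [{dns_id, "node1.cluster.internal"}])). Compared with disabling hostname checks, this keeps the protection the check was designed for: a certificate is only accepted when it is issued by a trusted CA, is otherwise valid, and names one of the identifiers you configured, so a valid certificate for some unrelated host is still rejected.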
2018-01-23 15:59 GMT+01:00 Ingela Andin <ingela.andin@REDACTED>:
> Hi!
>
> Well I forgot you are using distribution over TLS and when specifying the
> fun via the configuration file you must use fun <Module>/3 format for funs.
> So you need to have a module implementing the function that you want to
> use as a fun.
>
> So
>
> -module(my_verify)
>
> -export([verify/3]).
>
> verify(Cert,{bad_cert, hostname_check_failed} = Reason, UserState) ->
> case my_hostname_check(Cert, UserState) of
>
>
> {fail, Reason};
> verify(_,{bad_cert, _} = Reason, _) ->
> {fail, Reason};
> verify(_,{extension, _}, UserState) ->
> {unknown, UserState};
> verify(_, valid, UserState) ->
> {valid, UserState};
> verify(_, valid_peer, UserState) ->
> {valid, UserState}.
>
> 2018-01-23 12:13 GMT+01:00 San Gillis <san.gillis@REDACTED>:
>
>> Hi!
>>
>> First of all, thank you Dmitry and Ingela for the quick replies.
>>
>>> Yes it disables all hostname checks making you vulnerable to the things
>>> they were designed to protect.
>>>
>>
>> Thought so, so I would prefer not to use the disable option.
>>
>>
>>> The way to customize the checks is to handle them in your own
>>> verify_fun, why do you think that is convoluted?
>>>
>>
>> It just seemed weird to me to write erlang functions inside a
>> configuration file. But then again, I didn't understand it could be just a
>> short function, which makes it a lot more acceptable.
>>
>>
>>> The verify_fun can be very simple only specifically handling the {bad_cert,
>>> hostname_check_failed} then all other checks will behave as before. The
>>> verify_fun is not meant to replace the default certificate checks it
>>> is for extending the checks and possibly ignoring some specific error
>>> (even though this is seldom desirable).
>>>
>>> Something like:
>>>
>>> {fun(_,{bad_cert, hostname_check_failed}, _) ->
>>> %%% Perform own check ...
>>> (_,{extension, _}, UserState) ->
>>> {unknown, UserState};
>>> (_, valid, UserState) ->
>>> {valid, UserState};
>>> (_, valid_peer, UserState) ->
>>> {valid, UserState}
>>> end, []}
>>>
>>>
>> I tried this, but the weird thing is that when I explicitly set
>> verify_fun to what is described as the default in the documentation:
>>
>> {fun(_,{bad_cert, _} = Reason, _) ->
>> {fail, Reason};
>> (_,{extension, _}, UserState) ->
>> {unknown, UserState};
>> (_, valid, UserState) ->
>> {valid, UserState};
>> (_, valid_peer, UserState) ->
>> {valid, UserState}
>> end, []}
>>
>> I do not get the hostname_check_failed error anymore. I did not expect this.
>>
>> I believe `ssl_certificate:verify_hostname` is called when I do not explicitly provide verify_fun, because I added some debug statements that got executed.
>>
>> When I do provide the verify_fun as above the debug statements no longer get executed. But I couldn't find any other occurrences of hostname_check_failed in my copy of the `lib` dir of erlang 20.2.
>>
>>
>>
>