<div dir="ltr"><br><div><div class="gmail_extra"><br><div class="gmail_quote">2017-01-13 21:27 GMT+01:00 Kenneth Lakin <span dir="ltr"><<a href="mailto:kennethlakin@gmail.com" target="_blank">kennethlakin@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 01/13/2017 10:57 AM, Ingela Andin wrote:<br>
> Yes interop vs security can be a tradeoff. All these need the user to make<br>
> an active choice.<br>
<br>
</span>Notably, that active choice _doesn't_ include forcing the programmer to<br>
also start the connection in "interop mode". Marking those ssl_options<br>
with Big Red Dire Warnings was (correctly) deemed quite enough notice. :)<br>
<br>
Heck, verify_fun is documented as normal, non-hazardous (that is, it<br>
lacks a Big Red Warning box) API, but can be misused to (accidentally)<br>
seriously compromise one's connection security. verify_fun does _not_<br>
depend on an "enable_hazardous_options" connection flag.<br>
<span class=""><br></span></blockquote><div><br></div><div>verify_fun can be abused (maybe we should add a warning) <br>but it still in a smaller context however ..... <br></div><div><br><br> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
> This to ensure that it is the intent of the connection starter<br>
> that this behaviour should be allowed.<br>
<br>
</span>Given that the caller can bypass this check by pulling the PID out of<br>
the SSLSocket, calling sys:get_state/1 and extracting the<br>
security_parameters, this check seems to be more of an annoyance than<br>
anything else. For instance, how would the author of the (hypothetical)<br>
TLS connection pool library I'm using know that I _never_ will have a<br>
legitimate need to extract the client_random from a connection it<br>
establishes for me?<br>
<br>
<br></blockquote></div><br></div><div class="gmail_extra">... maybe I am being too paranoid ;) Well it seems like a good compromise would<br></div><div class="gmail_extra">be that connection_information will only return these values when explicitly requested<br></div><div class="gmail_extra">along with a warning in the documentation, as we cannot protect against a malicious<br></div><div class="gmail_extra">attacker that has access to the node anyway. <br><br><br></div><div class="gmail_extra">Regards, Ingela, Erlang/OTP team - Ericsson AB <br></div><div class="gmail_extra"><br><br><br></div></div></div>
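The verify_fun misuse Kenneth mentions above, as an added example that is not part of the thread or of OTP: two callbacks for the ssl `verify_fun` option, one that restates ssl's default decisions and one that tolerates a single expected path-validation error only for a pinned certificate. The module name, the CA file path and the pinned hash are assumptions.

```erlang
%% Added example, not code from the thread or from OTP. Two verify_fun
%% callbacks for ssl:connect/4. The accidental catch-all Kenneth warns about is
%%   fun(_Cert, {bad_cert, _}, State) -> {valid, State}; ...
%% which silently accepts expired, mismatched and untrusted certificates.
-module(verify_fun_example).   % hypothetical module name
-export([strict_verify/3, pinned_selfsigned_verify/3, connect/3]).

%% Strict: fail every path-validation error, defer unknown extensions to ssl.
strict_verify(_Cert, {bad_cert, Reason}, _State) ->
    {fail, Reason};
strict_verify(_Cert, {extension, _Ext}, State) ->
    {unknown, State};
strict_verify(_Cert, valid, State) ->
    {valid, State};
strict_verify(_Cert, valid_peer, State) ->
    {valid, State}.

%% Narrow override: State is {pinned, Sha256OfDer}. Only the self-signed
%% reason is tolerated, and only for the one pinned certificate; every other
%% bad_cert reason still fails, so a hostname mismatch or expiry is not hidden.
pinned_selfsigned_verify(Cert, {bad_cert, selfsigned_peer}, {pinned, Pin} = State) ->
    Der = public_key:pkix_encode('OTPCertificate', Cert, otp),
    case crypto:hash(sha256, Der) of
        Pin -> {valid, State};
        _   -> {fail, {bad_cert, selfsigned_peer}}
    end;
pinned_selfsigned_verify(Cert, Event, State) ->
    strict_verify(Cert, Event, State).

%% Pin is the 32-byte SHA-256 of the expected peer certificate's DER encoding
%% (a placeholder the caller supplies); the CA file path is an assumption.
connect(Host, Port, Pin) when is_binary(Pin), byte_size(Pin) =:= 32 ->
    ssl:connect(Host, Port,
                [{verify, verify_peer},
                 {cacertfile, "/etc/ssl/certs/ca-certificates.crt"},
                 {verify_fun, {fun ?MODULE:pinned_selfsigned_verify/3,
                               {pinned, Pin}}}],
                5000).
```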