<div dir="ltr"><br><span class="gmail-code"> {server_name_indication, hostname() | disable}</span></div><div class="gmail_extra"><br><div class="gmail_quote">2017-11-03 16:16 GMT+01:00 Frank Muller <span dir="ltr"><<a href="mailto:frank.muller.erl@gmail.com" target="_blank">frank.muller.erl@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="gmail_quote"><div>Ingela,</div><div dir="auto"><br></div><div dir="auto">Couldn’t find out how to disable this option.</div><div dir="auto">Can you point us to it please ?</div><span class="HOEnZb"><font color="#888888"><div dir="auto"><br></div><div dir="auto">/Frank</div></font></span><div><div class="h5"><div dir="auto"><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Hi!<br><br>In OTP 20, TLS client processes will by default call
public_key:pkix_verify_<wbr>hostname/2 to verify the hostname
of the connection with the server certificate's specified
hostname during certificate path validation. The user may
explicitly disable it. OTP 19 did not perform this check; it was left up to the application to perform it in the verify_fun if they wanted to. It is not really part of the TLS protocol but it is mandated that TLS clients perform the check.<br><br></div>Regards Ingela Erlang/OTP team - Ericsson AB <br><br></div><div class="gmail_extra"><br><div class="gmail_quote">2017-11-03 11:47 GMT+01:00 Roger Lipscombe <span><<a href="mailto:roger@differentpla.net" target="_blank">roger@differentpla.net</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I've got some test code where I connect an Erlang ssl client to an<br>
Erlang ssl server on localhost. On Erlang 19.3, it was passing fine.<br>
On Erlang 20.1, it started failing with<br>
{bad_cert,hostname_check_<wbr>failed}.<br>
<br>
Investigation reveals that I'm connecting to "localhost", the server<br>
cert has ".../CN=testserver", and I'm passing {verify, verify_peer} in<br>
the client options.<br>
<br>
My question is, basically: why didn't Erlang 19 fail?<br>
______________________________<wbr>_________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank">http://erlang.org/mailman/<wbr>listinfo/erlang-questions</a><br>
</blockquote></div><br></div>
</blockquote></div></div></div></div>
</blockquote></div><br></div>
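An added example, not code from any message in this thread: for the test setup described above (TCP connection to "localhost", certificate issued to CN=testserver), the client can keep the OTP 20 hostname check and give it the certificate's name as the reference instead of disabling it. The module name, function names and the `CACertFile` parameter are assumptions made for illustration.

```erlang
-module(tls_hostname_example).
-export([connect/4, name_matches/2]).

%% Connect to Address:Port over TLS, but validate the server certificate
%% against CertName rather than Address, e.g.
%%   connect("localhost", 8443, "testserver", "ca.pem")
%% (port and CA file name are constructed sample values).
%% The ssl application must be started first, e.g. with ssl:start().
connect(Address, Port, CertName, CACertFile) ->
    Opts = [{verify, verify_peer},
            {cacertfile, CACertFile},
            %% Sent as the SNI extension and used as the reference name
            %% for the hostname check during certificate path validation.
            {server_name_indication, CertName}],
    %% {server_name_indication, disable} would turn the hostname check off:
    %% the chain is still validated, but a certificate issued by the trusted
    %% CA to any other host would then be accepted as well.
    ssl:connect(Address, Port, Opts, 5000).

%% Repeat the comparison by hand on an established connection; this is what
%% an OTP 19 application had to arrange for itself.
name_matches(SslSocket, CertName) ->
    {ok, DerCert} = ssl:peercert(SslSocket),
    public_key:pkix_verify_hostname(DerCert, [{dns_id, CertName}]).
```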