<div dir="ltr"><div>I tried adding {server_name_indication, disable} to my ssl_dist_optfile. (So it is `[{server, ...}, {client, [..., {server_name_indication, disable}]}]`, is that correct?). This doesn't change the error I get.<br><br></div>Also, if I understand the documentation correctly, this disables all hostname checking. Would this leave us vulnerable to MITM attacks?<br></div><div class="gmail_extra"><br><div class="gmail_quote">2018-01-22 16:34 GMT+01:00 Dmitry Kolesnikov <span dir="ltr"><<a href="mailto:dmkolesnikov@gmail.com" target="_blank">dmkolesnikov@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">Hello,<div><br></div><div>I had a similar problem with plain TLS socket after 19.x to 20.x migration. This is due to SNI feature. I’ve disabled it using following ssl socket option: {server_name_indication, <wbr>disable}</div><div><br></div><div>I think same applies for dist sockets as well. </div><div><br></div><div>Best Regards, </div><div>Dmitry<br><div><br><blockquote type="cite"><div><div class="h5"><div>On 22 Jan 2018, at 17.28, San Gillis <<a href="mailto:san.gillis@truqu.com" target="_blank">san.gillis@truqu.com</a>> wrote:</div><br class="m_-1979495790397265361Apple-interchange-newline"></div></div><div><div><div class="h5"><div dir="ltr"><div><div>Since upgrading to Erlang 20.2 (from 19.3) we've been having issues with using SSL for Erlang distribution.</div></div><div><br></div><div>We used to run our nodes with</div><div>```</div><div>-ssl_dist_opt server_verify verify_peer</div><div>-ssl_dist_opt client_verify verify_peer</div><div>```</div><div>in the vm.args file. Since the upgrade this failed with {bad_cert, hostname_check_failed}.</div><div><br></div><div>I noticed that this hostname check fails because `fun public_key:verify_hostname_<wbr>match_default/2` is receiving `{dns_id, "<a href="mailto:nodename@subdomain.hostname.com" target="_blank">nodename@subdomain.hostname.<wbr>com</a>"}` and `{dNSName,"*.<a href="http://hostname.com/" target="_blank">hostname.com</a>"}` as arguments, which will fail to check.</div><div><br></div><div>I have looked into providing `verify_fun` to do custom verification, but this seems pretty convoluted if I just want to `erl -remsh <a href="mailto:nodename@subdomain.hostname.com" target="_blank">nodename@subdomain.hostname.<wbr>com</a> -ssl_dist_optfile ...` into the given node.</div><div><br></div><div>Did anyone else run into this issue? Are there some better ways to fix this?<br></div></div></div></div>
______________________________<wbr>_________________<br>erlang-questions mailing list<br><a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br><a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/<wbr>listinfo/erlang-questions</a><br></div></blockquote></div><br></div></div></blockquote></div><br></div>