<div dir="ltr">Hi!<div><br></div><div>Well, I forgot you are using distribution over TLS, and when specifying the fun via the configuration file you must use the fun <Module>/3 format for funs.</div><div>So you need to have a module implementing the function that you want to use as a fun.</div><div> </div><div><div class="gmail_extra">So </div><div class="gmail_extra"><br></div><div class="gmail_extra"><pre>-module(my_verify).

-export([verify/3]).

%% The default hostname check failed: run your own check instead
%% (my_hostname_check/2 is your own function, not shown here) and
%% fail the handshake unless it passes.
verify(Cert, {bad_cert, hostname_check_failed} = Reason, UserState) ->
    case my_hostname_check(Cert, UserState) of
        true  -> {valid, UserState};
        false -> {fail, Reason}
    end;
%% Any other certificate error stays fatal.
verify(_, {bad_cert, _} = Reason, _) ->
    {fail, Reason};
%% Unknown extensions are left to the default handling.
verify(_, {extension, _}, UserState) ->
    {unknown, UserState};
verify(_, valid, UserState) ->
    {valid, UserState};
verify(_, valid_peer, UserState) ->
    {valid, UserState}.</pre></div><div class="gmail_extra"><br><div class="gmail_quote">2018-01-23 12:13 GMT+01:00 San Gillis <span dir="ltr"><<a href="mailto:san.gillis@truqu.com" target="_blank">san.gillis@truqu.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi!<br></div><div><br></div><div>First of all, thank you Dmitry and Ingela for the quick replies.<br></div><div class="gmail_extra"><br><div class="gmail_quote"><span class="gmail-"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span class="gmail-m_4166426748907860736gmail-"><div>Yes, it disables all hostname checks, making you vulnerable to the things they were designed to protect against.</div></span></div></blockquote><div><br></div></span><div>Thought so, so I would prefer not to use the disable option.<br></div><span class="gmail-"><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span class="gmail-m_4166426748907860736gmail-"><div>The way to customize the checks is to handle them in your own verify_fun; why do you think that is convoluted?</div></span></div></blockquote><div><br></div></span><div>It just seemed weird to me to write Erlang functions inside a configuration file. But then again, I didn't understand it could be just a short function, which makes it a lot more acceptable.<br></div><span class="gmail-"><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div>The verify_fun can be very simple, only specifically handling the <span style="font-size:12.8px"> </span><span style="font-size:12.8px">{bad_cert, hostname_check_failed}; then all other checks will behave as before. The verify_fun is not meant to replace the default certificate checks; it </span></div><div><span style="font-size:12.8px">is for extending the checks </span><span style="font-size:12.8px">and possibly ignoring some specific error (even though this is seldom desirable). 
</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Something like:</span></div><div><span style="font-size:12.8px"><br></span></div><div><pre style="font-family:mono,Courier,monospace;margin-top:0px;margin-bottom:0px;color:rgb(56,58,66);font-size:11.2px">{fun(_,{bad_cert, hostname_check_failed}, _) ->
%%% Perform own check ...
(_,{extension, _}, UserState) ->
{unknown, UserState};
(_, valid, UserState) ->
{valid, UserState};
(_, valid_peer, UserState) ->
{valid, UserState}
end, []}</pre></div></div></div></div></blockquote><div><br></div></span><div>I tried this, but the weird thing is that when I explicitly set verify_fun to what is described as the default in the documentation:</div><div><br></div><div><pre>{fun(_,{bad_cert, _} = Reason, _) ->
{fail, Reason};
(_,{extension, _}, UserState) ->
{unknown, UserState};
(_, valid, UserState) ->
{valid, UserState};
(_, valid_peer, UserState) ->
{valid, UserState}
end, []}<br><br></pre><pre><font face="arial,helvetica,sans-serif">I do not get the hostname_check_failed error anymore. I did not expect this.<br><br></font></pre><pre><font face="arial,helvetica,sans-serif">I believe `ssl_certificate:verify_hostname` is called when I do not explicitly provide verify_fun, because I added some debug statements that got executed.<br></font></pre><pre><font face="arial,helvetica,sans-serif">When I do provide the verify_fun as above, the debug statements no longer get executed. But I couldn't find any other occurrences of hostname_check_failed in my copy of the `lib` dir of Erlang 20.2. <br></font></pre></div></div><br></div></div>
</blockquote></div><br></div></div></div>
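As a worked version of the approach described in the thread, here is a complete verify module that only takes over the `{bad_cert, hostname_check_failed}` case and leaves every other certificate check as it is. This is an added example, not code from the thread or from OTP. It assumes that the user state handed to the fun is a list of reference identifiers the peer may present (the `{dns_id, "node1.internal.example"}` name is invented), that the check is redone with `public_key:pkix_verify_hostname/2` (available from OTP 20), and that the TLS distribution option file has the `[{server, Opts}, {client, Opts}]` shape sketched in the comment. The file name and certificate paths are placeholders.

```erlang
%% my_verify.erl -- added example; not the thread's or OTP's own code.
%%
%% Assumed option file for -ssl_dist_optfile (a term file, so the fun can only
%% be written in the fun Module:Function/Arity form, never as an anonymous fun):
%%
%%   [{server, [{certfile, "node.pem"}, {keyfile, "node.key"},
%%              {cacertfile, "ca.pem"}, {verify, verify_peer},
%%              {fail_if_no_peer_cert, true},
%%              {verify_fun, {fun my_verify:verify/3,
%%                            [{dns_id, "node1.internal.example"}]}}]},
%%    {client, [{certfile, "node.pem"}, {keyfile, "node.key"},
%%              {cacertfile, "ca.pem"}, {verify, verify_peer},
%%              {verify_fun, {fun my_verify:verify/3,
%%                            [{dns_id, "node1.internal.example"}]}}]}].
-module(my_verify).
-export([verify/3]).

%% The built-in hostname check failed. UserState is our own allow-list of
%% reference identifiers (see public_key:pkix_verify_hostname/2), for example
%% [{dns_id, "node1.internal.example"}] when nodes are reached through a name
%% that is not the one the connection was opened with. Re-run the check
%% against that list; fail the handshake unless the certificate's
%% subjectAltName (or CN fallback) matches one of them. Returning
%% {valid, _} unconditionally here would be the same as disabling the check.
verify(Cert, {bad_cert, hostname_check_failed} = Reason, RefIds)
  when is_list(RefIds) ->
    case public_key:pkix_verify_hostname(Cert, RefIds) of
        true  -> {valid, RefIds};
        false -> {fail, Reason}
    end;
%% Every other certificate error stays fatal: the fun extends the default
%% checks, it does not replace them.
verify(_Cert, {bad_cert, _} = Reason, _UserState) ->
    {fail, Reason};
%% Unknown extensions are left to the default handling.
verify(_Cert, {extension, _}, UserState) ->
    {unknown, UserState};
%% Intermediate CA certificate passed path validation.
verify(_Cert, valid, UserState) ->
    {valid, UserState};
%% The peer (leaf) certificate passed path validation.
verify(_Cert, valid_peer, UserState) ->
    {valid, UserState}.
```

Keep the reference-identifier list as narrow as possible; a `{dns_id, ...}` entry admits exactly that name (plus the wildcard rules of the matcher), so listing every node name you actually connect to is safer than a broad pattern, and `{fail, Reason}` in the `false` branch is what keeps the protection the disable option would throw away.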