<div dir="ltr"><div>Hi!</div><div><br></div><div>Just ignore my previous mail. Note to self: never edit code in a browser mail window! ;)</div><div><br></div><div><div style="font-size:12.8px">Well, I forgot you are using distribution over TLS, and when specifying the fun via the configuration file you must use the fun <Module>:<Function>/3 format for funs.</div><div style="font-size:12.8px">So you need to have a module implementing the function that you want to use as a fun.</div></div><div><br></div><div>Something like:</div><div><br></div><div><pre>-module(my_verify).

-export([verify/3]).

%% my_hostname_check/2 is your own hostname check, to be implemented in
%% this module; it is not shown here.
verify(Cert, {bad_cert, hostname_check_failed} = Reason, UserState) ->
    case my_hostname_check(Cert, UserState) of
        true ->
            {valid, UserState};
        false ->
            {fail, Reason}
    end;
verify(_, {bad_cert, _} = Reason, _) ->
    {fail, Reason};
verify(_, {extension, _}, UserState) ->
    {unknown, UserState};
verify(_, valid, UserState) ->
    {valid, UserState};
verify(_, valid_peer, UserState) ->
    {valid, UserState}.</pre></div><div><br></div><div>And an option like: {verify_fun, {fun my_verify:verify/3, <UserState>}}</div><div><br></div><div>This is a limitation for distribution over TLS, as unnamed funs cannot be handled in files.</div><div><br></div><div>Regards, Ingela, Erlang/OTP team</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-01-23 15:59 GMT+01:00 Ingela Andin <span dir="ltr"><<a href="mailto:ingela.andin@gmail.com" target="_blank">ingela.andin@gmail.com</a>></span>:<br><blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi!<div><br></div><div>Well I forgot you are using distribution over TLS and when specifying the fun via the configuration file you must use fun <Module>/3 format for funs.</div><div>So you need to have a module implementing the function that you want to use as a fun.</div><div> </div><div><div class="gmail_extra">So </div><div class="gmail_extra"><br></div><div class="gmail_extra">-module(my_verify)</div><div class="gmail_extra"><br></div><div class="gmail_extra">-export([verify/3]).</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra">verify(Cert,{bad_cert, hostname_check_failed} = Reason, UserState) -></div><div class="gmail_extra"><span style="white-space:pre-wrap"> </span> case my_hostname_check(Cert, UserState) of</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">{fail, Reason};</div></div><div class="gmail_extra"><div class="gmail_extra">verify(_,{bad_cert, _} = Reason, _) -></div><div class="gmail_extra"><span style="white-space:pre-wrap"> </span> {fail, Reason};</div><div class="gmail_extra">verify(_,{extension, _}, UserState) -></div><div class="gmail_extra"><span style="white-space:pre-wrap"> </span> {unknown, UserState};</div><div class="gmail_extra">verify(_, valid, UserState) -></div><div class="gmail_extra"><span style="white-space:pre-wrap"> </span> {valid, UserState};</div><div class="gmail_extra">verify(_, valid_peer, UserState) -></div><div class="gmail_extra"> {valid, UserState}.</div></div><div><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">2018-01-23 12:13 GMT+01:00 San Gillis <span dir="ltr"><<a href="mailto:san.gillis@truqu.com" target="_blank">san.gillis@truqu.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div 
dir="ltr"><div>Hi!<br></div><div><br></div><div>First of all, thank you Dmitry and Ingela for the quick replies.<br></div><div class="gmail_extra"><br><div class="gmail_quote"><span class="m_7532680968603613151gmail-"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span class="m_7532680968603613151gmail-m_4166426748907860736gmail-"><div>Yes, it disables all hostname checks, making you vulnerable to the things they were designed to protect against.</div></span></div></blockquote><div><br></div></span><div>Thought so, so I would prefer not to use the disable option.<br></div><span class="m_7532680968603613151gmail-"><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span class="m_7532680968603613151gmail-m_4166426748907860736gmail-"><div>The way to customize the checks is to handle them in your own verify_fun; why do you think that is convoluted?</div></span></div></blockquote><div><br></div></span><div>It just seemed weird to me to write Erlang functions inside a configuration file. But then again, I didn't understand it could be just a short function, which makes it a lot more acceptable.<br></div><span class="m_7532680968603613151gmail-"><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div>The verify_fun can be very simple, only specifically handling <span style="font-size:12.8px">{bad_cert, hostname_check_failed}; then all other checks will behave as before.
The verify_fun is not meant to replace the default certificate checks; it </span></div><div><span style="font-size:12.8px">is for extending the checks </span><span style="font-size:12.8px">and possibly ignoring some specific error (even though this is seldom desirable). </span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Something like:</span></div><div><span style="font-size:12.8px"><br></span></div><div><pre style="font-family:mono,Courier,monospace;margin-top:0px;margin-bottom:0px;color:rgb(56,58,66);font-size:11.2px">{fun(_, {bad_cert, hostname_check_failed}, _) ->
        %%% Perform own check ...
    (_, {extension, _}, UserState) ->
        {unknown, UserState};
    (_, valid, UserState) ->
        {valid, UserState};
    (_, valid_peer, UserState) ->
        {valid, UserState}
 end, []}</pre></div></div></div></div></blockquote><div><br></div></span><div>I tried this, but the weird thing is that when I explicitly set verify_fun to what is described as the default in the documentation:</div><div><br></div><div><pre>{fun(_, {bad_cert, _} = Reason, _) ->
        {fail, Reason};
    (_, {extension, _}, UserState) ->
        {unknown, UserState};
    (_, valid, UserState) ->
        {valid, UserState};
    (_, valid_peer, UserState) ->
        {valid, UserState}
 end, []}</pre></div><div><br></div><div>I do not get the hostname_check_failed error anymore. I did not expect this.<br></div><div><br></div><div>I believe `ssl_certificate:verify_hostname` is called when I do not explicitly provide verify_fun, because I added some debug statements that got executed.<br></div><div>When I do provide the verify_fun as above, the debug statements no longer get executed. But I couldn't find any other occurrences of hostname_check_failed in my copy of the `lib` dir of Erlang 20.2.<br></div></div><br></div></div>
</blockquote></div><br></div></div></div></div></div>
</blockquote></div><br></div>
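As an added, self-contained example (not code from the thread or from OTP): the named verify_fun discussed above with the hostname check filled in using public_key:pkix_verify_hostname/2 (public_key, OTP 20 and later), where UserState carries the reference identifiers the peer certificate must match. The module name my_verify, the reference identifiers, and the certificate paths in the commented configuration are assumed placeholders, and the configuration file is assumed to be the one passed with -ssl_dist_optfile.

```erlang
%% my_verify.erl: added example (not from the thread or from OTP) of a
%% named verify_fun usable from the TLS distribution configuration file.
%% Assumptions: the hostname check is public_key:pkix_verify_hostname/2,
%% and UserState is the list of reference identifiers the peer must match,
%% e.g. [{dns_id, "node1.example.com"}, {dns_id, "node2.example.com"}].
%% The identifiers and paths below are placeholders.
-module(my_verify).

-export([verify/3]).

%% Configuration in the file given with -ssl_dist_optfile (placeholder
%% paths), wired to this module with the fun Module:Function/Arity form:
%%
%%   [{server, [{certfile,   "/etc/erlang/node.pem"},
%%              {cacertfile, "/etc/erlang/ca.pem"},
%%              {verify, verify_peer},
%%              {fail_if_no_peer_cert, true},
%%              {verify_fun, {fun my_verify:verify/3,
%%                            [{dns_id, "node1.example.com"}]}}]},
%%    {client, [{certfile,   "/etc/erlang/node.pem"},
%%              {cacertfile, "/etc/erlang/ca.pem"},
%%              {verify, verify_peer},
%%              {verify_fun, {fun my_verify:verify/3,
%%                            [{dns_id, "node1.example.com"}]}}]}].
%%
%% The compiled module must be on the code path of every node (for
%% example via -pa) before distribution starts.

verify(Cert, {bad_cert, hostname_check_failed} = Reason, RefIds) ->
    %% ssl's own hostname check failed. Re-check the certificate against
    %% our configured reference identifiers (subjectAltName dNSName
    %% entries, falling back to the subject CN when there is no
    %% subjectAltName) and accept it only on a match.
    case public_key:pkix_verify_hostname(Cert, RefIds) of
        true  -> {valid, RefIds};
        false -> {fail, Reason}
    end;
verify(_Cert, {bad_cert, _} = Reason, _RefIds) ->
    %% Every other certificate error (expired, unknown CA, ...) stays fatal.
    {fail, Reason};
verify(_Cert, {extension, _}, RefIds) ->
    %% Unknown extensions: leave them to ssl's default handling.
    {unknown, RefIds};
verify(_Cert, valid, RefIds) ->
    {valid, RefIds};
verify(_Cert, valid_peer, RefIds) ->
    {valid, RefIds}.
```

The only relaxation here is for hostname_check_failed, and even that is accepted only after the peer certificate matches one of the identifiers you configured; every other {bad_cert, _} reason still fails the handshake, so the default chain validation is untouched.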