[erlang-questions] enforcing ssl trust chain

[Ingela Anderton Andin]

Hi!

Emile Joubert wrote:
>
>>> In a production environment I want to prevent clients without
>>> certificates signed by a known CA from connecting. Is there any way of
>>> getting this behaviour by using configuration files? The only way I can
>>> find is to set verify_fun to an appropriate function, but this is
>>> unappealing because I want to change my mind without needing to recompile.
>>>       
>> At the moment defining a verify fun would be your option to accomplish this.
>> We might add some other configuration option if we find that it seems to be
>> a good thing from a general point of view.
>>     
>
> I've tried that, but verify_fun gets called regardless of whether verify
> is set to verify_none or verify_peer. My reading of the documentation is
> that certificate path validation errors should be ignored if verify_none
> is set, regardless of verify_fun. Can you please confirm?
>
>   
Humm ... that might be a bug, proably in the public_key path validation. 
I am looking into that now.

It should work as:

If verify_none all possible path validation errors will be passed to the 
the verify fun and it will
be up to the verify fun if the connection should fail or succeed. At the 
moment this option
is only relevant for the client side as the server will never send a 
certificate request in  verify_none
mode. ( It is possible that we want this to be possible and we are 
looking in to that now).

If verify_peer any path validation error should make the connection fail 
we should never
get to the branch using the verify fun, the public_key path validation 
should return {error, Reason}.

Regards Ingela Erlang/OTP team - Ericsson AB