[erlang-questions] SSL verify_fun option

Konrad Kaplita konrad.kaplita@REDACTED
Fri Sep 2 16:06:02 CEST 2011


Hi all,

I need some advice from an SSL guru here. I want to implement SSL mutual
authentication. I'm using R14B02. During certificate validation I also want
to obtain the Common Name value. To do this I try to use the verify_fun option,
but with no luck.

Documentation states:

> The verify fun will be called during the X509-path validation when an error
> or an extension unknown to the ssl application is encountered. Additionally
> it will be called when a certificate is considered valid by the path
> validation to allow access to each certificate in the path to the user
> application.


My SSL Options tuple looks like this:

    {ssl_opts, [{certfile,   filename:join([code:priv_dir(ws), "ssl", "server.crt"])},
                {keyfile,    filename:join([code:priv_dir(ws), "ssl", "server.key"])},
                {verify, verify_peer},
                {cacertfile, filename:join([code:priv_dir(ws), "ssl", "ca.crt"])},
                {fail_if_no_peer_cert, true},
                {verify_fun, {fun validate/3, []}}]}


I expect that my validate fun will be invoked after a successful SSL
handshake, but it's not.

After some digging I discovered that ssl_handshake:certify/6 function has
been changed in this commit:
https://github.com/erlang/otp/commit/4dbf3c9e4ae7cfd19b247353369166d31b8f15e5#diff-0

It basically wraps my verify_fun in its own, and passes this further to
pubkey_cert:verify_fun/4, and it never invokes my verify_fun, due to the
change introduced by the commit mentioned above (when you have a valid
certificate, your verify_fun is never called, which is contrary to the
documentation).

Is the current behaviour intentional or a bug? Or maybe I'm doing something
wrong along the way?

Kind regards,
Konrad
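Added example (not code from the original post or from OTP): a verify_fun written against the documented contract quoted above, the same server-side option list, and a helper that reads the peer's Common Name after the handshake through ssl:peercert/1 and public_key:pkix_decode_cert/2, which does not depend on verify_fun being called at all. The module name, the Dir argument and the sample cn_verify API are assumptions for illustration.

```erlang
%% Added example, not part of the original post. Module and function names are
%% assumed for illustration; the ssl/public_key calls are standard OTP APIs.
-module(cn_verify).
-export([ssl_opts/1, validate/3, peer_common_name/1, common_name/1]).

-include_lib("public_key/include/public_key.hrl").

%% Same server-side options as in the post. Dir is assumed to be the
%% directory holding the PEM files, e.g. filename:join(code:priv_dir(ws), "ssl").
ssl_opts(Dir) ->
    [{certfile,   filename:join(Dir, "server.crt")},
     {keyfile,    filename:join(Dir, "server.key")},
     {cacertfile, filename:join(Dir, "ca.crt")},
     {verify, verify_peer},              %% require and verify a client certificate
     {fail_if_no_peer_cert, true},       %% no certificate -> handshake fails
     {verify_fun, {fun ?MODULE:validate/3, []}}].

%% verify_fun contract: fun(OtpCert, Event, UserState) ->
%%   {valid, UserState} | {valid_peer, UserState} | {fail, Reason} | {unknown, UserState}
validate(_Cert, {bad_cert, Reason}, _State) ->
    %% Path validation already failed; never override this, reject the handshake.
    {fail, Reason};
validate(_Cert, {extension, _Ext}, State) ->
    %% Extension unknown to the ssl application; 'unknown' lets validation go on.
    %% Return {fail, ...} here if unknown critical extensions must be rejected.
    {unknown, State};
validate(_Cert, valid, State) ->
    %% A CA / intermediate certificate in the path was accepted.
    {valid, State};
validate(Cert, valid_peer, State) ->
    %% The leaf (peer) certificate was accepted: record its CN in the user state.
    {valid_peer, [{common_name, common_name(Cert)} | State]}.

%% After ssl:ssl_accept/1 or ssl:connect/3 has succeeded the peer certificate
%% can be fetched directly; this route needs no verify_fun.
peer_common_name(SslSocket) ->
    case ssl:peercert(SslSocket) of
        {ok, Der} ->
            {ok, common_name(public_key:pkix_decode_cert(Der, otp))};
        {error, _} = Err ->
            Err
    end.

%% Pull the first id-at-commonName out of the subject RDN sequence.
common_name(#'OTPCertificate'{tbsCertificate =
                                  #'OTPTBSCertificate'{subject = Subject}}) ->
    {rdnSequence, RDNs} = Subject,
    CNs = [V || RDN <- RDNs,
                #'AttributeTypeAndValue'{type = ?'id-at-commonName',
                                         value = V} <- RDN],
    case CNs of
        [CN | _] -> cn_to_list(CN);
        []       -> undefined
    end.

%% X520CommonName is an ASN.1 CHOICE; normalise the usual encodings to a string.
cn_to_list({printableString, S})                   -> S;
cn_to_list({utf8String, B}) when is_binary(B)      -> unicode:characters_to_list(B);
cn_to_list({teletexString, S})                     -> S;
cn_to_list({ia5String, S})                         -> S;
cn_to_list({universalString, S})                   -> S;
cn_to_list({bmpString, S})                         -> S;
cn_to_list(Other)                                  -> Other.
```

Two practical points. First, the UserState accumulated inside validate/3 lives in the handshake and is not handed back through the socket API, so whether or not the valid_peer event fires on a given release, the reliable way to get the CN in the application is peer_common_name/1 once ssl:ssl_accept/1 has returned. Second, the {bad_cert, Reason} clause must keep returning {fail, Reason}; a verify_fun that answers {valid, State} there turns verify_peer into an accept-anything check, which is the classic way mutual authentication gets silently disabled.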

