[erlang-questions] SSL verify_fun option

Ingela Andin ingela@REDACTED
Mon Sep 5 10:00:35 CEST 2011


This commit will have the effect that your verify_fun will not be called
with the "extended_key_usage-extension" as a unknown extension that
has not been verified, as it
has been verified by  the ssl application.
However your verify_fun should be called with the whole certificate
giving you the chance to verify
this extension further if you so desire.  I am referring to one of the clause:

(Cert, valid, UserState) ->  ...

(Cert, valid_peer, UserState) -> ...

Regards Ingela Erlang/OTP team - Ericsson AB

2011/9/2 Konrad Kaplita <konrad.kaplita@REDACTED>:
> Hi all,
> I need an advice from some SSL guru here. I want to implement SSL mutual
> authentication. I'm using R14B02. During certificate validation I want also
> to obtain Common Name value. To do this I try to use verify_fun option but
> with no luck.
> Documentation states:
>> The verify fun will be called during the X509-path validation when an
>> error or an extension unknown to the ssl application is encountered.
>> Additionally it will be called when a certificate is considered valid by the
>> path validation to allow access to each certificate in the path to the user
>> application.
> My SSL Options tuple looks like this:
>>                     {ssl_opts, [{certfile,
>> filename:join([code:priv_dir(ws), "ssl", "server.crt"])},
>>                                   {keyfile,
>> filename:join([code:priv_dir(ws), "ssl", "server.key"])},
>>                                   {verify, verify_peer},
>>                                   {cacertfile,
>> filename:join([code:priv_dir(ws), "ssl", "ca.crt"])},
>>                                   {fail_if_no_peer_cert, true},
>>                                   {verify_fun, {fun validate/3, []}}
> I expect that my validate fun will be invoked after successfull SSL
> handshake, but it's not.
> After some digging I discovered that ssl_handshake:certify/6 function has
> been changed in this
> commit: https://github.com/erlang/otp/commit/4dbf3c9e4ae7cfd19b247353369166d31b8f15e5#diff-0
> It basically wraps my verify_fun in it's own, and passes this further to
> pubkey_cert:verify_fun/4, and it never invokes my verify_fun, due to the
> change introduced by the commit mentioned above (when you have valid
> vertificate, your verify_fun is never called, which is in opposite to the
> documentation).
> Is current behaviour intentional or a bug? Or maybe I'm doing something
> wrong along the way?
> Kind regards,
> Konrad
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions

More information about the erlang-questions mailing list