[erlang-questions] SSL Client CA Certs/chain validation

Geoff Cant nem@REDACTED
Thu Jul 23 01:35:40 CEST 2015


Hi all, I’m wondering if anyone has written a guide (or can link to example code) showing how they use OTP’s SSL library to connect to arbitrary TLS servers on the internet with X.509 cert chain validation.

I know the default SSL library option is ‘verify_none’, and that there is a ‘cacertfile’ option, but a) it’s 2015 and you should verify cert chains, and b) are people really bundling all the standard public CA certs into a single giant cacertfile? If you are bundling, say, all of Ubuntu’s /etc/certs, do you have any tooling for this (cat /etc/certs/*.pem >> get_me_everyone.cacerts)? Am I missing something, and OTP automatically uses the contents of /etc/certs?

Also, are people writing utility libraries/code to wrap ssl:* in order to set up the connect/listen options they use? (I know I wrote one to do certificate pinning.)


I’m generally curious about your OTP ssl client use - particularly around cert chain validation.

Cheers,
-Geoff
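As an added example, not part of Geoff's post or of OTP's own code, here is a small client module of the kind the post asks about: it turns on chain validation with `verify_peer`, loads the operating system's trust store instead of a hand-built bundle, sends SNI, and checks the server certificate against the hostname. It assumes OTP 25 or later for `public_key:cacerts_get/0` (which reads the OS CA store, e.g. the `/etc/ssl/certs` bundle on Debian/Ubuntu); on older releases the `cacerts` entry would be replaced by `{cacertfile, Path}` with a bundle path of your own. The module name, `connect/2`, `opts/1` and the 5000 ms timeout are hypothetical choices made for this example.

```erlang
-module(tls_client_example).
-export([opts/1, connect/2]).

%% Client options that actually validate the server's chain and name.
%% Host must be a string (charlist) because it is also used for SNI.
opts(Host) ->
    [%% Fail the handshake unless the chain verifies to a trusted root.
     {verify, verify_peer},
     %% OS trust store (OTP 25+). Older releases: {cacertfile, "ca-bundle.pem"}
     %% with a real bundle path substituted for that placeholder.
     {cacerts, public_key:cacerts_get()},
     %% Do not accept arbitrarily long chains.
     {depth, 3},
     %% Server Name Indication, so virtual-hosted servers present the right cert.
     {server_name_indication, Host},
     %% Match the certificate's SAN/CN against Host using HTTPS rules
     %% (wildcards handled per RFC 6125); verify_peer alone does not do this
     %% unless the hostname matches exactly.
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% Connect, report the negotiated protocol and cipher suite, then close.
%% Returns {ok, [{protocol, _}, {selected_cipher_suite, _}]} or {error, Reason};
%% a chain or hostname failure surfaces as {error, {tls_alert, _}}.
connect(Host, Port) ->
    ok = ssl:start(),
    case ssl:connect(Host, Port, opts(Host), 5000) of
        {ok, Socket} ->
            Info = ssl:connection_information(Socket,
                                              [protocol, selected_cipher_suite]),
            ok = ssl:close(Socket),
            Info;
        {error, Reason} ->
            {error, Reason}
    end.
```

Usage from a shell would be `tls_client_example:connect("example.com", 443).`; with these options a self-signed server, an expired chain, or a certificate issued for a different name all fail the handshake instead of silently connecting, which is the behaviour `verify_none` hides.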

