[erlang-questions] SSL Client CA Certs/chain validation

Kaiduan Xie kaiduanx@REDACTED
Thu Jul 23 02:28:56 CEST 2015


The following articles explain things very clearly:

http://security.stackexchange.com/questions/59566/ssl-certificate-chain-verification

http://security.stackexchange.com/questions/56389/ssl-certificate-framework-101-how-does-the-browser-actually-verify-the-validity

/Kaiduan

On Wed, Jul 22, 2015 at 7:35 PM, Geoff Cant <nem@REDACTED> wrote:
> Hi all, I’m wondering if anyone has written a guide (or can link to example code) showing how they use OTP’s SSL library to connect to arbitrary TLS servers on the internet with X.509 cert chain validation.
>
> I know the default SSL library option is ‘verify_none’, and that there is a ‘cacertfile’ option, but a) it’s 2015 and you should verify cert chains, and b) are people really bundling all the standard public CA certs into a single giant cacertfile? If you are bundling say all of Ubuntu’s /etc/certs, do you have any tooling for this (cat /etc/certs/*.pem >> get_me_everyone.cacerts)? Am I missing something and OTP automatically uses the contents of /etc/certs?
>
> Also, are people writing utility libraries/code to wrap ssl:* in order to set up the connect/listen options they use? (I know I wrote one to do certificate pinning)
>
>
> I’m generally curious about your OTP ssl client use - particularly around cert chain validation.
>
> Cheers,
> -Geoff
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
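As an added illustration of the kind of wrapper Geoff asks about (example code, not from either poster or from OTP itself): a small module that turns on chain validation instead of the verify_none default. The CA bundle path is an assumption (the Debian/Ubuntu location); adjust it for your system.

```erlang
%% Added example, not part of the thread: minimal ssl:connect wrapper
%% that validates the server's X.509 chain against the system CA bundle.
-module(tls_client).
-export([client_opts/1, connect/2]).

%% Assumption: distro-maintained CA bundle (Debian/Ubuntu path).
-define(CA_BUNDLE, "/etc/ssl/certs/ca-certificates.crt").

%% Build the client option list. The two settings that matter for chain
%% validation are verify_peer (the default verify_none accepts any chain)
%% and a cacertfile the chain must terminate in.
client_opts(Host) ->
    [{verify, verify_peer},
     {cacertfile, ?CA_BUNDLE},
     {depth, 3},                        % max intermediates allowed in the path
     {server_name_indication, Host},    % SNI so the server presents the right cert
     binary,
     {active, false}].

%% Connect with validation on. Chain failures (unknown CA, expired cert,
%% broken path) surface as {error, {tls_alert, _}} rather than a socket.
connect(Host, Port) ->
    {ok, _} = application:ensure_all_started(ssl),
    case ssl:connect(Host, Port, client_opts(Host), 5000) of
        {ok, Sock} ->
            {ok, Sock};
        {error, Reason} ->
            {error, Reason}
    end.
```

verify_peer checks that the chain leads to a trusted CA; check your OTP release's ssl documentation for whether the certificate's name is also matched against Host, since older releases leave that to the caller.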