[erlang-questions] SSL 'verify_peer' client option changed between Erlang 19.3/20.1?

Ingela Andin ingela.andin@REDACTED
Fri Nov 3 15:43:38 CET 2017


Hi!

In OTP 20, TLS client processes will by default call
public_key:pkix_verify_hostname/2 to verify the hostname of the connection
against the server certificate's specified hostname during certificate path
validation. The user may explicitly disable it. OTP 19 did not perform
this check; it was left up to the application to perform it in the
verify_fun if it wanted to. It is not really part of the TLS protocol, but
it is mandated that TLS clients perform the check.

Regards, Ingela
Erlang/OTP team - Ericsson AB


2017-11-03 11:47 GMT+01:00 Roger Lipscombe <roger@REDACTED>:

> I've got some test code where I connect an Erlang ssl client to an
> Erlang ssl server on localhost. On Erlang 19.3, it was passing fine.
> On Erlang 20.1, it started failing with
> {bad_cert,hostname_check_failed}.
>
> Investigation reveals that I'm connecting to "localhost", the server
> cert has ".../CN=testserver", and I'm passing {verify, verify_peer} in
> the client options.
>
> My question is, basically: why didn't Erlang 19 fail?
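As an added example (not code from the thread, nor from OTP itself), the following Erlang module shows the situation Roger describes handled the way Ingela's reply implies on OTP 20: the client keeps {verify, verify_peer}, supplies the name the certificate actually carries through server_name_indication instead of switching the check off, and re-runs public_key:pkix_verify_hostname/2 on the peer certificate after the handshake. The port 8443, the ca.pem path and the name "testserver" are assumptions for illustration.

```erlang
%% tls_hostname_demo.erl
%% Assumed setup: a TLS server on localhost:8443 whose certificate is issued
%% for "testserver" (the thread's scenario), signed by the CA in ca.pem.
%% Port, file name and certificate name are illustrative placeholders.
-module(tls_hostname_demo).
-export([client_opts/2, connect/3, hostname_ok/2]).

%% Client options that keep verify_peer and let the OTP 20 hostname check
%% succeed when the TCP endpoint ("localhost") differs from the certificate
%% name. In OTP 20 server_name_indication is used both for the SNI extension
%% and as the reference identifier given to public_key:pkix_verify_hostname/2.
client_opts(CaFile, CertName) ->
    [{verify, verify_peer},
     {cacertfile, CaFile},
     {depth, 2},
     {server_name_indication, CertName},
     %% Path validation stays strict; the verify_fun only makes the reason
     %% visible, it never turns a bad_cert into an accepted peer.
     {verify_fun, {fun verify/3, []}}].

verify(_Cert, {bad_cert, Reason}, _State) ->
    %% Reason = hostname_check_failed when the name does not match
    {fail, Reason};
verify(_Cert, {extension, _}, State) ->
    {unknown, State};
verify(_Cert, valid, State) ->
    {valid, State};
verify(_Cert, valid_peer, State) ->
    {valid, State}.

%% Connect and, after the handshake, independently repeat the check the
%% client already performed, so the outcome can be logged or inspected.
connect(Host, Port, CertName) ->
    {ok, _} = application:ensure_all_started(ssl),
    case ssl:connect(Host, Port, client_opts("ca.pem", CertName), 5000) of
        {ok, Sock} ->
            {ok, Der} = ssl:peercert(Sock),
            Result = hostname_ok(Der, CertName),
            ssl:close(Sock),
            {ok, Result};
        {error, _} = Err ->
            %% Connecting to "localhost" with no server_name_indication
            %% fails here with {bad_cert, hostname_check_failed} on OTP 20.
            Err
    end.

%% The same check OTP 20 runs during path validation; with no subjectAltName
%% dNSName entries in the certificate it falls back to the CN.
hostname_ok(CertDer, Name) ->
    public_key:pkix_verify_hostname(CertDer, [{dns_id, Name}]).
```

Calling tls_hostname_demo:connect("localhost", 8443, "testserver") exercises the matching case; passing "localhost" as the third argument reproduces the failure from the thread without disabling verification.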