[erlang-questions] SSL 'verify_peer' client option changed between Erlang 19.3/20.1?

Frank Muller frank.muller.erl@REDACTED
Fri Nov 3 16:16:03 CET 2017


Ingela,

Couldn’t find out how to disable this option.
Can you point us to it, please?

/Frank

> Hi!
>
> In OTP 20, TLS client processes will by default call
> public_key:pkix_verify_hostname/2 to verify the hostname of the connection
> with the server certificate's specified hostname during certificate path
> validation. The user may explicitly disable it. OTP 19 did not perform
> this check, it was left up to the application to perform it in the
> verify_fun if they wanted to. It is not really part of the TLS protocol but
> it is mandated that TLS clients perform the check.
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
> 2017-11-03 11:47 GMT+01:00 Roger Lipscombe <roger@REDACTED>:
>
>> I've got some test code where I connect an Erlang ssl client to an
>> Erlang ssl server on localhost. On Erlang 19.3, it was passing fine.
>> On Erlang 20.1, it started failing with
>> {bad_cert,hostname_check_failed}.
>>
>> Investigation reveals that I'm connecting to "localhost", the server
>> cert has ".../CN=testserver", and I'm passing {verify, verify_peer} in
>> the client options.
>>
>> My question is, basically: why didn't Erlang 19 fail?
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
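
The hostname check discussed in this thread, written out as an added example (not code from any of the posters or from OTP itself). It shows the OTP 19 style check done by the application in a `verify_fun`, next to an OTP 20 client that keeps the built-in check but tells it which name the certificate carries. The module name, function names and the `ca.pem` path are assumptions, as is a test certificate with `CN=testserver` and no subjectAltName.

```erlang
-module(hostname_check_example).
-export([connect_otp20/3, connect_otp19/3, verify_fun/1]).

%% OTP 20+: the ssl client calls public_key:pkix_verify_hostname/2 itself.
%% The name it checks defaults to the Host argument of ssl:connect; the
%% server_name_indication option replaces that name (and the SNI value sent).
%% CertName is the name the certificate carries, e.g. "testserver", while
%% Host can stay "localhost". The ssl documentation also lists
%% {server_name_indication, disable}, which switches the check off entirely.
connect_otp20(Host, Port, CertName) ->
    ssl:connect(Host, Port,
                [{verify, verify_peer},
                 {cacertfile, "ca.pem"},            % assumed path
                 {server_name_indication, CertName}]).

%% OTP 19.3: no built-in check, so the application performs it in verify_fun.
connect_otp19(Host, Port, CertName) ->
    ssl:connect(Host, Port,
                [{verify, verify_peer},
                 {cacertfile, "ca.pem"},            % assumed path
                 {verify_fun, verify_fun(CertName)}]).

%% Returns the {Fun, InitialUserState} pair that the verify_fun option expects.
verify_fun(CertName) ->
    {fun check/3, CertName}.

%% Path-validation errors found by ssl stay fatal.
check(_Cert, {bad_cert, _} = Reason, _CertName) ->
    {fail, Reason};
%% Extensions ssl does not understand: leave the decision to ssl.
check(_Cert, {extension, _}, CertName) ->
    {unknown, CertName};
%% Intermediate and root CA certificates: no hostname to compare.
check(_Cert, valid, CertName) ->
    {valid, CertName};
%% The peer (leaf) certificate: compare its names with the expected one.
check(Cert, valid_peer, CertName) ->
    case public_key:pkix_verify_hostname(Cert, [{dns_id, CertName}]) of
        true  -> {valid, CertName};
        false -> {fail, {bad_cert, hostname_check_failed}}
    end.
```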