[erlang-questions] SSL hostname verification
Dmitry Kolesnikov
dmkolesnikov@REDACTED
Mon Jan 22 16:34:42 CET 2018
Hello,
I had a similar problem with plain TLS socket after 19.x to 20.x migration. This is due to SNI feature. I’ve disabled it using following ssl socket option: {server_name_indication, disable}
I think same applies for dist sockets as well.
Best Regards,
Dmitry
> On 22 Jan 2018, at 17.28, San Gillis <san.gillis@REDACTED> wrote:
>
> Since upgrading to Erlang 20.2 (from 19.3) we've been having issues with using SSL for Erlang distribution.
>
> We used to run our nodes with
> ```
> -ssl_dist_opt server_verify verify_peer
> -ssl_dist_opt client_verify verify_peer
> ```
> in the vm.args file. Since the upgrade this failed with {bad_cert, hostname_check_failed}.
>
> I noticed that this hostname check fails because `fun public_key:verify_hostname_match_default/2` is receiving `{dns_id, "nodename@REDACTED <mailto:nodename@REDACTED>"}` and `{dNSName,"*.hostname.com <http://hostname.com/>"}` as arguments, which will fail to check.
>
> I have looked into providing `verify_fun` to do custom verification, but this seems pretty convoluted if I just want to `erl -remsh nodename@REDACTED <mailto:nodename@REDACTED> -ssl_dist_optfile ...` into the given node.
>
> Did anyone else run into this issue? Are there some better ways to fix this?
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20180122/dc924295/attachment.htm>
More information about the erlang-questions
mailing list