[erlang-questions] SSL hostname verification

San Gillis san.gillis@REDACTED
Mon Jan 22 16:55:14 CET 2018


I tried adding {server_name_indication, disable} to my ssl_dist_optfile.
(So it is `[{server, ...}, {client, [..., {server_name_indication,
disable}]}]`, is that correct?). This doesn't change the error I get.

Also, if I understand the documentation correctly, this disables all
hostname checking. Would this leave us vulnerable to MITM attacks?

2018-01-22 16:34 GMT+01:00 Dmitry Kolesnikov <dmkolesnikov@REDACTED>:

> Hello,
>
> I had a similar problem with a plain TLS socket after the 19.x to 20.x
> migration. This is due to the SNI feature. I've disabled it using the following ssl
> socket option: `{server_name_indication, disable}`
>
> I think the same applies for dist sockets as well.
>
> Best Regards,
> Dmitry
>
> On 22 Jan 2018, at 17.28, San Gillis <san.gillis@REDACTED> wrote:
>
> Since upgrading to Erlang 20.2 (from 19.3) we've been having issues with
> using SSL for Erlang distribution.
>
> We used to run our nodes with
> ```
> -ssl_dist_opt server_verify verify_peer
> -ssl_dist_opt client_verify verify_peer
> ```
> in the vm.args file. Since the upgrade this fails with
> `{bad_cert, hostname_check_failed}`.
>
> I noticed that this hostname check fails because
> `fun public_key:verify_hostname_match_default/2` is receiving
> `{dns_id, "nodename@REDACTED"}` and `{dNSName, "*.hostname.com"}` as
> arguments, which will fail to match.
>
> I have looked into providing `verify_fun` to do custom verification, but
> this seems pretty convoluted if I just want to `erl -remsh
> nodename@REDACTED -ssl_dist_optfile ...` into the given
> node.
>
> Did anyone else run into this issue? Are there some better ways to fix
> this?
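The thread's mismatch is between a reference id that is a full node name (`{dns_id, "nodename@host"}`) and a certificate `dNSName` that only names the host. Rather than disabling SNI and with it all hostname checking, which does open the door to MITM, `ssl` since OTP 20 accepts a `customize_hostname_check` option with a `match_fun` that receives exactly the `(ReferenceId, PresentedId)` pair quoted above and returns `true`, `false` or `default`. The module below is an added example written for this reply, not code from the thread or from OTP: it strips the `node@` prefix and matches the host part against the presented name, allowing a single leftmost wildcard label, while keeping `verify_peer`. The node name `nodename@host.example.com`, the file paths, and the module name are constructed placeholders; how a fun term is wired into `ssl_dist_optfile` is not settled by the thread, so the option list is shown as an Erlang term you would pass from code.

```erlang
%% dist_hostname_check.erl -- added example, not from the erlang-questions thread.
%% Keeps verify_peer for TLS distribution and matches only the host part of a
%% "node@host" reference id against the certificate's dNSName entries, instead
%% of switching hostname verification off with {server_name_indication, disable}.
-module(dist_hostname_check).
-export([match_fun/2, dist_client_opts/0, demo/0]).

%% Signature expected by ssl's {customize_hostname_check, [{match_fun, Fun}]}:
%% fun(ReferenceId, PresentedId) -> boolean() | default.
%% Anything that is not a "node@host" dns_id falls through to ssl's default check.
match_fun({dns_id, NodeName}, {dNSName, CertName}) ->
    case string:split(NodeName, "@") of      % string:split/2 is available from OTP 20
        [_Node, Host] when Host =/= [] ->
            host_matches(string:lowercase(Host), string:lowercase(CertName));
        _ ->
            default
    end;
match_fun(_ReferenceId, _PresentedId) ->
    default.

%% Exact match, or a single leftmost wildcard label ("*.rest" matches "a.rest"
%% but not "a.b.rest"), which is the usual narrow reading of certificate wildcards.
host_matches(Host, Host) ->
    true;
host_matches(Host, "*." ++ Suffix) ->
    case string:split(Host, ".") of
        [Label, Suffix] when Label =/= [] -> true;
        _ -> false
    end;
host_matches(_Host, _CertName) ->
    false.

%% Client-side ssl options for distribution, with the custom match function.
%% Paths are placeholders; supply your own CA, certificate and key.
dist_client_opts() ->
    [{verify, verify_peer},
     {cacertfile, "/etc/erlang/ca.pem"},
     {certfile,   "/etc/erlang/node.pem"},
     {keyfile,    "/etc/erlang/node.key"},
     {customize_hostname_check, [{match_fun, fun ?MODULE:match_fun/2}]}].

%% Exercises the matcher on the shapes of ids quoted in the thread (constructed
%% values). Returns [true, false, default].
demo() ->
    Ref = {dns_id, "nodename@host.example.com"},
    [match_fun(Ref, {dNSName, "*.example.com"}),        % wildcard covers one label
     match_fun(Ref, {dNSName, "*.other.example.com"}),  % wrong suffix
     match_fun({dns_id, "host.example.com"}, {dNSName, "host.example.com"})]. % no node part
```

The important property is that `false` is still returned when the host part does not match, so a certificate for an unrelated name is rejected exactly as before; only the `node@` prefix that the distribution layer adds to the reference id is ignored.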