[erlang-questions] SSL hostname verification

Ingela Andin ingela.andin@REDACTED
Mon Jan 22 21:29:00 CET 2018


2018-01-22 16:55 GMT+01:00 San Gillis <san.gillis@REDACTED>:

> I tried adding {server_name_indication, disable} to my ssl_dist_optfile.
> (So it is `[{server, ...}, {client, [..., {server_name_indication,
> disable}]}]`, is that correct?). This doesn't change the error I get.
Looks right  .... it is a pretty new feature so we will look into if it is
tested well enough or if you just missed some little detail!

> Also, if I understand the documentation correctly, this disables all
> hostname checking. Would this leave us vulnerable to MITM attacks?

Yes it disables all hostname checks making you vulnerable to the things
they where designed to protect. The way to customize the checks is to
handle them in your own verify_fun, why do you think that is convulted?
The verify_fun can be very simple only specifically handling the  {bad_cert,
hostname_check_failed} then all other checks will behave as before. The
verify_fun is not meant to  replace the default certiface checks it
is for extending the checks and possible ignoring some specific error (even
though this is seldom desirable).

Something like:

{fun(_,{bad_cert, hostname_check_failed}, _) ->
	 %%% Preform own check ...
    (_,{extension, _}, UserState) ->
	 {unknown, UserState};
    (_, valid, UserState) ->
	 {valid, UserState};
    (_, valid_peer, UserState) ->
         {valid, UserState}
 end, []}

Initial UserStae is []

Regards Ingela Erlang/OTP team - Ericsson AB

> 2018-01-22 16:34 GMT+01:00 Dmitry Kolesnikov <dmkolesnikov@REDACTED>:
>> Hello,
>> I had a similar problem with plain TLS socket after 19.x to 20.x
>> migration. This is due to SNI feature. I’ve disabled it using following ssl
>> socket option: {server_name_indication, disable}
>> I think same applies for dist sockets as well.
>> Best Regards,
>> Dmitry
>> On 22 Jan 2018, at 17.28, San Gillis <san.gillis@REDACTED> wrote:
>> Since upgrading to Erlang 20.2 (from 19.3) we've been having issues with
>> using SSL for Erlang distribution.
>> We used to run our nodes with
>> ```
>> -ssl_dist_opt server_verify verify_peer
>> -ssl_dist_opt client_verify verify_peer
>> ```
>> in the vm.args file. Since the upgrade this failed with {bad_cert,
>> hostname_check_failed}.
>> I noticed that this hostname check fails because `fun
>> public_key:verify_hostname_match_default/2` is receiving `{dns_id, "
>> nodename@REDACTED"}` and `{dNSName,"*.hostname.com"}` as
>> arguments, which will fail to check.
>> I have looked into providing `verify_fun` to do custom verification, but
>> this seems pretty convoluted if I just want to `erl -remsh
>> nodename@REDACTED -ssl_dist_optfile ...` into the given
>> node.
>> Did anyone else run into this issue? Are there some better ways to fix
>> this?
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20180122/8850c8fa/attachment.htm>

More information about the erlang-questions mailing list