[erlang-questions] SSL hostname verification

Ingela Andin ingela.andin@REDACTED
Mon Jan 22 21:45:36 CET 2018


Hoops did not mean du remove the default fail on cert error clause ....


{fun(_,{bad_cert, hostname_check_failed}, _) ->
	 %%% Preform own check ...

    (_,{bad_cert, _} = Reason, _) ->
	 {fail, Reason};

    (_,{extension, _}, UserState) ->

	 {unknown, UserState};
    (_, valid, UserState) ->
	 {valid, UserState};
    (_, valid_peer, UserState) ->
         {valid, UserState}
 end, []}


Regards Ingela


2018-01-22 21:29 GMT+01:00 Ingela Andin <ingela.andin@REDACTED>:

>
> Hi!
>
> 2018-01-22 16:55 GMT+01:00 San Gillis <san.gillis@REDACTED>:
>
>> I tried adding {server_name_indication, disable} to my ssl_dist_optfile.
>> (So it is `[{server, ...}, {client, [..., {server_name_indication,
>> disable}]}]`, is that correct?). This doesn't change the error I get.
>>
>>
> Looks right  .... it is a pretty new feature so we will look into if it is
> tested well enough or if you just missed some little detail!
>
>
>> Also, if I understand the documentation correctly, this disables all
>> hostname checking. Would this leave us vulnerable to MITM attacks?
>>
>
>
> Yes it disables all hostname checks making you vulnerable to the things
> they where designed to protect. The way to customize the checks is to
> handle them in your own verify_fun, why do you think that is convulted?
> The verify_fun can be very simple only specifically handling the  {bad_cert,
> hostname_check_failed} then all other checks will behave as before. The
> verify_fun is not meant to  replace the default certiface checks it
> is for extending the checks and possible ignoring some specific error
> (even though this is seldom desirable).
>
> Something like:
>
> {fun(_,{bad_cert, hostname_check_failed}, _) ->
> 	 %%% Preform own check ...
>     (_,{extension, _}, UserState) ->
> 	 {unknown, UserState};
>     (_, valid, UserState) ->
> 	 {valid, UserState};
>     (_, valid_peer, UserState) ->
>          {valid, UserState}
>  end, []}
>
>
> Initial UserStae is []
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
>> 2018-01-22 16:34 GMT+01:00 Dmitry Kolesnikov <dmkolesnikov@REDACTED>:
>>
>>> Hello,
>>>
>>> I had a similar problem with plain TLS socket after 19.x to 20.x
>>> migration. This is due to SNI feature. I’ve disabled it using following ssl
>>> socket option: {server_name_indication, disable}
>>>
>>> I think same applies for dist sockets as well.
>>>
>>> Best Regards,
>>> Dmitry
>>>
>>> On 22 Jan 2018, at 17.28, San Gillis <san.gillis@REDACTED> wrote:
>>>
>>> Since upgrading to Erlang 20.2 (from 19.3) we've been having issues with
>>> using SSL for Erlang distribution.
>>>
>>> We used to run our nodes with
>>> ```
>>> -ssl_dist_opt server_verify verify_peer
>>> -ssl_dist_opt client_verify verify_peer
>>> ```
>>> in the vm.args file. Since the upgrade this failed with {bad_cert,
>>> hostname_check_failed}.
>>>
>>> I noticed that this hostname check fails because `fun
>>> public_key:verify_hostname_match_default/2` is receiving `{dns_id, "
>>> nodename@REDACTED"}` and `{dNSName,"*.hostname.com"}` as
>>> arguments, which will fail to check.
>>>
>>> I have looked into providing `verify_fun` to do custom verification, but
>>> this seems pretty convoluted if I just want to `erl -remsh
>>> nodename@REDACTED -ssl_dist_optfile ...` into the given
>>> node.
>>>
>>> Did anyone else run into this issue? Are there some better ways to fix
>>> this?
>>> _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>>
>>>
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20180122/27f861c9/attachment.htm>


More information about the erlang-questions mailing list