[erlang-questions] SSL hostname verification

San Gillis san.gillis@REDACTED
Tue Jan 23 12:13:37 CET 2018


Hi!

First of all, thank you Dmitry and Ingela for the quick replies.

> Yes it disables all hostname checks making you vulnerable to the things
> they were designed to protect.
>

Thought so, so I would prefer not to use the disable option.


> The way to customize the checks is to handle them in your own verify_fun,
> why do you think that is convoluted?
>

It just seemed weird to me to write erlang functions inside a configuration
file. But then again, I didn't understand it could be just a short
function, which makes it a lot more acceptable.


> The verify_fun can be very simple only specifically handling the {bad_cert,
> hostname_check_failed} then all other checks will behave as before. The
> verify_fun is not meant to replace the default certificate checks it
> is for extending the checks and possibly ignoring some specific error
> (even though this is seldom desirable).
>
> Something like:
>
> {fun(_, {bad_cert, hostname_check_failed}, _) ->
>          %%% Perform own check ...
>     (_, {extension, _}, UserState) ->
>          {unknown, UserState};
>     (_, valid, UserState) ->
>          {valid, UserState};
>     (_, valid_peer, UserState) ->
>          {valid, UserState}
>  end, []}
>
>
I tried this, but the weird thing is that when I explicitly set verify_fun
to what is described as the default in the documentation:

{fun(_, {bad_cert, _} = Reason, _) ->
         {fail, Reason};
    (_, {extension, _}, UserState) ->
         {unknown, UserState};
    (_, valid, UserState) ->
         {valid, UserState};
    (_, valid_peer, UserState) ->
         {valid, UserState}
 end, []}

I do not get the hostname_check_failed error anymore. I did not expect this.

I believe `ssl_certificate:verify_hostname` is called when I do not
explicitly provide verify_fun, because I added some debug statements
that got executed.

When I do provide the verify_fun as above the debug statements no
longer get executed. But I couldn't find any other occurrences of
hostname_check_failed in my copy of the `lib` dir of erlang 20.2.
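The template quoted above leaves the {bad_cert, hostname_check_failed} clause empty. The module below is an added example, not code from this thread or from OTP, showing one way to fill it in so the fun fails closed: instead of returning {valid, UserState} unconditionally, it re-checks the peer certificate against an explicit list of reference identifiers with public_key:pkix_verify_hostname/2 (in OTP 20's public_key). It runs the same check on valid_peer as well, so the hostname is verified inside the fun whether or not the library's own check reports a failure, which matters given the behaviour described above. The module name hostname_verify, the connect/4 wrapper and the host, identifier and file names in the usage comment are assumptions.

```erlang
%% hostname_verify.erl -- added example, not from the thread or from OTP.
-module(hostname_verify).
-export([verify_fun/1, connect/4]).

%% Returns the {Fun, InitialUserState} tuple the ssl verify_fun option
%% expects. The user state is the list of reference identifiers the peer
%% certificate must match, in the form public_key:pkix_verify_hostname/2
%% accepts, e.g. [{dns_id, "api.example.test"}] (names are assumptions).
verify_fun(ExpectedIds) when is_list(ExpectedIds), ExpectedIds =/= [] ->
    {fun(Cert, {bad_cert, hostname_check_failed}, Ids) ->
             %% ssl's own hostname check failed: decide against our
             %% allow-list instead of blindly returning {valid, Ids}.
             check_hostname(Cert, Ids);
        (_Cert, {bad_cert, _} = Reason, _Ids) ->
             %% every other path-validation failure stays fatal
             {fail, Reason};
        (_Cert, {extension, _}, Ids) ->
             %% unknown extension: let ssl decide, as the default fun does
             {unknown, Ids};
        (_Cert, valid, Ids) ->
             %% CA certificate in the chain: nothing to add
             {valid, Ids};
        (Cert, valid_peer, Ids) ->
             %% peer certificate with no hostname error reported: run the
             %% check anyway, so it happens inside this fun whether or not
             %% the library performed it for us
             check_hostname(Cert, Ids)
     end,
     ExpectedIds}.

%% Fail closed: a certificate matching none of the identifiers is rejected
%% with the same reason ssl itself uses, so the error stays recognisable.
check_hostname(Cert, Ids) ->
    case public_key:pkix_verify_hostname(Cert, Ids) of
        true  -> {valid, Ids};
        false -> {fail, {bad_cert, hostname_check_failed}}
    end.

%% Connect to Host:Port, trusting the CAs in CaCertFile, and require the
%% peer certificate to match ExpectedIds (which may list more names than
%% the one being dialled, e.g. an internal alias on the same service).
connect(Host, Port, CaCertFile, ExpectedIds) ->
    ssl:connect(Host, Port,
                [{verify, verify_peer},
                 {cacertfile, CaCertFile},
                 {server_name_indication, Host},
                 {verify_fun, verify_fun(ExpectedIds)}],
                5000).

%% Usage (assumed names and paths):
%%   {ok, _} = application:ensure_all_started(ssl),
%%   {ok, Sock} = hostname_verify:connect("api.example.test", 443,
%%                    "/etc/ssl/certs/ca.pem",
%%                    [{dns_id, "api.example.test"},
%%                     {dns_id, "api.internal.example"}]).
```

The clause order matters: the {bad_cert, hostname_check_failed} clause must come before the general {bad_cert, _} clause or it is never reached. The fun never accepts a peer on the strength of the error alone; the only path to {valid, Ids} for the peer certificate goes through public_key:pkix_verify_hostname/2, which is what keeps this safer than the verify_none or disable-check options discussed earlier in the thread.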