SSL 'verify_peer' client option changed between Erlang 19.3/20.1?

Roger Lipscombe-2
I've got some test code where I connect an Erlang ssl client to an
Erlang ssl server on localhost. On Erlang 19.3, it was passing fine.
On Erlang 20.1, it started failing with
{bad_cert,hostname_check_failed}.

Investigation reveals that I'm connecting to "localhost", the server
cert has ".../CN=testserver", and I'm passing {verify, verify_peer} in
the client options.

My question is, basically: why didn't Erlang 19 fail?
_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
Re: SSL 'verify_peer' client option changed between Erlang 19.3/20.1?

Ingela Andin
Hi!

In OTP 20, TLS client processes will by default call public_key:pkix_verify_hostname/2 to verify the hostname of the connection against the server certificate's specified hostname during certificate path validation. The user may explicitly disable it. OTP 19 did not perform this check; it was left up to the application to perform it in the verify_fun if they wanted to. It is not really part of the TLS protocol, but it is mandated that TLS clients perform the check.

Regards, Ingela, Erlang/OTP team - Ericsson AB


Re: SSL 'verify_peer' client option changed between Erlang 19.3/20.1?

Frank Muller
Ingela,

Couldn't find out how to disable this option.
Can you point us to it please?

/Frank

Re: SSL 'verify_peer' client option changed between Erlang 19.3/20.1?

Ingela Andin

{server_name_indication, hostname() | disable}

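The two ways of doing the hostname check that this thread describes, written out as an added example (this is not code from the thread or from OTP): the OTP 19 style, where the application runs public_key:pkix_verify_hostname/2 itself inside verify_fun, and the OTP 20 style, where ssl runs it and the expected name is supplied through server_name_indication rather than switched off with `disable`. The module name, the function names and the CaFile path are assumptions; the server, port and CA file are whatever your test setup provides.

```erlang
%% Added example, not code from the thread or from OTP. Assumes a CA bundle
%% at CaFile that signed the test server's certificate.
-module(tls_hostname_client).
-export([verify_fun/1, connect_otp19_style/3, connect_otp20_style/4]).

%% OTP 19 style: ssl validates the chain, but the application must compare the
%% peer certificate with the expected name itself. This verify_fun rejects the
%% peer unless public_key:pkix_verify_hostname/2 (available since OTP 19.3)
%% accepts it, producing the same {bad_cert,hostname_check_failed} reason that
%% OTP 20 reports on its own.
verify_fun(ExpectedHost) ->
    Fun = fun(_Cert, {bad_cert, _} = Reason, _State) ->
                  %% keep ssl's own path-validation failures fatal
                  {fail, Reason};
             (_Cert, {extension, _}, State) ->
                  %% leave extensions we do not handle to ssl's default logic
                  {unknown, State};
             (_Cert, valid, State) ->
                  %% CA certificate in the chain: nothing name-related to check
                  {valid, State};
             (Cert, valid_peer, State) ->
                  %% leaf certificate: match its SAN dNSName / CN against the
                  %% host we dialed, e.g. "localhost" vs CN=testserver fails here
                  case public_key:pkix_verify_hostname(Cert, [{dns_id, ExpectedHost}]) of
                      true  -> {valid, State};
                      false -> {fail, {bad_cert, hostname_check_failed}}
                  end
          end,
    {Fun, []}.

connect_otp19_style(Host, Port, CaFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    ssl:connect(Host, Port,
                [{verify, verify_peer},
                 {cacertfile, CaFile},
                 {verify_fun, verify_fun(Host)},
                 {active, false}],
                5000).

%% OTP 20 style: ssl runs pkix_verify_hostname/2 itself. When the host you dial
%% ("localhost") is not the name in the certificate (CN=testserver), tell ssl
%% which name to expect instead of disabling the check; the same name is then
%% sent in the Server Name Indication extension.
connect_otp20_style(Host, Port, CaFile, ExpectedName) ->
    {ok, _} = application:ensure_all_started(ssl),
    ssl:connect(Host, Port,
                [{verify, verify_peer},
                 {cacertfile, CaFile},
                 {server_name_indication, ExpectedName},
                 {active, false}],
                5000).
```

For the case in the first post, `connect_otp20_style("localhost", Port, CaFile, "testserver")` keeps the check and still connects, because the certificate is compared with "testserver" rather than "localhost"; `{server_name_indication, disable}` also makes the connection succeed, but then no name in the certificate is checked at all.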
Re: SSL 'verify_peer' client option changed between Erlang 19.3/20.1?

Max Lapshin-2
heh, all tests with https://127.0.0.1:5672 got broken =)
