Improved certificate extension handling

Added the functionality so that the verification fun will be called
when a certificate is considered valid by the path validation to allow
access to eachs certificate in the path to the user application.

Removed clause that only check that a extension is not critical,
it does alter the verification rusult only withholds information from
the application.

Try to verify subject-AltName, if unable to verify it let
application try.

1 files changed, 6 insertions, 2 deletions

diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index cc01b35b64..12dffb413c 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -535,7 +535,9 @@ handle_options(Opts0, _Role) ->
 	    (_,{bad_cert, _} = Reason, _) ->
 		 {fail, Reason};
 	    (_,{extension, _}, UserState) ->
-		 {unknown, UserState}
+		 {unknown, UserState};
+	    (_, valid, UserState) ->
+		 {valid, UserState}
 	 end, []},
 
     UserFailIfNoPeerCert = handle_option(fail_if_no_peer_cert, Opts, false),
@@ -631,7 +633,9 @@ validate_option(verify_fun, Fun) when is_function(Fun) ->
 		     {fail, Reason}
 	     end;
 	(_,{extension, _}, UserState) ->
-	     {unknown, UserState}
+	     {unknown, UserState};
+	(_, valid, UserState) ->
+	     {valid, UserState}
      end, Fun};
 validate_option(verify_fun, {Fun, _} = Value) when is_function(Fun) ->
    Value;