diff options
author | Ingela Anderton Andin <ingela@erlang.org> | 2010-09-03 15:04:49 +0200 |
---|---|---|
committer | Ingela Anderton Andin <ingela@erlang.org> | 2010-09-06 14:52:50 +0200 |
commit | 71e720e56888faa6da3856d5c5e08c8e983c9d5d (patch) | |
tree | 5d04ed4f0ac8ce5ecf6855f2af9f7523d6adacc3 /lib/ssl/src/ssl_connection.erl | |
parent | e752dcdefda84291cf819036a600b983326dae25 (diff) | |
download | otp-71e720e56888faa6da3856d5c5e08c8e983c9d5d.tar.gz otp-71e720e56888faa6da3856d5c5e08c8e983c9d5d.tar.bz2 otp-71e720e56888faa6da3856d5c5e08c8e983c9d5d.zip |
Handling of path validation errors by the application
Changed the behavior of the verify_fun option so that
the application can be responsible for handling path validation
errors even on the server side. Also replaced the not yet
documented validate_extensions_fun to be handled by the
verify_fun instead.
If the verify callback fun returns {fail, Reason}, the verification process is
immediately stopped and an alert is sent to the peer and the TLS/SSL
handshake is terminated. If the verify callback fun returns {valid,
UserState}, the verification process is continued. If the verify callback
fun always returns {valid, UserState}, the TLS/SSL handshake will not be
terminated with respect to verification failures and the connection
will be established. The verify callback fun will also be
able to verify application specific extensions.
Diffstat (limited to 'lib/ssl/src/ssl_connection.erl')
-rw-r--r-- | lib/ssl/src/ssl_connection.erl | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index c004effb85..7689976ff6 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -500,8 +500,7 @@ certify(#certificate{} = Cert, ssl_options = Opts} = State) -> case ssl_handshake:certify(Cert, CertDbRef, Opts#ssl_options.depth, Opts#ssl_options.verify, - Opts#ssl_options.verify_fun, - Opts#ssl_options.validate_extensions_fun, Role) of + Opts#ssl_options.verify_fun, Role) of {PeerCert, PublicKeyInfo} -> handle_peer_cert(PeerCert, PublicKeyInfo, State#state{client_certificate_requested = false}); |