From 6cced538abd4f8053c009b163efa8c6d568b9580 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Thu, 9 Sep 2010 17:07:22 +0200
Subject: Improved certificate extension handling

Added the functionality so that the verification fun will be called
when a certificate is considered valid by the path validation to allow
access to eachs certificate in the path to the user application.

Removed clause that only check that a extension is not critical,
it does alter the verification rusult only withholds information from
the application.

Try to verify subject-AltName, if unable to verify it let
application try.
---
 lib/ssl/doc/src/ssl.xml | 55 +++++++++++++++++++++++++------------------------
 1 file changed, 28 insertions(+), 27 deletions(-)

(limited to 'lib/ssl/doc/src/ssl.xml')

diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 0f3054aec3..d5b7253ef3 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -202,16 +202,19 @@
 	<p>The verification fun should be defined as:</p>
 
 	<code>
-	  fun(OtpCert :: #'OtpCertificate'{},
-	      Event :: {bad_cert, Reason :: atom()} |
-	      {extension, #'Extension'{}}, InitialUserState :: term()) ->
-	          {valid, UserState :: term()} | {fail, Reason :: term()} |
-	          {unknown, UserState :: term()}.
+fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
+	     {extension, #'Extension'{}}, InitialUserState :: term()) ->
+	{valid, UserState :: term()} | {fail, Reason :: term()} |
+	{unknown, UserState :: term()}.
 	</code>
 
 	<p>The verify fun will be called during the X509-path
 	validation when an error or an extension unknown to the ssl
-	application is encountered. See
+	application is encountered. Additionally it will be called
+	when a certificate is considered valid by the path validation
+	to allow access to each certificate in the path to the user
+	application.
+	See
 	<seealso marker="public_key:application">public_key(3)</seealso>
 	for definition of #'OtpCertificate'{} and #'Extension'{}.</p>
 
@@ -229,34 +232,32 @@
 	<p>The default verify_fun option in verify_peer mode:</p>
 
       <code>
-	{fun(_,{bad_cert, _} = Reason, _) ->
-		 {fail, Reason};
-	    (_,{extension, _}, UserState) ->
-		 {unknown, UserState}
-	 end, []}
+{fun(_,{bad_cert, _} = Reason, _) ->
+	 {fail, Reason};
+    (_,{extension, _}, UserState) ->
+	 {unknown, UserState};
+    (_, valid, UserState) ->
+	 {valid, UserState}
+ end, []}
       </code>
 
       <p>The default verify_fun option in verify_none mode:</p>
 
        <code>
-	{fun(_,{bad_cert, unknown_ca}, UserState) ->
-		 {valid, UserState};
-	    (_,{bad_cert, _} = Reason, _) ->
-		 {fail, Reason};
-	    (_,{extension, _}, UserState) ->
-		 {unknown, UserState}
-	 end, []}
+{fun(_,{bad_cert, unknown_ca}, UserState) ->
+	 {valid, UserState};
+    (_,{bad_cert, _} = Reason, _) ->
+	 {fail, Reason};
+    (_,{extension, _}, UserState) ->
+	 {unknown, UserState};
+    (_, valid, UserState) ->
+	 {valid, UserState}
+ end, []}
       </code>
 
-      <p> Possible path validation errors:
-       {bad_cert, cert_expired},
-       {bad_cert, invalid_issuer},
-       {bad_cert, invalid_signature},
-       {bad_cert, unknown_ca},
-       {bad_cert, name_not_permitted},
-       {bad_cert, missing_basic_constraint},
-       {bad_cert, invalid_key_usage},
-       {bad_cert, invalid_subject_altname}</p>
+<p>Possible path validation errors: </p>
+
+<p> {bad_cert, cert_expired}, {bad_cert, invalid_issuer}, {bad_cert, invalid_signature}, {bad_cert, unknown_ca}, {bad_cert, name_not_permitted}, {bad_cert, missing_basic_constraint}, {bad_cert, invalid_key_usage}</p>
       </item>
 
     </taglist>
-- 
cgit v1.2.3