From a567dca5ea418a0aaaed8fb4359032b11f28cccd Mon Sep 17 00:00:00 2001 From: Magnus Henoch Date: Fri, 29 Jan 2016 18:47:43 +0000 Subject: ssl: with verify_none, accept critical extensions When establishing a TLS connection with {verify, verify_none}, if the server has a certificate with a critical extension, for example a "Netscape Cert Type" extension, certificate verification would fail, which is surprising given that the name of the option suggests that no verification would be performed. With this change, certificate extensions marked as critical are ignored when using verify_none. --- lib/ssl/doc/src/ssl.xml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'lib/ssl/doc') diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index bf87644116..ca5d2afc24 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -269,7 +269,11 @@ atom()}} | terminate regarding verification failures and the connection is established.

If called with an extension unknown to the user application, - return value {unknown, UserState} is to be used.

 + return value {unknown, UserState} is to be used.

+ +

Note that if the fun returns unknown for an extension marked + as critical, validation will fail.

+

Default option verify_fun in verify_peer mode:

@@ -291,6 +295,8 @@ atom()}} | {fun(_,{bad_cert, _}, UserState) -> {valid, UserState}; + (_,{extension, #'Extension'{critical = true}}, UserState) -> + {valid, UserState}; (_,{extension, _}, UserState) -> {unknown, UserState}; (_, valid, UserState) -> -- cgit v1.2.3