verify_fun/3 is not called for intermediate certificates #4682
Comments
The behaviour seems to have changed in OTP-23.2. I am not sure why yet, this is not an intentional change. Although specifying a verify_fun when not verifying is semantically strange and maybe we should not allow it as verify_none is implemented as a verify_fun that accepts all verification errors. I will keep digging!
IngelaAndin added a commit to IngelaAndin/otp that referenced this issue Apr 1, 2021
When trying to reconstruct an incomplete chain we must not use a constructed chain that is a shorter incomplete chain than the original chain. This might happen if we have a chain that we will not be able to reconstruct and hence verify. Even though this is not a problem from a verification point (will fail with unknown_ca anyway) it could cause different behavior for a verify_fun. Closes erlang#4682
IngelaAndin added a commit that referenced this issue Apr 3, 2021
…iour/GH-4682/OTP-17296 ssl: Make sure incomplete chain is a prefix of the new chain candidate
rickard-green pushed a commit that referenced this issue Apr 27, 2021
… maint-23 * ingela/ssl/verify-fun-behaviour/GH-4682/OTP-17296: ssl: Make sure incomplete chain is a prefix of the new chain candidate
Describe the bug
verify_fun/3 is not called for intermediate certificates.
To Reproduce
test.exs:
Expected behavior
Expected verify_fun/3 to be run for both peer and intermediate certificate as it does on previous versions:
Affected versions
23.3 (works on at least 23.0.2).
Additional context
Use case: trying to retrieve all certs received from server no matter the validity.
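The use case described in the report, sketched as an added example (not the reporter's test.exs and not OTP code): a verify_fun that records every certificate it is called for, so the calls for the intermediate and peer certificates can be compared between OTP versions. The module name `chain_probe`, the functions `fetch/3`, `collect/3` and `drain/1`, and the `CaFile` argument are names chosen here; the socket is closed right after the handshake because the callback accepts every validation error and the connection is only good for inspection.

```erlang
-module(chain_probe).
-export([fetch/3, collect/3]).

%% Connect, record every verify_fun call, close the socket, and return
%% {HandshakeResult, Calls} with Calls in the order ssl made them.
%% CaFile is a PEM trust store path supplied by the caller (assumption).
fetch(Host, Port, CaFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    Opts = [{verify, verify_peer},
            {cacertfile, CaFile},
            %% The user state is the caller's pid; the callback itself runs
            %% in the TLS connection process, so it reports by message.
            {verify_fun, {fun ?MODULE:collect/3, self()}}],
    Result = case ssl:connect(Host, Port, Opts, 5000) of
                 {ok, Sock} -> ssl:close(Sock), ok;
                 {error, Reason} -> {error, Reason}
             end,
    {Result, drain([])}.

%% verify_fun/3 callback. A validation error is recorded and then accepted
%% so that path validation continues to the next certificate in the chain.
collect(Cert, {bad_cert, _} = Event, Pid) ->
    Pid ! {seen, Cert, Event},
    {valid, Pid};
%% Unknown extensions are handed back to ssl for its default handling.
collect(_Cert, {extension, _}, Pid) ->
    {unknown, Pid};
%% 'valid' is reported for CA certificates, 'valid_peer' for the peer
%% certificate. A certificate may show up more than once: first with a
%% bad_cert event, then again with its final event.
collect(Cert, Event, Pid) when Event =:= valid; Event =:= valid_peer ->
    Pid ! {seen, Cert, Event},
    {valid, Pid}.

%% Collect the {seen, Cert, Event} messages already in the mailbox.
drain(Acc) ->
    receive
        {seen, Cert, Event} -> drain([{Cert, Event} | Acc])
    after 0 ->
        lists:reverse(Acc)
    end.
```

On a release with the behaviour reported here, the returned list would be missing the entries for the intermediate certificate when the server's chain cannot be completed from the trust store.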