Hostname verification with Erlang/OTP 19.3

Posted 2017-03-17 06:35:40

One of the features introduced in Erlang/OTP 19.3 is a callback for hostname verification. This makes it easier to protect TLS clients from man-in-the-middle attacks without external dependencies, as explained in the public_key module’s User’s Guide.

Here’s how to use the new callback (sample code in Elixir, as usual):

# Chain validation already failed: pass the reason through unchanged
def verify_fun(_, {:bad_cert, _} = reason, _), do: {:fail, reason}
# Extensions public_key does not handle itself: report them as unknown
def verify_fun(_, {:extension, _}, state), do: {:unknown, state}
# An intermediate (CA) certificate validated: keep the reference IDs as state
def verify_fun(_, :valid, state), do: {:valid, state}
# The peer certificate validated: additionally check it matches the expected hostname
def verify_fun(cert, :valid_peer, state) do
  if :public_key.pkix_verify_hostname(cert, state) do
    {:valid, state}
  else
    {:fail, 'hostname mismatch'}
  end
end

With this function in place, along with a variable cacertfile pointing to a CA trust store, you can now call:

:ssl.connect('blog.voltone.net', 443,
  server_name_indication: 'blog.voltone.net',
  verify: :verify_peer, cacertfile: cacertfile,
  verify_fun: {&verify_fun/3, [dns_id: 'blog.voltone.net']})

Replace all occurrences of ‘blog.voltone.net’ with ‘mismatch.voltone.net’ to see verification fail, as it should in that case.
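As an added example (not from the original post), here is the same callback wrapped in a small client module that takes care of the practical details around it: the ssl application must be started, :ssl.connect and dns_id expect charlists rather than Elixir strings, and a handshake that fails verification comes back as {:error, {:tls_alert, _}}. The module name, the :hostname_mismatch reason atom and the depth of 3 are my own choices.

```elixir
defmodule HostnameVerifyingClient do
  @moduledoc """
  TLS client that verifies the peer chain against a CA bundle and checks the
  peer certificate against the expected hostname (OTP 19.3+).
  """

  # verify_fun callback as described in the post
  def verify_fun(_cert, {:bad_cert, _} = reason, _state), do: {:fail, reason}
  def verify_fun(_cert, {:extension, _}, state), do: {:unknown, state}
  def verify_fun(_cert, :valid, state), do: {:valid, state}
  def verify_fun(cert, :valid_peer, state) do
    if :public_key.pkix_verify_hostname(cert, state) do
      {:valid, state}
    else
      {:fail, :hostname_mismatch}  # reason atom is an assumption of this example
    end
  end

  @doc """
  Connects to host:port. host and cacertfile may be Elixir strings; ssl and
  public_key expect charlists, so they are converted here.
  """
  def connect(host, port, cacertfile, timeout \\ 5_000) do
    {:ok, _} = Application.ensure_all_started(:ssl)
    host_cl = to_charlist(host)

    opts = [
      server_name_indication: host_cl,
      verify: :verify_peer,
      cacertfile: to_charlist(cacertfile),
      depth: 3,
      # the reference ID handed to pkix_verify_hostname/2 must be the same name we dialled
      verify_fun: {&__MODULE__.verify_fun/3, [dns_id: host_cl]}
    ]

    :ssl.connect(host_cl, port, opts, timeout)
  end

  @doc "Opens and closes a verified connection, returning :ok or {:error, reason}."
  def check(host, port, cacertfile) do
    case connect(host, port, cacertfile) do
      {:ok, socket} ->
        :ssl.close(socket)
        :ok
      # verification failure (bad chain or hostname mismatch) surfaces as a TLS alert
      {:error, {:tls_alert, alert}} -> {:error, {:handshake_failed, alert}}
      {:error, reason} -> {:error, reason}
    end
  end
end
```

HostnameVerifyingClient.check("blog.voltone.net", 443, cacertfile) should return :ok, while the same call with "mismatch.voltone.net" should return {:error, {:handshake_failed, _}}.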
