processone / fast_tls

TLS / SSL OpenSSL-based native driver for Erlang / Elixir
https://www.ejabberd.im

SSL Certificate verification #29

Closed nosnilmot closed 6 years ago

nosnilmot commented 6 years ago

This is as much a question as an issue: I'm trying to understand why the SSL Certificate verification in fast_tls is largely disabled because the verify callback always returns 1 (success):

static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
    return 1;
}

I understand ejabberd does some level of certificate verification at the application level, but I'm curious why this couldn't be left for fast_tls / OpenSSL to handle?

Would you be open to PRs that change this behaviour?

cromain commented 6 years ago

Such a patch may have a performance penalty, and I'm not sure we need verification on that layer. We can still consider reviewing a PR if you think that can be useful in the fast_tls driver.
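
Added example, not part of the thread and not fast_tls or OpenSSL code: a small C model of the verify-callback contract documented for OpenSSL's SSL_CTX_set_verify. It shows that a callback which always returns 1 lets the handshake complete while the verification error stays recorded, so the application has to check it. `model_store_ctx`, `model_handshake`, `app_accepts_peer`, `passthrough_cb` and the sample chain are assumptions made for illustration.

```c
/* Model of the OpenSSL verify-callback contract; stand-in types, not OpenSSL itself. */
#include <stddef.h>
#include <stdio.h>
#define V_OK 0            /* same value as X509_V_OK */
#define V_ERR_EXPIRED 10  /* same value as X509_V_ERR_CERT_HAS_EXPIRED */

struct model_store_ctx { int error; };  /* stand-in for X509_STORE_CTX */
typedef int (*verify_cb)(int preverify_ok, struct model_store_ctx *ctx);

/* Behaviour quoted in the issue: every certificate is accepted. */
static int accept_all_cb(int preverify_ok, struct model_store_ctx *ctx) {
    (void)preverify_ok; (void)ctx;
    return 1;
}

/* Alternative: keep the library's own verdict for each certificate. */
static int passthrough_cb(int preverify_ok, struct model_store_ctx *ctx) {
    (void)ctx;
    return preverify_ok;
}

/* Walks a chain of per-certificate check results. Returns 1 if the handshake
 * would complete; *verify_result models SSL_get_verify_result() afterwards. */
static int model_handshake(const int *cert_errors, size_t n, verify_cb cb,
                           int *verify_result) {
    struct model_store_ctx ctx = { V_OK };
    int ok = 1;
    for (size_t i = 0; ok && i < n; i++) {
        int preverify_ok = (cert_errors[i] == V_OK);
        if (!preverify_ok) ctx.error = cert_errors[i];
        ok = cb(preverify_ok, &ctx) != 0;  /* returning 0 stops verification */
    }
    *verify_result = ctx.error;
    return ok;
}

/* Application-level gate needed when the callback accepts everything. */
static int app_accepts_peer(int handshake_ok, int verify_result) {
    return handshake_ok && verify_result == V_OK;
}

int main(void) {
    const int chain[] = { V_OK, V_ERR_EXPIRED };  /* constructed: one expired cert */
    int vr, ok = model_handshake(chain, 2, accept_all_cb, &vr);
    printf("accept_all: handshake=%d result=%d app=%d\n", ok, vr, app_accepts_peer(ok, vr));
    ok = model_handshake(chain, 2, passthrough_cb, &vr);
    printf("passthrough: handshake=%d result=%d\n", ok, vr);
    return 0;
}
```

In the model, the always-accept callback is only safe if every caller applies a check like `app_accepts_peer` after the handshake; with the pass-through callback the handshake itself fails on the expired certificate.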