Question 1

How do I implement certificate pinning with ssl_verify_fun in Erlang?

Accepted Answer

Use ssl_verify_fingerprint:verify_fun/3 with a SHA fingerprint in the ssl:connect options, like the github.com example. Set {verify, verify_none} and manage {reuse_sessions, false} for testing, but adjust for production.

Question 2

What's the difference between certificate pinning and public key pinning in ssl_verify_fun?

Accepted Answer

Certificate pinning checks the exact certificate fingerprint, while public key pinning validates the public key, which can remain the same across renewals. ssl_verify_fun supports both, with public key pinning being more flexible for long-term keys.

Question 3

ssl_verify_fun vs standard OTP SSL: which is better for security?

Accepted Answer

ssl_verify_fun adds layers like pinning and RFC 6125 hostname validation for stronger MITM protection, but requires manual setup. Standard OTP SSL is simpler but less secure for specific threats, so choose based on your risk profile.

Question 4

How to update pinned certificates when they expire?

Accepted Answer

You must manually extract the new certificate's fingerprint or public key using tools like OpenSSL, then update your configuration. This can cause downtime if not monitored proactively, so plan for certificate lifecycle management.

Question 5

Does ssl_verify_fun properly handle wildcard certificates?

Accepted Answer

Yes, it implements RFC 6125 compliant hostname validation, including proper wildcard handling where wildcards are only allowed in the left-most label, as detailed in the README's excerpt from the RFC.

Question 6

Can I use ssl_verify_fun with Erlang HTTP clients like hackney?

Accepted Answer

Yes, but you need to adapt the verify_fun to the client's SSL options. Most Erlang HTTP clients support custom verify functions, so pass ssl_verify_fun's implementations similarly to ssl:connect examples.

ssl_verify_fun

What is ssl_verify_fun?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions