The Erlang :ssl module is very strict in its certification checking.
The result of that is that, if I understand correctly, the verify_peer option works when everything is basically done correctly.
What I found out is that the internet is obviously broken everywhere; the :ssl module reliably connects to just about zero of the sites I tried when verifying the peer with CA certs from erlang-certifi.
So I tried using the verify_fun option with ssl_verify_fun.erl, plus the partial_chain based off of hackney's implementation... But it didn't work.
After that I tried a bunch of other stuff and made some progress, changed some more stuff only to find that it still didn't work. So I threw my hands up and made everything insecure by default.
TLDR;
I'm not smart enough to make the :ssl module's verify_peer work correctly.