I’ve the pleasure to announce the release of
tls_certificate_check, a library that packs the boilerplate required for verifying the authenticity of certificates presented by TLS servers against a list of trusted certificate authorities.
ssl_verify_fun together with the code required for verifying certificate chains in non canonical order.
It’s simple enough to use:
host = "example.com"
port = 443
tls_options = :tls_certificate_check.options(host)
:ssl.connect(host, 443, tls_options)
You’ll no longer need to copy the usual CA validation boilerplate everywhere!
This looks great, thanks for the lib. Would you consider also wrapping castore as an option?
It’s a good ideia; however, having
tls_certificate_check depend on
castore directly would complicate compatibility with Erlang (since it’s an Elixir dependency.)
I’m planning to add support for consumer-defined CA lists, though - that could be one way to use
castore instead of
Ah, yes, good point. And good solution too since they would allow using platform certificate stores too.
I forgot about this entirely… therefore I created an issue in GitHub to remind me of it.
tls_certificate_check 1.3.0 has been released today.
It now provides the CAs to the API through
(And since I forgot to announce the
1.2.0 update here:
certifi is no longer the backing CA store.)
tls_certificate_check 1.9.0 is out!
tls_certificate_check 1.10.0 has arrived.
- DST Root CA X3, now expired, was removed
tls_certificate_check 1.11.0 is out.
- HARICA TLS ECC Root CA 2021
- HARICA TLS RSA Root CA 2021
- TunTrust Root CA
tls_certificate_check 1.12.0 is out
- vtrus ecc root ca
- isrg root x2
- vtrus root ca
- HiPKI Root CA - G1
- Autoridad de Certificacion Firmaprofesional CIF A62634068
- gts root r4
- gts root r3
- gts root r1
- gts root r2
- GlobalSign ECC Root CA - R4
- GlobalSign Root CA - R2
- cybertrust global root