add missing verify_fun mfa translation

[danj3]

inet_tls_dist is missing a configuration translation for verify_fun from an mfa tuple to a closure that can be called during ssl_handshake.

@IngelaAndin This is the missing verify_fun translation I spoke of, applied to master

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

Dan Janowski seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[github-actions]

CT Test Results

    2 files     66 suites   27m 1s ⏱️
  815 tests   771 ✅  43 💤 1 ❌
4 185 runs  3 384 ✅ 800 💤 1 ❌

For more details on these failures, see this check.

Results for commit 0573dc6.

♻️ This comment has been updated with latest results.

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass.

See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally.

Artifacts

• Complete CT logs (Download Logs)
• HTML Documentation (Download HTML Docs)
• Windows Installer

// Erlang/OTP Github Action Bot

[RaimoNiskanen]

Sorry, I don't understand what this change enables that cannot be done already.

The existing {verify_fun, {Fun, Init}} should cover everything that {verify_fun, {Mod,Func,Init}} could do, or what am I missing?

[danj3]

Ah I forgot something. This change is to support -ssl_dist_optfile that looks like:

[{server,[{fail_if_no_peer_cert,true},
          {certfile,"erldist_cert.pem"},
          {keyfile,"erldist_privkey.pem"},
          {cacertfile,"erldist_cert.pem"},
          {verify,verify_peer},
          {verify_fun,{localca,verify,"erldist_cert.pem"}}]},
 {client,[{certfile,"erldist_cert.pem"},
          {keyfile,"erldist_privkey.pem"},
          {cacertfile,"erldist_cert.pem"},
          {verify,verify_peer},
          {verify_fun,{localca,verify,"erldist_cert.pem"}}]}].

These quasi-mfa verify_fun tuples are turned into the closure functions by this patch. The existing code was ignoring/passing over the verify_fun of this form. This form is based on what I got out of the Erlang Distribution over TLS

[IngelaAndin]

@danj3 I do not think you should base your new code on how legacy option handling was done. The latest version of the documentation that you are referring to, of erlang distribution, clearly states:
"The following section describes TLS Option handling prior to OTP 20.2 and can only handle a small subset of the actual available options. It is here only for the sake of backwards compatibility ." And I would claim that it is an error in the documentation because verify_fun has always been {verify_fun, {fun(), UserState::term()}}

[RaimoNiskanen]

@IngelaAndin wrote:

And I would claim that it is an error in the documentation because verify_fun has always been {verify_fun, {fun(), UserState::term()}}

I'd say that the documentaion is correct. There was/is a conversion for a command line option -ssl_dist_opt client_verify_fun '{localca,verify,"erldist_cert.pem"}' that converts it into {verify_fun, {fun localca:verify/3,"erldist_cert.pem"}} for the client. And the corresponding for the server.

It is a conversion done for the clumsy legacy command line options, not needed from an -ssl_dist_optfile.

[IngelaAndin]

It is a conversion done for the clumsy legacy command line options, not needed from an -ssl_dist_optfile.

Well, even if the doc is correct why do new things that takes in consideration old legacy thing that we do not recommend using.

[RaimoNiskanen]

I just pointed out that the documentation is not incorrect.

I see no point in adding support for this legacy format to -ssl_dist_optfile, and did not argue for that.

[danj3]

I agree that supporting the legacy verify_fun option in the optfile is pointless. I added an ssl doc section and reverted the code change in the #9691 the pr to make very clear the specific use of verify_fun in the optfile. While the example is implied by the existing documentation, a concrete example of this kind would have saved me considerable time. I can update this PR as well at your request, as well as any content changes to the doc.