Bram Verburg
Just to clarify: it would be possible to implement the core aspect of this feature purely in my application by overriding `after_decrypt/1` to return the closure. But that would not...
Both the public key and the signature use PGP-encoding according to [RFC4880](https://www.rfc-editor.org/rfc/rfc4880). As I said in the `tzdata` ticket, verifying such a signature requires decoding and verification functions to be...
Relying on external binaries is going to be very brittle. I can prepare some code that implements the most important parts of the RFC, but I'm not sure I can...
In tests you pass in a custom endpoint anyway, to direct the client to Bypass, so passing in an additional option to set the CA store shouldn't be such a...
I actually think it is good practice to expose the `ssl` options to users of your API: it allows users to apply their own hardening (e.g. limit protocol versions or...
The standard `verify_fun` callback selected by `verify_peer` is not intended to handle self-signed peer certificates. Normally to use a private PKI you'd generate a self-signed CA and issue server certificates...
> So it seems like the certificate being a wildcard is not the only validation error that pops (maybe the order at which the certificates are delivered in the TLS...
In Wireshark, the `commonName` part of the server certificate's Subject appears to be truncated. Can you tell if this is just a presentation issue, or if the certificate Subject really...
> Use a default cacertfile that points at the current system roots. This way it doesn't need to be provided and there's no CAStore dependency or manual configuration of a path...
> @voltone cacerts/cacertfile aside for a second, do you think we can ship with these defaults? I'm fine with setting these only on OTP 21+ (or just requiring that release)...