Erlang ssl module doesn't treat self-signed certificates as an error

Mikage Sawatari <>
Sat Oct 17 08:20:57 CEST 2009


Hello,

The ssl module doesn't treat self-signed certificates as an error,
even when it is told to verify peer certificates with an option.

Therefore in case of connecting to a self-signed server, client
programs continue to process their jobs, which leads to a security
problem.

The following is esock_openssl.c at line 961 and later. Shouldn't
it do MAYBE_SET_ERRSTR("eselfsignedcert") when the cert_err is
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT?

   switch (cert_err) {
   case X509_V_OK:
   case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
       ok = 1;
       break;
   case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
   case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
       MAYBE_SET_ERRSTR("enoissuercert");
       break;
   case X509_V_ERR_CERT_HAS_EXPIRED:
       MAYBE_SET_ERRSTR("epeercertexpired");
       break;
   case X509_V_ERR_CERT_NOT_YET_VALID:
   case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
   case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
       MAYBE_SET_ERRSTR("epeercertinvalid");
       break;
   case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
       MAYBE_SET_ERRSTR("eselfsignedcert");
       break;
   case X509_V_ERR_CERT_CHAIN_TOO_LONG:
       MAYBE_SET_ERRSTR("echaintoolong");
       break;
   default:
       MAYBE_SET_ERRSTR("epeercert");
       break;
   }


Thank you.

--
-----------------------------------------------------------------------
SAWATARI Mikage (SANO Taku)
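As an added illustration (not code from the report or from the Erlang ssl driver), the quoted mapping is shown beside the corrected mapping the report asks for, with NULL standing in for the success path and a string for the MAYBE_SET_ERRSTR value. The verify codes come from OpenSSL's x509_vfy.h; the numeric fallbacks are an assumption used only when that header is not available.

```c
#include <stddef.h>
#include <string.h>

/* Prefer OpenSSL's own verify codes; otherwise fall back to the numeric
 * values from x509_vfy.h (assumption: they match the linked OpenSSL). */
#if defined(__has_include)
#  if __has_include(<openssl/x509_vfy.h>)
#    include <openssl/x509_vfy.h>
#  endif
#endif
#ifndef X509_V_OK
#  define X509_V_OK                                    0
#  define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT         2
#  define X509_V_ERR_CERT_NOT_YET_VALID                9
#  define X509_V_ERR_CERT_HAS_EXPIRED                  10
#  define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD    13
#  define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD     14
#  define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT       18
#  define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN         19
#  define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
#  define X509_V_ERR_CERT_CHAIN_TOO_LONG               22
#endif

/* Mapping as the quoted esock_openssl.c does it: NULL means "accept".
 * A self-signed leaf certificate (depth zero) is accepted as if valid. */
const char *verify_errstr_original(long cert_err) {
    switch (cert_err) {
    case X509_V_OK:
    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:       return NULL;
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: return "enoissuercert";
    case X509_V_ERR_CERT_HAS_EXPIRED:                  return "epeercertexpired";
    case X509_V_ERR_CERT_NOT_YET_VALID:
    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:     return "epeercertinvalid";
    case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:         return "eselfsignedcert";
    case X509_V_ERR_CERT_CHAIN_TOO_LONG:               return "echaintoolong";
    default:                                           return "epeercert";
    }
}

/* Corrected mapping the report proposes: when peer verification was
 * requested, a self-signed leaf is rejected like any other self-signed
 * certificate instead of being silently accepted. */
const char *verify_errstr_fixed(long cert_err) {
    if (cert_err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
        return "eselfsignedcert";
    return verify_errstr_original(cert_err);
}
```

In the driver, cert_err is the value OpenSSL returns from SSL_get_verify_result() after the handshake; the only behavioural difference between the two functions is the depth-zero self-signed case.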

