SSL - can not verify server's certificate
Michal Ptaszek
michal.ptaszek@REDACTED
Thu Aug 26 08:44:40 CEST 2010
Hello,
I am trying to set up a client-server application where the client
communicates with the server using SSL connections. However,
I would like the client to verify the server's certificate validity.
Configuration on the server side:
    [{verify, verify_none},
     {certfile, PATH_TO_MY_CERT},
     {keyfile, PATH_TO_MY_KEY},
     {ssl_imp, new}]
The certificate is self-signed, so the verification should fail.
Client's request:
    ssl:connect(Host, Port, [{verify, 2}, {depth, 1}, {ssl_imp, new},
                             {fail_if_no_peer_cert, true},
                             {verify_fun, fun(Errors) -> io:format(user, "~p~n", [Errors]), false end},
                             {cacertfile, "/tmp/somecacert"}]).
Unfortunately, all connect attempts succeed.
However, if I change the 'verify' option on the server side to 'verify_peer', i.e.:
    [{verify, verify_peer},
     {certfile, PATH_TO_MY_CERT},
     {keyfile, PATH_TO_MY_KEY},
     {ssl_imp, new}]
I am getting an error on the client side:
[{bad_cert,unknown_ca}]
=ERROR REPORT==== 25-Aug-2010::15:53:26 ===
SSL: certify_certificate: ./ssl_handshake.erl:528:Fatal error: handshake failure
{error,esslconnect}
which is the expected behaviour. Moreover, if I provide a 'cacertfile'
with the server's PEM inside, verification is done correctly. Shouldn't
the client be agnostic of the server's settings?
The issue has been observed on R14A and R13B4
openssl version:
0.9.8k-7ubuntu8
uname -a:
Linux coltrane 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 19:31:57 UTC 2010 x86_64 GNU/Linux
Nevertheless, I could not make old SSL verification work
on R12B5, R13B4 and R14A.
Best regards,
Michal Ptaszek
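The security-relevant point of the report is that the client connected even though its CA file did not contain the server's issuer: whether the server's certificate gets checked must not depend on anything the server configures. Below is an added example of a client that enforces that check on its own side; it is not code from the original post or from the Erlang/OTP project, and it is written against the current OTP ssl API, where verify_fun is a {Fun/3, InitialState} pair rather than the fun/1 form used above and the ssl_imp option no longer exists. The module name, the CA bundle path and the host are placeholders.

```erlang
%% Added example (not from the original post): a TLS client that refuses
%% to connect unless the server's certificate chains to a CA it trusts
%% and matches the host name, regardless of the server's own settings.
-module(strict_client).
-export([connect/2, verify_fun/3]).

%% Verification callback invoked by ssl for every certificate in the path.
%% Rejecting with {fail, Reason} aborts the handshake; logging the reason
%% gives the operator a record of what was presented and why it failed.
verify_fun(_Cert, {bad_cert, _} = Reason, _UserState) ->
    io:format(user, "rejecting server certificate: ~p~n", [Reason]),
    {fail, Reason};
verify_fun(_Cert, {extension, _}, UserState) ->
    %% Unknown extensions are left to ssl's default handling.
    {unknown, UserState};
verify_fun(_Cert, valid, UserState) ->
    {valid, UserState};
verify_fun(_Cert, valid_peer, UserState) ->
    {valid, UserState}.

%% Host is a string such as "example.internal" (placeholder), Port an integer.
connect(Host, Port) ->
    {ok, _} = application:ensure_all_started(ssl),
    Opts = [
        %% verify_peer is what actually turns on chain validation on the
        %% client; with verify_none the cacertfile is never consulted.
        {verify, verify_peer},
        %% Placeholder path: the bundle of CAs this client is willing to trust.
        {cacertfile, "/etc/ssl/certs/trusted-ca-bundle.pem"},
        %% Maximum number of intermediate CAs between leaf and trust anchor.
        {depth, 2},
        %% Send SNI and check the presented name against Host (HTTPS rules).
        {server_name_indication, Host},
        {customize_hostname_check,
         [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]},
        %% Our callback with an empty initial user state.
        {verify_fun, {fun ?MODULE:verify_fun/3, []}}
    ],
    case ssl:connect(Host, Port, Opts, 5000) of
        {ok, Socket} ->
            {ok, Socket};
        {error, Reason} ->
            %% e.g. {error, {tls_alert, {unknown_ca, _}}} for a self-signed
            %% server certificate that is not in the CA bundle.
            {error, Reason}
    end.
```

A quick way to confirm the client behaves as the report expects is to point it at a server presenting a self-signed certificate while the CA bundle contains only an unrelated CA: connect/2 must return an error whatever verify option the server uses, and must succeed only once the server's issuer is added to the bundle.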