SSL - can not verify server's certificate

Michal Ptaszek <>
Thu Aug 26 08:44:40 CEST 2010


Hello,

I am trying to set up a client-server application where client
communicates with the server using SSL connections. However,
I would like client to verify the server's certificate validity.

Configuration on the server side:
[{verify, verify_none},
 {certfile, PATH_TO_MY_CERT},
 {keyfile, PATH_TO_MY_KEY},
 {ssl_imp, new}]

Certificate is a self-signed, so the verification should fail.
Client's request:
ssl:connect(Host, Port, [{verify, 2}, {depth, 1}, {ssl_imp, new},
                         {fail_if_no_peer_cert, true},
                         {verify_fun, fun(Errors) -> io:format(user, "~p~n", [Errors]), false end},
                         {cacertfile, "/tmp/somecacert"}]).

Unfortunately, all connect attempts are succeeds.

However, if I change the 'verify' option on the server side to 'verify_peer', i.e.:
[{verify, verify_peer},
 {certfile, PATH_TO_MY_CERT},
 {keyfile, PATH_TO_MY_KEY},
 {ssl_imp, new}]

I am getting an error on the client side:
[{bad_cert,unknown_ca}]

=ERROR REPORT==== 25-Aug-2010::15:53:26 ===
SSL: certify_certificate: ./ssl_handshake.erl:528:Fatal error: handshake failure
{error,esslconnect}

Which is an expected behaviour. Moreover, if I provide a 'cacertfile'
with a server's PEM inside, verification is done correctly. Should not
client be server-setting agnostic?

The issue has been observed on R14A and R13B4
openssl version:
0.9.8k-7ubuntu8
uname -a:
Linux coltrane 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 19:31:57 UTC 2010 x86_64 GNU/Linux

Nevertheless, I could not make old SSL verification work
on R12B5, R13B4 and R14A.

Best regards,
Michal Ptaszek


More information about the erlang-bugs mailing list