[erlang-bugs] SSL - can not verify server's certificate

Thu Aug 26 14:39:06 CEST 2010

Hi!

Michal Ptaszek wrote:
> Hello,
>
> I am trying to set up a client-server application where client
> communicates with the server using SSL connections. However,
> I would like client to verify the server's certificate validity.
>
> Configuration on the server side:
> [{verify, verify_none},
>  {certfile, PATH_TO_MY_CERT},
>  {keyfile, PATH_TO_MY_KEY},
>  {ssl_imp, new}]
>
> Certificate is a self-signed, so the verification should fail.
> Client's request:
> ssl:connect(Host, Port, [{verify, 2}, {depth, 1}, {ssl_imp, new},
>                          {fail_if_no_peer_cert, true},
>                          {verify_fun, fun(Errors) -> io:format(user, "~p~n", [Errors]), false end},
>                          {cacertfile, "/tmp/somecacert"}]).
>
>   
To begin with I would like to point out that fail_if_no_peer_cert is a 
server option.

 From doc:

*"{fail_if_no_peer_cert, boolean()}*
    Used together with {verify, verify_peer} by a ssl server. If set to
    true, the server will fail if the client does not have a certificate
    to send, e.i sends a empty certificate, if set to false it will only
    fail if the client sends a invalid certificate (an empty certificate
    is considered valid)." 


{verify, 2} 

Works for backwards comparability reasons and should be equivalent to 
[{verify, verify_peer} , {fail_if_no_peer_cert, true}]

For the client to fail on certificate errors this can be done in two ways.

[{verify, verify_peer}] will fail the the client at all certificate path 
errors or [{verify, verify_none}, {verify_fun, Fun}]
will fail the client for all path validation errors of the applications 
choice. The default verify_fun will accept {bad_cert, unknown_ca}
errors. (On a side note, I now remember the reason is to try to  
resemble openssl)

> Unfortunately, all connect attempts are succeeds.
>
>   
This patch to public_key should help that problem.

index 95c3d71..06d8d2b 100644

--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -447,6 +447,21 @@ pkix_normalize_name(Issuer) ->
                                  {error, {bad_cert, Reason :: term()}}.
 %% Description: Performs a basic path validation according to RFC 5280.
 %%--------------------------------------------------------------------
+pkix_path_validation(#'OTPCertificate'{} = TrustedCert, [], Options) ->
+    case proplists:get_value(verify, Options, true) of
+       true ->
+           {error, {bad_cert, unknown_ca}};
+       false ->
+           DummyState = 
#path_validation_state{working_public_key_algorithm = 'NULL'},
+           #path_validation_state{working_public_key_algorithm
+                                  = Algorithm,
+                                  working_public_key = PublicKey,
+                                  working_public_key_parameters = 
PublicKeyParams
+                                 } =
+               pubkey_cert:prepare_for_next_cert(TrustedCert, DummyState),
+           {ok, {{Algorithm, PublicKey, PublicKeyParams}, [], 
[{bad_cert, unknown_ca}]}}
+    end;
+
 pkix_path_validation(TrustedCert, CertChain, Options)
   when is_binary(TrustedCert) ->
     OtpCert = pkix_decode_cert(TrustedCert, otp),


[...]

Regards Ingela Erlang/OTP team - Ericsson AB

