[erlang-bugs] SSL - can not verify server's certificate
Ingela Anderton Andin
ingela@REDACTED
Thu Aug 26 14:39:06 CEST 2010
Hi!
Michal Ptaszek wrote:
> Hello,
>
> I am trying to set up a client-server application where the client
> communicates with the server using SSL connections. However,
> I would like the client to verify the server's certificate validity.
>
> Configuration on the server side:
> [{verify, verify_none},
> {certfile, PATH_TO_MY_CERT},
> {keyfile, PATH_TO_MY_KEY},
> {ssl_imp, new}]
>
> The certificate is self-signed, so the verification should fail.
> Client's request:
> ssl:connect(Host, Port, [{verify, 2}, {depth, 1}, {ssl_imp, new},
> {fail_if_no_peer_cert, true},
> {verify_fun, fun(Errors) -> io:format(user, "~p~n", [Errors]), false end},
> {cacertfile, "/tmp/somecacert"}]).
>
>
To begin with I would like to point out that fail_if_no_peer_cert is a
server option.
From the doc:
"{fail_if_no_peer_cert, boolean()}
Used together with {verify, verify_peer} by an ssl server. If set to
true, the server will fail if the client does not have a certificate
to send, i.e. sends an empty certificate; if set to false it will only
fail if the client sends an invalid certificate (an empty certificate
is considered valid)."
{verify, 2}
works for backwards compatibility reasons and should be equivalent to
[{verify, verify_peer}, {fail_if_no_peer_cert, true}]
For the client to fail on certificate errors, this can be done in two ways.
[{verify, verify_peer}] will fail the client at all certificate path
errors, or [{verify, verify_none}, {verify_fun, Fun}]
will fail the client for all path validation errors of the application's
choice. The default verify_fun will accept {bad_cert, unknown_ca}
errors. (On a side note, I now remember the reason is to try to
resemble openssl.)
> Unfortunately, all connect attempts succeed.
>
>
This patch to public_key should help that problem.
index 95c3d71..06d8d2b 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -447,6 +447,21 @@ pkix_normalize_name(Issuer) ->
{error, {bad_cert, Reason :: term()}}.
%% Description: Performs a basic path validation according to RFC 5280.
%%--------------------------------------------------------------------
+pkix_path_validation(#'OTPCertificate'{} = TrustedCert, [], Options) ->
+ case proplists:get_value(verify, Options, true) of
+ true ->
+ {error, {bad_cert, unknown_ca}};
+ false ->
+ DummyState =
#path_validation_state{working_public_key_algorithm = 'NULL'},
+ #path_validation_state{working_public_key_algorithm
+ = Algorithm,
+ working_public_key = PublicKey,
+ working_public_key_parameters =
PublicKeyParams
+ } =
+ pubkey_cert:prepare_for_next_cert(TrustedCert, DummyState),
+ {ok, {{Algorithm, PublicKey, PublicKeyParams}, [],
[{bad_cert, unknown_ca}]}}
+ end;
+
pkix_path_validation(TrustedCert, CertChain, Options)
when is_binary(TrustedCert) ->
OtpCert = pkix_decode_cert(TrustedCert, otp),
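Review bot: the new `verify` option and the changed ok-tuple are undocumented; the `-spec` and the `%% Description:` comment directly above the new clause still only mention `{error, {bad_cert, Reason :: term()}}`, so add a sentence saying that `proplists:get_value(verify, Options, true)` defaults to failing on an untrusted root and that with `{verify, false}` the call now returns `{ok, {{Algorithm, PublicKey, PublicKeyParams}, [], [{bad_cert, unknown_ca}]}}` so the caller (ssl's verify_fun) can decide. Two further things to check: the new clause only matches a decoded `#'OTPCertificate'{}`, so a DER binary trusted cert with an empty chain goes to the `when is_binary(TrustedCert)` clause and the elided part must re-dispatch to this one after `pkix_decode_cert` for the option to take effect; and a boolean option named `verify` in public_key is easy to confuse with ssl's `verify_peer`/`verify_none` option discussed in this thread, so either a more specific name or an explicit note on the mapping would help.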
[...]
Regards Ingela
Erlang/OTP team - Ericsson AB
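The two client configurations described in the reply above, as an added Erlang example that is not code from the thread; the one-argument verify_fun shape and the {ssl_imp, new} option are taken from the quoted request, and the host, port and CA file path are placeholders supplied by the caller.

```erlang
%% Added example (not from the thread): a client that refuses a server whose
%% certificate does not chain to a CA in CAcertFile, e.g. a self-signed server
%% cert. Assumes the 2010-era ssl options used in this thread.
-module(ssl_client_verify).
-export([connect_strict/3, connect_with_fun/3, strict_verify_fun/1]).

%% Option 1 from the reply: {verify, verify_peer} fails the handshake on any
%% certificate path error, including {bad_cert, unknown_ca} for a self-signed
%% server certificate that is not present in CAcertFile.
connect_strict(Host, Port, CAcertFile) ->
    ssl:connect(Host, Port,
                [{verify, verify_peer},
                 {depth, 1},
                 {cacertfile, CAcertFile},
                 {ssl_imp, new}],
                5000).

%% Option 2 from the reply: {verify, verify_none} plus an application-supplied
%% verify_fun. The default verify_fun accepts {bad_cert, unknown_ca}, which is
%% why the quoted self-signed setup connected; this fun rejects every error.
connect_with_fun(Host, Port, CAcertFile) ->
    ssl:connect(Host, Port,
                [{verify, verify_none},
                 {verify_fun, fun strict_verify_fun/1},
                 {depth, 1},
                 {cacertfile, CAcertFile},
                 {ssl_imp, new}],
                5000).

%% Accept only when there are no path validation errors; log and reject
%% otherwise, so an unknown CA is never silently accepted.
strict_verify_fun([]) ->
    true;
strict_verify_fun(Errors) ->
    error_logger:error_msg("rejecting server certificate: ~p~n", [Errors]),
    false.
```

Both functions return {error, _} against a server presenting a self-signed certificate that is not in CAcertFile, and {ok, Socket} only once the server's certificate chains to a trusted CA.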