[erlang-bugs] SSL client certificate verify problems (RSA)

Per Andersson <>
Wed Oct 13 15:57:19 CEST 2010


Thanks for your quick response!

On Wed, Oct 13, 2010 at 10:01 AM, Ingela Anderton Andin
<> wrote:
> Hi!
> Per Andersson wrote:
>> Hi!
>> When setting #ssl.verify = 2 (verify = verify_peer, fail_if_no_peer_cert = true;
>> if I understand correctly), and the client sends a certificate the SSL
>> connection crashes.
>> The investigation I have made indicates that this happens when
>> ssl_handshake:certificate_verify/6 is called, because PublicKey seems to be an
>> integer() and public_key:decrypt_public/3 assumes PublicKey is a
>> #'RSAPublicKey'.
>> Should public_key:decrypt_public/3 be extended to also take PublicKey formatted
>> as an integer()?
> If the public key is an integer it suggests it is a dsa-key and not an
> rsa-key, and it should not have ended up calling
> public_key:decrypt_public/3 rather calling public_key:verify/4.

I understand.

From what I can see the client cert is DSA (pubkey) and RSA (encryption).
Can this be the pressing issue?

> Could you provide us with a way to repeat the problem? (Some dummy cert and
> keys perhaps?).

I am using RBS WorldPay's client certs, obviously I don't have the key for
this... CA and client certs attached, they are also available online


Best regards,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bibit.ca.pem
Type: application/octet-stream
Size: 1415 bytes
Desc: not available
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20101013/a66d687a/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bibit.client.pem
Type: application/octet-stream
Size: 1773 bytes
Desc: not available
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20101013/a66d687a/attachment-0001.obj>
