[erlang-bugs] possible bug in ssl and/or public_key module (R13 and R14)

Filipe David Manana fdmanana@REDACTED
Fri Sep 17 14:04:59 CEST 2010


Both approaches worked for me:

1) adding {depth, 3}   (weird that it's necessary when {verify, verify_none}
is passed)

2) adding the verify_fun option that Ingela wrote

thank you both

On Fri, Sep 17, 2010 at 9:19 AM, Ingela Anderton Andin <
ingela@REDACTED> wrote:

> Hi!
>
> Humm ...
>
> I get this result running your program:
>
> Erlang R14B (erts-5.8.1) [source] [smp:4:4] [rq:4] [async-threads:0]
> [kernel-poll:false]
>
>
> Eshell V5.8.1  (abort with ^G)
> 1> c(ssl_test).
> {ok,ssl_test}
> 2> ssl_test:test().
>
> =ERROR REPORT==== 17-Sep-2010::09:22:46 ===
> SSL: certify_certificate: ./ssl_handshake.erl:570:Fatal error: certificate
> expired
> ** exception error: no match of right hand side value {error,"certificate
> expired"}
>    in function  ssl_test:test/0
>
>
> Did you run your test on a github version of a R14B to be? I do not see how
> you could get
> a completely different error.
>
> If I do
>
> FunAndState = {fun(_, {bad_cert, unknown_ca}, UserState) -> {valid, UserState};
>                   (_, {bad_cert, cert_expired}, UserState) -> {valid, UserState};
>                   (_, {bad_cert, _} = Reason, _) -> {fail, Reason};
>                   (_, {extension, _}, UserState) -> {unknown, UserState};
>                   (_, valid, UserState) -> {valid, UserState}
>                end, []}.
>
> ssl:connect("couchdb.staging.one.ubuntu.com", 443, [{verify, verify_peer},
>             {verify_fun, FunAndState}]).
>
> I get a connection. (I.e I accept that the certificate has expired)
>
> However, ssl:connect("couchdb.staging.one.ubuntu.com", 443, [{verify, 0},
> {ssl_imp, old}]).
>
> will give a connection, so it seems {verify, 0} is more forgiving than
> {verify, verify_none}, which only allows the path error unknown_ca
> at the moment; maybe we have to rethink that for backwards compatibility
> reasons.
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
> Filipe David Manana wrote:
>
>> When connecting to a particular server, through an ssl socket, I always get
>> the error:
>>
>> Erlang R14B (erts-5.8.1) [source] [smp:2:2] [rq:2] [async-threads:0]
>> [hipe]
>> [kernel-poll:false]
>>
>> Eshell V5.8.1  (abort with ^G)
>> 1> c(test_ssl).
>> {ok,test_ssl}
>> 2> test_ssl:test().
>>
>> =ERROR REPORT==== 17-Sep-2010::02:07:25 ===
>> SSL: certify_certificate: ./ssl_handshake.erl:502:Fatal error: handshake
>> failure
>> ** exception error: no match of right hand side value {error,esslconnect}
>>     in function  test_ssl:test/0
>> 3>
>>
>> However, if I pick up another server, like www.cia.gov:443 or
>> www.facebook.com:443 for example, it succeeds (with exactly the same ssl
>> options passed to ssl:connect/3).
>> Also tested with R13B03 and R13B04 and got the same results (only modified
>> value of option verify from verify_none to 0).
>>
>> The code to test this eventual bug is:
>>
>> -module(test_ssl).
>> -compile(export_all).
>>
>> -define(HOST, "couchdb.staging.one.ubuntu.com").
>> % -define(HOST, "www.cia.gov").
>>
>> test() ->
>>     Body = iolist_to_binary([
>>         "GET / HTTP/1.1\r\n",
>>         "Host: ", ?HOST, "\r\n",
>>         "Accept: */*\r\n",
>>         "Connection: close\r\n", "\r\n"
>>     ]),
>>     application:start(crypto),
>>     application:start(public_key),
>>     application:start(ssl),
>>     Options = [
>>         {ssl_imp, new},
>>         binary,
>>         {nodelay, true},
>>         {active, false},
>>         {verify, verify_none}
>>         % {verify_fun, fun(_) -> true end},
>>     ],
>>     {ok, S} = ssl:connect(?HOST, 443, Options),
>>     ok = ssl:send(S, Body),
>>     loop(S),
>>     ssl:close(S).
>>
>> %% Read the response one message at a time until the peer closes.
>> loop(S) ->
>>     ssl:setopts(S, [{active, once}]),
>>     receive
>>         {ssl, S, Data} ->
>>             io:format("received data:  ~p~n", [Data]),
>>             loop(S);
>>         {ssl_closed, S} ->
>>             io:format("socket closed~n", []);
>>         {ssl_error, S, Error} ->
>>             io:format("socket error:  ~p~n", [Error])
>>     end.
>>
>>
>> cheers
>>
>>
>>
>
>
>


-- 
Filipe David Manana,
fdmanana@REDACTED, fdmanana@REDACTED

"Reasonable men adapt themselves to the world.
 Unreasonable men adapt the world to themselves.
 That's why all progress depends on unreasonable men."

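Added example, not code from the thread or from Erlang/OTP: the verify_fun that Ingela posted accepts both unknown_ca and cert_expired, so it no longer anchors the chain at a trusted CA. The module below shows the narrower version a practitioner would usually want with the R14 ssl API: the chain must still validate against a CA bundle, and only the path errors listed in the user state (here cert_expired) are overridden; every other {bad_cert, _} fails closed. The module name, the host, the CA bundle path and the 5-second timeout are assumptions; the valid_peer clause covers an event emitted by later OTP releases and is harmless on R14.

```erlang
%% Added example (not from the thread): tolerate only an expired leaf
%% certificate while still requiring a trusted CA chain.
-module(ssl_tolerant_verify).
-export([connect/2, verify/3]).

%% Verification callback for the R14 ssl {verify_fun, {Fun, InitialState}}
%% option. The user state is the list of path-validation failures we are
%% prepared to override; anything else fails closed.
verify(_OtpCert, {bad_cert, Reason}, Tolerated) ->
    case lists:member(Reason, Tolerated) of
        true ->
            error_logger:warning_msg("ssl: overriding ~p for peer~n", [Reason]),
            {valid, Tolerated};
        false ->
            %% e.g. unknown_ca, invalid_signature: reject the handshake
            {fail, Reason}
    end;
verify(_OtpCert, {extension, _Ext}, Tolerated) ->
    %% Leave unhandled extensions to public_key's default processing.
    {unknown, Tolerated};
verify(_OtpCert, valid, Tolerated) ->
    {valid, Tolerated};
verify(_OtpCert, valid_peer, Tolerated) ->
    %% Emitted for the leaf certificate by later OTP releases (assumption:
    %% not seen on R14, so this clause is simply never hit there).
    {valid, Tolerated}.

%% Connect to Host:443, trusting only the CAs in CaCertFile and tolerating
%% only an expired leaf certificate. Assumed inputs:
%%   Host       - e.g. "couchdb.staging.one.ubuntu.com"
%%   CaCertFile - path to a PEM bundle holding the issuing CA(s)
connect(Host, CaCertFile) ->
    application:start(crypto),
    application:start(public_key),
    application:start(ssl),
    Opts = [binary,
            {active, false},
            {verify, verify_peer},
            {cacertfile, CaCertFile},
            {depth, 3},
            {verify_fun, {fun ?MODULE:verify/3, [cert_expired]}}],
    ssl:connect(Host, 443, Opts, 5000).
```

Usage from the shell: ssl_tolerant_verify:connect("couchdb.staging.one.ubuntu.com", "/etc/ssl/certs/ca-bundle.pem"). With a CA bundle that does not contain the issuer, the connect returns {error, _} instead of silently succeeding, which is the difference between this and {verify, verify_none} or a verify_fun that also accepts unknown_ca. The override is logged so it shows up in the error report when it is exercised.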
