[erlang-bugs] possible bug in ssl and/or public_key module (R13 and R14)
Filipe David Manana
fdmanana@REDACTED
Mon Sep 20 12:40:28 CEST 2010
On Mon, Sep 20, 2010 at 11:05 AM, Ingela Anderton Andin <
ingela@REDACTED> wrote:
> Hi!
>
>> 2) Trying to do this on Ubuntu:
>>
>> {cacertfile, "/etc/ssl/certs/ca-certificates.crt"}
>>
>> That file is a list of PEM encoded certificates:
>>
>> $ file /etc/ssl/certs/ca-certificates.crt
>> /etc/ssl/certs/ca-certificates.crt: PEM certificate
>>
>> However I get the following exception when I pass that option:
>>
>> ** exception error: no match of right hand side value {error,ecacertfile}
>> in function ssl_test:test/0
>>
>> =ERROR REPORT==== 17-Sep-2010::18:33:04 ===
>> SSL: 1056: error:{error,
>> {badmatch,
>> {error,
>> {asn1,
>> {'Type not compatible with table constraint',
>> {{badmatch,{error,{asn1,{wrong_tag,{5,16}}}}},
>> [{'OTP-PUB-KEY','dec_Dss-Parms',2},
>> {'OTP-PUB-KEY',dec_SignatureAlgorithm,2},
>> {'OTP-PUB-KEY',dec_OTPTBSCertificate,2},
>> {'OTP-PUB-KEY',dec_OTPCertificate,2},
>> {'OTP-PUB-KEY',decode,2},
>> {pubkey_cert_records,decode_cert,1},
>> {public_key,pkix_decode_cert,2},
>> {ssl_certificate_db,add_certs,3}]}}}}}}
>> /etc/ssl/certs/ca-certificates.crt
>> [{ssl_connection,init_certificates,2},
>> {ssl_connection,ssl_init,2},
>> {ssl_connection,init,1},
>> {gen_fsm,init_it,6},
>> {proc_lib,init_p_do_apply,3}]
>>
>> Is this a bug? The ssl man page mentions the file is in the PEM format.
>> The file contents can be looked at:
>> http://friendpaste.com/4lQn7yihrUa4fE2Vs4u7JS
>>
> I have not verified this yet, but I think this looks like a bug in
> public_key that I have been working on solving that has to do with that
> certs may inherit DSS-Params from their issuer.

The weird thing is that I can use this certificates file with the old ssl
implementation (default on R13 and R12 releases) on R13B03 and R13B04 at
least.
So I definitely consider this a regression :(
>
>
>> 3) For the verify function, it receives {bad_cert, unknown_ca} when a
>> certificate is self-signed? I would like to distinguish between unknown CAs
>> and self-signed certificates (certificate signed by the target host).
>>
> I think you have a point here; we will look into this.

I think this would be very useful - to distinguish between an unknown CA
(not listed in the trusted certificates file) and a certificate that was
self-signed by the server.
Thanks for all the answers and for looking into this.
best regards,
>
> Regards Ingela Erlang/OTP- team - Ericsson AB
--
Filipe David Manana,
fdmanana@REDACTED, fdmanana@REDACTED
"Reasonable men adapt themselves to the world.
Unreasonable men adapt the world to themselves.
That's why all progress depends on unreasonable men."
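
Added example, not part of the original message and not code from the OTP team: a diagnostic for the two points discussed above. It decodes each entry of a PEM bundle on its own, so a single undecodable certificate is reported by position instead of failing the whole cacertfile, and it classifies a DER certificate as self-signed or issued by another party. The module and function names are hypothetical, and it assumes an OTP release that provides public_key:pem_decode/1 and public_key:pkix_is_self_signed/1.

```erlang
%% Added example; module and function names are hypothetical.
%% Assumes public_key:pem_decode/1 and public_key:pkix_is_self_signed/1 exist
%% in the OTP release in use.
-module(cabundle_check).
-export([scan/1, classify/1]).

%% Read a PEM bundle and classify every certificate entry separately.
%% Returns [{Index, Result}], where Index is the 1-based position of the
%% certificate in the file.
scan(PemPath) ->
    {ok, Bin} = file:read_file(PemPath),
    Ders = [Der || {'Certificate', Der, not_encrypted}
                       <- public_key:pem_decode(Bin)],
    scan(Ders, 1, []).

scan([], _N, Acc) ->
    lists:reverse(Acc);
scan([Der | Rest], N, Acc) ->
    scan(Rest, N + 1, [{N, classify(Der)} | Acc]).

%% Classify one DER-encoded certificate:
%%   self_signed         - pkix_is_self_signed/1 returned true
%%   issued_by_other     - decodes fine, issued by a different party
%%   {decode_failed, _}  - the 'otp' decode raised, as in the error
%%                         report quoted in the thread
classify(Der) ->
    try public_key:pkix_decode_cert(Der, otp) of
        OtpCert ->
            case public_key:pkix_is_self_signed(OtpCert) of
                true -> self_signed;
                false -> issued_by_other
            end
    catch
        Class:Reason ->
            {decode_failed, {Class, Reason}}
    end.
```

Calling cabundle_check:scan("/etc/ssl/certs/ca-certificates.crt") and filtering for decode_failed tuples gives the positions of the entries that the decoder rejects.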