[erlang-bugs] possible bug in ssl and/or public_key module (R13 and R14)

Filipe David Manana fdmanana@REDACTED
Mon Sep 20 12:40:28 CEST 2010


On Mon, Sep 20, 2010 at 11:05 AM, Ingela Anderton Andin <
ingela@REDACTED> wrote:

> Hi!
>
>  2) Trying to do this on Ubuntu:
>>
>> {cacertfile, "/etc/ssl/certs/ca-certificates.crt"}
>>
>> That file is a list of PEM-encoded certificates:
>>
>> $ file /etc/ssl/certs/ca-certificates.crt
>> /etc/ssl/certs/ca-certificates.crt: PEM certificate
>>
>> However I get the following exception when I pass that option:
>>
>> ** exception error: no match of right hand side value {error,ecacertfile}
>>     in function  ssl_test:test/0
>>
>> =ERROR REPORT==== 17-Sep-2010::18:33:04 ===
>> SSL: 1056: error:{error,
>>                  {badmatch,
>>                   {error,
>>                    {asn1,
>>                     {'Type not compatible with table constraint',
>>                      {{badmatch,{error,{asn1,{wrong_tag,{5,16}}}}},
>>                       [{'OTP-PUB-KEY','dec_Dss-Parms',2},
>>                        {'OTP-PUB-KEY',dec_SignatureAlgorithm,2},
>>                        {'OTP-PUB-KEY',dec_OTPTBSCertificate,2},
>>                        {'OTP-PUB-KEY',dec_OTPCertificate,2},
>>                        {'OTP-PUB-KEY',decode,2},
>>                        {pubkey_cert_records,decode_cert,1},
>>                        {public_key,pkix_decode_cert,2},
>>                        {ssl_certificate_db,add_certs,3}]}}}}}}
>> /etc/ssl/certs/ca-certificates.crt
>>  [{ssl_connection,init_certificates,2},
>>   {ssl_connection,ssl_init,2},
>>   {ssl_connection,init,1},
>>   {gen_fsm,init_it,6},
>>   {proc_lib,init_p_do_apply,3}]
>>
>> Is this a bug? The ssl man page mentions the file is in the PEM format.
>> The file contents can be looked at:
>> http://friendpaste.com/4lQn7yihrUa4fE2Vs4u7JS
>>
> I have not verified this yet, but I think this looks like a bug in
> public_key that I have been working on solving, which has to do with the
> fact that certs may inherit DSS-Params from their issuer.



The weird thing is that I can use this certificate file with the old ssl
implementation (default on R13 and R12 releases) on R13B03 and R13B04 at
least.
So I definitely consider this a regression :(


>
>
>  3) For the verify function, it receives {bad_cert, unknown_ca} when a
>> certificate is self-signed? I would like to distinguish between unknown CAs
>> and self-signed certificates (certificate signed by the target host).
>>
> I think you have a point here; we will look into this.


I think this would be very useful - to distinguish between an unknown CA
(not listed in the trusted certificates file) and a certificate that was
self-signed by the server.


Thanks for all the answers and for looking into this.

Best regards,


>
> Regards Ingela Erlang/OTP- team - Ericsson AB
>
>
>
>
> ________________________________________________________________
> erlang-bugs (at) erlang.org mailing list.
> See http://www.erlang.org/faq.html
> To unsubscribe; mailto:erlang-bugs-unsubscribe@REDACTED
>
>


-- 
Filipe David Manana,
fdmanana@REDACTED, fdmanana@REDACTED

"Reasonable men adapt themselves to the world.
 Unreasonable men adapt the world to themselves.
 That's why all progress depends on unreasonable men."
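Two checks a practitioner would want after reading this thread, as an added example that is not code from the thread, from OTP or from either poster: an escript that walks a PEM bundle such as /etc/ssl/certs/ca-certificates.crt, tries to decode each certificate into the otp record form that ssl uses (the step that fails above inside ssl_certificate_db:add_certs/3), and lists the certificates it cannot decode so the offending entries can be removed or reported; and a verify_fun that separates a self-signed peer certificate from a certificate issued by a CA that is simply not in the cacertfile. It assumes a current OTP release (public_key:pem_decode/1, public_key:pkix_decode_cert/2, public_key:pkix_is_self_signed/1, crypto:hash/2 and the three-argument ssl verify_fun); the R13/R14 releases discussed in the thread do not all provide this API.

```erlang
#!/usr/bin/env escript
%% Added example, not code from the thread or from OTP. Assumes a current
%% OTP release: public_key:pem_decode/1, public_key:pkix_decode_cert/2,
%% public_key:pkix_is_self_signed/1, crypto:hash/2 and the three-argument
%% ssl verify_fun ({verify_fun, {Fun, InitialState}}).

main([BundlePath]) ->
    {ok, Pem} = file:read_file(BundlePath),
    %% pem_decode/1 returns {'Certificate', Der, not_encrypted} per entry.
    Ders = [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)],
    Results = [try_decode(Der) || Der <- Ders],
    Failed = [R || {failed, _, _} = R <- Results],
    io:format("~B certificates in bundle, ~B failed to decode~n",
              [length(Ders), length(Failed)]),
    lists:foreach(fun({failed, Fingerprint, Reason}) ->
                          io:format("  sha1=~s~n    ~p~n", [Fingerprint, Reason])
                  end, Failed),
    halt(case Failed of [] -> 0; _ -> 1 end);
main(_) ->
    io:format("usage: check_bundle.escript /etc/ssl/certs/ca-certificates.crt~n"),
    halt(2).

%% Decode one DER certificate into the otp record form. A crash here is
%% the same failure ssl surfaces as {error, ecacertfile} when the whole
%% cacertfile is loaded, so this isolates the entry that triggers it.
try_decode(Der) ->
    try public_key:pkix_decode_cert(Der, otp) of
        _OtpCert -> ok
    catch
        Class:Reason -> {failed, fingerprint(Der), {Class, Reason}}
    end.

%% SHA-1 over the raw DER so a bad entry can be named without decoding it.
fingerprint(Der) ->
    lists:flatten([io_lib:format("~2.16.0b", [B]) || <<B>> <= crypto:hash(sha, Der)]).

%% verify_fun for ssl:connect/3, e.g.
%%   ssl:connect(Host, 443, [{verify, verify_peer},
%%                           {cacertfile, Bundle},
%%                           {verify_fun, verify_fun()}]).
%% ssl reports a self-signed peer certificate as {bad_cert, unknown_ca};
%% the callback asks public_key whether the certificate signed itself and
%% fails with a distinct reason in that case.
verify_fun() ->
    Fun = fun(OtpCert, {bad_cert, unknown_ca}, _State) ->
                  case public_key:pkix_is_self_signed(OtpCert) of
                      true  -> {fail, self_signed_peer};
                      false -> {fail, unknown_ca}
                  end;
             (_OtpCert, {bad_cert, _} = Reason, _State) -> {fail, Reason};
             (_OtpCert, {extension, _}, State) -> {unknown, State};
             (_OtpCert, valid, State) -> {valid, State};
             (_OtpCert, valid_peer, State) -> {valid, State}
          end,
    {Fun, []}.
```

Run it as `escript check_bundle.escript /etc/ssl/certs/ca-certificates.crt`; a non-zero exit means at least one entry in the bundle cannot be decoded by public_key, and the printed reason will match the asn1 error in the report above when the cause is the inherited DSS-Parms case. The verify_fun still rejects both kinds of certificate; it only changes the reason returned to the caller, which is what is needed to tell the two cases apart.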

