[erlang-bugs] possible bug in ssl and/or public_key module (R13 and R14)

Filipe David Manana fdmanana@REDACTED
Mon Sep 20 12:44:46 CEST 2010


Another thing to point out is that in my code (actually CouchDB), using the old
ssl implementation, I sometimes get the following exception thrown from the
ssl module:

[Thu, 16 Sep 2010 00:10:34 GMT] [error] [<0.604.0>] ** Generic server
<0.604.0> terminating
** Last message in was {tcp,#Port<0.2288>,

 <<"\r\n6d\r\n,\n{\"seq\":70,\"id\":\"97b36d5003934d0c9dd58057b05fa167\",\"changes\":[{\"rev\":\"1-0d6deda5b380ae207ba87a7a3a32d0a1\"}]}\r\n6d\r\n,\n{\"seq\":71,\"id\":\"8a1c475b8dc5426e9172d6b970ae7c03\",\"changes\":[{\"rev\":\"1-72851f645fb6ab77f36866cbe505d82c\"}]}\r\n6d\r\n,\n{\"seq\":72,\"id\":\"fdb1d5b1c5b24ce481463ad668c13c40\",\"changes\":[{\"rev\":\"1-c37b5444eec8375631c326a0e77ca427\"}]}\r\n6d\r\n,\n{\"seq\":73,\"id\":\"b612465dafc44699b09d8bef5d4d4d8d\",\"changes\":[{\"rev\":\"1-be951f78ba830f5a1002abe0ce479c2d\"}]}\r\n6d\r\n,\n{\"seq\":74,\"id\":\"d2c2b5a771ef4b57b6d58fce2808cf7c\",\"changes\":[{\"rev\":\"1-c628443ff4dd7c3d9b4fd226727e2841\"}]}\r\n6d\r\n,\n{\"seq\":75,\"id\":\"8d669c377f08442981ce2d18a21d920b\",\"changes\":[{\"rev\":\"1-6db3a14c76701b87b0686412093ac103\"}]}\r\n6d\r\n,\n{\"seq\":76,\"id\":\"367bf0948d9d459582d187c9232844b8\",\"changes\":[{\"rev\":\"1-16ae7cf1c04c4f7c024493de1f18c8ed\"}]}\r\n6d\r\n,\n{\"seq\":77,\"id\":\"f2c805327ae740098e5db221c3f27b4b\",\"changes\":[{\"rev\":\"1-b22aa541f7e353a4cd430a9293239c77\"}]}\r\n6d\r\n,\n{\"seq\":78,\"id\":\"6ddf8033cec845c8986ee4bd03ff8ed6\",\"changes\":[{\"rev\":\"1-23f5957d250f5079277e6e4a86def1f1\"}]}\r\n6d\r\n,\n{\"seq\":79,\"id\":\"738365bd4fed44158516211847c13616\",\"changes\":[{\"rev\":\"1-6dcd375366f107fb2575c8eda6c6bdec\"}]}\r\n6d\r\n,\n{\"seq\":80,\"id\":\"2d66c797761b4506934d00b2fd260f90\",\"changes\":[{\"rev\":\"1-cc7dddd31fd753a9b4577607ce321cef\"}]}\r\n6d\r\n,\n{\"seq\":81,\"id\":\"0c01c012d4f540a3a015d57681a0af4f\",\"changes\":[{\"rev\":\"1-ff288fbba546fbfbf78c602e2fa39ea2\"}]}\r\n6d\r\n,\n{\"seq\":82,\"id\":\"dc8a7ff04d37428ea83c3515a801bd32\",\"changes\":[{\"rev\":\"1-2">>}
** When Server state ==
{st,connector,<0.119.0>,<0.603.0>,<0.603.0>,11,false,
                           [{mode,binary},
                            {nodelay,true},
                            {active,once},
                            {packet,0},
                            {ip,{0,0,0,0}},
                            {verify,0},
                            {depth,1}],
                           {sslsocket,11,<0.604.0>},
                           #Port<0.2288>,nil,open,false,false}

With the new ssl implementation I don't get this exception anymore. On the
other hand, I have that issue of not being able to use the PEM certificates
file (cacertfile option), therefore being forced to not use certificate
validation :(

cheers


On Mon, Sep 20, 2010 at 11:40 AM, Filipe David Manana <fdmanana@REDACTED> wrote:
>
> On Mon, Sep 20, 2010 at 11:05 AM, Ingela Anderton Andin <ingela@REDACTED> wrote:
>>
>> Hi!
>>
>>> 2) Trying to do this on Ubuntu:
>>>
>>> {cacertfile, "/etc/ssl/certs/ca-certificates.crt"}
>>>
>>> That file is a list of PEM encoded certificates:
>>>
>>> $ file /etc/ssl/certs/ca-certificates.crt
>>> /etc/ssl/certs/ca-certificates.crt: PEM certificate
>>>
>>> However I get the following exception when I pass that option:
>>>
>>> ** exception error: no match of right hand side value {error,ecacertfile}
>>>     in function  ssl_test:test/0
>>>
>>> =ERROR REPORT==== 17-Sep-2010::18:33:04 ===
>>> SSL: 1056: error:{error,
>>>                  {badmatch,
>>>                   {error,
>>>                    {asn1,
>>>                     {'Type not compatible with table constraint',
>>>                      {{badmatch,{error,{asn1,{wrong_tag,{5,16}}}}},
>>>                       [{'OTP-PUB-KEY','dec_Dss-Parms',2},
>>>                        {'OTP-PUB-KEY',dec_SignatureAlgorithm,2},
>>>                        {'OTP-PUB-KEY',dec_OTPTBSCertificate,2},
>>>                        {'OTP-PUB-KEY',dec_OTPCertificate,2},
>>>                        {'OTP-PUB-KEY',decode,2},
>>>                        {pubkey_cert_records,decode_cert,1},
>>>                        {public_key,pkix_decode_cert,2},
>>>                        {ssl_certificate_db,add_certs,3}]}}}}}}
>>> /etc/ssl/certs/ca-certificates.crt
>>>  [{ssl_connection,init_certificates,2},
>>>   {ssl_connection,ssl_init,2},
>>>   {ssl_connection,init,1},
>>>   {gen_fsm,init_it,6},
>>>   {proc_lib,init_p_do_apply,3}]
>>>
>>> Is this a bug? The ssl man page mentions the file is in the PEM format.
>>> The file contents can be looked at:
>>> http://friendpaste.com/4lQn7yihrUa4fE2Vs4u7JS
>>>
>> I have not verified this yet, but I think this looks like a bug in
>> public_key that I have been working on solving that has to do with that
>> certs may inherit DSS-Params from their issuer.
>
> The weird thing is that I can use this certificate file with the old ssl
> implementation (default on R13 and R12 releases) on R13B03 and R13B04 at
> least.
> So I definitely consider this a regression :(
>
>>
>>
>>> 3) For the verify function, it receives {bad_cert, unknown_ca} when a
>>> certificate is self-signed? I would like to distinguish between unknown CAs
>>> and self-signed certificates (certificate signed by the target host).
>>>
>> I think you have a point here we will look in to this.
>
> I think this would be very useful - to distinguish between an unknown CA
> (not listed in the trusted certificates file) and a certificate that was
> self-signed by the server.
>
>
> Thanks for all the answers and for looking into this.
>
> best regards,
>
>>
>>
>> Regards Ingela Erlang/OTP- team - Ericsson AB
>>
>>
>>
>>
>> ________________________________________________________________
>> erlang-bugs (at) erlang.org mailing list.
>> See http://www.erlang.org/faq.html
>> To unsubscribe; mailto:erlang-bugs-unsubscribe@REDACTED
>>
>
>
>
> --
> Filipe David Manana,
> fdmanana@REDACTED, fdmanana@REDACTED
>
> "Reasonable men adapt themselves to the world.
>  Unreasonable men adapt the world to themselves.
>  That's why all progress depends on unreasonable men."
>



--
Filipe David Manana,
fdmanana@REDACTED, fdmanana@REDACTED

"Reasonable men adapt themselves to the world.
 Unreasonable men adapt the world to themselves.
 That's why all progress depends on unreasonable men."
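The following module is an added example illustrating the two problems discussed in the thread above; it is not code from the thread, from CouchDB or from OTP. It decodes a PEM CA bundle one certificate at a time so that a single entry public_key cannot decode is reported by position instead of making the whole cacertfile unusable, and it supplies a verify_fun that tells a self-signed peer certificate apart from an issuer that is simply missing from the bundle. It assumes the ssl verify_fun API that delivers {bad_cert, Reason}, {extension, Ext}, valid and valid_peer events together with a user state (available in R14B and later, not in the R13 ssl implementation the thread mentions); the bundle path is the Ubuntu one quoted above, and the atoms self_signed_peer and untrusted_root_ca are names chosen here.

```erlang
%% cacert_check.erl
%%
%% Added example, not code from the thread, CouchDB or OTP.
%% Assumptions: the ssl verify_fun API with {bad_cert, Reason}, {extension, Ext},
%% valid and valid_peer events and a user state (R14B and later); the bundle
%% path below is the Ubuntu path quoted in the thread.
-module(cacert_check).
-export([decode_bundle/1, verify_fun/3, connect/2]).

-include_lib("public_key/include/public_key.hrl").

-define(CA_BUNDLE, "/etc/ssl/certs/ca-certificates.crt").

%% Decode each certificate in a PEM bundle separately, so that one entry that
%% public_key cannot decode (the thread's case: a DSA certificate whose
%% Dss-Parms are inherited from the issuer) is reported by its index instead
%% of turning the whole file into {error, ecacertfile}.
%% Returns {Decoded, Failed}: Decoded is a list of {Index, Der, OtpCert},
%% Failed a list of {Index, Class, Reason}.
decode_bundle(Path) ->
    {ok, Pem} = file:read_file(Path),
    Ders = [Der || {'Certificate', Der, not_encrypted}
                       <- public_key:pem_decode(Pem)],
    Indexed = lists:zip(lists:seq(1, length(Ders)), Ders),
    {Ok, Bad} =
        lists:foldl(
          fun({Idx, Der}, {Ok0, Bad0}) ->
                  try public_key:pkix_decode_cert(Der, otp) of
                      OtpCert -> {[{Idx, Der, OtpCert} | Ok0], Bad0}
                  catch
                      Class:Reason -> {Ok0, [{Idx, Class, Reason} | Bad0]}
                  end
          end, {[], []}, Indexed),
    {lists:reverse(Ok), lists:reverse(Bad)}.

%% True if the certificate carries basicConstraints with cA = true, i.e. it
%% claims to be a CA rather than an end-entity (server) certificate.
is_ca(#'OTPCertificate'{tbsCertificate = TBS}) ->
    case TBS#'OTPTBSCertificate'.extensions of
        Exts when is_list(Exts) ->
            lists:any(
              fun(#'Extension'{extnID = ?'id-ce-basicConstraints',
                               extnValue = #'BasicConstraints'{cA = CA}}) ->
                      CA =:= true;
                 (_) ->
                      false
              end, Exts);
        _ ->
            false
    end.

%% verify_fun for ssl:connect/4. ssl reports both an issuer missing from the
%% bundle and a self-signed peer certificate as {bad_cert, unknown_ca}; the
%% split asked for in the thread is made here by checking whether the
%% certificate signed itself and whether it claims to be a CA.
verify_fun(Cert, {bad_cert, unknown_ca}, _State) ->
    case {public_key:pkix_is_self_signed(Cert), is_ca(Cert)} of
        {true, false} -> {fail, self_signed_peer};   % server signed its own cert
        {true, true}  -> {fail, untrusted_root_ca};  % self-signed CA not in bundle
        {false, _}    -> {fail, unknown_ca}          % issuer not in bundle
    end;
verify_fun(_Cert, {bad_cert, Reason}, _State) ->
    {fail, Reason};
verify_fun(_Cert, {extension, _Ext}, State) ->
    {unknown, State};
verify_fun(_Cert, valid, State) ->
    {valid, State};
verify_fun(_Cert, valid_peer, State) ->
    {valid, State}.

%% Connect with peer verification against the system bundle, routing the
%% verification events through verify_fun/3. Returns {ok, Socket} on success
%% or {error, Reason} when the handshake is rejected.
connect(Host, Port) ->
    ssl:connect(Host, Port,
                [binary, {active, false},
                 {verify, verify_peer},
                 {cacertfile, ?CA_BUNDLE},
                 {verify_fun, {fun verify_fun/3, []}}],
                5000).
```

Calling cacert_check:decode_bundle("/etc/ssl/certs/ca-certificates.crt") from the shell narrows the ecacertfile failure down to the offending entries, since the Failed list carries the same asn1 reason ssl buries in its error report. Two caveats on the verify_fun: ssl hands the unknown_ca event to the topmost certificate of the chain the peer sent, so a self-signed root that belongs to a longer chain but is absent from the bundle comes out as untrusted_root_ca rather than unknown_ca; and the CA-flag check relies on basicConstraints being present, so a self-signed server certificate issued without that extension is classified as self_signed_peer, which is the intended reading.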

