[erlang-bugs] FW: SSL issue

Horst Mani horst_@REDACTED
Tue Jan 15 15:30:09 CET 2013



From: horst_@REDACTED
To: ingela.anderton.andin@REDACTED
Subject: RE: [erlang-bugs] SSL issue
Date: Tue, 15 Jan 2013 09:39:12 +0100




Hi,
thanks for the quick answer.
Now, I tried to connect to the server as follows:

ssl:connect(HOST, 636, [{cacertfile, "EquifaxSecureCA.pem"}, {verify, verify_none}]).

=ERROR REPORT==== 15-Jan-2013::09:33:14 ===
SSL: certify: ssl_handshake.erl:239:Fatal error: certificate unknown
{error,"certificate unknown"}

As I understand from your last mail, the client needs a server certificate with the following information:

Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
	X509v3 Subject Key Identifier:   48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

This information is included in the EquifaxSecureCA.pem, which I added as a cacertfile to the connect function, but I got the same result.
Please, can you tell me what I am doing wrong?
Thanks and best regards,
Ulf




> Date: Mon, 14 Jan 2013 09:39:50 +0100
> From: ingela.anderton.andin@REDACTED
> To: horst_@REDACTED
> CC: erlang-bugs@REDACTED
> Subject: Re: [erlang-bugs] SSL issue
> 
> Hi!
> 
> Looking at your cert, the values of authorityCertIssuer and
> authorityCertSerialNumber in #AuthorityKeyIdentifier are asn1_NOVALUE,
> so then it is logical that public_key can not find the issuer.
> 
> pubkey_cert:select_extension/2 -> {'Extension',
>                                    {2,5,29,35},
>                                    false,
>                                    {'AuthorityKeyIdentifier',
>                                     [192,122,152,104,
>                                      141,137,251,171,
>                                      5,100,12,17,125,
>                                      170,125,101,184,
>                                      202,204,78],
>                                     asn1_NOVALUE,
>                                     asn1_NOVALUE}}
> (<0.43.0>) call pubkey_cert:cert_auth_key_id({'AuthorityKeyIdentifier',
>                           [192,122,152,104,141,137,251,171,5,100,12,17,125,
>                            170,125,101,184,202,204,78],
>                           asn1_NOVALUE,asn1_NOVALUE})
> (<0.43.0>) returned from pubkey_cert:cert_auth_key_id/1 -> {error,issuer_not_found}
> 
> 
> Some old certs do not properly specify the AuthorityKeyIdentifier; the
> fallback is to search the entire known CA database, which ssl will do if
> it has one. You have not specified any CA-certs in your call to
> ssl:connect. You should try doing that.
> 
> Regards Ingela Erlang/OTP team - Ericsson AB
> 
> Horst Mani wrote:
> > Hi,
> >
> > I try to connect to an ssl server with the following command:
> >
> > ssl:connect(HOST, 636, []).
> > SSL: certify: ssl_handshake.erl:239:Fatal error: certificate unknown
> > {error,"certificate unknown"}
> >
> > After debugging the problem, I found that the error occurs inside the 
> > public_key module. 
> > Please, have a look at my testcase which you can find here : 
> > https://gist.github.com/4525223
> >
> > Note: The ssl connect works with other clients. 
> >
> > Env : R15B03 32 bit, build by erlang-solutions, OSX 10.7.5, 
> > public_key-0.17
> >
> > I hope that I gave you all the information you need to fix the 
> > problem. I would do it on my own,
> > but I don't know the expected behavior.
> >
> > Best Regards,
> > Ulf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: EquifaxSecureCA.pem
Type: application/octet-stream
Size: 1143 bytes
Desc: not available
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20130115/49c2f5cd/attachment.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: cert_chain.txt
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20130115/49c2f5cd/attachment.txt>
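
The issuer lookup discussed in this thread can be checked by hand by comparing a certificate's AuthorityKeyIdentifier with the Subject Key Identifier of each CA in the cacertfile. The module below is an added example, not part of the original mails or of OTP's own code; the module name aki_check and its function names are hypothetical, and it assumes a DER-encoded peer certificate and a PEM CA file.

```erlang
-module(aki_check).
-export([candidate_issuers/2, page_values_match/0]).
-include_lib("public_key/include/public_key.hrl").

%% For every CA in CaPemFile return {SkiHex, SkiEqualsPeerAki, IssuerNameMatches}.
candidate_issuers(PeerDer, CaPemFile) ->
    Peer = public_key:pkix_decode_cert(PeerDer, otp),
    Aki = key_id(ext(Peer, ?'id-ce-authorityKeyIdentifier')),
    {ok, Pem} = file:read_file(CaPemFile),
    [{hex(Ski),
      Aki =/= undefined andalso Ski =:= Aki,
      public_key:pkix_is_issuer(Peer, Ca)}
     || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem),
        Ca  <- [public_key:pkix_decode_cert(Der, otp)],
        Ski <- [key_id(ext(Ca, ?'id-ce-subjectKeyIdentifier'))]].

%% The same comparison on the two identifiers quoted in the thread.
page_values_match() ->
    %% keyIdentifier from the pubkey_cert trace
    Aki = key_id([192,122,152,104,141,137,251,171,5,100,12,17,125,
                  170,125,101,184,202,204,78]),
    %% Subject Key Identifier listed for EquifaxSecureCA.pem
    Ski = "48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4",
    {hex(Aki), Ski, hex(Aki) =:= Ski}.

%% extnValue of extension Oid from a certificate decoded in 'otp' mode.
ext(#'OTPCertificate'{tbsCertificate =
        #'OTPTBSCertificate'{extensions = Exts}}, Oid) when is_list(Exts) ->
    case lists:keyfind(Oid, #'Extension'.extnID, Exts) of
        #'Extension'{extnValue = V} -> V;
        false -> undefined
    end;
ext(_, _) ->
    undefined.                       % certificate carries no extensions

%% Key ids are lists in older OTP releases (as in the trace), binaries later.
key_id(undefined) -> undefined;
key_id(asn1_NOVALUE) -> undefined;
key_id(#'AuthorityKeyIdentifier'{keyIdentifier = K}) -> key_id(K);
key_id(K) -> iolist_to_binary(K).

%% Colon-separated upper-case hex, the form openssl prints key ids in.
hex(undefined) -> none;
hex(Bin) ->
    string:join([lists:flatten(io_lib:format("~2.16.0B", [B]))
                 || <<B>> <= Bin], ":").
```

On the values quoted in the thread, the keyIdentifier in the trace begins C0:7A while the Subject Key Identifier listed for EquifaxSecureCA.pem begins 48:E6, so the match flag is false for that pair.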