[erlang-bugs] FW: SSL issue

Ingela Anderton Andin Ingela.Anderton.Andin@REDACTED
Wed Jan 16 15:07:30 CET 2013


Hi!

The attached PEM-file is broken! It is missing -----END CERTIFICATE-----
and some data that ought to come before the ending tag.

Regards Ingela Erlang/OTP team - Ericsson AB

Horst Mani wrote:
> 
> 
> ------------------------------------------------------------------------
> From: horst_@REDACTED
> To: ingela.anderton.andin@REDACTED
> Subject: RE: [erlang-bugs] SSL issue
> Date: Tue, 15 Jan 2013 09:39:12 +0100
> 
> Hi,
> 
> thanks for the quick answer.
> 
> Now, I tried to connect to the server as follows:
> 
> ssl:connect(HOST, 636, [{cacertfile, "EquifaxSecureCA.pem"}, {verify, verify_none}]).
> =ERROR REPORT==== 15-Jan-2013::09:33:14 ===
> SSL: certify: ssl_handshake.erl:239:Fatal error: certificate unknown
> {error,"certificate unknown"}
> 
> As I understand from your last mail, the client needs a server 
> certificate with the following information:
> 
> Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
> 
> X509v3 Subject Key Identifier: 
>   48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
> 
> 
> This information is included in the EquifaxSecureCA.pem, which I added 
> as a cacertfile to the connect function,
> 
> but I got the same result.
> 
> 
> Please, can you tell me what I am doing wrong?
> 
> 
> Thanks and best regards,
> 
> Ulf
> 
> 
> 
> 
> 
> 
>  > Date: Mon, 14 Jan 2013 09:39:50 +0100
>  > From: ingela.anderton.andin@REDACTED
>  > To: horst_@REDACTED
>  > CC: erlang-bugs@REDACTED
>  > Subject: Re: [erlang-bugs] SSL issue
>  >
>  > Hi!
>  >
>  > Looking at your cert, the values of authorityCertIssuer and
>  > authorityCertSerialNumber in #AuthorityKeyIdentifier are asn1_NOVALUE,
>  > so then it is logical that public_key cannot find the issuer.
>  >
>  > pubkey_cert:select_extension/2 -> {'Extension',
>  >     {2,5,29,35},
>  >     false,
>  >     {'AuthorityKeyIdentifier',
>  >         [192,122,152,104,141,137,251,171,5,100,12,17,125,
>  >          170,125,101,184,202,204,78],
>  >         asn1_NOVALUE,
>  >         asn1_NOVALUE}}
>  > (<0.43.0>) call pubkey_cert:cert_auth_key_id({'AuthorityKeyIdentifier',
>  >     [192,122,152,104,141,137,251,171,5,100,12,17,125,
>  >      170,125,101,184,202,204,78],
>  >     asn1_NOVALUE,asn1_NOVALUE})
>  > (<0.43.0>) returned from pubkey_cert:cert_auth_key_id/1 -> {error,issuer_not_found}
>  >
>  >
>  > Some old certs do not properly specify the AuthorityKeyIdentifier. The
>  > fallback is to search the entire known CA database, which ssl will do if
>  > it has one; you have
>  > not specified any CA-certs in your call to ssl:connect. You should try
>  > doing that.
>  >
>  > Regards Ingela Erlang/OTP team - Ericsson AB
>  >
>  > Horst Mani wrote:
>  > > Hi,
>  > >
>  > > I try to connect to an SSL server with the following command:
>  > >
>  > > ssl:connect(HOST, 636, []).
>  > > SSL: certify: ssl_handshake.erl:239:Fatal error: certificate unknown
>  > > {error,"certificate unknown"}
>  > >
>  > > After debugging the problem, I found that the error occurs inside the
>  > > public_key module.
>  > > Please, have a look at my testcase which you can find here :
>  > > https://gist.github.com/4525223
>  > >
>  > > Note: The ssl connect works with other clients.
>  > >
>  > > Env : R15B03 32 bit, build by erlang-solutions, OSX 10.7.5,
>  > > public_key-0.17
>  > >
>  > > I hope that I gave you all the information you need to fix the
>  > > problem. I would do it on my own,
>  > > but I don't know the expected behavior.
>  > >
>  > > Best Regards,
>  > > Ulf
>  > > 
> ------------------------------------------------------------------------
>  > >
>  > > _______________________________________________
>  > > erlang-bugs mailing list
>  > > erlang-bugs@REDACTED
>  > > http://erlang.org/mailman/listinfo/erlang-bugs
>  > >
>  >
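
The failure described at the top of this message, a cacertfile whose certificate block has lost its `-----END CERTIFICATE-----` line and part of its data, can be caught before the file is handed to `ssl:connect`. The check below is an added example, not code from this thread or from Erlang/OTP; it is written in Python, the function names are hypothetical, and the sample data is a constructed dummy rather than a real certificate. It goes slightly beyond the case in the mail by also flagging a block whose END line survives but whose data is short.

```python
import base64
import binascii
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

def der_complete(der):
    """True when der is one DER SEQUENCE whose declared length equals the bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = der[1]
    if n < 0x80:                               # short form: length fits in one byte
        return 2 + n == len(der)
    k = n & 0x7F                               # long form: next k bytes hold the length
    if not 0 < k <= 4 or len(der) < 2 + k:
        return False
    return 2 + k + int.from_bytes(der[2:2 + k], "big") == len(der)

def check_pem(text):
    """Return [(line_no, label, problem)] for every broken block in a PEM file."""
    problems, label, start, body = [], None, 0, []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        begin, end = BEGIN.match(line), END.match(line)
        if begin:
            if label is not None:              # previous block was never closed
                problems.append((start, label, "missing END line"))
            label, start, body = begin.group(1), no, []
        elif end:
            if end.group(1) != label:
                problems.append((no, end.group(1), "END without matching BEGIN"))
            else:
                try:
                    if not der_complete(base64.b64decode("".join(body), validate=True)):
                        problems.append((start, label, "DER length mismatch"))
                except binascii.Error:
                    problems.append((start, label, "invalid base64"))
            label = None
        elif label is not None:
            body.append(line)
    if label is not None:                      # file ended inside a block
        problems.append((start, label, "missing END line"))
    return problems

# Constructed sample: a 260-byte dummy DER SEQUENCE, not a real certificate.
DER = b"\x30\x82\x01\x00" + bytes(256)
GOOD = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(DER).decode() + "-----END CERTIFICATE-----\n"
BROKEN = GOOD[:200]                            # cut off mid-body: data and END line lost
```

An empty list from `check_pem` means every block in the file is structurally complete; it does not say anything about whether the certificate is the right issuer for the server.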



