[erlang-bugs] FW: SSL issue

Horst Mani <>
Wed Jan 16 15:38:50 CET 2013


Hi,
perhaps it is broken during the upload, because localy the file seems ok.Now i will paste the EquifaxSecure.pem file also : 
-----BEGIN CERTIFICATE-----MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVxdWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6fBeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+AcJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kCAwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgwODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gjIBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQFMAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUAA4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4-----END CERTIFICATE----- The cert_chain.txt contains the certificate chain from the server.
Best Regards,Ulf

> Date: Wed, 16 Jan 2013 15:07:30 +0100
> From: 
> To: 
> CC: 
> Subject: Re: [erlang-bugs] FW:  SSL issue
> 
> Hi!
> 
> The attached PEM-file is broken! It is missing -----END CERTIFICATE-----
> and some data that ought to come before the ending tag.
> 
> Regards Ingela Erlang/OTP team - Ericsson AB
> 
> Horst Mani wrote:
> > 
> > 
> > ------------------------------------------------------------------------
> > From: 
> > To: 
> > Subject: RE: [erlang-bugs] SSL issue
> > Date: Tue, 15 Jan 2013 09:39:12 +0100
> > 
> > Hi,
> > 
> > thanks for the quick answer.
> > 
> > Now, i tried to connect to the server as follow:
> > 
> > ssl:connect(HOST, 636, [{cacertfile, "EquifaxSecureCA.pem"}, {verify, 
> > verify_none}]).
> > =ERROR REPORT==== 15-Jan-2013::09:33:14 ===
> > SSL: certify: ssl_handshake.erl:239:Fatal error: certificate unknown
> > {error,"certificate unknown"}
> > 
> > As i understand from your last mail, the client needs a server 
> > certificate with the following informations:
> > 
> > Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
> > 
> > X509v3 Subject Key Identifier: 
> >   48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
> > 
> > 
> > This informations are included in the EquifaxSecureCA.pem which i added 
> > as a cacertfile to the connect function,
> > 
> > but i got the same result.
> > 
> > 
> > Please, can you tell me, what i am doing wrong?
> > 
> > 
> > Thanks and best regards,
> > 
> > Ulf
> > 
> > 
> > 
> > 
> > 
> > 
> >  > Date: Mon, 14 Jan 2013 09:39:50 +0100
> >  > From: 
> >  > To: 
> >  > CC: 
> >  > Subject: Re: [erlang-bugs] SSL issue
> >  >
> >  > Hi!
> >  >
> >  > Looking at your cert, the values of authorityCertIssuer,
> >  > authorityCertSerialNumber in #AuthorityKeyIdentifier, are asn1_NOVALUE.
> >  > so then it is logical that public_key can not find the issuer.
> >  >
> >  > pubkey_cert:select_extension/2 -> {'Extension',
> >  > {2,5,29,35},
> >  > false,
> >  >
> >  > {'AuthorityKeyIdentifier',
> >  >
> >  > [192,122,152,104,
> >  >
> >  > 141,137,251,171,
> >  >
> >  > 5,100,12,17,125,
> >  >
> >  > 170,125,101,184,
> >  > 202,204,78],
> >  > asn1_NOVALUE,
> >  > asn1_NOVALUE}}
> >  > (<0.43.0>) call
> >  > 
> > pubkey_cert:cert_auth_key_id({'AuthorityKeyIdentifier',[192,122,152,104,141,137,251,171,5,100,12,17,125,
> >  > 170,125,101,184,202,204,78],
> >  > asn1_NOVALUE,asn1_NOVALUE})
> >  > (<0.43.0>) returned from pubkey_cert:cert_auth_key_id/1 -> {error,
> >  >
> >  > issuer_not_found}
> >  >
> >  >
> >  > Some old certs does not properly specify the AuthorityKeyIdentifier the
> >  > fallback is to search the entire known CA database which ssl will do if
> >  > it has one, you have
> >  > not specified any CA-certs in your call to ssl:connect. You should try
> >  > doing that.
> >  >
> >  > Regards Ingela Erlang/OTP team - Ericsson AB
> >  >
> >  > Horst Mani wrote:
> >  > > Hi,
> >  > >
> >  > > I ty to connect to a ssl server with the following command:
> >  > >
> >  > > ssl:connect(HOST, 636, []).
> >  > > SSL: certify: ssl_handshake.erl:239:Fatal error: certificate unknown
> >  > > {error,"certificate unknown"}
> >  > >
> >  > > After debugging the problem, i found that the error occurs inside the
> >  > > public_key module.
> >  > > Please, have a look at my testcase which you can find here :
> >  > > https://gist.github.com/4525223
> >  > >
> >  > > Note: The ssl connect works with other clients.
> >  > >
> >  > > Env : R15B03 32 bit, build by erlang-solutions, OSX 10.7.5,
> >  > > public_key-0.17
> >  > >
> >  > > I hope that i gave you all the informations you need to fix the
> >  > > problem. I would do it by my own,
> >  > > but i don't know the expected behavior.
> >  > >
> >  > > Best Regards,
> >  > > Ulf
> >  > > 
> > ------------------------------------------------------------------------
> >  > >
> >  > > _______________________________________________
> >  > > erlang-bugs mailing list
> >  > > 
> >  > > http://erlang.org/mailman/listinfo/erlang-bugs
> >  > >
> >  >
> 
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20130116/a43f3ae1/attachment-0001.html>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: cert_chain.txt
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20130116/a43f3ae1/attachment-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: EquifaxSecureCA.pem
Type: application/octet-stream
Size: 1143 bytes
Desc: not available
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20130116/a43f3ae1/attachment-0001.obj>


More information about the erlang-bugs mailing list