[erlang-bugs] FW: SSL issue

Wed Jan 16 18:03:28 CET 2013

Hi!

Horst Mani wrote:
> Hi,
>
> perhaps it is broken during the upload, because localy the file seems ok.
> Now i will paste the EquifaxSecure.pem file also : 
>
> -----BEGIN CERTIFICATE-----
> MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
> UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
> dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
> MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
> dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
> AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
> BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
> cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
> AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
> MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
> aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
> ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
> IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
> MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
> A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
> 7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
> 1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
> -----END CERTIFICATE-----
>  
This certificate is fine, it is self signed and will not look at the
AuthorityKeyIdentifier extension.

However among the other certs in you chain from your original mail
This certificate below will crash the ASN-1 decoder and cause the error.

It fails on the field X520StateOrProvinceName. Maybe it is something 
similar to the
problem described like "Workaround for handling certificates that 
wrongly encode X509countryname in utf-8 when the actual value is a valid 
ASCCI value of length 2. Such certificates are accepted by many browsers 
such as Chrome and Fierfox so for interoperability reasons we will too."

I will ask our ASN-1 experts to  have a look.

Regards Ingela Erlang/OTP team - Ericsson AB

> The cert_chain.txt contains the certificate chain from the server.
>
> Best Regards,
> Ulf
>
> > Date: Wed, 16 Jan 2013 15:07:30 +0100
> > From: Ingela.Anderton.Andin@REDACTED
> > To: horst_@REDACTED
> > CC: erlang-bugs@REDACTED
> > Subject: Re: [erlang-bugs] FW: SSL issue
> >
> > Hi!
> >
> > The attached PEM-file is broken! It is missing -----END CERTIFICATE-----
> > and some data that ought to come before the ending tag.
> >
> > Regards Ingela Erlang/OTP team - Ericsson AB
> >
> > Horst Mani wrote:
> > >
> > >
> > > 
> ------------------------------------------------------------------------
> > > From: horst_@REDACTED
> > > To: ingela.anderton.andin@REDACTED
> > > Subject: RE: [erlang-bugs] SSL issue
> > > Date: Tue, 15 Jan 2013 09:39:12 +0100
> > >
> > > Hi,
> > >
> > > thanks for the quick answer.
> > >
> > > Now, i tried to connect to the server as follow:
> > >
> > > ssl:connect(HOST, 636, [{cacertfile, "EquifaxSecureCA.pem"}, {verify,
> > > verify_none}]).
> > > =ERROR REPORT==== 15-Jan-2013::09:33:14 ===
> > > SSL: certify: ssl_handshake.erl:239:Fatal error: certificate unknown
> > > {error,"certificate unknown"}
> > >
> > > As i understand from your last mail, the client needs a server
> > > certificate with the following informations:
> > >
> > > Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
> > >
> > > X509v3 Subject Key Identifier:
> > > 48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
> > >
> > >
> > > This informations are included in the EquifaxSecureCA.pem which i 
> added
> > > as a cacertfile to the connect function,
> > >
> > > but i got the same result.
> > >
> > >
> > > Please, can you tell me, what i am doing wrong?
> > >
> > >
> > > Thanks and best regards,
> > >
> > > Ulf
> > >
> > >
> > >
> > >
> > >
> > >
> > > > Date: Mon, 14 Jan 2013 09:39:50 +0100
> > > > From: ingela.anderton.andin@REDACTED
> > > > To: horst_@REDACTED
> > > > CC: erlang-bugs@REDACTED
> > > > Subject: Re: [erlang-bugs] SSL issue
> > > >
> > > > Hi!
> > > >
> > > > Looking at your cert, the values of authorityCertIssuer,
> > > > authorityCertSerialNumber in #AuthorityKeyIdentifier, are 
> asn1_NOVALUE.
> > > > so then it is logical that public_key can not find the issuer.
> > > >
> > > > pubkey_cert:select_extension/2 -> {'Extension',
> > > > {2,5,29,35},
> > > > false,
> > > >
> > > > {'AuthorityKeyIdentifier',
> > > >
> > > > [192,122,152,104,
> > > >
> > > > 141,137,251,171,
> > > >
> > > > 5,100,12,17,125,
> > > >
> > > > 170,125,101,184,
> > > > 202,204,78],
> > > > asn1_NOVALUE,
> > > > asn1_NOVALUE}}
> > > > (<0.43.0>) call
> > > >
> > > 
> pubkey_cert:cert_auth_key_id({'AuthorityKeyIdentifier',[192,122,152,104,141,137,251,171,5,100,12,17,125,
> > > > 170,125,101,184,202,204,78],
> > > > asn1_NOVALUE,asn1_NOVALUE})
> > > > (<0.43.0>) returned from pubkey_cert:cert_auth_key_id/1 -> {error,
> > > >
> > > > issuer_not_found}
> > > >
> > > >
> > > > Some old certs does not properly specify the 
> AuthorityKeyIdentifier the
> > > > fallback is to search the entire known CA database which ssl 
> will do if
> > > > it has one, you have
> > > > not specified any CA-certs in your call to ssl:connect. You 
> should try
> > > > doing that.
> > > >
> > > > Regards Ingela Erlang/OTP team - Ericsson AB
> > > >
> > > > Horst Mani wrote:
> > > > > Hi,
> > > > >
> > > > > I ty to connect to a ssl server with the following command:
> > > > >
> > > > > ssl:connect(HOST, 636, []).
> > > > > SSL: certify: ssl_handshake.erl:239:Fatal error: certificate 
> unknown
> > > > > {error,"certificate unknown"}
> > > > >
> > > > > After debugging the problem, i found that the error occurs 
> inside the
> > > > > public_key module.
> > > > > Please, have a look at my testcase which you can find here :
> > > > > https://gist.github.com/4525223
> > > > >
> > > > > Note: The ssl connect works with other clients.
> > > > >
> > > > > Env : R15B03 32 bit, build by erlang-solutions, OSX 10.7.5,
> > > > > public_key-0.17
> > > > >
> > > > > I hope that i gave you all the informations you need to fix the
> > > > > problem. I would do it by my own,
> > > > > but i don't know the expected behavior.
> > > > >
> > > > > Best Regards,
> > > > > Ulf
> > > > >
> > > 
> ------------------------------------------------------------------------
> > > > >
> > > > > _______________________________________________
> > > > > erlang-bugs mailing list
> > > > > erlang-bugs@REDACTED
> > > > > http://erlang.org/mailman/listinfo/erlang-bugs
> > > > >
> > > >
> >
> ------------------------------------------------------------------------
>
> _______________________________________________
> erlang-bugs mailing list
> erlang-bugs@REDACTED
> http://erlang.org/mailman/listinfo/erlang-bugs