[erlang-bugs] FW: SSL issue

Ingela Anderton Andin ingela.anderton.andin@REDACTED
Wed Jan 16 18:03:28 CET 2013


Hi!

Horst Mani wrote:
> Hi,
>
> perhaps it is broken during the upload, because locally the file seems ok.
> Now I will paste the EquifaxSecure.pem file also:
>
>  
This certificate is fine; it is self-signed and will not look at the
AuthorityKeyIdentifier extension.

However, among the other certs in your chain from your original mail, the
certificate below will crash the ASN-1 decoder and cause the error.

It fails on the field X520StateOrProvinceName. Maybe it is something
similar to the problem described as: "Workaround for handling certificates
that wrongly encode X509countryname in utf-8 when the actual value is a valid
ASCII value of length 2. Such certificates are accepted by many browsers
such as Chrome and Firefox so for interoperability reasons we will too."


I will ask our ASN-1 experts to have a look.

Regards Ingela Erlang/OTP team - Ericsson AB
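An added example, not code from this thread or from Erlang/OTP: a minimal DER walker in Python that inspects the string type of each attribute in an X.509 Name and reports the encoding violations a strict ASN.1 decoder rejects, namely countryName not being a PrintableString of size 2 (the case the quoted workaround covers), and a PrintableString containing characters outside its alphabet. The thread does not establish why the X520StateOrProvinceName field failed, so these are the general spec rules rather than that certificate's defect; the sample Name is constructed, and the walker assumes single-valued RDNs.

```python
import re
from typing import List, Tuple

PRINTABLE = re.compile(rb"^[A-Za-z0-9 '()+,\-./:=?]*$")  # X.680 PrintableString alphabet
TAG_UTF8, TAG_PRINTABLE = 0x0C, 0x13
OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O"}  # DER of id-at OIDs

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def name_attributes(name_der: bytes) -> List[Tuple[str, int, bytes]]:
    """Walk Name ::= SEQUENCE OF SET OF SEQUENCE {type, value}; assumes single-valued RDNs."""
    _, body, _ = read_tlv(name_der, 0)
    out, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)      # SET OF AttributeTypeAndValue
        _, atv, _ = read_tlv(rdn, 0)           # SEQUENCE { type OID, value ANY }
        _, oid, p = read_tlv(atv, 0)
        vtag, val, _ = read_tlv(atv, p)
        out.append((OIDS.get(oid, oid.hex()), vtag, val))
    return out

def encoding_problems(name_der: bytes) -> List[str]:
    """Spec violations that a strict ASN.1 decoder, such as OTP's, will reject."""
    bad = []
    for attr, vtag, val in name_attributes(name_der):
        if attr == "C" and (vtag != TAG_PRINTABLE or len(val) != 2):
            bad.append(f"C: tag 0x{vtag:02x} len {len(val)}, must be PrintableString SIZE(2)")
        elif vtag == TAG_PRINTABLE and not PRINTABLE.match(val):
            bad.append(f"{attr}: PrintableString with chars outside its alphabet: {val!r}")
    return bad

def tlv(tag: int, value: bytes) -> bytes:
    """Tiny DER encoder for the sample (short-form lengths only)."""
    return bytes([tag, len(value)]) + value

def atv(oid: bytes, tag: int, value: bytes) -> bytes:
    """One RDN: SET { SEQUENCE { type OID, value string } }."""
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, value)))

# Constructed sample Name: C mis-encoded as UTF8String (the quoted workaround's case),
# ST a PrintableString containing '_' (outside the alphabet), O encoded correctly.
SAMPLE_NAME = tlv(0x30, atv(b"\x55\x04\x06", TAG_UTF8, b"US")
                  + atv(b"\x55\x04\x08", TAG_PRINTABLE, b"New_York")
                  + atv(b"\x55\x04\x0a", TAG_PRINTABLE, b"Example Corp"))
```

Running `encoding_problems` over the Subject and Issuer Names of each certificate in a chain (extracted with any DER tool) tells you which one a strict decoder will reject, before it trips an opaque handshake error.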

> The cert_chain.txt contains the certificate chain from the server.
>
> Best Regards,
> Ulf
>
> > Date: Wed, 16 Jan 2013 15:07:30 +0100
> > From: Ingela.Anderton.Andin@REDACTED
> > To: horst_@REDACTED
> > CC: erlang-bugs@REDACTED
> > Subject: Re: [erlang-bugs] FW: SSL issue
> >
> > Hi!
> >
> > The attached PEM-file is broken! It is missing -----END CERTIFICATE-----
> > and some data that ought to come before the ending tag.
> >
> > Regards Ingela Erlang/OTP team - Ericsson AB
> >
> > Horst Mani wrote:
> > >
> > >
> > > 
> > > ------------------------------------------------------------------------
> > > From: horst_@REDACTED
> > > To: ingela.anderton.andin@REDACTED
> > > Subject: RE: [erlang-bugs] SSL issue
> > > Date: Tue, 15 Jan 2013 09:39:12 +0100
> > >
> > > Hi,
> > >
> > > thanks for the quick answer.
> > >
> > > Now, I tried to connect to the server as follows:
> > >
> > > ssl:connect(HOST, 636, [{cacertfile, "EquifaxSecureCA.pem"}, {verify,
> > > verify_none}]).
> > > =ERROR REPORT==== 15-Jan-2013::09:33:14 ===
> > > SSL: certify: ssl_handshake.erl:239:Fatal error: certificate unknown
> > > {error,"certificate unknown"}
> > >
> > > As I understand from your last mail, the client needs a server
> > > certificate with the following information:
> > >
> > > Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
> > >
> > > X509v3 Subject Key Identifier:
> > > 48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
> > >
> > >
> > > This information is included in the EquifaxSecureCA.pem which I added
> > > as a cacertfile to the connect function,
> > >
> > > but I got the same result.
> > >
> > >
> > > Please, can you tell me what I am doing wrong?
> > >
> > >
> > > Thanks and best regards,
> > >
> > > Ulf
> > >
> > >
> > >
> > >
> > >
> > >
> > > > Date: Mon, 14 Jan 2013 09:39:50 +0100
> > > > From: ingela.anderton.andin@REDACTED
> > > > To: horst_@REDACTED
> > > > CC: erlang-bugs@REDACTED
> > > > Subject: Re: [erlang-bugs] SSL issue
> > > >
> > > > Hi!
> > > >
> > > > Looking at your cert, the values of authorityCertIssuer and
> > > > authorityCertSerialNumber in #AuthorityKeyIdentifier are asn1_NOVALUE,
> > > > so then it is logical that public_key can not find the issuer.
> > > >
> > > > pubkey_cert:select_extension/2 -> {'Extension',
> > > >     {2,5,29,35},
> > > >     false,
> > > >     {'AuthorityKeyIdentifier',
> > > >         [192,122,152,104,141,137,251,171,5,100,12,17,125,170,125,101,184,202,204,78],
> > > >         asn1_NOVALUE,
> > > >         asn1_NOVALUE}}
> > > > (<0.43.0>) call
> > > > pubkey_cert:cert_auth_key_id({'AuthorityKeyIdentifier',[192,122,152,104,141,137,251,171,5,100,12,17,125,170,125,101,184,202,204,78],asn1_NOVALUE,asn1_NOVALUE})
> > > > (<0.43.0>) returned from pubkey_cert:cert_auth_key_id/1 -> {error,issuer_not_found}
> > > >
> > > >
> > > > Some old certs do not properly specify the AuthorityKeyIdentifier; the
> > > > fallback is to search the entire known CA database, which ssl will do if
> > > > it has one. You have not specified any CA-certs in your call to
> > > > ssl:connect. You should try doing that.
> > > >
> > > > Regards Ingela Erlang/OTP team - Ericsson AB
> > > >
> > > > Horst Mani wrote:
> > > > > Hi,
> > > > >
> > > > > I try to connect to an ssl server with the following command:
> > > > >
> > > > > ssl:connect(HOST, 636, []).
> > > > > SSL: certify: ssl_handshake.erl:239:Fatal error: certificate unknown
> > > > > {error,"certificate unknown"}
> > > > >
> > > > > After debugging the problem, I found that the error occurs inside the
> > > > > public_key module.
> > > > > Please have a look at my testcase, which you can find here:
> > > > > https://gist.github.com/4525223
> > > > >
> > > > > Note: The ssl connect works with other clients.
> > > > >
> > > > > Env: R15B03 32 bit, built by erlang-solutions, OSX 10.7.5,
> > > > > public_key-0.17
> > > > >
> > > > > I hope that I gave you all the information you need to fix the
> > > > > problem. I would do it on my own,
> > > > > but I don't know the expected behavior.
> > > > >
> > > > > Best Regards,
> > > > > Ulf
> > > > >
> > > > > ------------------------------------------------------------------------
> > > > >
> > > > > _______________________________________________
> > > > > erlang-bugs mailing list
> > > > > erlang-bugs@REDACTED
> > > > > http://erlang.org/mailman/listinfo/erlang-bugs
> > > > >
> > > >
> >
> ------------------------------------------------------------------------
>
