[erlang-bugs] FW: SSL issue

Ingela Anderton Andin Ingela.Anderton.Andin@REDACTED
Thu Jan 17 11:10:35 CET 2013


Hello again!

The problem is that the 'X520StateOrProvinceName' is an empty string and 
according to the spec it should not be an empty string; however, it is 
an optional attribute, so I do not understand why you would want to 
include it as an empty string. The problem could of course be
worked around by relaxing the ASN-1 spec, but I think it is Equifax
that is at fault here.

Regards Ingela Erlang/OTP team - Ericsson AB


Horst Mani wrote:
> 
> 
> ------------------------------------------------------------------------
> From: horst_@REDACTED
> To: ingela.anderton.andin@REDACTED
> Subject: RE: [erlang-bugs] SSL issue
> Date: Tue, 15 Jan 2013 09:39:12 +0100
> 
> Hi,
> 
> thanks for the quick answer.
> 
> Now, I tried to connect to the server as follows:
> 
> ssl:connect(HOST, 636, [{cacertfile, "EquifaxSecureCA.pem"}, {verify, verify_none}]).
> =ERROR REPORT==== 15-Jan-2013::09:33:14 ===
> SSL: certify: ssl_handshake.erl:239:Fatal error: certificate unknown
> {error,"certificate unknown"}
> 
> As I understand from your last mail, the client needs a server 
> certificate with the following information:
> 
> Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
> 
> X509v3 Subject Key Identifier: 
>   48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
> 
> 
> This information is included in the EquifaxSecureCA.pem, which I added 
> as a cacertfile to the connect function, but I got the same result.
> 
> 
> Please, can you tell me what I am doing wrong?
> 
> 
> Thanks and best regards,
> 
> Ulf
> 
> 
> 
> 
> 
> 
>  > Date: Mon, 14 Jan 2013 09:39:50 +0100
>  > From: ingela.anderton.andin@REDACTED
>  > To: horst_@REDACTED
>  > CC: erlang-bugs@REDACTED
>  > Subject: Re: [erlang-bugs] SSL issue
>  >
>  > Hi!
>  >
>  > Looking at your cert, the values of authorityCertIssuer and
>  > authorityCertSerialNumber in #AuthorityKeyIdentifier are asn1_NOVALUE,
>  > so then it is logical that public_key can not find the issuer.
>  >
>  > pubkey_cert:select_extension/2 -> {'Extension',
>  >     {2,5,29,35},
>  >     false,
>  >     {'AuthorityKeyIdentifier',
>  >         [192,122,152,104,141,137,251,171,5,100,12,17,125,170,125,101,184,202,204,78],
>  >         asn1_NOVALUE,
>  >         asn1_NOVALUE}}
>  > (<0.43.0>) call
>  > pubkey_cert:cert_auth_key_id({'AuthorityKeyIdentifier',[192,122,152,104,141,137,251,171,5,100,12,17,125,170,125,101,184,202,204,78],asn1_NOVALUE,asn1_NOVALUE})
>  > (<0.43.0>) returned from pubkey_cert:cert_auth_key_id/1 -> {error, issuer_not_found}
>  >
>  >
>  > Some old certs do not properly specify the AuthorityKeyIdentifier; the
>  > fallback is to search the entire known CA database, which ssl will do if
>  > it has one. You have not specified any CA-certs in your call to
>  > ssl:connect. You should try doing that.
>  >
>  > Regards Ingela Erlang/OTP team - Ericsson AB
>  >
>  > Horst Mani wrote:
>  > > Hi,
>  > >
>  > > I try to connect to an ssl server with the following command:
>  > >
>  > > ssl:connect(HOST, 636, []).
>  > > SSL: certify: ssl_handshake.erl:239:Fatal error: certificate unknown
>  > > {error,"certificate unknown"}
>  > >
>  > > After debugging the problem, I found that the error occurs inside the
>  > > public_key module.
>  > > Please, have a look at my testcase which you can find here :
>  > > https://gist.github.com/4525223
>  > >
>  > > Note: The ssl connect works with other clients.
>  > >
>  > > Env: R15B03 32 bit, built by erlang-solutions, OSX 10.7.5,
>  > > public_key-0.17
>  > >
>  > > I hope that I gave you all the information you need to fix the
>  > > problem. I would do it on my own,
>  > > but I don't know the expected behavior.
>  > >
>  > > Best Regards,
>  > > Ulf
>  > > 
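As an added illustration (not code from this thread or from Erlang/OTP), the two decoding conditions the thread turns on, reproduced in Python over constructed DER bytes: an AuthorityKeyIdentifier that carries only keyIdentifier (so authorityCertIssuer and authorityCertSerialNumber come back as asn1_NOVALUE and the issuer must be found by searching the configured CA certificates), and a subject Name whose stateOrProvinceName is a zero-length string (the X.520 constraint violation). The 20 key-identifier bytes are taken from the trace above; all other sample values are constructed.

```python
def der_tlvs(data):
    """Yield (tag, value) for each top-level DER TLV in data (short and long length forms)."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                       # long form: low 7 bits = number of length octets
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def aki_fields(aki_der):
    """Context tag numbers present in an AuthorityKeyIdentifier: 0 keyIdentifier,
    1 authorityCertIssuer, 2 authorityCertSerialNumber."""
    (seq_tag, body), = der_tlvs(aki_der)
    if seq_tag != 0x30:
        raise ValueError("AuthorityKeyIdentifier must be a SEQUENCE")
    return {tag & 0x1F for tag, _ in der_tlvs(body)}

def aki_needs_ca_db_fallback(aki_der):
    """True when issuer and serial are absent (asn1_NOVALUE in public_key), so the
    issuer can only be located by searching the configured CA certificates."""
    return not ({1, 2} & aki_fields(aki_der))

OID_STATE_OR_PROVINCE = bytes.fromhex("550408")   # id-at-stateOrProvinceName, 2.5.4.8
STRING_TAGS = {0x13, 0x0C, 0x14, 0x1E, 0x1C}      # PrintableString, UTF8String, T61, BMP, Universal

def empty_state_or_province(name_der):
    """True if any stateOrProvinceName in a DER Name is zero-length, which violates
    the X.520 SIZE(1..ub-state-name) constraint the ASN.1 decoder enforces."""
    (_, rdn_seq), = der_tlvs(name_der)            # Name ::= SEQUENCE OF RelativeDistinguishedName
    for _, rdn in der_tlvs(rdn_seq):              # RDN ::= SET OF AttributeTypeAndValue
        for _, atv in der_tlvs(rdn):              # AttributeTypeAndValue ::= SEQUENCE { type, value }
            (_, oid), (vtag, value) = der_tlvs(atv)
            if oid == OID_STATE_OR_PROVINCE and vtag in STRING_TAGS and len(value) == 0:
                return True
    return False

# Constructed sample AKI: keyIdentifier [0] only, using the 20 bytes from the trace above.
SAMPLE_AKI = bytes.fromhex("3016" "8014" "c07a98688d89fbab05640c117daa7d65b8cacc4e")
# Constructed sample Name: C=US followed by an empty ST (PrintableString of length 0).
SAMPLE_NAME = bytes.fromhex("3018" "310b3009060355040613025553" "31093007060355040813" "00")

if __name__ == "__main__":
    print("AKI needs CA database fallback:", aki_needs_ca_db_fallback(SAMPLE_AKI))
    print("Name has empty stateOrProvinceName:", empty_state_or_province(SAMPLE_NAME))
```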