[erlang-bugs] FW: SSL issue
Horst Mani
horst_@REDACTED
Fri Jan 18 04:59:12 CET 2013
Hi,
thanks for your help.
I will try it when I have the new certificate and when I am back from vacation.
Best Regards, Ulf
> Date: Thu, 17 Jan 2013 11:10:35 +0100
> From: Ingela.Anderton.Andin@REDACTED
> To: horst_@REDACTED
> CC: erlang-bugs@REDACTED
> Subject: Re: [erlang-bugs] FW: SSL issue
>
> Hello again!
>
> The problem is that the 'X520StateOrProvinceName' is an empty string and
> according to the spec it should not be an empty string, however it is
> an optional attribute so I do not understand why you would want to
> include it as an empty string. The problem could of course be
> worked around by relaxing the ASN-1 spec but I think it is Equifax
> that is at fault here.
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
> Horst Mani wrote:
> >
> >
> > ------------------------------------------------------------------------
> > From: horst_@REDACTED
> > To: ingela.anderton.andin@REDACTED
> > Subject: RE: [erlang-bugs] SSL issue
> > Date: Tue, 15 Jan 2013 09:39:12 +0100
> >
> > Hi,
> >
> > thanks for the quick answer.
> >
> > Now, I tried to connect to the server as follows:
> >
> > ssl:connect(HOST, 636, [{cacertfile, "EquifaxSecureCA.pem"}, {verify,
> > verify_none}]).
> > =ERROR REPORT==== 15-Jan-2013::09:33:14 ===
> > SSL: certify: ssl_handshake.erl:239:Fatal error: certificate unknown
> > {error,"certificate unknown"}
> >
> > As I understand from your last mail, the client needs a server
> > certificate with the following information:
> >
> > Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
> >
> > X509v3 Subject Key Identifier:
> > 48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
> >
> >
> > This information is included in the EquifaxSecureCA.pem which I added
> > as a cacertfile to the connect function,
> >
> > but i got the same result.
> >
> >
> > Please, can you tell me what I am doing wrong?
> >
> >
> > Thanks and best regards,
> >
> > Ulf
> >
> >
> >
> >
> >
> >
> > > Date: Mon, 14 Jan 2013 09:39:50 +0100
> > > From: ingela.anderton.andin@REDACTED
> > > To: horst_@REDACTED
> > > CC: erlang-bugs@REDACTED
> > > Subject: Re: [erlang-bugs] SSL issue
> > >
> > > Hi!
> > >
> > > Looking at your cert, the values of authorityCertIssuer,
> > > authorityCertSerialNumber in #AuthorityKeyIdentifier, are asn1_NOVALUE.
> > > So then it is logical that public_key cannot find the issuer.
> > >
> > > pubkey_cert:select_extension/2 -> {'Extension',
> > >     {2,5,29,35},
> > >     false,
> > >     {'AuthorityKeyIdentifier',
> > >         [192,122,152,104,141,137,251,171,5,100,12,17,125,
> > >          170,125,101,184,202,204,78],
> > >         asn1_NOVALUE,
> > >         asn1_NOVALUE}}
> > > (<0.43.0>) call pubkey_cert:cert_auth_key_id({'AuthorityKeyIdentifier',
> > >         [192,122,152,104,141,137,251,171,5,100,12,17,125,
> > >          170,125,101,184,202,204,78],
> > >         asn1_NOVALUE,asn1_NOVALUE})
> > > (<0.43.0>) returned from pubkey_cert:cert_auth_key_id/1 -> {error,
> > >         issuer_not_found}
> > >
> > >
> > > Some old certs do not properly specify the AuthorityKeyIdentifier; the
> > > fallback is to search the entire known CA database, which ssl will do if
> > > it has one. You have
> > > not specified any CA-certs in your call to ssl:connect. You should try
> > > doing that.
> > >
> > > Regards Ingela Erlang/OTP team - Ericsson AB
> > >
> > > Horst Mani wrote:
> > > > Hi,
> > > >
> > > > I try to connect to a ssl server with the following command:
> > > >
> > > > ssl:connect(HOST, 636, []).
> > > > SSL: certify: ssl_handshake.erl:239:Fatal error: certificate unknown
> > > > {error,"certificate unknown"}
> > > >
> > > > After debugging the problem, I found that the error occurs inside the
> > > > public_key module.
> > > > Please, have a look at my testcase which you can find here :
> > > > https://gist.github.com/4525223
> > > >
> > > > Note: The ssl connect works with other clients.
> > > >
> > > > Env : R15B03 32 bit, build by erlang-solutions, OSX 10.7.5,
> > > > public_key-0.17
> > > >
> > > > I hope that I gave you all the information you need to fix the
> > > > problem. I would do it on my own,
> > > > but I don't know the expected behavior.
> > > >
> > > > Best Regards,
> > > > Ulf
> > > >
> > >
>
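
The root cause named in the thread is a name attribute ('X520StateOrProvinceName') encoded as an empty string. The following is an added example, not code from the thread or from Erlang/OTP: it walks a DER-encoded Name with plain binary matching and reports every attribute whose value has zero length, which generalizes the check from stateOrProvinceName to any attribute. The module name, function names and the sample Name are hypothetical and constructed for illustration.

```erlang
-module(empty_rdn_check).                      % hypothetical module name
-export([empty_attrs/1, sample_name/0]).

%% Return the OIDs (as tuples, e.g. {2,5,4,8}) of every attribute in a
%% DER-encoded Name whose string value has zero length.
%% Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value ANY }
empty_attrs(NameDer) ->
    {16#30, Rdns, <<>>} = tlv(NameDer),
    [oid(Type) || {16#31, Set} <- children(Rdns),
                  {16#30, Atv} <- children(Set),
                  [{16#06, Type}, {_StrTag, <<>>}] <- [children(Atv)]].

%% Split one TLV off the front (short and long definite lengths).
tlv(<<Tag, 0:1, Len:7, Val:Len/binary, Rest/binary>>) ->
    {Tag, Val, Rest};
tlv(<<Tag, 1:1, N:7, Len:N/unit:8, Val:Len/binary, Rest/binary>>) when N > 0 ->
    {Tag, Val, Rest}.

children(<<>>) -> [];
children(Bin) ->
    {Tag, Val, Rest} = tlv(Bin),
    [{Tag, Val} | children(Rest)].

%% Decode OID content octets; assumes the first two arcs fit in one octet.
oid(<<First, Rest/binary>>) ->
    A = min(First div 40, 2),
    list_to_tuple([A, First - 40 * A | arcs(Rest, 0)]).

arcs(<<>>, 0) -> [];
arcs(<<1:1, B:7, T/binary>>, Acc) -> arcs(T, (Acc bsl 7) bor B);
arcs(<<0:1, B:7, T/binary>>, Acc) -> [(Acc bsl 7) bor B | arcs(T, 0)].

%% Constructed sample: C=US, ST="" (empty), O=Example. Not from the thread.
sample_name() ->
    enc(16#30, <<(atv(6, <<"US">>))/binary,
                 (atv(8, <<>>))/binary,
                 (atv(10, <<"Example">>))/binary>>).

%% One RDN holding attribute 2.5.4.Arc with a PrintableString value.
atv(Arc, Str) ->
    Oid = enc(16#06, <<16#55, 4, Arc>>),
    Val = enc(16#13, Str),
    enc(16#31, enc(16#30, <<Oid/binary, Val/binary>>)).

%% Encoder for the sample only; short-form lengths (< 128 bytes).
enc(Tag, Val) -> <<Tag, (byte_size(Val)), Val/binary>>.
```

After compiling the module, `empty_rdn_check:empty_attrs(empty_rdn_check:sample_name())` flags the stateOrProvinceName attribute of the sample. To check a real certificate, pass the DER bytes of its subject or issuer field.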