[erlang-bugs] bad certificate if trying to verify StartSsl certificate

Alex Hudich alttagil@REDACTED
Fri Jul 17 14:00:48 CEST 2015


I don’t know if it is an Erlang bug but still I don’t have any clue how to resolve this situation:


ubuntu 14.04 and OTP 18.0


# wget http://curl.haxx.se/ca/cacert.pem
--2015-07-16 19:11:50--  http://curl.haxx.se/ca/cacert.pem
Resolving curl.haxx.se (curl.haxx.se)... 2a00:1a28:1200:9::2, 80.67.6.50
Connecting to curl.haxx.se (curl.haxx.se)|2a00:1a28:1200:9::2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 258424 (252K)
Saving to: 'cacert.pem'

100%[=============================================================================================================================================================================================>] 258,424     1.62MB/s   in 0.2s   

2015-07-16 19:11:50 (1.62 MB/s) - 'cacert.pem' saved [258424/258424]

# erl
Erlang/OTP 18 [erts-7.0] [source] [64-bit] [smp:4:4] [async-threads:10] [hipe] [kernel-poll:false]

Eshell V7.0  (abort with ^G)
1> application:ensure_all_started(ssl).
{ok,[crypto,asn1,public_key,ssl]}
2>  ssl:connect( "www.nicemine.ru", 443, [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}] ).

=ERROR REPORT==== 16-Jul-2015::19:12:18 ===
SSL: certify: ssl_handshake.erl:1476:Fatal error: bad certificate
{error,{tls_alert,"bad certificate"}}
3> 


and

Mac OS X and OTP 17.4


$ wget http://curl.haxx.se/ca/cacert.pem
--2015-07-16 22:09:02--  http://curl.haxx.se/ca/cacert.pem
Resolving curl.haxx.se... 80.67.6.50, 2a00:1a28:1200:9::2
Connecting to curl.haxx.se|80.67.6.50|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 258424 (252K)
Saving to: 'cacert.pem'

100%[=============================================================================================================================================================================================>] 258,424     --.-K/s   in 0.1s    

2015-07-16 22:09:02 (1.92 MB/s) - 'cacert.pem' saved [258424/258424]

$ erl
Erlang/OTP 17 [erts-6.3] [source] [64-bit] [smp:8:8] [async-threads:10] [hipe] [kernel-poll:false] [dtrace]

Eshell V6.3  (abort with ^G)
1>  application:ensure_all_started(ssl).
{ok,[crypto,asn1,public_key,ssl]}
2>  ssl:connect( "www.nicemine.ru", 443, [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}] ).

=ERROR REPORT==== 16-Jul-2015::22:09:23 ===
SSL: certify: ssl_handshake.erl:1389:Fatal error: bad certificate
{error,{tls_alert,"bad certificate"}}
3> 

Then Santiago Fernández reported that the problem couldn’t be reproduced with OTP 17.5, and I tried it. Indeed the connection was successful, but I decided to dig into it more and I found some interesting things:

I prepared two files: cacert.pem.1, which was just an empty file (with zero length), and cacert.pem, which I’d downloaded earlier. And here is the output from 17.5, which seems wrong to me.

Lines 2 and 3 are ok. Line 4 is ok. But why did line 5 give me no error??



Erlang/OTP 17 [erts-6.4] [source] [64-bit] [async-threads:10] [hipe] [kernel-poll:false]

Eshell V6.4  (abort with ^G)
1> application:ensure_all_started(ssl).
{ok,[crypto,asn1,public_key,ssl]}
2> ssl:connect( "www.nicemine.ru", 443, [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem.1"}] ).

=ERROR REPORT==== 17-Jul-2015::13:26:45 ===
SSL: certify: ssl_handshake.erl:1401:Fatal error: unknown ca
{error,{tls_alert,"unknown ca"}}
3> ssl:connect( "www.nicemine.ru", 443, [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem.1"}] ).

=ERROR REPORT==== 17-Jul-2015::13:26:48 ===
SSL: certify: ssl_handshake.erl:1401:Fatal error: unknown ca
{error,{tls_alert,"unknown ca"}}
4> ssl:connect( "www.nicemine.ru", 443, [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}] ).  
{ok,{sslsocket,{gen_tcp,#Port<0.1236>,tls_connection,
                        undefined},
               <0.53.0>}}
5> ssl:connect( "www.nicemine.ru", 443, [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem.1"}] ).
{ok,{sslsocket,{gen_tcp,#Port<0.1243>,tls_connection,
                        undefined},
               <0.55.0>}}
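A check worth running before filing this as a verification bypass is whether the success at line 5 depends on a cached TLS session: the client in these OTP versions reuses sessions by default, and a resumed handshake does not repeat certificate verification, so an earlier successful connect to the same host could mask an empty cacertfile. The module below is an added example, not code from the original report or from OTP; it repeats the reporter's options but forces a full handshake with `{reuse_sessions, false}`, and the host name and the 5-second timeout are placeholders.

```erlang
-module(verify_check).
-export([check/2]).

%% Added example (not from the original report). Connects twice to Host:443
%% with the given CA file, forcing a full handshake each time so that a
%% cached TLS session cannot stand in for certificate verification.
%% Host is a placeholder, e.g. "www.nicemine.ru" as in the report.
check(Host, CaFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    Opts = [{verify, verify_peer},
            {server_name_indication, Host},
            {depth, 2},
            {cacertfile, CaFile},
            {reuse_sessions, false}],   % no session resumption: verify every time
    [attempt(Host, Opts) || _ <- [1, 2]].

%% One connection attempt. On success, return a SHA-1 fingerprint of the
%% DER peer certificate that was accepted, so runs with different CA files
%% can be compared; on failure, return the alert reason as ssl reports it.
attempt(Host, Opts) ->
    case ssl:connect(Host, 443, Opts, 5000) of
        {ok, Sock} ->
            {ok, Der} = ssl:peercert(Sock),
            ok = ssl:close(Sock),
            {connected, crypto:hash(sha, Der)};
        {error, Reason} ->
            {refused, Reason}
    end.
```

Usage: after a successful `verify_check:check("www.nicemine.ru", "cacert.pem")`, call `verify_check:check("www.nicemine.ru", "cacert.pem.1")` in the same shell. With the empty CA file both attempts should come back as `{refused, {tls_alert, "unknown ca"}}`; if they do, while the reporter's line 5 (default `reuse_sessions`) still succeeds, the difference is session reuse rather than the CA file being ignored. If the empty file is accepted even with `{reuse_sessions, false}`, that is the stronger finding and worth reporting with this exact transcript.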



