
<p>Hi Daniel,</p>

<p>We have looked into this and found that the certificate from Farmbureaubank is incorrect with respect to the standard.<br>

The countryname "US" is supposed to be of type printablestring but is encoded as utf8string in one instance of countryname out of two in this certificate.</p>

<p>The crasch is a bug in that a proper error indicating wrong tag in input data shoul have been returned instead.</p>

<p>The explanation to why this certificate is accepted by other ssl implementations is that they don't check or don,t care about the stringtype for countryname.</p>

<p>When searching on the net for similar problems I found that e.g Netscape also seems to crasch on the same input.</p>

<p>We are thinking of adding a more forgiving when decoding of parts of the data in a certificate in order to be compatible with openssl and other implementations.</p>

<p>We strongly suspect that the certificate in question is created with openssl and that it depends on certain settings regarding stringtypes in openssl.cnf.<br>

When time allows we will verify that.</p>

<p>/Kenneth, Erlang/OTP Ericsson</p>

<div class="gmail_quote">Den 9 aug 2012 00:43 skrev "Daniel Luna" <<a href="mailto:daniel@lunas.se">daniel@lunas.se</a>>:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

We are experiencing a crash in ssl when trying to establish<br>

connections to websites with seemingly valid ssl certificates.  Going<br>

to the following domains in a normal web browser will give a green<br>

light.  Trying to connect to them using ssl:connect gives a crash.<br>

This crash occurs even with verify_none turned on.<br>

<br>

Some example domains are <a href="http://www.farmbureaubank.com" target="_blank">www.farmbureaubank.com</a> and <a href="http://login.secureserver.net" target="_blank">login.secureserver.net</a><br>

<br>

ssl:connect is working in general which is shown by the <a href="http://google.com" target="_blank">google.com</a> example.<br>

<br>

Cheers,<br>

<br>

Daniel<br>

<br>

1> ssl:connect("<a href="http://google.com" target="_blank">google.com</a>", 443,  [], infinity).<br>

{ok,{sslsocket,new_ssl,<0.8447.0>}}<br>

2> ssl:connect("<a href="http://login.secureserver.net" target="_blank">login.secureserver.net</a>", 443,  [{verify,<br>

verify_none}], infinity).<br>

** exception exit: {{{badmatch,<br>

                         {error,<br>

                             {asn1,<br>

                                 {{case_clause,19},<br>

                                  [{'OTP-PUB-KEY',<br>

                                       check_and_convert_restricted_string,5,<br>

                                       [{file,"OTP-PUB-KEY.erl"},<br>

                                        {line,14122}]},<br>

                                   {'OTP-PUB-KEY',decode,2,<br>

                                       [{file,"OTP-PUB-KEY.erl"},{line,493}]},<br>

                                   {pubkey_cert_records,transform,2,<br>

                                       [{file,"pubkey_cert_records.erl"},<br>

                                        {line,60}]},<br>

                                   {lists,map,2,<br>

                                       [{file,"lists.erl"},{line,1173}]},<br>

                                   {pubkey_cert_records,transform,2,<br>

                                       [{file,"pubkey_cert_records.erl"},<br>

                                        {line,72}]},<br>

                                   {pubkey_cert_records,decode_tbs,1,<br>

                                       [{file,"pubkey_cert_records.erl"},<br>

                                        {line,190}]},<br>

                                   {pubkey_cert_records,decode_cert,1,<br>

                                       [{file,"pubkey_cert_records.erl"},<br>

                                        {line,40}]},<br>

                                   {public_key,pkix_decode_cert,2,<br>

                                       [{file,"public_key.erl"},<br>

                                        {line,211}]}]}}}},<br>

                     [{public_key,pkix_decode_cert,2,<br>

                          [{file,"public_key.erl"},{line,215}]},<br>

                      {public_key,path_validation,2,<br>

                          [{file,"public_key.erl"},{line,605}]},<br>

                      {ssl_handshake,certify,7,<br>

                          [{file,"ssl_handshake.erl"},{line,218}]},<br>

                      {ssl_connection,certify,2,<br>

                          [{file,"ssl_connection.erl"},{line,514}]},<br>

                      {ssl_connection,next_state,4,<br>

                          [{file,"ssl_connection.erl"},{line,1929}]},<br>

                      {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,494}]},<br>

                      {proc_lib,init_p_do_apply,3,<br>

                          [{file,"proc_lib.erl"},{line,227}]}]},<br>

                    {gen_fsm,sync_send_all_state_event,<br>

                        [<0.8453.0>,start,infinity]}}<br>

     in function  gen_fsm:sync_send_all_state_event/3 (gen_fsm.erl, line 240)<br>

     in call from ssl_connection:sync_send_all_state_event/3<br>

(ssl_connection.erl, line 1195)<br>

     in call from ssl_connection:handshake/2 (ssl_connection.erl, line 167)<br>

     in call from ssl_connection:start_fsm/8 (ssl_connection.erl, line 1037)<br>

     in call from ssl_connection:connect/7 (ssl_connection.erl, line 139)<br>

18:40:19.798 [error] gen_fsm <0.8453.0> in state certify terminated<br>

with reason: no match of right hand value<br>

{error,{asn1,{{case_clause,19},[{'OTP-PUB-KEY',check_and_convert_restricted_string,5,[{file,"OTP-PUB-KEY.erl"},{line,14122}]},{'OTP-PUB-KEY',decode,2,[{file,"OTP-PUB-KEY.erl"},{line,493}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,60}]},{lists,map,2,[{file,"lists.erl"},{line,1173}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,72}]},{pubkey_cert_records,decode_tbs,1,[{file,"pubkey_cert_records.erl"},{line,190}]},{pubkey_cert_records,...},...]}}}<br>


in public_key:pkix_decode_cert/2 line 215<br>

18:40:19.931 [error] CRASH REPORT Process <0.8453.0> with 0 neighbours<br>

exited with reason: no match of right hand value<br>

{error,{asn1,{{case_clause,19},[{'OTP-PUB-KEY',check_and_convert_restricted_string,5,[{file,"OTP-PUB-KEY.erl"},{line,14122}]},{'OTP-PUB-KEY',decode,2,[{file,"OTP-PUB-KEY.erl"},{line,493}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,60}]},{lists,map,2,[{file,"lists.erl"},{line,1173}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,72}]},{pubkey_cert_records,decode_tbs,1,[{file,"pubkey_cert_records.erl"},{line,190}]},{pubkey_cert_records,...},...]}}}<br>


in public_key:pkix_decode_cert/2 line 215 in gen_fsm:terminate/7 line<br>

611<br>

18:40:19.970 [error] Supervisor ssl_connection_sup had child undefined<br>

started with {ssl_connection,start_link,undefined} at <0.8453.0> exit<br>

with reason no match of right hand value<br>

{error,{asn1,{{case_clause,19},[{'OTP-PUB-KEY',check_and_convert_restricted_string,5,[{file,"OTP-PUB-KEY.erl"},{line,14122}]},{'OTP-PUB-KEY',decode,2,[{file,"OTP-PUB-KEY.erl"},{line,493}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,60}]},{lists,map,2,[{file,"lists.erl"},{line,1173}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,72}]},{pubkey_cert_records,decode_tbs,1,[{file,"pubkey_cert_records.erl"},{line,190}]},{pubkey_cert_records,...},...]}}}<br>


in public_key:pkix_decode_cert/2 line 215 in context child_terminated<br>

_______________________________________________<br>

erlang-bugs mailing list<br>

<a href="mailto:erlang-bugs@erlang.org">erlang-bugs@erlang.org</a><br>

<a href="http://erlang.org/mailman/listinfo/erlang-bugs" target="_blank">http://erlang.org/mailman/listinfo/erlang-bugs</a><br>

</blockquote></div>