<p>Hi Daniel,</p>
<p>We have looked into this and found that the certificate from Farmbureaubank is incorrect with respect to the standard.<br>
The countryname "US" is supposed to be of type printablestring but is encoded as utf8string in one instance of countryname out of two in this certificate.</p>
<p>The crash is a bug in that a proper error indicating a wrong tag in the input data should have been returned instead.</p>
<p>The explanation for why this certificate is accepted by other ssl implementations is that they don't check or don't care about the stringtype for countryname.</p>
<p>When searching on the net for similar problems I found that e.g. Netscape also seems to crash on the same input.</p>
<p>We are thinking of adding more forgiving decoding of parts of the data in a certificate in order to be compatible with openssl and other implementations.</p>
<p>We strongly suspect that the certificate in question is created with openssl and that it depends on certain settings regarding stringtypes in openssl.cnf.<br>
When time allows we will verify that.</p>
<p>/Kenneth, Erlang/OTP Ericsson</p>
<div class="gmail_quote">Den 9 aug 2012 00:43 skrev "Daniel Luna" <<a href="mailto:daniel@lunas.se">daniel@lunas.se</a>>:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
We are experiencing a crash in ssl when trying to establish<br>
connections to websites with seemingly valid ssl certificates.  Going<br>
to the following domains in a normal web browser will give a green<br>
light.  Trying to connect to them using ssl:connect gives a crash.<br>
This crash occurs even with verify_none turned on.<br>
<br>
Some example domains are <a href="http://www.farmbureaubank.com" target="_blank">www.farmbureaubank.com</a> and <a href="http://login.secureserver.net" target="_blank">login.secureserver.net</a><br>
<br>
ssl:connect is working in general which is shown by the <a href="http://google.com" target="_blank">google.com</a> example.<br>
<br>
Cheers,<br>
<br>
Daniel<br>
<br>
1> ssl:connect("<a href="http://google.com" target="_blank">google.com</a>", 443,  [], infinity).<br>
{ok,{sslsocket,new_ssl,<0.8447.0>}}<br>
2> ssl:connect("<a href="http://login.secureserver.net" target="_blank">login.secureserver.net</a>", 443,  [{verify,<br>
verify_none}], infinity).<br>
** exception exit: {{{badmatch,<br>
                         {error,<br>
                             {asn1,<br>
                                 {{case_clause,19},<br>
                                  [{'OTP-PUB-KEY',<br>
                                       check_and_convert_restricted_string,5,<br>
                                       [{file,"OTP-PUB-KEY.erl"},<br>
                                        {line,14122}]},<br>
                                   {'OTP-PUB-KEY',decode,2,<br>
                                       [{file,"OTP-PUB-KEY.erl"},{line,493}]},<br>
                                   {pubkey_cert_records,transform,2,<br>
                                       [{file,"pubkey_cert_records.erl"},<br>
                                        {line,60}]},<br>
                                   {lists,map,2,<br>
                                       [{file,"lists.erl"},{line,1173}]},<br>
                                   {pubkey_cert_records,transform,2,<br>
                                       [{file,"pubkey_cert_records.erl"},<br>
                                        {line,72}]},<br>
                                   {pubkey_cert_records,decode_tbs,1,<br>
                                       [{file,"pubkey_cert_records.erl"},<br>
                                        {line,190}]},<br>
                                   {pubkey_cert_records,decode_cert,1,<br>
                                       [{file,"pubkey_cert_records.erl"},<br>
                                        {line,40}]},<br>
                                   {public_key,pkix_decode_cert,2,<br>
                                       [{file,"public_key.erl"},<br>
                                        {line,211}]}]}}}},<br>
                     [{public_key,pkix_decode_cert,2,<br>
                          [{file,"public_key.erl"},{line,215}]},<br>
                      {public_key,path_validation,2,<br>
                          [{file,"public_key.erl"},{line,605}]},<br>
                      {ssl_handshake,certify,7,<br>
                          [{file,"ssl_handshake.erl"},{line,218}]},<br>
                      {ssl_connection,certify,2,<br>
                          [{file,"ssl_connection.erl"},{line,514}]},<br>
                      {ssl_connection,next_state,4,<br>
                          [{file,"ssl_connection.erl"},{line,1929}]},<br>
                      {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,494}]},<br>
                      {proc_lib,init_p_do_apply,3,<br>
                          [{file,"proc_lib.erl"},{line,227}]}]},<br>
                    {gen_fsm,sync_send_all_state_event,<br>
                        [<0.8453.0>,start,infinity]}}<br>
     in function  gen_fsm:sync_send_all_state_event/3 (gen_fsm.erl, line 240)<br>
     in call from ssl_connection:sync_send_all_state_event/3<br>
(ssl_connection.erl, line 1195)<br>
     in call from ssl_connection:handshake/2 (ssl_connection.erl, line 167)<br>
     in call from ssl_connection:start_fsm/8 (ssl_connection.erl, line 1037)<br>
     in call from ssl_connection:connect/7 (ssl_connection.erl, line 139)<br>
18:40:19.798 [error] gen_fsm <0.8453.0> in state certify terminated<br>
with reason: no match of right hand value<br>
{error,{asn1,{{case_clause,19},[{'OTP-PUB-KEY',check_and_convert_restricted_string,5,[{file,"OTP-PUB-KEY.erl"},{line,14122}]},{'OTP-PUB-KEY',decode,2,[{file,"OTP-PUB-KEY.erl"},{line,493}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,60}]},{lists,map,2,[{file,"lists.erl"},{line,1173}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,72}]},{pubkey_cert_records,decode_tbs,1,[{file,"pubkey_cert_records.erl"},{line,190}]},{pubkey_cert_records,...},...]}}}<br>

in public_key:pkix_decode_cert/2 line 215<br>
18:40:19.931 [error] CRASH REPORT Process <0.8453.0> with 0 neighbours<br>
exited with reason: no match of right hand value<br>
{error,{asn1,{{case_clause,19},[{'OTP-PUB-KEY',check_and_convert_restricted_string,5,[{file,"OTP-PUB-KEY.erl"},{line,14122}]},{'OTP-PUB-KEY',decode,2,[{file,"OTP-PUB-KEY.erl"},{line,493}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,60}]},{lists,map,2,[{file,"lists.erl"},{line,1173}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,72}]},{pubkey_cert_records,decode_tbs,1,[{file,"pubkey_cert_records.erl"},{line,190}]},{pubkey_cert_records,...},...]}}}<br>

in public_key:pkix_decode_cert/2 line 215 in gen_fsm:terminate/7 line<br>
611<br>
18:40:19.970 [error] Supervisor ssl_connection_sup had child undefined<br>
started with {ssl_connection,start_link,undefined} at <0.8453.0> exit<br>
with reason no match of right hand value<br>
{error,{asn1,{{case_clause,19},[{'OTP-PUB-KEY',check_and_convert_restricted_string,5,[{file,"OTP-PUB-KEY.erl"},{line,14122}]},{'OTP-PUB-KEY',decode,2,[{file,"OTP-PUB-KEY.erl"},{line,493}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,60}]},{lists,map,2,[{file,"lists.erl"},{line,1173}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,72}]},{pubkey_cert_records,decode_tbs,1,[{file,"pubkey_cert_records.erl"},{line,190}]},{pubkey_cert_records,...},...]}}}<br>

in public_key:pkix_decode_cert/2 line 215 in context child_terminated<br>
_______________________________________________<br>
erlang-bugs mailing list<br>
<a href="mailto:erlang-bugs@erlang.org">erlang-bugs@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-bugs" target="_blank">http://erlang.org/mailman/listinfo/erlang-bugs</a><br>
</blockquote></div>
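<p>To make the reply's point concrete, here is an added example that is not part of the thread and not Erlang/OTP's code: a minimal DER decoder for the X.509 AttributeTypeAndValue that carries countryName, written in Python rather than Erlang. It shows the two behaviours the reply contrasts: a strict mode that returns an error when the value is tagged UTF8String (tag 12) instead of PrintableString (tag 19), and a lenient mode that accepts either tag the way the reply says OpenSSL and others do. In both modes malformed input yields an error tuple rather than an exception, which is what the reply says should have happened instead of the crash. The function names and the sample byte strings are constructed for this illustration.</p>

```python
# Added example (not from the mailing-list thread or Erlang/OTP): a minimal DER
# decoder for the X.509 AttributeTypeAndValue carrying countryName, showing
# strict vs. lenient handling of the string tag. Names and sample bytes are
# constructed for illustration.

# ASN.1 universal tag numbers relevant here (DER identifier octets)
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_UTF8STRING = 0x0C       # 12
TAG_PRINTABLESTRING = 0x13  # 19

# id-at-countryName = 2.5.4.6, DER-encoded OID contents
OID_COUNTRY_NAME = bytes([0x55, 0x04, 0x06])

# Tag X.520 permits for countryName in DER: PrintableString only
STRICT_COUNTRY_TAGS = {TAG_PRINTABLESTRING}
# Tags accepted in the forgiving mode the reply proposes
LENIENT_COUNTRY_TAGS = {TAG_PRINTABLESTRING, TAG_UTF8STRING}


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos) or raise ValueError."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        # long-form length: low bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of input")
    return tag, buf[pos:pos + length], pos + length


def decode_country_name(der, strict=True):
    """Decode AttributeTypeAndValue { type countryName, value } and return
    ("ok", "US") or ("error", reason). Never raises on malformed input."""
    allowed = STRICT_COUNTRY_TAGS if strict else LENIENT_COUNTRY_TAGS
    try:
        tag, seq, end = read_tlv(der, 0)
        if tag != TAG_SEQUENCE:
            return ("error", "expected SEQUENCE, got tag %d" % tag)
        if end != len(der):
            return ("error", "trailing bytes after SEQUENCE")
        otag, oid, pos = read_tlv(seq, 0)
        if otag != TAG_OID or oid != OID_COUNTRY_NAME:
            return ("error", "attribute type is not countryName")
        vtag, val, pos = read_tlv(seq, pos)
        if pos != len(seq):
            return ("error", "trailing bytes inside SEQUENCE")
        if vtag not in allowed:
            # This is the case the reply describes: report the wrong tag, do not crash
            return ("error", "wrong tag %d for countryName (expected PrintableString 19)" % vtag)
        if len(val) != 2:
            return ("error", "countryName must be exactly 2 characters")
        text = val.decode("ascii")
        if not (text.isalpha() and text.isupper()):
            return ("error", "countryName must be two upper-case letters")
        return ("ok", text)
    except (ValueError, UnicodeDecodeError) as exc:
        return ("error", str(exc))


# Constructed sample inputs (not taken from the certificate in the thread)
GOOD_DER = bytes([0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53])  # PrintableString "US"
UTF8_DER = bytes([0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x0C, 0x02, 0x55, 0x53])  # UTF8String "US"
BAD_DER  = bytes([0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x20, 0x55, 0x53])  # length overruns buffer

if __name__ == "__main__":
    for name, der in (("good", GOOD_DER), ("utf8", UTF8_DER), ("bad", BAD_DER)):
        print(name, "strict:", decode_country_name(der),
              "lenient:", decode_country_name(der, strict=False))
```

<p>The lenient mode only widens the set of accepted string tags; length and structure checks stay strict in both modes, so a forgiving decoder still rejects truncated or overlong values instead of reading past the buffer.</p>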