[erlang-patches] support md2WithRSAEncryption certificates

Christian von Roques roques@REDACTED
Sat Aug 6 20:47:20 CEST 2011


I've added support for md2WithRSAEncryption certificates to public_key
and the necessary support for md2 to crypto:rsa_sign/3 and
crypto:rsa_verify/4.

	git fetch git://github.com/roques/otp.git md2WithRSAEncryption


I did this to solve the following urgent problem, which others might
stumble upon in the future as well: One of our service providers
switched their SSL-certificate.  The new certificate is issued by
"VeriSign International Server CA - Class 3", which is included in many
collections of trusted root certificates.  However, to be supported by
ancient software, VeriSign's Class 3 certificate itself is issued by
VeriSign's "Class 3 Public Primary Certification Authority", which is a
self-signed md2WithRSAEncryption certificate.  All this would not be a
problem in itself; our service provider, however, has bundled his
certificate with the complete certificate chain up to and *including*
VeriSign's md2WithRSAEncryption root-certificate.  This mistake causes
OTP's ssl to try and fail to verify the self-signature of VeriSign's
root-certificate, because it does not yet know how to check
md2WithRSAEncryption signatures.

Attempts to solve the problem via polite requests to our service
provider not to include VeriSign's root certificate in the certificate
chain up to now just got "upgrade your Java to a current version"
replies.  --- I'm not sure if my patch counts as "upgrading Java", but
it solves the problem :-)

	Christian.





