[erlang-patches] Fix ssl connection issue using proxy certificate (certificate chain file)

Valentin Kuznetsov vkuznet@REDACTED
Sat Mar 16 15:43:24 CET 2013


Hi,
Physicists working in CERN experiments rely on the use of proxy certificates, i.e. a certificate chain file. Those are obtained via grid-proxy-init or voms-proxy-init and can be stored on a proxy server.

We found that the default ssl module partially parses such files and therefore fails to authenticate clients with servers accepting proxy certificates. The provided patch fixes this issue (thanks to Diego da Silva Gomes <diego@REDACTED>); please include:

git fetch git://github.com/vkuznet/otp.git ssl_connection4chain_certificate

https://github.com/vkuznet/otp/compare/maint...ssl_connection4chain_certificate
https://github.com/vkuznet/otp/compare/maint...ssl_connection4chain_certificate.patch

To verify the change you need a server which accepts proxy certificates, and you need to configure your client with your proxy certificate as follows:

%% generate a user proxy file using grid-proxy-init
%% the produced /tmp/x509up_u<id> proxy file contains the user private key, certificate and CA certificate
%% configure your client to use the proxy file
%% (Url and Headers must already be bound; inets and ssl must be started)
Request = {Url, Headers},
ProxyCert = "/tmp/x509up_u502",
HTTPOptions = [{ssl, [{keyfile, ProxyCert}, {certfile, ProxyCert}, {cacertfile, ProxyCert}]}],
httpc:request(get, Request, HTTPOptions, []).

Thanks,
Valentin.
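
To see what a client has to load from such a file, this added example (not part of the original post or of the patch) uses OTP's public_key module to list every PEM entry in a proxy file and report, for each certificate, whether its issuer is also present in the file. The module name proxy_pem_inspect and its function names are hypothetical.

```erlang
%% Added example: inspect a PEM bundle such as a grid proxy file.
%% Module and function names are hypothetical, not from the OTP patch.
-module(proxy_pem_inspect).
-export([inspect/1, inspect_bin/1]).

%% Read a PEM bundle from disk, e.g.
%%   proxy_pem_inspect:inspect("/tmp/x509up_u502").
inspect(Path) ->
    {ok, Bin} = file:read_file(Path),
    inspect_bin(Bin).

%% Classify every PEM entry and, for each certificate, report the position
%% (among the certificates in the file) of the certificate that issued it.
inspect_bin(Bin) ->
    Entries = public_key:pem_decode(Bin),
    Certs = [Der || {'Certificate', Der, not_encrypted} <- Entries],
    Keys = [Type || {Type, _Der, _Enc} <- Entries, is_key(Type)],
    Links = [{N, issuer_index(C, Certs)} || {N, C} <- index(Certs)],
    [{entries, length(Entries)},
     {certificates, length(Certs)},
     {private_keys, Keys},
     {issuer_of, Links}].

%% PEM entry types that carry a private key.
is_key('RSAPrivateKey') -> true;
is_key('DSAPrivateKey') -> true;
is_key('ECPrivateKey') -> true;
is_key('PrivateKeyInfo') -> true;
is_key(_) -> false.

%% Pair each element with its 1-based position.
index(List) -> lists:zip(lists:seq(1, length(List)), List).

%% Position of the first other certificate whose subject matches Cert's
%% issuer, or 'none' when the issuer is not in the file (for example a
%% self-signed root, or a chain whose upper part is stored elsewhere).
issuer_index(Cert, Certs) ->
    case [N || {N, C} <- index(Certs), C =/= Cert,
               public_key:pkix_is_issuer(Cert, C)] of
        [N | _] -> N;
        [] -> none
    end.
```

A file for which `certificates` is greater than 1 is one where a loader that keeps only part of the file would present an incomplete chain to the server.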



