[erlang-patches] Fix ssl connection issue using proxy certificate (certificate chain file)
Fredrik
fredrik@REDACTED
Wed Mar 20 10:59:06 CET 2013
On 03/20/2013 10:18 AM, Fredrik wrote:
> On 03/16/2013 03:43 PM, Valentin Kuznetsov wrote:
>> Hi,
>> physicists working in CERN experiments rely on usage of proxy
>> certificates, i.e. certificate chain file. Those are obtained via
>> grid-proxy-init, voms-proxy-init and can be stored to proxy server.
>>
>> We found that default ssl module partially parses such files and
>> therefore fails to authenticate clients with servers accepting proxy
>> certificates. Provided patch fixes this issue (thanks to Diego da
>> Silva Gomes<diego@REDACTED>), please include:
>>
>> git fetch git://github.com/vkuznet/otp.git
>> ssl_connection4chain_certificate
>>
>> https://github.com/vkuznet/otp/compare/maint...ssl_connection4chain_certificate
>>
>> https://github.com/vkuznet/otp/compare/maint...ssl_connection4chain_certificate.patch
>>
>>
>> To verify the change you need to have a server which accepts proxy
>> certificate and configure your client with your proxy certificate as
>> follows:
>>
>> %% generate user proxy file by using grid-proxy-init
>> %% produced /tmp/x509up_u<id> proxy file contains user private key,
>> %% certificate and cacertificate
>> %% configure your client to use proxy file
>> %% (Url and Headers must be bound to the request URL and header list)
>> Request = {Url, Headers},
>> ProxyCert = "/tmp/x509up_u502",
>> HTTPOptions = [{ssl, [{keyfile, ProxyCert}, {certfile, ProxyCert},
>>                       {cacertfile, ProxyCert}]}],
>> httpc:request(get, Request, HTTPOptions, [])
>>
>> Thanks,
>> Valentin.
>>
>> _______________________________________________
>> erlang-patches mailing list
>> erlang-patches@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-patches
> Hello, could you please rebase this patch upon current maint branch
> instead?
>
Apart from the rebasing, you could make some changes to your patch. This T
variable you are initiating is not used and we think it should be an
unbound variable (_) instead. Could you also add an explanation of why this
is the way to go to handle this? Does this proxy concept guarantee that
the first certificate is the 'own certificate'?
--
BR Fredrik Gustafsson
Erlang OTP Team
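The question raised above, whether the first certificate in a proxy file is always the client's own certificate, can be sidestepped on the client side: decode the bundle with public_key:pem_decode/1, identify the end-entity certificate from the issuer relationships rather than its position in the file, and hand ssl the parts explicitly via the cert, key and cacerts options. The module below is an added example, not code from the patch or from either message in the thread; the module name proxy_chain and the function names are made up for this illustration, and it assumes an unencrypted PEM bundle containing exactly one private key, as grid-proxy-init produces.

```erlang
%% Added example (not from the thread or the patch): split a grid proxy
%% bundle ourselves instead of relying on keyfile/certfile/cacertfile
%% pointing at the same multi-certificate file.
-module(proxy_chain).
-export([ssl_options_from_proxy/1, split_bundle/1]).

%% Read a proxy file (private key, proxy certificate and the certificates
%% that issued it, all in one PEM file) and return ssl options that name
%% each part explicitly, so ssl never has to guess which certificate in
%% the file belongs to the client.
ssl_options_from_proxy(Path) ->
    {ok, Pem} = file:read_file(Path),
    {KeyEntry, Own, CAs} = split_bundle(public_key:pem_decode(Pem)),
    {KeyType, KeyDer, not_encrypted} = KeyEntry,
    [{cert, Own}, {key, {KeyType, KeyDer}}, {cacerts, CAs}].

%% Split decoded PEM entries into {KeyEntry, OwnCertDer, [CACertDer]}.
%% The end-entity certificate is chosen by chain structure, not by file
%% order: it is the one certificate that is not the issuer of any other
%% certificate in the bundle. Everything else is treated as a CA cert.
%% A bundle with zero or several private keys fails the [KeyEntry] match.
split_bundle(Entries) ->
    Certs = [Der || {'Certificate', Der, not_encrypted} <- Entries],
    [KeyEntry] = [E || {Type, _, not_encrypted} = E <- Entries,
                       lists:member(Type, ['RSAPrivateKey', 'DSAPrivateKey',
                                           'ECPrivateKey', 'PrivateKeyInfo'])],
    %% Issues(Cand) is true when Cand is the issuer of some other cert.
    Issues = fun(Cand) ->
                 lists:any(fun(C) -> C =/= Cand andalso
                                     public_key:pkix_is_issuer(C, Cand)
                           end, Certs)
             end,
    case [C || C <- Certs, not Issues(C)] of
        [Own] -> {KeyEntry, Own, Certs -- [Own]};
        Other -> erlang:error({no_unique_end_entity, length(Other)})
    end.
```

With this module, the client configuration from the original report becomes `httpc:request(get, Request, [{ssl, proxy_chain:ssl_options_from_proxy("/tmp/x509up_u502")}], [])`. Note that public_key:pkix_is_issuer/2 compares issuer and subject names only; it does not check signatures, so it is suitable for deciding which certificate to present, while the signature check on the chain remains the server's path validation job.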