[erlang-patches] Fix ssl connection issue using proxy certificate (certificate chain file)

Fredrik <>
Wed Mar 20 10:59:06 CET 2013


On 03/20/2013 10:18 AM, Fredrik wrote:
> On 03/16/2013 03:43 PM, Valentin Kuznetsov wrote:
>> Hi,
>> physicists working in CERN experiments relies on usage of proxy 
>> certificates, i.e. certificate chain file. Those are obtained via 
>> grid-proxy-init, voms-proxy-init and can be stored to proxy server.
>>
>> We found that default ssl module partially parses such files and 
>> therefore fails to authenticate clients with servers accepting proxy 
>> certificates. Provided patch fixes this issue (thanks to Diego da 
>> Silva Gomes<>), please include:
>>
>> git fetch git://github.com/vkuznet/otp.git 
>> ssl_connection4chain_certificate
>>
>> https://github.com/vkuznet/otp/compare/maint...ssl_connection4chain_certificate 
>>
>> https://github.com/vkuznet/otp/compare/maint...ssl_connection4chain_certificate.patch 
>>
>>
>> To verify the change you need to have a server which accepts proxy 
>> certificate and configure your client with your proxy certificate as 
>> following:
>>
>> %% generate user proxy file by using grid-proxy-init
>> %% produced /tmp/x509up_u<id>  proxy file contains user private key, 
>> certificate and cacertificate
>> %% configure your client to use proxy file
>> Request={Url, Headers},
>> ProxyCert = "/tmp/x509up_u502",
>> HTTPOptions = [{ssl, [{keyfile, ProxyCert}, {certfile, ProxyCert}, 
>> {cacertfile, ProxyCert}]}]
>> httpc:request(get, Request, HTTPOptions, [])
>>
>> Thanks,
>> Valentin.
>>
>> _______________________________________________
>> erlang-patches mailing list
>> 
>> http://erlang.org/mailman/listinfo/erlang-patches
> Hello, could you please rebase this patch upon current maint branch 
> instead?
>
Except the rebaseing, you could make some changes to your patch. This T 
variable you are initiating is not used and we think it should be an 
unbound variable (_) instead. Could you also add a explanation why this 
is the way to go to handle this. Does this proxy concept guarantee that 
the first certificate is the 'own certificate' ?

-- 

BR Fredrik Gustafsson
Erlang OTP Team



More information about the erlang-patches mailing list