[erlang-patches] Fix ssl connection issue using proxy certificate (certificate chain file)

Valentin Kuznetsov <>
Thu Mar 21 01:27:55 CET 2013

Hi Fredrik,
yes, you're right, the T variable can be replaced with unbounded one. I did local build and test it, it works fine.

Regarding your questions. My understanding that former is related to later. According to the following docs [1,2] the proxy file contains PEM-certificate which is followed by PEM-encoded private key and other certificates. And ssl_certificate:file_to_certificats will incorrectly extract owner certificate.

[1] http://dev.globus.org/wiki/Security/ProxyCertTypes
[2] http://dev.globus.org/wiki/Security/ProxyFileFormat

So, as you requested, I made a patch against current maint branch. Please take

git fetch git://github.com/vkuznet/otp.git ssl_connection4chain_certificate2


P.S. I'm new to erlang patch procedure and hopefully I did everything right with patches.

On Mar 20, 2013, at ,Mar 20, 5:59 AM, Fredrik wrote:

> On 03/20/2013 10:18 AM, Fredrik wrote:
>> On 03/16/2013 03:43 PM, Valentin Kuznetsov wrote:
>>> Hi,
>>> physicists working in CERN experiments relies on usage of proxy certificates, i.e. certificate chain file. Those are obtained via grid-proxy-init, voms-proxy-init and can be stored to proxy server.
>>> We found that default ssl module partially parses such files and therefore fails to authenticate clients with servers accepting proxy certificates. Provided patch fixes this issue (thanks to Diego da Silva Gomes<>), please include:
>>> git fetch git://github.com/vkuznet/otp.git ssl_connection4chain_certificate
>>> https://github.com/vkuznet/otp/compare/maint...ssl_connection4chain_certificate 
>>> https://github.com/vkuznet/otp/compare/maint...ssl_connection4chain_certificate.patch 
>>> To verify the change you need to have a server which accepts proxy certificate and configure your client with your proxy certificate as following:
>>> %% generate user proxy file by using grid-proxy-init
>>> %% produced /tmp/x509up_u<id>  proxy file contains user private key, certificate and cacertificate
>>> %% configure your client to use proxy file
>>> Request={Url, Headers},
>>> ProxyCert = "/tmp/x509up_u502",
>>> HTTPOptions = [{ssl, [{keyfile, ProxyCert}, {certfile, ProxyCert}, {cacertfile, ProxyCert}]}]
>>> httpc:request(get, Request, HTTPOptions, [])
>>> Thanks,
>>> Valentin.
>>> _______________________________________________
>>> erlang-patches mailing list
>>> http://erlang.org/mailman/listinfo/erlang-patches
>> Hello, could you please rebase this patch upon current maint branch instead?
> Except the rebaseing, you could make some changes to your patch. This T variable you are initiating is not used and we think it should be an unbound variable (_) instead. Could you also add a explanation why this is the way to go to handle this. Does this proxy concept guarantee that the first certificate is the 'own certificate' ?
> -- 
> BR Fredrik Gustafsson
> Erlang OTP Team

More information about the erlang-patches mailing list