[erlang-questions] ssl_pkix:decode_cert_file exceptions with common PEM files

Ingela Anderton Andin ingela@REDACTED
Fri Jan 16 15:55:10 CET 2009

> Hi,
> I installed the "ca-certificate" package in Debian which provides
> common CA Certificate PEM files (like those that would be preinstalled
> on a web-browser).
> When I tried using ssl_pkix:decode_cert_file on the CA certificates
> installed, a lot of the certificates caused an exception which appears
> to be due to a few recurring certificate extensions:
> 1,2,840,113533,7,65,0    (entrust version extension)
> 2,16,840,1,113730,1,4    (Netscape CA Revocation URL)
> 2,16,840,1,113730,1,1    (Netscape Certificate Type)
> 2,16,840,1,113730,1,8    (Netscape CA policy URL)
> I had a quick look at the ASN.1 definitions in the pkix directory of
> the OTP distribution and the above definitions are missing. Is there
> any way to add the definitions, or a way to avoid the problem? I am
> concerned if I use the new SSL erlang library to connect to a secure
> Web site the certificate validation will fail.

The new ssl implementation does not use the ssl_pkix module at all or
the ASN-specs in ssl. The new ssl implementation uses the new
application public_key for all its certificate handling, and as soon as
we make public_key a documented application the ssl_pkix module will
become deprecated and later on removed.
I do not think that the ssl_pkix module can have been used so much, as
it seems to be somewhat broken!
Note however that the new ssl implementation still has a few
limitations that we are working on implementing.

Regards Ingela Erlang/OTP - Ericsson
