[erlang-questions] ssl_pkix:decode_cert_file exceptions with common PEM files
Ingela Anderton Andin
Fri Jan 16 15:55:10 CET 2009
> I installed the "ca-certificate" package in Debian which provides
> common CA Certificate PEM files (like those that would be preinstalled
> on a web-browser).
> When I tried using ssl_pkix:decode_cert_file on the CA certificates
> installed a lot of the certificates caused an exception which appear
> to be due to a few recurring certificate extensions:
> 1,2,840,113533,7,65,0 (entrust version extension)
> 2,16,840,1,113730,1,4 (Netscape CA Revocation URL)
> 2,16,840,1,113730,1,1 (Netscape Certificate Type)
> 2,16,840,1,113730,1,8 (Netscape CA policy URL)
> I had a quick look at the ASN.1 definitions in the pkix directory of
> the OTP distribution and the above definitions are missing. Is there
> anyway to add the definitions, or a way to avoid the problem? I am
> concerned if I use the new SSL erlang library to connect to a secure
> Web site the certificate validation will fail.
The new ssl implementation does not use the ssl_pkix module at all or
the ASN-specs in ssl. The new ssl implementation
uses the new application public_key for all its certificate handling and
a soon as we make public_key
a documented application the ssl_pkix module will be come deprecated and
later on removed.
I do not think that the ssl_pkix module can have been used so much as
it seems to be somewhat broken!
Note however that the new ssl implementations still has a few
limitations that we are working on implementing.
Regards Ingela Erlang/OTP - Ericsson
More information about the erlang-questions