[erlang-questions] using bundled certificates in the ssl:ssl_accept upgrade function

Ingela Andin <>
Mon Dec 3 10:57:16 CET 2012


Hi!

2012/11/30, Daniel Barney <>:
> Hello,
>
> I am using erlang on a server that has quite a few ips, and I need to
> serve out a different certificate based on which ip the client
> connects to.
>
> So i am upgrading a tcp socket based on the ip that the client is
> connecting to. Unfortunatly i have only managed to get this to work
> with certificates that don't have another certificates bundled with
> them.
>
> Am i just doing this wrong?
>
> so here is how I tried the first time, this establishes the encrypted
> connection, but it doesn't serve the bundled certificates. just the
> first one.
>
> {ok,BundleFileData} = file:read_file("/mnt/ssl/mycert.bundle.crt"),
>
> [{_,TheCert,_} | _] = public_key:pem_decode(CertFIleData), %% notice
> how I only grab the first one, which is why it can only serve the
> first one in the chain
> Certs = [{cert,TheCert},{keyfile = "/mnt/ssl/mycert.key"}],
> {ok,SslSocket} = ssl:ssl_accept(Socket,[{active,false},{verify,
> verify_none}] ++ Certs) %% Socket is opened somewhere else
>
> I tried to verify the connection with the following command: openssl
> s_client -showcerts -connect 127.0.0.1:4430
>
> but the cert is never trusted because only it is served and never the
> bundled certs.and I expect that the cert will not be trusted because I
> am only giving it the first one.
>
> and I get this:
> CONNECTED(00000003)
> depth=0 %% removed because it is not my cert
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 %% removed because it is not my cert
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 %% removed because it is not my cert
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 %% removed because it is not my cert
>    i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
> %% some more stuff removed
> Verify return code: 21 (unable to verify the first certificate)
>
>
> and when I switch to just trying to load the file from the disk, which
> returns an ecertfile error
>
>
> Certs = [{certfile,"/mnt/ssl/mycert.bundle.crt"},{keyfile =
> "/mnt/ssl/mycert.key"}],

The option certifile expects a pem-file that only holds one certificate
the peer certificate. Other certificates in the chain should be specified
by the option cacertfile option.


> {error,ecertfile} = ssl:ssl_accept(Socket,[{active,false},{verify,
> verify_none}] ++ Certs) %% Socket is opened somewhere else
>
> I've checked and the file does exist at the path, and I have used the
> same cert bundle in a Node.js project before so I know its not the
> certificate.
>
>
> So my question is am I doing this completely wrong? I can't manage to
> find anything on the manual page for ssl to indicate that bundled
> certs wouldn't work in erlang, and I can't imagine that erlang does
> not support bundled certificates. So i have to be doing this wrong.
>
> any help would be much appreciated on figuring this out.

So yes and no we support bundled certificates but not in the way you expected.
Only cacertfile can be a bundle not certfile! This is a very old API
and if there is a good
reason too we could extend it, you are welcome to make suggestions.

Regards Ingela Erlang/OTP team - Ericsson AB



More information about the erlang-questions mailing list