[erlang-questions] ssl:peercert returns no_peercert on server, but works on client

Ingela Andin <>
Fri Nov 23 10:15:17 CET 2012


Hi!

2012/11/22,  <>:
> Hello Ingela!
>
>> you have not
>> specified that the server should verify the client {verify,
>> verify_peer} , by default the server will
>> not  request a client certificate
>
> Thanks for your reply, it helped! I can now retrieve the certificate and
> validate it when the client needs to enter a privileged role.
>
> I had to work around a problem - when the client certificate is signed by a
> CA, the server crashes at SSL connection time. When the client
> certificate is only self-signed everything seems to work right including
> ssl:peercert/1.
>
> The server uses the following SSL options and the null verification fun from
> the SSL manual:
>
>     SslOptions = [{certfile, ?SSL_CERT_PATH}, {keyfile, ?SSL_KEY_PATH},
>                   {verify, verify_peer}, {verify_fun, {verify_fun_none(), []}}],

Why do you not validate the certificate in the verify_fun as part of
the path validation?
And why do you specify a verify_fun that accepts all standard
certificate path errors? That is not very safe!

{verify_fun,
 {fun(_, {bad_cert, _} = Reason, _) ->
          {fail, Reason};
     (_, {extension, _}, UserState) ->
          {unknown, UserState};
     (_, valid, UserState) ->
          {valid, UserState};
     (_PeerCert, valid_peer, UserState) ->
          {valid, UserState}
  end, []}}



> The client uses following SSL options:
>
>     SslOptions = [{certfile, ?SSL_LM_CLIENTCERT_PATH},
>                   {keyfile, ?SSL_LM_CLIENTKEY_PATH}],
>

I will look into reproducing your problem. So far I have spotted a missing try
clause, i.e. we could generate a decrypt_failed error message here instead of
this crash.


> The crash looks as follows:
>
> =ERROR REPORT==== 22-Nov-2012::11:14:33 ===
> ** State machine <0.1813.0> terminating
> ** Last message in was {tcp,#Port<0.7011>,
>                             <<22,3,1,0,134,16,0,0,130,0,128,124,165,185,225,
>
> 252,236,46,20,10,57,92,171,44,24,67,237,105,105,
>
> 128,153,53,52,65,236,144,79,246,189,81,211,105,
>
> 88,87,179,197,9,197,132,36,31,157,38,240,241,76,
>
> 214,15,188,32,114,131,114,197,104,78,246,89,142,
>
> 110,183,91,237,202,20,29,182,215,97,199,75,199,
>
> 86,132,197,29,141,105,6,51,167,226,66,140,11,62,
>
> 67,79,41,72,103,243,214,47,27,97,176,109,211,15,
>
> 192,44,112,127,12,169,78,43,238,119,86,164,119,
>
> 235,122,165,209,66,162,67,173,146,105,53,161,79,
>
> 183,91,94,22,3,1,1,6,15,0,1,2,1,0,86,79,97,119,
>
> 56,220,212,141,121,171,170,45,99,158,180,65,155,
>
> 20,158,110,113,113,205,252,0,175,202,212,69,250,
>                               27,118,17,89,131,102,246,150,72,74,115,26,88,
>
> 155,52,193,129,163,57,97,69,40,47,216,77,120,59,
>
> 73,214,173,46,24,203,163,109,116,172,240,129,40,
>
> 245,230,84,7,159,230,152,230,36,205,202,234,29,
>                               112,180,231,160,46,98,96,88,177,133,184,13,64,
>
> 25,48,209,188,28,118,125,14,8,183,220,40,146,11,
>
> 129,37,29,242,175,117,238,84,105,81,222,97,253,
>                               29,199,106,161,91,229,86,118,121,76,223,9,82,
>                               229,222,144,242,18,65,15,104,222,218,238,207,
>                               154,43,36,22,28,223,32,79,18,163,141,43,34,33,
>
> 141,55,126,216,34,213,0,88,132,249,70,199,94,9,
>
> 22,201,100,153,222,54,196,13,138,254,175,18,94,
>
> 5,81,36,49,239,200,164,3,35,227,215,180,129,206,
>
> 9,231,115,68,246,85,247,189,90,107,57,31,76,117,
>                               158,41,167,185,217,186,39,171,4,182,91,66,171,
>                               123,32,129,175,90,243,217,41,18,16,80,217,104,
>
> 104,98,184,34,233,98,98,157,190,14,136,137,128,
>
> 20,3,1,0,1,1,22,3,1,0,48,236,59,196,85,219,154,
>
> 221,159,242,33,94,39,156,30,135,226,130,11,229,
>
> 89,17,239,94,183,150,153,48,119,185,238,182,42,
>                               98,81,64,172,239,201,40,122,109,54,11,64,208,
>                               244,135,97>>}
> ** When State == certify
> **      Data  == {state,server,
>                      {#Ref<0.0.0.8307>,<0.1801.0>},
>                      gen_tcp,tcp,tcp_closed,tcp_error,"localhost",8045,
>                      #Port<0.7011>,
>                      {ssl_options,[],verify_peer,
>                          {#Fun<command_processor.0.26526889>,[]},
>                          false,false,undefined,1,"../cert/server.crt",
>                          undefined,"../cert/server.key",undefined,undefined,
>                          undefined,[],undefined,undefined,
>                          [<<0,57>>,
>                           <<0,56>>,
>                           <<0,53>>,
>                           <<0,22>>,
>                           <<0,19>>,
>                           <<0,10>>,
>                           <<0,51>>,
>                           <<0,50>>,
>                           <<0,47>>,
>                           <<0,5>>,
>                           <<0,4>>,
>                           <<0,21>>,
>                           <<0,9>>],
>                          #Fun<ssl.0.123982462>,true,18446744073709551900,
>                          false,[],undefined},
>                      {socket_options,list,line,0,0,false},
>                      {connection_states,
>                          {connection_state,
>                              {security_parameters,
>                                  <<0,0>>,
>                                  0,0,0,0,0,0,0,0,0,0,undefined,undefined,
>                                  undefined,undefined},
>                              undefined,undefined,undefined,2,true,undefined,
>                              undefined},
>                          {connection_state,
>                              {security_parameters,
>                                  <<0,57>>,
>                                  0,7,1,16,256,32,unknown,2,20,0,undefined,
>
> <<80,173,251,9,182,167,195,207,85,233,230,8,
>
> 168,220,102,65,112,98,206,125,25,138,109,69,
>                                    19,203,42,127,243,91,89,209>>,
>
> <<80,173,251,9,181,195,163,185,49,240,227,167,
>                                    126,49,159,95,118,198,197,199,80,109,167,
>                                    144,126,133,243,15,58,35,163,41>>,
>                                  undefined},
>                              undefined,undefined,undefined,undefined,true,
>                              undefined,undefined},
>                          {connection_state,
>                              {security_parameters,
>                                  <<0,0>>,
>                                  0,0,0,0,0,0,0,0,0,0,undefined,undefined,
>                                  undefined,undefined},
>                              undefined,undefined,undefined,5,true,undefined,
>                              undefined},
>                          {connection_state,
>                              {security_parameters,
>                                  <<0,57>>,
>                                  0,7,1,16,256,32,unknown,2,20,0,undefined,
>
> <<80,173,251,9,182,167,195,207,85,233,230,8,
>
> 168,220,102,65,112,98,206,125,25,138,109,69,
>                                    19,203,42,127,243,91,89,209>>,
>
> <<80,173,251,9,181,195,163,185,49,240,227,167,
>                                    126,49,159,95,118,198,197,199,80,109,167,
>                                    144,126,133,243,15,58,35,163,41>>,
>                                  undefined},
>                              undefined,undefined,undefined,undefined,true,
>                              undefined,undefined}},
>                      [],<<>>,<<>>,
>
> {{<<74,235,27,194,251,55,161,227,190,40,7,141,30,30,195,
>
> 73,80,72,0,0,0,0,0,0,141,253,46,225,175,139,230,151,
>
> 57,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
>
> 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
>                          0,0,0,10,0,0,0>>,
>                        <<124,237,16,106,151,175,31,162,73,226,133,96,82,170,
>                          172,146,62,65,50,112,80,72,0,0,0,0,0,0,141,253,46,
>
> 225,175,139,230,151,57,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
>
> 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
>                          0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0>>},
>
> {<<254,34,90,191,186,108,88,132,227,38,96,111,102,221,16,
>
> 176,176,47,0,0,0,0,0,0,194,101,158,183,125,65,112,84,
>
> 154,138,247,42,54,110,227,200,226,77,200,16,226,112,
>
> 64,93,223,163,2,160,174,68,70,242,182,160,122,43,217,
>
> 29,58,168,255,227,13,0,0,4,1,1,0,0,14,0,0,0,0,0,0,0,0,
>                          0,0,0,0,0,54,0,0,0>>,
>                        <<58,140,204,97,184,192,94,67,73,81,149,252,253,209,
>
> 248,42,177,107,91,42,176,47,0,0,0,0,0,0,194,101,158,
>
> 183,125,65,112,84,154,138,247,42,54,110,227,200,226,
>
> 77,200,16,226,112,64,93,223,163,2,160,174,68,70,242,
>
> 182,160,122,43,217,29,58,168,255,227,13,0,0,4,1,1,0,
>                          0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,54,0,0,0>>}},
>                      [],282641,
>                      {session,
>
> <<40,81,21,171,116,215,2,75,239,85,93,101,222,58,221,
>
> 16,169,9,131,231,253,81,71,239,191,101,119,219,34,
>                            105,114,1>>,
>
> <<48,130,3,6,48,130,1,238,2,9,0,144,207,233,174,127,
>
> 216,70,81,48,13,6,9,42,134,72,134,247,13,1,1,5,5,0,
>
> 48,69,49,11,48,9,6,3,85,4,6,19,2,67,90,49,22,48,20,
>
> 6,3,85,4,10,12,13,83,111,101,109,115,97,116,117,32,
>
> 67,97,98,117,49,12,48,10,6,3,85,4,11,12,3,73,67,84,
>                            49,16,48,14,6,3,85,4,3,12,7,105,99,116,46,99,111,
>
> 109,48,30,23,13,49,50,49,49,50,50,49,48,49,52,49,55,
>
> 90,23,13,49,55,49,49,50,49,49,48,49,52,49,55,90,48,
>
> 69,49,11,48,9,6,3,85,4,6,19,2,67,90,49,22,48,20,6,3,
>
> 85,4,10,12,13,83,111,101,109,115,97,116,117,32,67,
>
> 97,98,117,49,12,48,10,6,3,85,4,11,12,3,73,67,84,49,
>
> 16,48,14,6,3,85,4,3,12,7,105,99,116,46,99,111,109,
>
> 48,130,1,34,48,13,6,9,42,134,72,134,247,13,1,1,1,5,
>
> 0,3,130,1,15,0,48,130,1,10,2,130,1,1,0,190,0,28,89,
>
> 0,189,127,83,155,81,235,193,186,105,224,229,114,20,
>
> 147,7,203,135,145,175,179,74,115,137,217,179,46,49,
>
> 33,83,30,86,32,155,97,177,70,12,87,5,33,124,3,131,
>                            208,19,118,215,95,145,193,207,211,149,0,158,20,3,
>                            133,178,174,238,7,147,205,225,11,50,58,113,4,187,
>
> 200,107,194,118,228,153,119,142,202,212,232,111,238,
>
> 143,149,0,240,149,144,31,155,235,119,242,167,31,204,
>                            20,13,173,83,39,18,200,244,150,207,229,103,83,58,
>                            216,250,208,252,232,175,56,73,248,44,55,38,176,9,
>
> 123,154,211,195,62,97,197,194,234,18,186,40,237,125,
>
> 123,63,242,164,23,146,164,198,225,0,94,178,101,232,
>
> 183,87,153,207,90,128,63,109,177,132,144,205,127,41,
>
> 152,134,149,79,59,224,25,165,83,178,126,96,220,209,
>
> 53,165,13,126,95,193,235,94,92,31,201,65,68,116,232,
>
> 5,42,84,173,157,4,255,232,77,52,164,103,201,255,162,
>
> 250,59,47,45,164,81,61,234,176,62,195,186,173,243,
>                            27,172,129,174,40,187,164,7,169,184,96,68,31,244,
>
> 150,24,140,5,247,39,14,70,200,149,63,2,3,1,0,1,48,
>
> 13,6,9,42,134,72,134,247,13,1,1,5,5,0,3,130,1,1,0,
>
> 95,48,235,37,237,45,7,232,113,142,18,0,146,119,212,
>
> 239,43,122,106,160,11,238,184,163,22,75,111,96,224,
>
> 116,174,142,137,245,152,220,76,169,91,137,205,60,47,
>
> 35,144,44,252,197,149,211,209,121,242,142,122,62,35,
>                            219,37,230,226,96,249,121,68,16,156,28,79,92,174,
>
> 101,210,57,156,142,31,129,133,111,65,211,82,16,162,
>
> 250,88,35,66,67,62,160,73,110,206,248,0,88,149,217,
>
> 191,73,198,117,59,154,45,98,15,156,120,161,84,206,
>
> 43,95,242,200,197,1,200,152,131,135,103,253,194,147,
>
> 184,115,50,153,45,109,165,189,147,143,194,55,53,12,
>
> 52,27,166,133,81,220,200,95,201,0,224,66,152,210,9,
>                            206,187,117,137,123,231,110,173,63,140,33,218,91,
>
> 222,194,37,220,146,190,252,10,137,153,167,212,35,77,
>
> 107,147,118,84,189,187,130,130,71,245,49,67,101,165,
>
> 235,226,224,210,221,240,237,193,53,125,149,159,50,
>                            249,194,176,97,76,224,35,41,249,121,147,23,72,47,
>
> 104,178,59,134,201,135,119,189,144,209,144,63,169,
>                            95,86,78,104,79,44,150,79,141,253,46,225,175,139,
>                            230,151,57,6>>,
>                          <<48,130,3,54,48,130,2,30,2,9,0,140,204,151,61,246,
>
> 240,165,67,48,13,6,9,42,134,72,134,247,13,1,1,5,5,0,
>
> 48,93,49,11,48,9,6,3,85,4,6,19,2,67,90,49,39,48,37,
>
> 6,3,85,4,10,19,30,82,101,112,117,116,97,116,105,111,
>
> 110,32,83,101,114,118,105,99,101,32,68,101,118,101,
>
> 108,111,112,109,101,110,116,49,37,48,35,6,3,85,4,3,
>
> 19,28,114,101,112,117,116,97,116,105,111,110,45,115,
>
> 101,114,118,105,99,101,46,107,101,114,105,111,46,99,
>
> 111,109,48,30,23,13,49,50,48,52,48,51,49,53,50,51,
>
> 50,55,90,23,13,49,55,48,52,48,50,49,53,50,51,50,55,
>
> 90,48,93,49,11,48,9,6,3,85,4,6,19,2,67,90,49,39,48,
>
> 37,6,3,85,4,10,19,30,82,101,112,117,116,97,116,105,
>
> 111,110,32,83,101,114,118,105,99,101,32,68,101,118,
>
> 101,108,111,112,109,101,110,116,49,37,48,35,6,3,85,
>
> 4,3,19,28,114,101,112,117,116,97,116,105,111,110,45,
>
> 115,101,114,118,105,99,101,46,107,101,114,105,111,
>
> 46,99,111,109,48,130,1,34,48,13,6,9,42,134,72,134,
>
> 247,13,1,1,1,5,0,3,130,1,15,0,48,130,1,10,2,130,1,1,
>
> 0,192,14,209,47,35,12,52,111,245,93,138,117,89,37,
>
> 130,184,25,108,243,65,169,208,204,66,122,25,192,194,
>
> 226,86,105,37,222,108,131,213,4,139,199,248,161,59,
>                            13,46,125,207,2,199,57,238,131,38,248,28,139,159,
>
> 211,81,31,186,202,57,81,143,111,8,122,164,73,41,11,
>
> 141,15,83,3,9,25,95,113,95,196,37,150,2,121,248,182,
>
> 104,215,240,24,222,66,173,79,125,100,36,187,231,69,
>
> 248,20,181,125,39,202,203,193,164,129,95,249,43,99,
>
> 3,37,85,200,139,131,12,248,253,89,41,91,142,220,183,
>
> 106,47,88,173,175,69,210,89,209,146,97,163,84,153,
>                            107,141,220,76,26,223,247,133,189,234,31,107,176,
>                            129,188,57,164,200,21,91,97,77,105,97,223,236,67,
>
> 253,16,128,222,157,234,177,180,47,21,85,131,170,177,
>
> 28,238,121,144,92,162,226,2,173,143,181,212,6,172,
>
> 148,162,33,100,151,2,91,48,114,135,239,237,111,36,
>
> 236,7,8,41,143,3,117,25,15,207,2,79,77,6,126,34,43,
>                            249,147,215,252,97,30,188,15,208,245,195,111,180,
>
> 103,104,175,210,13,226,147,46,156,176,119,146,105,2,
>
> 3,1,0,1,48,13,6,9,42,134,72,134,247,13,1,1,5,5,0,3,
>
> 130,1,1,0,74,14,242,251,17,1,83,137,202,112,234,245,
>
> 203,168,159,226,56,164,149,123,50,233,229,88,0,156,
>
> 11,0,45,18,250,63,199,38,58,241,62,147,201,162,36,
>
> 231,92,72,211,94,244,14,11,205,254,48,95,14,76,204,
>
> 149,242,115,80,59,217,248,183,21,114,70,30,51,191,
>
> 147,204,247,234,160,80,38,41,119,75,46,227,250,35,
>
> 33,24,99,49,182,20,50,255,75,63,209,134,204,68,215,
>
> 163,240,89,103,251,242,184,232,33,106,248,81,70,132,
>
> 164,142,166,20,112,248,14,66,234,151,21,243,179,22,
>                            144,184,243,240,150,203,228,207,165,155,6,46,157,
>                            227,41,184,122,191,228,99,176,126,245,254,120,84,
>
> 159,214,194,167,141,102,73,31,112,183,166,246,102,
>
> 66,48,241,174,52,201,190,31,63,109,171,247,83,147,
>
> 42,253,196,217,208,128,223,199,226,123,176,180,70,
>
> 228,147,208,5,23,182,3,94,114,39,21,150,31,129,137,
>                            92,132,177,71,128,126,44,184,106,224,119,159,219,
>
> 192,239,100,163,0,58,205,242,221,178,117,27,149,189,
>
> 12,240,147,217,61,4,234,76,231,132,117,189,32,209,
>                            115,85,22,18,239,192,240>>,
>                          0,
>                          <<0,57>>,
>                          undefined,false,undefined},
>                      294932,ssl_session_cache,
>                      {3,1},
>                      undefined,false,dhe_rsa,
>                      {{1,2,840,113549,1,1,1},
>                       {'RSAPublicKey',
>
> 23985332548066223260322774259983152247797545948725977981875025710391659706585537937762959847062338790405599724727995315638420544358206480001280868527351317937548968876345931793589896941602423200065683725877315198229678655238870730302517002323138774678006366072941089637364098826231863208669397304033591358850613302169833622263116162988138227035449809879884230462587875848694948534737421208621472209080883099703159964364087058652885206739036200595109009813390823243309991477889022926642506234188064656504587631372428472973627488535282906583541347813283001630133822872906001289445314889618418076221729617745551234209087,
>                           65537},
>                       'NULL'},
>                      {'RSAPrivateKey','two-prime',
>
> 24245061150388932126267388211561744501091175463407888595224551795663243174179988206545263128427895384819161106685261774299926886043886449727365149760320167454881950274766434421391227835510145242902399427836428837752665263535539327909106678269499287402480269087683223401095638029356908814821392014964348552872878386913883155024136808504734817452104655112897489194364101268365556518013584741158156036753091620252122206747573951286458946943600837100506515889843196447909183388855876119846269544345680287986326246932374547999824620904250547635320124126286130214850019238265403675412304909021441994637469225051132486193769,
>                          65537,
>
> 17328576366714496692349218475330937854580034940285470950591470934901841303717973474263189804212750777733407470562344122709047946491015536135000243830556128046052236642207219658092169355373769219262268513958316114396029626154205985299761446462633567621642404814626392226234352822575140238263100590093306842930006045435892856121601423729512197996242068235270905851036153226021734054606688010693704177209978560595698319274376708915898529303563327262255759966796798795075686111639483078123875727747288297150915376929152726694642421456339054268945476553274267673852919202129038846069271873486039976781207205533522013452901,
>
> 175370494815195674207106911731501626457371590465889564240336423322818657338712687959781189374639152154813531306121219213930531469102050716841885921299604376592875157055568786704961285756158968740499753148009889247438281864458144963953290691240618002674486253789360979786944138116053414853181637891019175023947,
>
> 138250514580221862655892174736393256109561741620998730071324163294133331805750724515526687394456291120722335476788733177943715853063937025485775099007036433458977246157028955416570452620946072552127788423550793775405053948011855722670612242672683268700825660765387097861823041722523099578698965460097679657627,
>
> 142026097972310688682979178892246827377686719495362230673056380430625800035239858799660442303559022228189923060312340067421103929903114940371087128780655231274599719790063153991676842131832299691331078598101421818164307921296069428060253852454141036512977896548882667244027756452807590319170371129342718366281,
>
> 65422024332459841410915727224312434986737847214429003703281753455925004490467174563987200454159832713230111084450752735822031215207773913535717886773963118709481076873642964956194202467818187406490060612777221529161190443408939706229819758029936161438862111743243512305853456718199015628335001843447355527747,
>
> 96692327788712893502227594737656137616777825297927354007039082535604854560178523094918225407406512660518516707411647582424617277816228673283401730456439499912365000393053010166088811818218189984574138829734660366829219694139224814835276610527380177578913321283217512483858915039007177988094558316513780160433,
>                          asn1_NOVALUE},
>                      {'DHParameter',
>
> 179769313486231590770839156793787453197860296048756011706444423684197180216158519368947833795864925541502180565485980503646440548199239100050792877003355816639229553136239076508735759914822574862575007425302077447712589550957937778424442426617334727629299387668709205606050270810842907692932019128194467627007,
>                          2,asn1_NOVALUE},
>
> {<<0,0,0,128,42,92,72,253,178,119,231,149,208,224,184,195,
>
> 2,12,214,157,94,48,216,139,94,54,195,90,237,248,61,35,
>
> 73,227,11,233,89,182,207,43,216,239,223,47,78,186,249,
>
> 223,191,42,199,139,246,10,26,246,64,161,131,210,59,8,
>                         207,143,77,241,200,231,165,114,131,173,49,12,174,86,
>
> 243,21,240,218,153,61,142,225,144,44,97,205,94,146,14,
>
> 123,173,160,147,174,179,19,134,160,75,147,215,243,34,
>
> 67,171,218,101,134,50,112,3,248,40,18,46,190,50,53,69,
>                         80,243,194,54,162,75,122,225,69,191,217>>,
>
> <<0,0,0,128,108,57,203,135,98,244,98,181,102,201,31,96,
>                         95,187,67,232,64,61,39,6,38,213,166,214,127,108,94,
>
> 230,39,199,145,16,194,86,68,250,69,141,221,241,87,166,
>
> 81,101,78,204,176,32,74,30,152,23,114,104,225,230,194,
>                         189,126,121,214,84,227,4,147,94,63,105,129,185,189,
>
> 175,250,36,16,110,165,122,184,49,73,89,226,148,192,79,
>
> 96,248,191,190,116,209,246,242,56,130,10,65,97,89,221,
>                         234,85,120,34,240,170,224,133,195,255,196,58,212,96,
>
> 233,34,160,182,220,123,171,219,109,43,188,240,120>>},
>                      undefined,#Ref<0.0.0.8310>,
>                      {<0.1801.0>,#Ref<0.0.0.8318>},
>                      0,<<>>,true,
>                      {false,first},
>                      false,
>                      {[],[]},
>                      false}
> ** Reason for termination =
> ** {decrypt_failed,[{crypto,rsa_public_decrypt,
>
> [<<86,79,97,119,56,220,212,141,121,171,170,45,99,
>
> 158,180,65,155,20,158,110,113,113,205,252,0,175,
>
> 202,212,69,250,27,118,17,89,131,102,246,150,72,
>
> 74,115,26,88,155,52,193,129,163,57,97,69,40,47,
>
> 216,77,120,59,73,214,173,46,24,203,163,109,116,
>
> 172,240,129,40,245,230,84,7,159,230,152,230,36,
>
> 205,202,234,29,112,180,231,160,46,98,96,88,177,
>
> 133,184,13,64,25,48,209,188,28,118,125,14,8,183,
>
> 220,40,146,11,129,37,29,242,175,117,238,84,105,
>
> 81,222,97,253,29,199,106,161,91,229,86,118,121,
>                                76,223,9,82,229,222,144,242,18,65,15,104,222,
>                                218,238,207,154,43,36,22,28,223,32,79,18,163,
>
> 141,43,34,33,141,55,126,216,34,213,0,88,132,249,
>                                70,199,94,9,22,201,100,153,222,54,196,13,138,
>
> 254,175,18,94,5,81,36,49,239,200,164,3,35,227,
>
> 215,180,129,206,9,231,115,68,246,85,247,189,90,
>
> 107,57,31,76,117,158,41,167,185,217,186,39,171,
>
> 4,182,91,66,171,123,32,129,175,90,243,217,41,18,
>
> 16,80,217,104,104,98,184,34,233,98,98,157,190,
>                                14,136,137,128>>,
>                              [<<0,0,0,3,1,0,1>>,
>
> <<0,0,1,1,0,190,0,28,89,0,189,127,83,155,81,235,
>
> 193,186,105,224,229,114,20,147,7,203,135,145,
>
> 175,179,74,115,137,217,179,46,49,33,83,30,86,
>
> 32,155,97,177,70,12,87,5,33,124,3,131,208,19,
>
> 118,215,95,145,193,207,211,149,0,158,20,3,133,
>
> 178,174,238,7,147,205,225,11,50,58,113,4,187,
>                                 200,107,194,118,228,153,119,142,202,212,232,
>
> 111,238,143,149,0,240,149,144,31,155,235,119,
>
> 242,167,31,204,20,13,173,83,39,18,200,244,150,
>
> 207,229,103,83,58,216,250,208,252,232,175,56,
>                                 73,248,44,55,38,176,9,123,154,211,195,62,97,
>
> 197,194,234,18,186,40,237,125,123,63,242,164,
>                                 23,146,164,198,225,0,94,178,101,232,183,87,
>
> 153,207,90,128,63,109,177,132,144,205,127,41,
>                                 152,134,149,79,59,224,25,165,83,178,126,96,
>
> 220,209,53,165,13,126,95,193,235,94,92,31,201,
>
> 65,68,116,232,5,42,84,173,157,4,255,232,77,52,
>                                 164,103,201,255,162,250,59,47,45,164,81,61,
>
> 234,176,62,195,186,173,243,27,172,129,174,40,
>                                 187,164,7,169,184,96,68,31,244,150,24,140,5,
>                                 247,39,14,70,200,149,63>>],
>                              rsa_pkcs1_padding]},
>                     {ssl_handshake,certificate_verify,5},
>                     {ssl_connection,cipher,2},
>                     {ssl_connection,next_state,3},
>                     {ssl_connection,certify,2},
>                     {ssl_connection,next_state,3},
>                     {gen_fsm,handle_msg,7},
>                     {proc_lib,init_p_do_apply,3}]}
>
> I am attaching the Makefile which generates the certificates/keys using
> OpenSSL:
>
> # Generation of license manager certificates.
> # Self-signed CA key and certificate.
> $(LM_CERT_DIR)/Cooking-service-ca.crt:
> 	openssl genrsa -out $(LM_CERT_DIR)/Cooking-service-ca.key 2048
> 	openssl req -subj '/C=CZ/O=Cooking Service Development/OU=Certificate Authority/CN=Cooking-service-ca.com' \
> 		-new -key $(LM_CERT_DIR)/Cooking-service-ca.key \
> 		-out $(LM_CERT_DIR)/Cooking-service-ca.csr
> 	openssl x509 -req -days 1825 -in $(LM_CERT_DIR)/Cooking-service-ca.csr \
> 		-signkey $(LM_CERT_DIR)/Cooking-service-ca.key \
> 		-out $(LM_CERT_DIR)/Cooking-service-ca.crt
>
> # Client key.
> $(LM_CERT_DIR)/Manager-client.key:
> 	openssl genrsa -out $(LM_CERT_DIR)/Manager-client.key 2048
>
> # Erlang SSL_LM_CLIENTCERT_PATH = Manager-client.crt
> # Client certificate: first self-signed with the client key, then re-signed
> # with the CA key via -signkey.
> $(LM_CERT_DIR)/Manager-client.crt: $(LM_CERT_DIR)/Manager-client.key $(LM_CERT_DIR)/Cooking-service-ca.crt
> 	openssl req -subj '/C=CZ/O=Soemsatu Cabu/OU=ICT/CN=ict.com' -new \
> 		-key $(LM_CERT_DIR)/Manager-client.key \
> 		-out $(LM_CERT_DIR)/Manager-client.csr
> 	openssl x509 -req -days 1825 -in $(LM_CERT_DIR)/Manager-client.csr \
> 		-signkey $(LM_CERT_DIR)/Manager-client.key \
> 		-out $(LM_CERT_DIR)/Manager-client-tmp.crt
> 	openssl x509 -days 1825 -in $(LM_CERT_DIR)/Manager-client-tmp.crt \
> 		-signkey $(LM_CERT_DIR)/Cooking-service-ca.key \
> 		-out $(LM_CERT_DIR)/Manager-client.crt
> 	rm -f $(LM_CERT_DIR)/Manager-client-tmp.crt
>
> ---------- Original message ----------
> From: Ingela Andin
> Date: 21. 11. 2012
> Subject: Re: [erlang-questions] ssl:peercert returns no_peercert on server,
> but works on client
> Hello!
>
> 2012/11/20,  :
>> Hello.
>>
>> I am writing a client-server application which communicates over SSL.
>>
>> When the SSL connection is successfully established, the server attempts
>> to retrieve the client certificate with ssl:peercert/1 - but on the server
>> the function always returns a no_peercert error. The client gives PEM
>> certificate and key paths when it requests connection upgrade to SSL:
>>
>>     SslOptions = [{cacertfile, ?SSL_CACERT_PATH}, {certfile, ?SSL_CERT_PATH},
>>                   {keyfile, ?SSL_KEY_PATH}],
>>     SslConnectResult = ssl:connect(Socket, SslOptions),
>>     ?assertMatch({ok, _}, SslConnectResult),
>>     ....
>>
>> In an attempt to find what is wrong, I tried to reverse the client and
>> server roles - and the peer certificate can be retrieved successfully on
>> the client. In this case the connection is upgraded to SSL with exactly the
>> same SslOptions on the server. The peer certificate can be retrieved
>> successfully on the client:
>>     ...
>>     ?assertMatch({ok, _}, ssl:peercert(SslSocket)),
>>
>> and the server code contains basically
>>
>>     SslOptions = [{cacertfile, ?SSL_CACERT_PATH}, {certfile, ?SSL_CERT_PATH},
>>                   {keyfile, ?SSL_KEY_PATH}],
>>     {ok, SslSocket} = ssl:ssl_accept(Socket, SslOptions, infinity),
>>     ...
>>
>> Is the failing ssl:peercert/1 on the server a bug/missing implementation,
>> or am I missing something? The Erlang distribution is R14B04.
>>
>> Thanks, Jan
>> _______________________________________________
>> erlang-questions mailing list
>> 
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>
> Well we have a reported issue that is similar to what you describe,
> but we have not been able to reproduce it yet. However in your case
> it probably depends on the fact that you have not specified that the
> server should verify the client, {verify, verify_peer}; by default the
> server will not request a client certificate.
>
> Regards Ingela Erlang/OTP team - Ericsson AB
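The server-side configuration Ingela is asking for, as an added example that is not code from this thread or from Erlang/OTP: the server requests a client certificate, refuses clients that send none, validates the chain against the CA with a verify_fun that fails on every path-validation error, and only then reads the peer certificate and pulls the subject CN out of it for its role decision. The module and function names are assumptions; the certificate, key and CA file paths are passed in as arguments. It uses ssl:ssl_accept/3 as the thread does (R14B04); on OTP 21 and later the same call is ssl:handshake/3.

```erlang
%% ssl_client_auth_example.erl -- added example, not from the thread.
%% Assumes the ssl application has been started (ssl:start()).
-module(ssl_client_auth_example).
-export([server_options/3, verify_fun/0, accept_and_identify/2, peer_cn/1]).

-include_lib("public_key/include/public_key.hrl").

%% Server options that actually authenticate the client:
%%   verify_peer           - request a client certificate
%%   fail_if_no_peer_cert  - abort the handshake if the client sends none
%%   cacertfile            - the CA the client certificate must chain to
%%   verify_fun            - fail on every path-validation error
server_options(CertFile, KeyFile, CaCertFile) ->
    [{certfile, CertFile},
     {keyfile, KeyFile},
     {cacertfile, CaCertFile},
     {verify, verify_peer},
     {fail_if_no_peer_cert, true},
     {verify_fun, verify_fun()}].

%% Path-validation callback: reject every bad_cert reason, leave unknown
%% extensions to the default handling, accept a validated chain.
verify_fun() ->
    {fun(_Cert, {bad_cert, _} = Reason, _UserState) ->
             {fail, Reason};
        (_Cert, {extension, _}, UserState) ->
             {unknown, UserState};
        (_Cert, valid, UserState) ->
             {valid, UserState};
        (_Cert, valid_peer, UserState) ->
             {valid, UserState}
     end,
     []}.

%% Upgrade an accepted TCP socket to SSL and return the client's subject CN.
%% With fail_if_no_peer_cert the no-certificate case surfaces here as a
%% handshake error rather than as {error, no_peercert} later.
accept_and_identify(TcpSocket, SslOptions) ->
    case ssl:ssl_accept(TcpSocket, SslOptions, 5000) of
        {ok, SslSocket} ->
            case ssl:peercert(SslSocket) of
                {ok, DerCert} ->
                    {ok, SslSocket, peer_cn(DerCert)};
                {error, Reason} ->
                    ssl:close(SslSocket),
                    {error, Reason}
            end;
        {error, Reason} ->
            {error, Reason}
    end.

%% Extract the subject commonName from a DER-encoded certificate.
peer_cn(DerCert) ->
    OtpCert = public_key:pkix_decode_cert(DerCert, otp),
    Tbs = OtpCert#'OTPCertificate'.tbsCertificate,
    {rdnSequence, Rdns} = Tbs#'OTPTBSCertificate'.subject,
    Cns = [V || [#'AttributeTypeAndValue'{type = ?'id-at-commonName',
                                         value = V}] <- Rdns],
    case Cns of
        [{utf8String, Bin} | _]      -> unicode:characters_to_list(Bin);
        [{printableString, Str} | _] -> Str;
        [{_OtherType, Str} | _]      -> Str;
        []                           -> undefined
    end.
```

Usage: `ssl_client_auth_example:accept_and_identify(Socket, ssl_client_auth_example:server_options("../cert/server.crt", "../cert/server.key", "../cert/ca.crt"))` after `gen_tcp:accept/1`. The CA file must contain the issuer of the client certificate; without it path validation ends in a bad_cert reason and the handshake fails, which is the intended outcome for an unknown client. One caveat on the certificate generation quoted above: `openssl x509 -signkey` makes the input certificate self-issued and replaces its public key with the one belonging to the supplied key, so a client certificate re-signed that way with the CA key no longer carries the client's own public key; that mismatch between the key the client signs CertificateVerify with and the key in its certificate is consistent with the rsa_public_decrypt decrypt_failed in the crash dump. Signing a CSR with `openssl x509 -req -CA ca.crt -CAkey ca.key` instead keeps the client's key in the certificate and produces a proper chain.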



More information about the erlang-questions mailing list