[erlang-questions] using bundled certificates in the ssl:ssl_accept upgrade function

Daniel Barney dan353hehe@REDACTED
Fri Nov 30 22:04:18 CET 2012


Hello,

I am using erlang on a server that has quite a few IPs, and I need to
serve out a different certificate based on which IP the client
connects to.

So I am upgrading a tcp socket based on the IP that the client is
connecting to. Unfortunately I have only managed to get this to work
with certificates that don't have other certificates bundled with
them.

Am I just doing this wrong?

So here is how I tried the first time. This establishes the encrypted
connection, but it doesn't serve the bundled certificates, just the
first one.

{ok, BundleFileData} = file:read_file("/mnt/ssl/mycert.bundle.crt"),
%% notice how I only grab the first one, which is why it can only serve
%% the first one in the chain
[{_, TheCert, _} | _] = public_key:pem_decode(BundleFileData),
Certs = [{cert, TheCert}, {keyfile, "/mnt/ssl/mycert.key"}],
%% Socket is opened somewhere else
{ok, SslSocket} = ssl:ssl_accept(Socket, [{active, false}, {verify, verify_none}] ++ Certs)

I tried to verify the connection with the following command:
openssl s_client -showcerts -connect 127.0.0.1:4430

but the cert is never trusted because only it is served and never the
bundled certs, and I expect that the cert will not be trusted because I
am only giving it the first one.

And I get this:
CONNECTED(00000003)
depth=0 %% removed because it is not my cert
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 %% removed because it is not my cert
verify error:num=27:certificate not trusted
verify return:1
depth=0 %% removed because it is not my cert
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 %% removed because it is not my cert
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
%% some more stuff removed
Verify return code: 21 (unable to verify the first certificate)


And when I switch to just loading the file from disk, it returns an
ecertfile error:


Certs = [{certfile, "/mnt/ssl/mycert.bundle.crt"}, {keyfile, "/mnt/ssl/mycert.key"}],
%% Socket is opened somewhere else
{error, ecertfile} = ssl:ssl_accept(Socket, [{active, false}, {verify, verify_none}] ++ Certs)

I've checked and the file does exist at the path, and I have used the
same cert bundle in a Node.js project before, so I know it's not the
certificate.


So my question is, am I doing this completely wrong? I can't manage to
find anything on the manual page for ssl to indicate that bundled
certs wouldn't work in erlang, and I can't imagine that erlang does
not support bundled certificates. So I have to be doing this wrong.

Any help would be much appreciated on figuring this out.

Daniel
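Added example (editor's code, not part of Daniel's post or of OTP itself): one way to serve the whole chain is to decode every 'Certificate' entry in the bundle, hand the first one to ssl as {cert, Der} and the remaining ones as {cacerts, [Der]}; ssl builds the chain it sends to the client from the certificate plus whatever issuers it finds in cacerts/cacertfile. The module assumes the bundle lists the leaf first followed by its intermediates (the usual layout for a CA-supplied bundle), that the key file is an unencrypted PEM key, and that the per-IP lookup list IpToFiles is built by the caller; the paths are placeholders. ssl:ssl_accept/3 is used because that is the API in the post; newer OTP releases replace it with ssl:handshake/3 and also accept a list of DER certificates directly in the cert option, so check the ssl man page for the release you run.

```erlang
%% ssl_bundle_example.erl -- added example, not from the original post.
-module(ssl_bundle_example).
-export([chain_options/2, accept_with_chain/3]).

%% Read a PEM bundle (leaf first, then intermediates) and a PEM private
%% key and turn them into ssl options that make the server send the
%% whole chain: the leaf goes in {cert, Der}, the intermediates in
%% {cacerts, [Der]}, from which ssl looks up the issuers when it builds
%% the chain for the handshake.
chain_options(BundlePath, KeyPath) ->
    {ok, BundleBin} = file:read_file(BundlePath),
    Certs = [Der || {'Certificate', Der, not_encrypted}
                        <- public_key:pem_decode(BundleBin)],
    case Certs of
        [] ->
            erlang:error({no_certificates_in, BundlePath});
        [Leaf | Intermediates] ->
            {ok, KeyBin} = file:read_file(KeyPath),
            %% Keep only unencrypted private-key entries of a type ssl
            %% accepts in its key option; an encrypted key shows up as
            %% {Type, Der, {Cipher, Salt}} and is rejected here.
            KeyTypes = ['RSAPrivateKey', 'DSAPrivateKey',
                        'ECPrivateKey', 'PrivateKeyInfo'],
            case [E || {T, _, not_encrypted} = E <- public_key:pem_decode(KeyBin),
                       lists:member(T, KeyTypes)] of
                [{KeyType, KeyDer, not_encrypted} | _] ->
                    [{cert, Leaf},
                     {key, {KeyType, KeyDer}},
                     {cacerts, Intermediates}];
                [] ->
                    erlang:error({no_usable_private_key_in, KeyPath})
            end
    end.

%% Upgrade an accepted TCP socket to TLS using the chain configured for
%% the local IP the client connected to. IpToFiles is an assumed list of
%% {LocalIpTuple, {BundlePath, KeyPath}} built by the caller, e.g.
%%   [{{10,0,0,1}, {"/mnt/ssl/a.bundle.crt", "/mnt/ssl/a.key"}},
%%    {{10,0,0,2}, {"/mnt/ssl/b.bundle.crt", "/mnt/ssl/b.key"}}]
%% The socket is expected to be a passive ({active, false}) gen_tcp
%% socket, as in the original post.
accept_with_chain(Socket, IpToFiles, Timeout) ->
    {ok, {LocalIp, _Port}} = inet:sockname(Socket),
    case lists:keyfind(LocalIp, 1, IpToFiles) of
        {LocalIp, {BundlePath, KeyPath}} ->
            SslOpts = [{active, false}, {verify, verify_none}
                       | chain_options(BundlePath, KeyPath)],
            ssl:ssl_accept(Socket, SslOpts, Timeout);
        false ->
            {error, {no_certificate_for_ip, LocalIp}}
    end.
```

To check the result, run the same command as in the post, openssl s_client -showcerts -connect 127.0.0.1:4430, and look at the "Certificate chain" section: with the intermediates in cacerts it should list entries 1, 2, ... with the intermediate CA subjects after entry 0, and "unable to get local issuer certificate" at depth 0 should go away. Whether the final verify return code is 0 still depends on the root in the client's trust store, which the server cannot influence.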


