[erlang-questions] ssl_upgrade_failure with particular SSL certificate

Ingela Andin ingela.andin@REDACTED
Tue Apr 2 11:45:55 CEST 2013


Hi!

This is because of some software does not use the PKCS-standard oids
but alternative ISO-oids. In the upcoming version of public_key and ssl
this is solved by handling these alternative oids see commit:
006f45a738a6612958381b2fcbf48586c008d911

Regards Ingela Erlang/OTP team - Ericsson AB


2013/3/29, Scott Baldwin <arrogantparagon@REDACTED>:
> I am trying to configure SSL for connections to my RabbitMQ broker. I
> realize that this is not the RabbitMQ mailing list, but I think that my
> problem is related specifically to Erlang's SSL implementation. I was able
> to get it working with a certificate/key pair created directly with
> OpenSSL; however, when I converted a certificate made with makecert.exe to
> PEM format and try to use that, the client fails to connect and the server
> logs an ssl_upgrade_failure. It seems that there is something about my
> certificate that Erlang doesn't like.
>
> I am using Erlang R16B.
>
> Here is my certificate:
>
> -----BEGIN CERTIFICATE-----
> MIIDTzCCAjugAwIBAgIQYuux7Ob2BL5PUnDLgT/igTAJBgUrDgMCHQUAMCgxJjAk
> BgNVBAMTHUVsbGtheSBTdGFnaW5nIFJvb3QgQXV0aG9yaXR5MB4XDTEyMDgxNTE1
> MTMzN1oXDTM5MTIzMTIzNTk1OVowMzExMC8GA1UEAx4oACoALgBsAGsAYwBsAG8A
> dQBkAHMAdABhAGcAaQBuAGcALgBjAG8AbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
> ADCCAQoCggEBANhryzuSNbDOUVqD7Oby/z+JNjICGemlpP0qmcAZ8JbE7ci/l5eu
> BYwIyKy/LvjYYV6Z8ZlMKIbzmEgKxGCmSZjTcg08QXxG7CXpJfls/1ycv8Le7Tz0
> ep2mzBnFhkOCNDQz2zAOiI/K6gwB0D2tv3O+j3ytnME8w+To5epzZSnfGHRIutQ4
> jC7rVz8T1oLixYynQ39tG6L5ALmu5u1DZTRYmzaIbF16c6dy1m8OCqAvQ3LnykZq
> rukjjaLDlJT6ZbUUXaZeGS2avf8ZM0f+HlrdDR+IFC/CxipxzHa6kStc+1dZVgqj
> jT7ql9nEQ/8DaXmF4C749ELbtWOlSB/ElwUCAwEAAaNyMHAwEwYDVR0lBAwwCgYI
> KwYBBQUHAwEwWQYDVR0BBFIwUIAQx8ryGLLGJ2Qr6NrWGYDWT6EqMCgxJjAkBgNV
> BAMTHUVsbGtheSBTdGFnaW5nIFJvb3QgQXV0aG9yaXR5ghAu7ZXj5fLAu0CXveR3
> xHi0MAkGBSsOAwIdBQADggEBACiAPScOR/DViwY4ZDVSxeGFqezh6ubWt4aqrYlt
> h6ODWF1T0uUjf/VKksPtXlAxAz1F7IHmf80VAGPY18ZmH9JvnVz67PdGcKi6RMHY
> vpBT79vbv0/+9TXxdIl2+qafuVb5ckmSlq1pIslnlZszt32pwrSYDvLihfRLStvV
> MzKtUGRsug/eUeuCQBAalAHmuNh77bC6Bnp2ZMg/7HEb0bqXQS1mOupiN3Ylpe/y
> r3pT7+xLzyzX4NY7GyYVO2VPnz2kvNbrTsTPWO7y1NQc3tDbRIwQeCqpYditByVN
> cS/zgODqcpH1NipIfL/JTMFvA5O0jlgpSQDbRxiQELjJ9ms=
> -----END CERTIFICATE-----
>
> Here is the relevant part of the log from RabbitMQ:
>
> =INFO REPORT==== 28-Mar-2013::20:46:52 ===
> accepting AMQP connection <0.301.0> (192.168.51.234:50804 ->
> 192.168.51.153:5671)
>
> =ERROR REPORT==== 28-Mar-2013::20:46:52 ===
> ** State machine <0.302.0> terminating
> ** Last message in was {tcp,#Port<0.15153>,
>
> <<22,3,0,0,53,1,0,0,49,3,0,81,84,228,150,220,41,
>
> 203,120,104,165,175,147,215,108,167,136,54,238,
>
> 178,50,70,122,181,212,166,114,251,121,27,202,52,
>                               143,0,0,10,0,5,0,10,0,19,0,4,0,255,1,0>>}
> ** When State == hello
> **      Data  == {state,server,
>                      {#Ref<0.0.0.1972>,<0.301.0>},
>                      gen_tcp,tcp,tcp_closed,tcp_error,"localhost",5671,
>                      #Port<0.15153>,
>                      {ssl_options,[],verify_none,
>                          {#Fun<ssl.1.131723950>,[]},
>                          false,false,undefined,1,
>
>  <<"C:/Users/ScottB/AppData/Roaming/RabbitMQ/lkcloudstaging_cer.pem">>,
>                          undefined,
>
>  <<"C:/Users/ScottB/AppData/Roaming/RabbitMQ/server/key.pem">>,
>                          undefined,undefined,undefined,<<>>,undefined,
>                          undefined,
>                          [<<0,107>>,
>                           <<0,106>>,
>                           <<0,61>>,
>                           <<0,103>>,
>                           <<0,64>>,
>                           <<0,60>>,
>                           <<0,57>>,
>                           <<0,56>>,
>                           <<0,53>>,
>                           <<0,22>>,
>                           <<0,19>>,
>                           <<0,10>>,
>                           <<0,51>>,
>                           <<0,50>>,
>                           <<0,47>>,
>                           <<0,5>>,
>                           <<0,4>>,
>                           <<0,21>>,
>                           <<0,9>>],
>
>  #Fun<ssl.0.131723950>,true,268435456,false,undefined,
>                          undefined,false,undefined,undefined},
>                      {socket_options,binary,0,0,0,false},
>                      {connection_states,
>                          {connection_state,
>                              {security_parameters,
>                                  <<0,0>>,
>                                  0,0,0,0,0,0,0,0,0,0,0,undefined,undefined,
>                                  undefined,undefined},
>                              undefined,undefined,undefined,0,undefined,
>                              undefined,undefined},
>                          {connection_state,
>                              {security_parameters,undefined,0,undefined,
>                                  undefined,undefined,undefined,undefined,
>                                  undefined,undefined,undefined,undefined,
>                                  undefined,undefined,undefined,
>
>  <<81,84,228,124,31,218,166,3,48,108,125,182,
>
>  121,180,129,153,59,55,16,200,98,117,189,183,
>                                    170,169,208,189,111,61,67,162>>,
>                                  undefined},
>                              undefined,undefined,undefined,undefined,
>                              undefined,undefined,undefined},
>                          {connection_state,
>                              {security_parameters,
>                                  <<0,0>>,
>                                  0,0,0,0,0,0,0,0,0,0,0,undefined,undefined,
>                                  undefined,undefined},
>                              undefined,undefined,undefined,0,undefined,
>                              undefined,undefined},
>                          {connection_state,
>                              {security_parameters,undefined,0,undefined,
>                                  undefined,undefined,undefined,undefined,
>                                  undefined,undefined,undefined,undefined,
>                                  undefined,undefined,undefined,
>
>  <<81,84,228,124,31,218,166,3,48,108,125,182,
>
>  121,180,129,153,59,55,16,200,98,117,189,183,
>                                    170,169,208,189,111,61,67,162>>,
>                                  undefined},
>                              undefined,undefined,undefined,undefined,
>                              undefined,undefined,undefined}},
>                      [],<<>>,<<>>,
>                      {[],[]},
>                      [],311374,
>                      {session,undefined,undefined,
>
>  <<48,130,3,79,48,130,2,59,160,3,2,1,2,2,16,98,235,177,
>
>  236,230,246,4,190,79,82,112,203,129,63,226,129,48,9,
>
>  6,5,43,14,3,2,29,5,0,48,40,49,38,48,36,6,3,85,4,3,
>
> 19,29,69,108,108,107,97,121,32,83,116,97,103,105,
>
>  110,103,32,82,111,111,116,32,65,117,116,104,111,114,
>
>  105,116,121,48,30,23,13,49,50,48,56,49,53,49,53,49,
>
>  51,51,55,90,23,13,51,57,49,50,51,49,50,51,53,57,53,
>
>  57,90,48,51,49,49,48,47,6,3,85,4,3,30,40,0,42,0,46,
>
> 0,108,0,107,0,99,0,108,0,111,0,117,0,100,0,115,0,
>
>  116,0,97,0,103,0,105,0,110,0,103,0,46,0,99,0,111,0,
>
>  109,48,130,1,34,48,13,6,9,42,134,72,134,247,13,1,1,
>
>  1,5,0,3,130,1,15,0,48,130,1,10,2,130,1,1,0,216,107,
>
>  203,59,146,53,176,206,81,90,131,236,230,242,255,63,
>
> 137,54,50,2,25,233,165,164,253,42,153,192,25,240,
>
>  150,196,237,200,191,151,151,174,5,140,8,200,172,191,
>
>  46,248,216,97,94,153,241,153,76,40,134,243,152,72,
>
>  10,196,96,166,73,152,211,114,13,60,65,124,70,236,37,
>
> 233,37,249,108,255,92,156,191,194,222,237,60,244,
>
>  122,157,166,204,25,197,134,67,130,52,52,51,219,48,
>
>  14,136,143,202,234,12,1,208,61,173,191,115,190,143,
>
>  124,173,156,193,60,195,228,232,229,234,115,101,41,
>
> 223,24,116,72,186,212,56,140,46,235,87,63,19,214,
>
>  130,226,197,140,167,67,127,109,27,162,249,0,185,174,
>
>  230,237,67,101,52,88,155,54,136,108,93,122,115,167,
>
>  114,214,111,14,10,160,47,67,114,231,202,70,106,174,
>
>  233,35,141,162,195,148,148,250,101,181,20,93,166,94,
>
>  25,45,154,189,255,25,51,71,254,30,90,221,13,31,136,
>
>  20,47,194,198,42,113,204,118,186,145,43,92,251,87,
>
> 89,86,10,163,141,62,234,151,217,196,67,255,3,105,
>
>  121,133,224,46,248,244,66,219,181,99,165,72,31,196,
>
>  151,5,2,3,1,0,1,163,114,48,112,48,19,6,3,85,29,37,4,
>
>  12,48,10,6,8,43,6,1,5,5,7,3,1,48,89,6,3,85,29,1,4,
>
> 82,48,80,128,16,199,202,242,24,178,198,39,100,43,
>
>  232,218,214,25,128,214,79,161,42,48,40,49,38,48,36,
>
>  6,3,85,4,3,19,29,69,108,108,107,97,121,32,83,116,97,
>
>  103,105,110,103,32,82,111,111,116,32,65,117,116,104,
>
>  111,114,105,116,121,130,16,46,237,149,227,229,242,
>
>  192,187,64,151,189,228,119,196,120,180,48,9,6,5,43,
>
> 14,3,2,29,5,0,3,130,1,1,0,40,128,61,39,14,71,240,
>
>  213,139,6,56,100,53,82,197,225,133,169,236,225,234,
>
>  230,214,183,134,170,173,137,109,135,163,131,88,93,
>
>  83,210,229,35,127,245,74,146,195,237,94,80,49,3,61,
>
>  69,236,129,230,127,205,21,0,99,216,215,198,102,31,
>
> 210,111,157,92,250,236,247,70,112,168,186,68,193,
>
> 216,190,144,83,239,219,219,191,79,254,245,53,241,
>
>  116,137,118,250,166,159,185,86,249,114,73,146,150,
>
>  173,105,34,201,103,149,155,51,183,125,169,194,180,
>
>  152,14,242,226,133,244,75,74,219,213,51,50,173,80,
>
> 100,108,186,15,222,81,235,130,64,16,26,148,1,230,
>
> 184,216,123,237,176,186,6,122,118,100,200,63,236,
>
> 113,27,209,186,151,65,45,102,58,234,98,55,118,37,
>
> 165,239,242,175,122,83,239,236,75,207,44,215,224,
>
>  214,59,27,38,21,59,101,79,159,61,164,188,214,235,78,
>
>  196,207,88,238,242,212,212,28,222,208,219,68,140,16,
>
> 120,42,169,97,216,173,7,37,77,113,47,243,128,224,
>
>  234,114,145,245,54,42,72,124,191,201,76,193,111,3,
>
>  147,180,142,88,41,73,0,219,71,24,144,16,184,201,246,
>                            107>>,
>                          undefined,undefined,undefined,new,63531722812},
>                      323665,ssl_session_cache,undefined,undefined,false,
>                      undefined,undefined,undefined,
>                      {'RSAPrivateKey','two-prime',
>
> 25091000490399564416382733665912293706281236323287507449391018333858706088067104372951637210440828548699801793107621328582247328739957168356535343760898421117596223923057958675108280840952652110424468556362893842108742460936250265912296002218912760264533284800177616747391132407486580757942725318853670784742540298023139943942002078742079335138046822007139070167779479715409389988021492873379536675527198388004784204705449619014967663111341423672277165259908002197645143645833929707716094821495848245665580802072300300901995696081299311434728567907957618159230597695337971845318310069905698028328520007565703331606819,
>                          65537,
>
> 12532291835951284642352753464759952731760837234028003552929880741268762456120795803045590924921343389430997938501684187097537025786559622030041471881063352256944852432936802405831735737793065202597533511207149656340503466992496089298764016305810310122514496309703131156584850210212028846765905833153120519214366483351036620512028360903366902227866159233021509892771286294064778569099266243884082209785268720465970929381008430443130075496396131177443808450873061131440124680376808011317874020764946935204300278562787258089499308485762628408971801392792765876969493808892573747399158232707154902628249712310347508330481,
>
> 164613524625768478096728511491146234379950805547018160443402940694931123301226530314268605486708880647658162742710176890755691202467149416112553065729831746391569481381229328262217225008710581122456985360175690217141752754366597025760074826970126144030433840076718674219450293036228318089528491377991378917023,
>
> 152423687831490839453627602007609954938806264385151113997291723876694061058672531571680491904693205860873313947735180318401018227463103944680073963443527347105243646402511993135691316201430837009543216841366727950952917475175355759283610454988240555587842851002909990207473661609226206434152468235025307200253,
>
> 103984547751379971996375538203182369609466154978729646218112491292391375460388439026510307132524542623745369476562226118076733144497574174552444945117251391868174999766567175194585209852993108440859312097378784492720927449807326399887717438420071901928924585277569562140638458907286206884483421800776127924467,
>
> 39507777060187907438527428403852332339678380351718296130002815409515266417499584872791499702229633458331247753638059539934359165508273901891762155988452310073344428665326017782260225343145179490686339388197454990354108505894437772295812911773276810317388444847741459078907412450309375905167279214922484907925,
>
> 140777917719684893441642072243040594921813463059778562021367548768326948139714681618402000290527139618053328133891840461484222782830228667641262369743730585486629970714763524415800836168519782394433537656246543908266747427470739521793087643652694808980372432733634387874662999415574210646072641560865328049441,
>                          asn1_NOVALUE},
>                      {'DHParameter',
>
> 179769313486231590770839156793787453197860296048756011706444423684197180216158519368947833795864925541502180565485980503646440548199239100050792877003355816639229553136239076508735759914822574862575007425302077447712589550957937778424442426617334727629299387668709205606050270810842907692932019128194467627007,
>                          2,asn1_NOVALUE},
>                      undefined,undefined,315471,#Ref<0.0.0.1974>,undefined,
>                      <<>>,true,
>                      {false,first},
>                      {<0.301.0>,#Ref<0.0.0.1971>},
>                      #Ref<0.0.0.1980>,
>                      {[],[]},
>                      false,true,false,undefined}
> ** Reason for termination =
> ** {{badmatch,
>         {error,
>             {asn1,
>                 {'Type not compatible with table constraint',
>                     {{component,'Type'},
>                      {value,{5,<<>>}},
>                      {unique_name_and_value,id,{1,3,14,3,2,29}}}}}}},
>     [{public_key,pkix_decode_cert,2,[{file,"public_key.erl"},{line,218}]},
>      {ssl_cipher,filter,2,[{file,"ssl_cipher.erl"},{line,484}]},
>
>  {ssl_handshake,select_session,8,[{file,"ssl_handshake.erl"},{line,654}]},
>      {ssl_handshake,hello,4,[{file,"ssl_handshake.erl"},{line,178}]},
>      {ssl_connection,hello,2,[{file,"ssl_connection.erl"},{line,413}]},
>
>  {ssl_connection,next_state,4,[{file,"ssl_connection.erl"},{line,2001}]},
>      {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,494}]},
>      {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,239}]}]}
>
> =ERROR REPORT==== 28-Mar-2013::20:46:52 ===
> error on AMQP connection <0.301.0>: {ssl_upgrade_failure,
>                                      {{{badmatch,
>                                         {error,
>                                          {asn1,
>                                           {'Type not compatible with table
> constraint',
>                                            {{component,'Type'},
>                                             {value,{5,<<>>}},
>                                             {unique_name_and_value,id,
>                                              {1,3,14,3,2,29}}}}}}},
>                                        [{public_key,pkix_decode_cert,2,
>
>  [{file,"public_key.erl"},{line,218}]},
>                                         {ssl_cipher,filter,2,
>
>  [{file,"ssl_cipher.erl"},{line,484}]},
>                                         {ssl_handshake,select_session,8,
>                                          [{file,"ssl_handshake.erl"},
>                                           {line,654}]},
>                                         {ssl_handshake,hello,4,
>                                          [{file,"ssl_handshake.erl"},
>                                           {line,178}]},
>                                         {ssl_connection,hello,2,
>                                          [{file,"ssl_connection.erl"},
>                                           {line,413}]},
>                                         {ssl_connection,next_state,4,
>                                          [{file,"ssl_connection.erl"},
>                                           {line,2001}]},
>                                         {gen_fsm,handle_msg,7,
>
> [{file,"gen_fsm.erl"},{line,494}]},
>                                         {proc_lib,init_p_do_apply,3,
>
>  [{file,"proc_lib.erl"},{line,239}]}]},
>                                       {gen_fsm,sync_send_all_state_event,
>                                        [<0.302.0>,{start,5000},infinity]}}}
>
> Note that this certificate/key pair was created for testing purposes only,
> but I am concerned that our production certificate/key pair will fail in
> similar fashion.
>
> Thanks,
> Scott
>



More information about the erlang-questions mailing list