[erlang-questions] SSL peer verification in httpc with Mozilla's certificate store

Eric Meadows-Jönsson eric.meadows.jonsson@REDACTED
Fri Sep 12 15:53:00 CEST 2014


Great, that looks like exactly what we need! Thanks Ingela.

I found the commit on the OTP repo, but could not find the branch it
belonged to. Do you know when when it will be available and which release
it will be part of?

On Fri, Sep 12, 2014 at 10:28 AM, Ingela Andin <ingela.andin@REDACTED>
wrote:

> Hi!
>
> When it comes to when to stop the path validation there is no clear answer
> that will always cut it and TLS, X509 RFC are not always in total
> agreement. Even the same
> RFC is sometimes contradicting itself. The issue you are describing has
> been addressed in the latest version of the ssl application.
>
> See commit 1c9e0651c4917b63f49d8505dba7e820da8e32d2,  where I added a new
> option partial_chain that lets the user decide which certificate in the
> chain that shall be
> considered the trusted anchor if the whole chain can not be validated.
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
> 2014-09-10 10:16 GMT+02:00 Eric Meadows-Jönsson <
> eric.meadows.jonsson@REDACTED>:
>
>> We are using httpc with the `{verify, verify_peer}` option for SSL
>> connections. We also provide CA certificates through the `cacertfile`
>> option. The certificate store we are using is from Mozilla [1] where we
>> extract all certificates that been set as trusted for issuing new
>> certificates.
>>
>> Using this set of certificates, when accessing https://s3.amazonaws.com,
>> gives us the following error:
>>
>>     17:03:17.397 [error] SSL: :certify: ssl_handshake.erl:1389:Fatal
>> error: unknown ca
>>
>> Using the same certificate file with curl, python's built-in http client
>> or ruby's http client produces no error and the connection is successful. I
>> believe this happens because the root certificate in amazon's certificate
>> chain is not include the certificate file. The intermediate certificate is
>> included though, so it is trusted. It seems erlang's SSL implementation
>> does not handle this scenario even though most HTTP clients and browsers
>> do. From what I can read about path validation it is recommended to stop
>> validation when a trusted certificate is found in the chain and not
>> continue to the root and check it as well.
>>
>> --
>> Eric Meadows-Jönsson
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>>
>


-- 
Eric Meadows-Jönsson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20140912/5a5ffa24/attachment.htm>


More information about the erlang-questions mailing list