[erlang-questions] bad certificate if trying to verify StartSsl certificate

Ingela Andin ingela.andin@REDACTED
Tue Aug 11 09:34:19 CEST 2015


Hi!

2015-07-17 11:31 GMT+02:00 Alex Hudich <alttagil@REDACTED>:

> But it seems to me that there are some differences between 17.4 and 17.5
> which make 17.5 «more buggy»
>
> I prepared two files. cacert.pem.1 is an empty file with length 0, and
> cacert.pem is the one I’ve downloaded earlier. And here is the output of 17.5,
> which seems wrong to me.
>
> Lines 2 and 3 are ok. Line 4 is ok. But why did line 5 give me no error??
>
>
>
> Erlang/OTP 17 [erts-6.4] [source] [64-bit] [async-threads:10] [hipe]
> [kernel-poll:false]
>
> Eshell V6.4  (abort with ^G)
> 1> application:ensure_all_started(ssl).
> {ok,[crypto,asn1,public_key,ssl]}
> 2> ssl:connect( "www.nicemine.ru", 443,
> [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem.1"}]
> ).
>
> =ERROR REPORT==== 17-Jul-2015::13:26:45 ===
> SSL: certify: ssl_handshake.erl:1401:Fatal error: unknown ca
> {error,{tls_alert,"unknown ca"}}
> 3> ssl:connect( "www.nicemine.ru", 443,
> [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem.1"}]
> ).
>
> =ERROR REPORT==== 17-Jul-2015::13:26:48 ===
> SSL: certify: ssl_handshake.erl:1401:Fatal error: unknown ca
> {error,{tls_alert,"unknown ca"}}
> 4> ssl:connect( "www.nicemine.ru", 443,
> [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}]
> ).
> {ok,{sslsocket,{gen_tcp,#Port<0.1236>,tls_connection,
>                         undefined},
>                <0.53.0>}}
> 5> ssl:connect( "www.nicemine.ru", 443,
> [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem.1"}]
> ).
> {ok,{sslsocket,{gen_tcp,#Port<0.1243>,tls_connection,
>                         undefined},
>                <0.55.0>}}
>
>

This is because the SSL/TLS session established in 4 is reused to perform an
abbreviated handshake where the chain is not checked.



Regards Ingela Erlang/OTP team - Ericsson AB




> On 16 July 2015, at 21:16, Santiago Fernández <santif@REDACTED>
> wrote:
>
> can't reproduce:
>
> Erlang/OTP 17 [erts-6.4] [source] [64-bit] [smp:8:8] [async-threads:10]
> [kernel-poll:false]
>
> Eshell V6.4  (abort with ^G)
> 1> application:ensure_all_started(ssl).
> {ok,[crypto,asn1,public_key,ssl]}
> 2> ssl:connect( "www.nicemine.ru", 443,
> [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}]
> ).
> {ok,{sslsocket,{gen_tcp,#Port<0.821>,tls_connection,
>                         undefined},
>                <0.49.0>}}
>
>
>
>
>
> --
> Santiago
>
> On Thu, Jul 16, 2015 at 2:54 PM, Alex Hudich <alttagil@REDACTED> wrote:
>
>> Hi,
>>
>> It doesn’t help. Still {bad_cert,invalid_issuer}
>>
>>
>>
>> On 16 July 2015, at 20:29, Éric Pailleau <eric.pailleau@REDACTED>
>> wrote:
>>
>> Hi, try with depth = 3.   Depth 0 to depth 2 is 3.
>> Regards
>>
>> On 16 Jul 2015 15:15, Alex Hudich <alttagil@REDACTED> wrote:
>>
>>
>> When I tried to check connection with openssl command I’ve got w/o
>> cacert.pem file:
>>
>> $ openssl s_client -connect nicemine.ru:443 -verify 99
>> verify depth is 99
>> CONNECTED(00000003)
>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Certification Authority
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:1
>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Certification Authority
>> verify return:1
>> depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Class 1 Primary Intermediate Server CA
>> verify return:1
>> depth=0 /C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@REDACTED
>> verify return:1
>>
>>
>> and with it
>>
>> $ openssl s_client -connect nicemine.ru:443 -verify 99 -CAfile cacert.pem
>> verify depth is 99
>> CONNECTED(00000003)
>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Certification Authority
>> verify return:1
>> depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
>> Signing/CN=StartCom Class 1 Primary Intermediate Server CA
>> verify return:1
>> depth=0 /C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@REDACTED
>> verify return:1
>>
>> so cacert.pem file contains enough info for StartCom certificates to be
>> checked as valid.
>>
>>
>> Also I’ve tried to dig it more in erlang and I’ve found that I get error
>> in OTP 18 too.
>>
>> And the reason for bad certificate error is {bad_cert,invalid_issuer}
>>
>>
>>
>> I also tried to add
>> https://www.startssl.com/certs/sub.class1.server.ca.pem file to
>> cacert.pem but with no luck.
>>
>>
>>
>>
>>
>> On 16 July 2015, at 12:16, Alex Hudich <alttagil@REDACTED> wrote:
>>
>> Hi!
>>
>>
>>
>> wget http://curl.haxx.se/ca/cacert.pem
>>
>> and then
>>
>> ssl:connect( "www.nicemine.ru", 443,
>> [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}]
>> ).
>>
>> gives me {error,{tls_alert,"bad certificate"}}
>>
>>
>>
>> Why? Site can be opened ok in the browser.
>>
>> Erlang/OTP 17 [erts-6.3]
>>
>>
>>
>>
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>>
>
>
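The point above is that an abbreviated (resumed) handshake skips chain validation, so a shell test that runs several ssl:connect/3 calls against the same host can report {ok, _} for a CA file that would never validate in a full handshake. The following is an added example, not code from the thread or from OTP itself: it wraps the option list used in the thread and adds {reuse_sessions, false} so that each call performs a full handshake and the CA chain is checked every time. The module and function names (verify_full, connect/3) and the 5000 ms timeout are assumptions of this example.

```erlang
%% Added example (not code from the thread): force a full TLS handshake so
%% that the CA chain is verified on every ssl:connect/3 call, instead of
%% silently resuming a session that an earlier, successful connect created.
-module(verify_full).
-export([connect/3]).

%% Host, Port and CAFile are supplied by the caller. The option list mirrors
%% the one used in the thread; {reuse_sessions, false} is the addition that
%% prevents the client from offering a cached session id, which is what turned
%% shell line 5 in the thread into an unchecked abbreviated handshake.
connect(Host, Port, CAFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    Opts = [{verify, verify_peer},
            {server_name_indication, Host},
            {depth, 2},
            {cacertfile, CAFile},
            {reuse_sessions, false}],
    case ssl:connect(Host, Port, Opts, 5000) of
        {ok, Sock} ->
            %% Chain validated against CAFile in a full handshake.
            ssl:close(Sock),
            ok;
        {error, Reason} ->
            %% e.g. {tls_alert, "unknown ca"} for an empty or wrong CA file.
            {error, Reason}
    end.
```

With this option set, repeating the thread's sequence (a successful connect with cacert.pem followed by one with the empty cacert.pem.1) should yield the "unknown ca" alert on the second call rather than {ok, _}, because no session is resumed. When testing certificate validation in the shell without this option, restarting the ssl application between attempts has the same effect of discarding the client session cache.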