[erlang-questions] SSL: "unknown ca"

Ingela Andin ingela.andin@REDACTED
Sun Feb 1 19:04:35 CET 2015


Hi!

2015-01-30 21:37 GMT+01:00 e@REDACTED <e@REDACTED>:

> On 01/30/2015 09:18 PM, Ingela Andin wrote:
>
>> Hi!
>>
>> 2015-01-30 19:25 GMT+01:00 e@REDACTED <e@REDACTED>:
>>
>>  Hi, all.
>>>
>>> SSL: certify: ssl_alert.erl:92:Fatal error: unknown ca
>>>
>>> I know this issue generates thousands of "hits" in google-search
>>> yet google does not reveal a consistent explanation (not a recipe!)
>>>
>>> first of all: Unknown TO WHOM???
>>>
>>>
>>
>> To the client or server trying to verify its peer certificate.
>>
>
> since the error appears on the server side,
> may i deduce that the server (Erlang's ssl application)
> is trying to verify the client (a browser)?
>
>
No, the error does not appear on the server side. The error appears on the
client side that sends
a TLS alert message to the server side that will log the reason why the
client disconnects.



> in this case i want to know how to disable this feature.
> (i only need to verify the server by the client)


You did not enable client certification.



>  secondly: What CA will be considered known?
>>>
>>>
>> The root CA must be present in the verifier's CA database (cacertfile or
>> corresponding option for that client/server).
>>
>
> my 'cacertfile' (as given to the 'ssl' application) contains one and only
> one certificate which is self-signed.
>
>  what properties of CA are required?
>>> may we assume that "CA" and "a certificate file" are synonyms in the
>>> current context? otherwise, what is CA and how is it represented?
>>>
>>
>> Certificates and CA certificates are defined in RFC 5280. They are defined
>> as ASN.1 specifications and can normally be input as ASN.1 DER (binary
>> format) or
>> as a PEM file (a text file representation of the "DER-blob").
>>
>
> I was asking something else.
> When 'ssl' application complains about a "CA" does it mean a corresponding
> certfile that represents a CA or something else?
> (Does it consider any other data sources besides those files provided by
> me?)
>
>
>
No, but you are not doing client certification verification as you did not
enable it.


Regards Ingela Erlang/OTP team - Ericsson AB
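
The distinction drawn in this message, as an added Erlang example that is not part of the original e-mail or of OTP itself: the server only checks client certificates when that is switched on explicitly, while "unknown ca" is raised by whichever side is verifying its peer. The module name and all file names are assumptions chosen for illustration.

```erlang
-module(unknown_ca_demo).
-export([server_opts/0, client_auth_server_opts/0, client_opts/0, connect/2]).

%% All *.pem names are placeholders, not paths from the thread.
%% Call ssl:start() before using any of these options.

%% Server that only authenticates itself. The server-side default is
%% verify_none, so no client certificate is requested or checked.
%% An "unknown ca" entry in this server's log is an alert RECEIVED
%% from the client, which could not verify the server certificate.
server_opts() ->
    [{certfile, "server-cert.pem"},
     {keyfile,  "server-key.pem"}].

%% Server that also verifies clients. Only with these options does the
%% server itself act as a verifier and consult its own CA database.
client_auth_server_opts() ->
    server_opts() ++
        [{verify, verify_peer},
         {fail_if_no_peer_cert, true},
         {cacertfile, "client-ca.pem"}].  % roots trusted for client certs

%% Client that verifies the server. Its cacertfile must contain the root
%% CA of the server's chain; for a self-signed server certificate that
%% is the server certificate itself.
client_opts() ->
    [{verify, verify_peer},
     {cacertfile, "server-ca.pem"}].

%% Connect and separate certificate-verification alerts from other
%% errors. The exact shape of the tls_alert term differs between OTP
%% releases, so only the tag is matched here.
connect(Host, Port) ->
    case ssl:connect(Host, Port, client_opts(), 5000) of
        {ok, Socket} ->
            {ok, Socket};
        {error, {tls_alert, _} = Alert} ->
            {verification_failed, Alert};
        {error, Reason} ->
            {error, Reason}
    end.
```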