[erlang-questions] Fwd: Figuring out proper ssl certificate settings with 17.3

Vincent de Phily vincent.dephily@REDACTED
Fri Feb 20 13:44:23 CET 2015

On Thursday 19 February 2015 18:43:26 Vincent de Phily wrote:
> On Thursday 22 January 2015 21:45:08 Ingela Andin wrote:
> > If you want to handle
> > incorrect clients  by building the chain to the client certificate on the
> > server side , if possible, you need to do that in the verify_fun when it
> > fails and then call public_key:pkix_path_validation again with the chain
> > that you built.
> I didn't try this yet, but I verified that
> > {partial_chain, fun(CAs) -> {trusted_ca,hd(CAs)} end}
> "solves" my issue but is basically a verify_none. It seems there's some
> functionality overlap between partial_chain and verify_fun, but I'm not 100%
> sure when to use which.

FWIW, I managed to get the behaviour I expect (can you spot a bug ?) using 
either verify_fun or partial_chain:

Verif = fun(Cert,{bad_cert, _}, _) ->
                case public_key:pkix_path_validation(TrustedCA,[Cert],[]) of
                    {ok, _} -> {valid, P};
                    {error, Reason} -> {fail, Reason}
           (_, {extension, Ex}, _) ->
                {unknown, []};
           (_, valid, _) ->
                {valid, []};
           (_, valid_peer, _) ->
                {valid, []}
Partial = fun(Chain) ->
                  case public_key:pkix_path_validation(TrustedCA,Chain,[]) of
                  {ok, _} -> {trusted_ca,hd(Chain)};
                  {error, Reason} -> Reason

Connecting with 
   {fail_if_no_peer_cert, true},
   {verify,               verify_peer},
   {cert,                 MyCert},
   {key,                  MyKey},
   {cacerts,              [TrustedCA]}
and either
   {verify_fun,           {Verif,[]}}
   {partial_chain,        Partial}
Same config for both the client and the server, only the values of TrustedCA 
and MyCert/MyKey change.

At this stage, I'm still unsure wether using verify_fun or partial_chain makes 
more sense (or is faster).

> I'd like OTP to do the "peer-sent cert chain is signed by one of the localy-
> trusted CAs" step for me. I realize that I could do it myself using the
> public_key module, but I find it very surprising that my usecase would be
> so unusual that it isn't supported out of the box. A peer that sends the
> smallest chain that can be verified by the other peer isn't "incorrect".

These concerns are still valid. If feels strange that my version of verify_fun 
does something different than OTP's version.

Vincent de Phily
Mobile Devices
+33 (0) 142 119 325
+353 (0) 85 710 6320 

This message (and any associated files) is intended only for the use of its
intended recipient and may contain information that is confidential, subject
to copyright or constitutes a trade secret. If you are not the intended
recipient you are hereby notified that any dissemination, copying or
distribution of this message, or files associated with this message, is
strictly prohibited. If you have received this message in error, please
notify us immediately by replying to the message and deleting it from your
computer. Any views or opinions presented are solely those of the author
vincent.dephily@REDACTED and do not necessarily represent those of 
the company. Although the company has taken reasonable precautions to ensure
no viruses are present in this email, the company cannot accept responsibility
for any loss or damage arising from the use of this email or attachments.

More information about the erlang-questions mailing list