[erlang-questions] SSL: "unknown ca"

Hugo Mills hugo@REDACTED
Sat Jan 31 11:28:34 CET 2015


On Sat, Jan 31, 2015 at 03:24:23AM +0100, e@REDACTED wrote:
> I have launched a server, i have fed it with all the certificates needed.
> i try to connect to the server by a client and *the server* (NOT THE
> CLIENT!!!) throws an error "unknown ca".
> 
> trying to figure out the reason behind this laconic formula, i came
> up with the following questions:
> 
> what particular application throws it?

   I can't answer that question, but hopefully the answers below will
help you work it out.

> what particular entity on *MY* server is referred to as "CA"?

   The CA is the Certificate Authority. It's the thing that signs
certificates. The CA issues one or more certificates of its own, which
can be used to verify that a public certificate that it has signed is
actually valid, according to that CA's internal rules and regulations.

   If you are signing your own certificates, you are acting as your
own CA, and will have access to both the CA's private key and public
certificate.

   Most commercial CAs these days have a hierarchy of certificates --
a top level (or "root") one for which the key is kept highly secure
(i.e. in a strong-room, never connected to the internet), and which is
only used to sign their next level down, which are the key/cert pairs
used to actually sign the certificates that they issue for their
customers to use. This sequence of certificates (root -> signing cert
-> user cert) is called a certificate chain, and in order to fully
verify the validity of a user certificate, you need to have all of the
other certificates available.

> to whom it is "unknown", and what is considered "knowledge" in this context?

   When a TLS connection is made, both sides of the connection get the
opportunity to pass a certificate to each other. Those certificates
are then validated using the certificate chain I spoke about above.

   Now, the entity which passes over its certificate to the other side
to be checked can (must) also pass the certificate chain that signed
that certificate. This is fine, except that then they could be passing
a complete certificate chain that they've just invented, and actually
they're intending on doing Bad Things. So, the receiving side of this
conversation typically keeps a list of the top level CA certificates
that are trusted to sign certificates in a reliable way. This list may
be the common list of CAs that are checked by the browser
manufacturers, or for your own application, it may simply contain your
own private CA cert that you used to sign your own certificates. It's
that list of "trusted" CAs that constitutes "knowledge".

   Hugo.

> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions

-- 
Hugo Mills             | Turning, pages turning in the widening bath,
hugo@REDACTED carfax.org.uk | The spine cannot bear the humidity.
http://carfax.org.uk/  | Books fall apart; the binding cannot hold.
PGP: 65E74AC0          | Page 129 is loosed upon the world.               Zarf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20150131/c352619c/attachment.bin>


More information about the erlang-questions mailing list