[erlang-questions] SSL: "unknown ca"

Loïc Hoguin essen@REDACTED
Sat Jan 31 21:36:20 CET 2015


Replying through webmail because SMTP decided to stop working. Hope it's not too
terrible when it gets into your mailboxes.
 
> On 31 January 2015 at 19:36, "e@REDACTED" <e@REDACTED> wrote:
>
>
> On 01/31/2015 07:35 PM, Loïc Hoguin wrote:
> > On 01/31/2015 07:31 PM, e@REDACTED wrote:
> >> On 01/31/2015 07:28 PM, Loïc Hoguin wrote:
> >>> Don't look at me, we just have a wrapper on top of SSL, most SSL issues
> >>> are out of my league. :-)
> >>
> >> this wrapper is supposed to know everything about the arguments it passes;
> >> maybe the one I am looking for is among them (hiding behind an
> >> incomprehensible name, for example)
> >
> > I don't know if this is what you need as I'm not sure what your issue is
> > exactly, but there is an option to define the verification fun
> > (verify_fun) as others have already pointed out in this thread. Have you
> > tried it yet?
>
> No, it sounds to me like a last-resort solution.
> If I am to define this function, I then have very little need for the SSL
> itself.
> Shouldn't it work by default?

I think you are missing the point of SSL. I will try to dumb it down.

SSL gives you both secrecy through encryption and authentication of the endpoint
you communicate with.

The latter is only possible precisely because of the certificate chain. It is
used to verify that the server's certificate has been signed by a trusted entity
or by an intermediary of the trusted entity. Therefore we can assume that the
server is who they say they are.

If you self-sign a certificate then you lose this authentication aspect. Sure,
you still have secrecy through encryption, but anyone between you and the server
can decide to decrypt and read what you send. This is called a man-in-the-middle
attack.

By default SSL gives you secure connections, that is, both encryption and
authentication. A browser or client that tries to connect to a server that uses
a self-signed certificate will get an error until further steps are taken by the
user to confirm they really want to connect to it.

It works as intended by default.

Now I am not sure what you do, what certificate you have, what kind of client
you use, what options, so it is very hard to help.

If it is the client that rejects your server's self-signed certificate though,
there's nothing you can do except get a certificate from a trusted CA, or
use an option in the client to disable the certificate verification.
 
-- 
Loïc Hoguin
http://ninenines.eu
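The thread mentions two ways out when a client rejects a self-signed server certificate with "unknown ca": get a CA-signed certificate, or turn verification off. There is a middle ground that the `verify_fun` option makes possible: keep `verify_peer` on and accept the self-signed certificate only if its SHA-256 fingerprint matches one obtained out of band, so an attacker in the middle cannot substitute their own certificate. The module below is an added example written for this post; it is not code from the thread, from Loïc, or from Erlang/OTP. The module name `pinned_client`, the host, port and the `ExpectedFp` value are assumptions, and it assumes the OTP `ssl` application reports the rejected self-signed certificate to `verify_fun` as `{bad_cert, selfsigned_peer}` or `{bad_cert, unknown_ca}`.

```erlang
%% pinned_client.erl -- added example, not part of the original thread.
%% Connects with verify_peer and accepts a self-signed server certificate
%% only when its SHA-256 fingerprint equals a value obtained out of band.
-module(pinned_client).
-export([connect/3, verify_fun/3, fingerprint/1, fingerprint_from_pem_file/1]).

-include_lib("public_key/include/public_key.hrl").

%% Connect to Host:Port. ExpectedFp is a 32-byte binary (SHA-256 of the
%% server certificate's DER encoding) that was fetched over a trusted
%% channel beforehand. Verification stays enabled; only the one pinned
%% certificate is allowed to bypass the "unknown ca" rejection.
connect(Host, Port, ExpectedFp) when is_binary(ExpectedFp), byte_size(ExpectedFp) =:= 32 ->
    ssl:connect(Host, Port,
                [{verify, verify_peer},
                 %% A self-signed peer has no intermediates; refuse longer chains.
                 {depth, 0},
                 {verify_fun, {fun ?MODULE:verify_fun/3, ExpectedFp}}],
                5000).

%% SHA-256 over the DER encoding of the decoded #'OTPCertificate'{} record
%% that ssl hands to verify_fun.
fingerprint(OtpCert) ->
    Der = public_key:pkix_encode('OTPCertificate', OtpCert, otp),
    crypto:hash(sha256, Der).

%% Helper for computing the pin out of band from a PEM file of the server
%% certificate (for example copied from the server over SSH).
fingerprint_from_pem_file(Path) ->
    {ok, Pem} = file:read_file(Path),
    [{'Certificate', Der, not_encrypted} | _] = public_key:pem_decode(Pem),
    crypto:hash(sha256, Der).

%% verify_fun/3 is called once per certificate in the chain with an Event:
%%   {bad_cert, Reason}  -- path validation failed for this certificate
%%   {extension, Ext}    -- an extension the built-in validation does not handle
%%   valid | valid_peer  -- built-in validation succeeded
%% It returns {valid, State}, {fail, Reason} or {unknown, State}.
verify_fun(OtpCert, {bad_cert, Reason}, ExpectedFp)
  when Reason =:= selfsigned_peer; Reason =:= unknown_ca ->
    %% Only the trust-anchor problem is overridden, and only for the exact
    %% certificate we pinned. crypto:hash_equals/2 avoids a timing side channel;
    %% on OTP releases without it, a plain =:= comparison is the fallback.
    case crypto:hash_equals(fingerprint(OtpCert), ExpectedFp) of
        true  -> {valid, ExpectedFp};
        false -> {fail, {pinned_fingerprint_mismatch, Reason}}
    end;
verify_fun(_OtpCert, {bad_cert, Reason}, _State) ->
    %% Any other failure (expired, name mismatch, revoked, ...) stays fatal.
    {fail, Reason};
verify_fun(_OtpCert, {extension, _Ext}, State) ->
    %% Unknown extensions: let the default handling decide.
    {unknown, State};
verify_fun(_OtpCert, valid, State) ->
    {valid, State};
verify_fun(_OtpCert, valid_peer, State) ->
    {valid, State}.
```

Usage: compute the pin once with `pinned_client:fingerprint_from_pem_file("server.pem")` on a machine that holds a trusted copy of the certificate, store that binary in the client's configuration, then call `pinned_client:connect("example.invalid", 443, Pin)`. If the server's certificate is rotated the pin must be updated, which is the price of not having a CA vouch for it; disabling verification with `{verify, verify_none}` avoids that chore but gives up the authentication property the post describes. `crypto:hash_equals/2` was added in a later OTP release than the one current when this thread was written; replace it with `=:=` on older releases.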