[erlang-questions] SSL Client CA Certs/chain validation

Benoit Chesneau bchesneau@REDACTED
Thu Jul 23 12:11:59 CEST 2015


On Thu, Jul 23, 2015 at 3:27 AM Tristan Sloughter <t@REDACTED> wrote:

>  For Erlang code I copied from Eric to implement the same for rebar3's
> hex client :)
>
>
> https://github.com/rebar/rebar3/blob/master/src/rebar_pkg_resource.erl#L127-L172
>
> and
>
> https://github.com/rebar/rebar3/blob/master/src/rebar_cacerts.erl
>
> --
> Tristan Sloughter
> t@REDACTED
>
>

Hrmm, are you sure it is actually working?

I tried similar code in hackney on the following URLS:

https://api.gateway.evercam.io/v1
https://api.twilio.com/2010-04-01/Accounts/

And I get an "unknown_ca" error...

Hackney changes are:
https://github.com/benoitc/hackney/pull/217

On which URLs did you test it? How do you generate your CA file?

- benoit


>
>
> On Wed, Jul 22, 2015, at 08:15 PM, Eric Meadows-Jönsson wrote:
>
> I maintain a http client using httpc as part of the Hex package manager
> and have been trying to do proper HTTPS connections with it. In my
> experience there are a lot of things you have to implement yourself if you
> want to do it correctly, and I have had many of the same questions you have.
> Many things are still not clear for me, but hopefully I can answer some of
> your questions. I am going to be linking to Elixir code, but I think it will
> be easy for an Erlang programmer to understand it.
>
> These are the SSL options I use:
> https://github.com/hexpm/hex/blob/98ebb655a3e4b494795f510c07e6b16f16650e91/lib/hex/api.ex#L54-L55
> .
>
> Interesting options are `verify_fun`: Erlang doesn't seem to support
> hostname verification, so I use an Elixir port of
> https://github.com/deadtrickster/ssl_verify_hostname.erl for that, many
> thanks to Ilya Khaprov for creating that library. I pass in a CA
> certificate store via `cacerts`; it is generated from Mozilla's store with
> curl's mk-ca-bundle tool http://curl.haxx.se/docs/mk-ca-bundle.html, you
> can see how it is called here:
> https://github.com/hexpm/hex/blob/98ebb655a3e4b494795f510c07e6b16f16650e91/mix.exs#L61-L84
>
> Finally, unless you implement the `partial_chain` function many websites
> won't work because they do not send a complete certificate chain.
> Disclaimer: I do not know the correct (and secure) way to implement this
> function, I even received a security bug report recently
> https://github.com/hexpm/hex/issues/108 because the old implementation
> was even more wrong. As you can see from the linked issue we are still not
> confident that this is a correct implementation. Reviews of this function
> from the OTP team or someone intimate with Erlang SSL would be very much
> appreciated.
>
> There are also the new options for SNI in OTP 18 which I have not
> implemented yet.
>
> As you can tell there is a lot of code you have to write yourself and
> Erlang's ssl application does not have very exhaustive documentation or any
> guides at all AFAICT, so it is very hard to implement this without any bugs
> exposing security holes and I am not very confident in my own code because
> of this.
>
> On Thu, Jul 23, 2015 at 2:28 AM, Kaiduan Xie <kaiduanx@REDACTED> wrote:
>
> The following articles explain things very clearly:
>
>
> http://security.stackexchange.com/questions/59566/ssl-certificate-chain-verification
>
>
> http://security.stackexchange.com/questions/56389/ssl-certificate-framework-101-how-does-the-browser-actually-verify-the-validity
>
> /Kaiduan
>
>  On Wed, Jul 22, 2015 at 7:35 PM, Geoff Cant <nem@REDACTED> wrote:
>  > Hi all, I’m wondering if anyone has written a guide (or can link to
> example code) showing how they use OTP’s SSL library to connect to
> arbitrary TLS servers on the internet with x.509 cert chain validation.
>  >
>  > I know the default SSL library option is ‘verify_none’, and that there
> is a ‘cacertfile’ option, but a) it’s 2015 and you should verify cert
> chains, and b) are people really bundling all the standard public CA certs
> into a single giant cacertfile? If you are bundling say all of ubuntu’s
> /etc/certs, do you have any tooling for this (cat /etc/certs/*.pem >>
> get_me_everyone.cacerts)? Am I missing something and OTP automatically uses
> the contents of /etc/certs ?
>  >
>  > Also, are people writing utility libraries/code to wrap ssl:* in order
> to setup the connect/listen options they use? (I know I wrote one to do
> certificate pinning)
>  >
>  >
>  > I’m generally curious about your OTP ssl client use - particularly
> around cert chain validation.
>  >
>  > Cheers,
>  > -Geoff
>  > _______________________________________________
>  > erlang-questions mailing list
>  > erlang-questions@REDACTED
>  > http://erlang.org/mailman/listinfo/erlang-questions
>
> --
> Eric Meadows-Jönsson
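The option set this thread circles around (verify_peer, a `cacerts` store read from a PEM bundle such as mk-ca-bundle's output, a `partial_chain` that only trusts an exact DER match, a `verify_fun` that checks the hostname, the `depth` default, and OTP 18's SNI option), put together as an added Erlang example; this is not code from the thread, nor from hackney, hex or rebar3. The module name, the `verify_fun` state layout, and the exact-match-only hostname policy (no wildcards, no CN fallback) are assumptions.

```erlang
%% strict_tls_client.erl: added example, not taken from the thread or any of the projects it links.
-module(strict_tls_client).
-export([connect/2, load_cacerts/1, partial_chain/2, verify_fun/3]).
-include_lib("public_key/include/public_key.hrl").

%% Read a PEM bundle (e.g. what curl's mk-ca-bundle writes) into a list of DER certs.
load_cacerts(PemFile) ->
    {ok, Pem} = file:read_file(PemFile),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

%% partial_chain/2: the server sent an incomplete chain, so ssl asks us which
%% link (if any) may act as trust anchor. Only accept a certificate that is
%% byte-for-byte identical to one in our store; matching on subject/issuer
%% names alone would let any certificate carrying a copied name become the anchor.
%% Whatever order ssl hands the chain in, any exact match is a safe anchor.
partial_chain(CaCerts, ChainDers) ->
    case [Der || Der <- ChainDers, lists:member(Der, CaCerts)] of
        [Anchor | _] -> {trusted_ca, Anchor};
        []           -> unknown_ca
    end.

%% verify_fun/3: called for every certificate and path-validation event.
%% Chain errors are never swallowed; on the peer certificate we additionally
%% require the expected host to appear as a subjectAltName dNSName (assumed
%% policy: exact, case-insensitive match; wildcards and CN are not considered).
verify_fun(_Cert, {bad_cert, Reason}, _Host) -> {fail, Reason};
verify_fun(_Cert, {extension, _}, Host)      -> {unknown, Host};
verify_fun(_Cert, valid, Host)               -> {valid, Host};
verify_fun(Cert, valid_peer, Host) ->
    case lists:member(string:to_lower(Host), dns_names(Cert)) of
        true  -> {valid, Host};
        false -> {fail, {bad_cert, hostname_check_failed}}
    end.

dns_names(#'OTPCertificate'{tbsCertificate = Tbs}) ->
    case Tbs#'OTPTBSCertificate'.extensions of
        asn1_NOVALUE -> [];
        Exts ->
            case lists:keyfind(?'id-ce-subjectAltName', #'Extension'.extnID, Exts) of
                #'Extension'{extnValue = Names} -> [string:to_lower(N) || {dNSName, N} <- Names];
                false -> []
            end
    end.

connect(Host, CaFile) ->
    CaCerts = load_cacerts(CaFile),
    ssl:connect(Host, 443,
                [{verify, verify_peer},
                 {cacerts, CaCerts},
                 {depth, 3},          % the default of 1 rejects chains with more intermediates
                 {partial_chain, fun(Chain) -> partial_chain(CaCerts, Chain) end},
                 {verify_fun, {fun ?MODULE:verify_fun/3, Host}},
                 {server_name_indication, Host}]). % OTP 18 SNI option
```

A connection that fails with `unknown_ca` under these options means no certificate the server sent is in the store, which is the intended outcome rather than something to relax.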