[erlang-questions] SSL Client CA Certs/chain validation

Benoit Chesneau bchesneau@REDACTED
Thu Jul 23 15:20:46 CEST 2015 

On Thu, Jul 23, 2015 at 2:29 PM Eric Meadows-Jönsson <
eric.meadows.jonsson@REDACTED> wrote:

> https://api.twilio.com/2010-04-01/Accounts/ works for me with Hex's http
> client. https://api.gateway.evercam.io/v1 doesn't work and the issue
> seems to be that they only send their own certificate without any
> intermediate certificates in the chain. Since `partial_chain` is supposed
> to claim trust for an intermediate certificate (and only for an
> intermediate in the provided chain, you cannot return your own intermediate
> from the CA store) this is impossible to do.
>

I did a minimal case there to test:
https://github.com/benoitc/test_ssl

So indeed I confirm the first url "
https://api.twilio.com/2010-04-01/Accounts/ " is working.  But not the
second one.

not sure now why it's not working in hackney now :/

But the interresting thing is that curl is returning different results:

     [test_ssl] curl --cacert priv/ca-bundle.crt
https://api.twilio.com/2010-04-01/Accounts/
     curl: (51) SSL: certificate verification failed (result: 5)

     [test_ssl] curl --cacert priv/ca-bundle.crt
https://api.gateway.evercam.io/v1
    <!DOCTYPE html>
    <html>
    ....

Probably because curl on osx is using keychain though. I will check for the
intermediate certificates.

- benoit


>
> On Thu, Jul 23, 2015 at 12:11 PM, Benoit Chesneau <bchesneau@REDACTED>
> wrote:
>
>>
>>
>> On Thu, Jul 23, 2015 at 3:27 AM Tristan Sloughter <t@REDACTED>
>> wrote:
>>
>>>  For Erlang code I copied from Eric to implement the same for rebar3's
>>> hex client :)
>>>
>>>
>>> https://github.com/rebar/rebar3/blob/master/src/rebar_pkg_resource.erl#L127-L172
>>>
>>> and
>>>
>>> https://github.com/rebar/rebar3/blob/master/src/rebar_cacerts.erl
>>>
>>> --
>>> Tristan Sloughter
>>> t@REDACTED
>>>
>>>
>>
>> Hrmm Are you sure it is actually working?
>>
>> I tried similar code in hackney on the following URLS:
>>
>> https://api.gateway.evercam.io/v1
>> https://api.twilio.com/2010-04-01/Accounts/
>>
>> And I get an "unkown_ca" error...
>>
>> Hackney changes are:
>> https://github.com/benoitc/hackney/pull/217
>>
>> On which URLS did you tested it? How do you generate your CA file?
>>
>> - benoit
>>
>>
>>>
>>>
>>> On Wed, Jul 22, 2015, at 08:15 PM, Eric Meadows-Jönsson wrote:
>>>
>>> I maintain a http client using httpc as part of the Hex package manager
>>> and have been trying to do proper HTTPS connections with it. In my
>>> experience there is a lot of things you have to implement yourself if you
>>> want to do it correctly and I have had many of the same questions you have.
>>> Many things are still not clear for me but hopefully I can answer some of
>>> your questions. I am going to be linking to Elixir code but I think it will
>>> be easy for an Erlang programmer to understand it.
>>>
>>> These are the SSL options I use:
>>> https://github.com/hexpm/hex/blob/98ebb655a3e4b494795f510c07e6b16f16650e91/lib/hex/api.ex#L54-L55
>>> .
>>>
>>> Interesting options are `verify_fun`, Erlang doesn't seem to support
>>> hostname verification so I use an Elixir port of
>>> https://github.com/deadtrickster/ssl_verify_hostname.erl for that, many
>>> thanks to Ilya Khaprov for creating that library. I pass in a CA
>>> certificate store via `cacerts`, it is generated from Mozilla's store with
>>> curl's mk-ca-bundle tool http://curl.haxx.se/docs/mk-ca-bundle.html,
>>> you can see how it is called here:
>>> https://github.com/hexpm/hex/blob/98ebb655a3e4b494795f510c07e6b16f16650e91/mix.exs#L61-L84
>>> .
>>>
>>> Finally, unless you implement the `partial_chain` function many websites
>>> wont work because they do not send a complete certificate chain.
>>> Disclaimer: I do not know the correct (and secure) way to implement this
>>> function, I even received a security bug report recently
>>> https://github.com/hexpm/hex/issues/108 because the old implementation
>>> was even more wrong. As you can see from the linked issue we are still not
>>> confident that this is a correct implementation. Reviews of this function
>>> from the OTP team or someone intimate with Erlang SSL would be very much
>>> appreciated.
>>>
>>> There are also the new options for SNI in OTP 18 which I have not
>>> implemented yet.
>>>
>>> As you can tell there is a lot of code you have to write yourself and
>>> Erlang's ssl application does not have very exhaustive documentation or any
>>> guides at all AFAICT, so it is very hard to implement this without any bugs
>>> exposing security holes and I am not very confident in my own code because
>>> of this.
>>>
>>> On Thu, Jul 23, 2015 at 2:28 AM, Kaiduan Xie <kaiduanx@REDACTED> wrote:
>>>
>>> The following articles explain thing very clearly,
>>>
>>>
>>> http://security.stackexchange.com/questions/59566/ssl-certificate-chain-verification
>>>
>>>
>>> http://security.stackexchange.com/questions/56389/ssl-certificate-framework-101-how-does-the-browser-actually-verify-the-validity
>>>
>>> /Kaiduan
>>>
>>>  On Wed, Jul 22, 2015 at 7:35 PM, Geoff Cant <nem@REDACTED> wrote:
>>>  > Hi all, I’m wondering if anyone has written a guide (or can link to
>>> example code) showing how they use OTP’s SSL library to connect to
>>> arbitrary TLS servers on the internet with x.509 cert chain validation.
>>>  >
>>>  > I know the default SSL library option is ‘verify_none’, and that
>>> there is a ‘cacertfile’ option, but a) it’s 2015 and you should verify cert
>>> chains, and b) are people really bundling all the standard public CA certs
>>> into a single giant cacertfile? If you are bundling say all of ubuntu’s
>>> /etc/certs, do you have any tooling for this (cat /etc/certs/*.pem >>
>>> get_me_everyone.cacerts)? Am I missing something and OTP automatically uses
>>> the contents of /etc/certs ?
>>>  >
>>>  > Also, are people writing utility libraries/code to wrap ssl:* in
>>> order to setup the connect/listen options they use? (I know I wrote one to
>>> do certificate pinning)
>>>  >
>>>  >
>>>  > I’m generally curious about your OTP ssl client use - particularly
>>> around cert chain validation.
>>>  >
>>>  > Cheers,
>>>  > -Geoff
>>>  > _______________________________________________
>>>  > erlang-questions mailing list
>>>  > erlang-questions@REDACTED
>>>  > http://erlang.org/mailman/listinfo/erlang-questions
>>>  _______________________________________________
>>>  erlang-questions mailing list
>>>  erlang-questions@REDACTED
>>>  http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>>
>>>
>>>
>>> --
>>> Eric Meadows-Jönsson
>>>  *_______________________________________________*
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>>
>>>  _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>>
>
>
> --
> Eric Meadows-Jönsson
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20150723/71125bf6/attachment.htm>

More information about the erlang-questions mailing list