[erlang-questions] SSL Client CA Certs/chain validation

Benoit Chesneau bchesneau@REDACTED
Thu Jul 23 15:32:14 CEST 2015


and my bad... I was silently removing the partial_chain option ;). Anyway
thanks for the explanation :)

- benoit

On Thu, Jul 23, 2015 at 3:20 PM Benoit Chesneau <bchesneau@REDACTED> wrote:

> On Thu, Jul 23, 2015 at 2:29 PM Eric Meadows-Jönsson <
> eric.meadows.jonsson@REDACTED> wrote:
>
>> https://api.twilio.com/2010-04-01/Accounts/ works for me with Hex's http
>> client. https://api.gateway.evercam.io/v1 doesn't work and the issue
>> seems to be that they only send their own certificate without any
>> intermediate certificates in the chain. Since `partial_chain` is supposed
>> to claim trust for an intermediate certificate (and only for an
>> intermediate in the provided chain, you cannot return your own intermediate
>> from the CA store) this is impossible to do.
>>
>
> I did a minimal case there to test:
> https://github.com/benoitc/test_ssl
>
> So indeed I confirm the first url "
> https://api.twilio.com/2010-04-01/Accounts/ " is working.  But not the
> second one.
>
> not sure now why it's not working in hackney now :/
>
> But the interesting thing is that curl is returning different results:
>
>      [test_ssl] curl --cacert priv/ca-bundle.crt
> https://api.twilio.com/2010-04-01/Accounts/
>      curl: (51) SSL: certificate verification failed (result: 5)
>
>      [test_ssl] curl --cacert priv/ca-bundle.crt
> https://api.gateway.evercam.io/v1
>     <!DOCTYPE html>
>     <html>
>     ....
>
> Probably because curl on osx is using keychain though. I will check for
> the intermediate certificates.
>
> - benoit
>
>
>>
>> On Thu, Jul 23, 2015 at 12:11 PM, Benoit Chesneau <bchesneau@REDACTED>
>> wrote:
>>
>>>
>>>
>>> On Thu, Jul 23, 2015 at 3:27 AM Tristan Sloughter <t@REDACTED>
>>> wrote:
>>>
>>>>  For Erlang code I copied from Eric to implement the same for rebar3's
>>>> hex client :)
>>>>
>>>>
>>>> https://github.com/rebar/rebar3/blob/master/src/rebar_pkg_resource.erl#L127-L172
>>>>
>>>> and
>>>>
>>>> https://github.com/rebar/rebar3/blob/master/src/rebar_cacerts.erl
>>>>
>>>> --
>>>> Tristan Sloughter
>>>> t@REDACTED
>>>>
>>>>
>>>
>>> Hrmm Are you sure it is actually working?
>>>
>>> I tried similar code in hackney on the following URLS:
>>>
>>> https://api.gateway.evercam.io/v1
>>> https://api.twilio.com/2010-04-01/Accounts/
>>>
>>> And I get an "unknown_ca" error...
>>>
>>> Hackney changes are:
>>> https://github.com/benoitc/hackney/pull/217
>>>
>>> On which URLs did you test it? How do you generate your CA file?
>>>
>>> - benoit
>>>
>>>
>>>>
>>>>
>>>> On Wed, Jul 22, 2015, at 08:15 PM, Eric Meadows-Jönsson wrote:
>>>>
>>>> I maintain a http client using httpc as part of the Hex package manager
>>>> and have been trying to do proper HTTPS connections with it. In my
>>>> experience there are a lot of things you have to implement yourself if you
>>>> want to do it correctly and I have had many of the same questions you have.
>>>> Many things are still not clear for me but hopefully I can answer some of
>>>> your questions. I am going to be linking to Elixir code but I think it will
>>>> be easy for an Erlang programmer to understand it.
>>>>
>>>> These are the SSL options I use:
>>>> https://github.com/hexpm/hex/blob/98ebb655a3e4b494795f510c07e6b16f16650e91/lib/hex/api.ex#L54-L55
>>>> .
>>>>
>>>> An interesting option is `verify_fun`: Erlang doesn't seem to support
>>>> hostname verification, so I use an Elixir port of
>>>> https://github.com/deadtrickster/ssl_verify_hostname.erl for that,
>>>> many thanks to Ilya Khaprov for creating that library. I pass in a CA
>>>> certificate store via `cacerts`, it is generated from Mozilla's store with
>>>> curl's mk-ca-bundle tool http://curl.haxx.se/docs/mk-ca-bundle.html,
>>>> you can see how it is called here:
>>>> https://github.com/hexpm/hex/blob/98ebb655a3e4b494795f510c07e6b16f16650e91/mix.exs#L61-L84
>>>> .
>>>>
>>>> Finally, unless you implement the `partial_chain` function many
>>>> websites won't work because they do not send a complete certificate chain.
>>>> Disclaimer: I do not know the correct (and secure) way to implement this
>>>> function, I even received a security bug report recently
>>>> https://github.com/hexpm/hex/issues/108 because the old implementation
>>>> was even more wrong. As you can see from the linked issue we are still not
>>>> confident that this is a correct implementation. Reviews of this function
>>>> from the OTP team or someone intimate with Erlang SSL would be very much
>>>> appreciated.
>>>>
>>>> There are also the new options for SNI in OTP 18 which I have not
>>>> implemented yet.
>>>>
>>>> As you can tell there is a lot of code you have to write yourself and
>>>> Erlang's ssl application does not have very exhaustive documentation or any
>>>> guides at all AFAICT, so it is very hard to implement this without any bugs
>>>> exposing security holes and I am not very confident in my own code because
>>>> of this.
>>>>
>>>> On Thu, Jul 23, 2015 at 2:28 AM, Kaiduan Xie <kaiduanx@REDACTED>
>>>> wrote:
>>>>
>>>> The following articles explain things very clearly,
>>>>
>>>>
>>>> http://security.stackexchange.com/questions/59566/ssl-certificate-chain-verification
>>>>
>>>>
>>>> http://security.stackexchange.com/questions/56389/ssl-certificate-framework-101-how-does-the-browser-actually-verify-the-validity
>>>>
>>>> /Kaiduan
>>>>
>>>>  On Wed, Jul 22, 2015 at 7:35 PM, Geoff Cant <nem@REDACTED>
>>>> wrote:
>>>>  > Hi all, I’m wondering if anyone has written a guide (or can link to
>>>> example code) showing how they use OTP’s SSL library to connect to
>>>> arbitrary TLS servers on the internet with x.509 cert chain validation.
>>>>  >
>>>>  > I know the default SSL library option is ‘verify_none’, and that
>>>> there is a ‘cacertfile’ option, but a) it’s 2015 and you should verify cert
>>>> chains, and b) are people really bundling all the standard public CA certs
>>>> into a single giant cacertfile? If you are bundling say all of ubuntu’s
>>>> /etc/certs, do you have any tooling for this (cat /etc/certs/*.pem >>
>>>> get_me_everyone.cacerts)? Am I missing something and OTP automatically uses
>>>> the contents of /etc/certs ?
>>>>  >
>>>>  > Also, are people writing utility libraries/code to wrap ssl:* in
>>>> order to setup the connect/listen options they use? (I know I wrote one to
>>>> do certificate pinning)
>>>>  >
>>>>  >
>>>>  > I’m generally curious about your OTP ssl client use - particularly
>>>> around cert chain validation.
>>>>  >
>>>>  > Cheers,
>>>>  > -Geoff
>>>>  > _______________________________________________
>>>>  > erlang-questions mailing list
>>>>  > erlang-questions@REDACTED
>>>>  > http://erlang.org/mailman/listinfo/erlang-questions
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Eric Meadows-Jönsson
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> Eric Meadows-Jönsson
>>
>
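An added example, not code from Hex, rebar3 or hackney (their implementations are linked in the messages above), putting the pieces Eric lists together in Erlang: a CA store loaded from a mk-ca-bundle style PEM file, `verify_peer` against that store, a `partial_chain` callback that only ever claims a certificate the server itself sent, a `verify_fun` that adds the hostname check at `valid_peer`, and the OTP 18 SNI option. The module name `tls_client`, the bundle path `priv/ca-bundle.crt` (taken from Benoit's curl test), and the failure reason `hostname_check_failed` are assumptions. `public_key:pkix_verify_hostname/2` exists from OTP 20 onward; on OTP 18, the era of this thread, the `ssl_verify_hostname` library mentioned above stands in for that clause.

```erlang
%% Added example (not code from Hex, rebar3 or hackney): a verifying TLS
%% client in the shape the thread describes. Assumes a PEM bundle at
%% priv/ca-bundle.crt (for instance one produced by curl's mk-ca-bundle)
%% and OTP 20+ for public_key:pkix_verify_hostname/2.
-module(tls_client).
-export([connect/2, ssl_opts/2, load_cacerts/1, partial_chain/2, verify_fun/3]).

-include_lib("public_key/include/public_key.hrl").

%% Turn a PEM bundle into the list of DER certificates the `cacerts'
%% option expects. Non-certificate or encrypted entries are skipped.
load_cacerts(Path) ->
    {ok, Pem} = file:read_file(Path),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

%% Client options: verify the chain against our own store, claim an
%% intermediate the store knows as anchor when the server omits the root,
%% check the hostname once path validation has succeeded, and send SNI.
ssl_opts(Host, CACerts) ->
    [{verify, verify_peer},
     {cacerts, CACerts},
     %% set explicitly so a chain with a couple of intermediates is accepted
     {depth, 3},
     {partial_chain, fun(Chain) -> partial_chain(CACerts, Chain) end},
     {verify_fun, {fun verify_fun/3, #{hostname => Host}}},
     %% SNI option available from OTP 18
     {server_name_indication, Host}].

connect(Host, Port) ->
    CACerts = load_cacerts("priv/ca-bundle.crt"),
    ssl:connect(Host, Port, ssl_opts(Host, CACerts), 5000).

%% ssl calls this with the DER chain the server actually sent (peer
%% certificate first) when it cannot find the issuer of the top
%% certificate in the store. The answer must be a certificate taken from
%% that chain: pick the first one whose public key matches a store
%% certificate, so a cross-signed or re-issued root still matches. ssl
%% rejects any certificate that is not in the chain, which is why a server
%% that sends only its leaf certificate still ends in unknown_ca.
partial_chain(CACerts, Chain) ->
    Trusted = [spki(Der) || Der <- CACerts],
    find_anchor(Chain, Trusted).

find_anchor([], _Trusted) ->
    unknown_ca;
find_anchor([Der | Rest], Trusted) ->
    case lists:member(spki(Der), Trusted) of
        true  -> {trusted_ca, Der};
        false -> find_anchor(Rest, Trusted)
    end.

%% SubjectPublicKeyInfo of a DER certificate.
spki(Der) ->
    #'OTPCertificate'{tbsCertificate =
        #'OTPTBSCertificate'{subjectPublicKeyInfo = SPKI}} =
        public_key:pkix_decode_cert(Der, otp),
    SPKI.

%% verify_fun: keep ssl's default behaviour for every event except
%% valid_peer, where the leaf certificate is additionally matched against
%% the hostname we dialled. hostname_check_failed is our own reason atom.
verify_fun(_Cert, {bad_cert, _} = Reason, _State) ->
    {fail, Reason};
verify_fun(_Cert, {extension, _}, State) ->
    {unknown, State};
verify_fun(_Cert, valid, State) ->
    {valid, State};
verify_fun(Cert, valid_peer, #{hostname := Host} = State) ->
    case public_key:pkix_verify_hostname(Cert, [{dns_id, Host}]) of
        true  -> {valid, State};
        false -> {fail, {bad_cert, hostname_check_failed}}
    end.
```

`tls_client:connect("api.twilio.com", 443)` should return `{ok, Socket}` with the bundle above, while a server that sends only its leaf certificate fails with an `unknown_ca` alert from `partial_chain/2`, and a certificate issued for a different name fails in `verify_fun/3`. Matching on `SubjectPublicKeyInfo` rather than the full DER is a choice: it tolerates re-issued roots with the same key, at the cost of trusting any certificate in the sent chain that carries a store key.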

