[erlang-questions] question about cacertfiles option

Eric Meadows-Jönsson eric.meadows.jonsson@REDACTED
Mon Jun 22 16:47:35 CEST 2015


Erlang will always verify the certificate chain to the root. If an
intermediate certificate is trusted but the root is not trusted the
verification will fail. The partial_chain option can be used to terminate
the verification at the first trusted certificate.

On Mon, Jun 22, 2015 at 4:06 PM, Robert Raschke <rtrlists@REDACTED>
wrote:

> This is checking the cert from twilio, though. Right? So there's something
> in their ca chain, that ends up unknown. Or am I getting the wrong end of
> the stick.
>
> /Robby
> On Jun 22, 2015 10:05 AM, "Benoit Chesneau" <bchesneau@REDACTED> wrote:
>
>> In hackney, by default the HTTPS connection is using the following
>> options:
>>
>>     [{verify_fun, {fun ssl_verify_hostname:verify_fun/3,
>>                                    [{check_hostname, Host}]}},
>>     {cacertfile, CACertFile },
>>     {server_name_indication, Host},
>>     {verify, verify_peer}, {depth, 99},
>>     {reuse_sessions, true}]
>>
>> Where the Host is based on the Url. CaCertFile is this one:
>> https://github.com/benoitc/hackney/blob/master/priv/ca-bundle.crt
>>
>> And the verify_fun is here:
>> https://github.com/deadtrickster/ssl_verify_hostname.erl/blob/master/src/ssl_verify_hostname.erl
>>
>> It works in most cases but when connecting to Twilio I get the following
>> error:
>>
>>     2> hackney:get("https://api.twilio.com/2010-04-01/Accounts/").
>>
>>     =ERROR REPORT==== 22-Jun-2015::10:46:28 ===
>>     SSL: certify: ssl_handshake.erl:1403:Fatal error: unknown ca
>>     {error,{tls_alert,"unknown ca"}}
>>
>> When checking the CA file it seems it contains the thawte certificates:
>>
>>     $ cat priv/ca-bundle.crt|grep thawte
>>     thawte Primary Root CA
>>     thawte Primary Root CA - G2
>>     thawte Primary Root CA - G3
>>
>> Before opening a ticket I was wondering if I missed something in my
>> configuration? Is there anything wrong in the CA file? Any option is
>> missing?
>>
>> - benoit
>>
>>
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>>


-- 
Eric Meadows-Jönsson
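The partial_chain option Eric describes, as an added example that is not part of the thread and is not hackney's or OTP's own code. It assumes a PEM bundle (here TrustedPem) that may contain the intermediate you want to trust, and it decides trust by matching SubjectPublicKeyInfo rather than the whole DER certificate so that a cross-signed copy of the same CA key still matches. The hostname check from the original options (ssl_verify_hostname:verify_fun/3) is left out here and should be kept alongside these options in practice.

```erlang
%% Added example (not hackney's or OTP's own code): let chain validation
%% stop at a trusted intermediate via the ssl partial_chain option.
-module(partial_chain_example).
-export([ssl_options/2, partial_chain/2]).

-include_lib("public_key/include/public_key.hrl").

%% Build ssl options that still require a valid chain (verify_peer) but
%% allow it to end at any certificate found in TrustedPem, which is
%% assumed to be a PEM bundle containing roots and/or intermediates.
ssl_options(Host, TrustedPem) ->
    Trusted = trusted_spkis(TrustedPem),
    [{verify, verify_peer},
     {cacertfile, TrustedPem},
     {server_name_indication, Host},
     {depth, 99},
     {partial_chain, fun(Chain) -> partial_chain(Trusted, Chain) end}].

%% ssl calls this with the DER certificates the peer presented, peer
%% certificate first. Walk from the root end and claim the first
%% certificate whose SubjectPublicKeyInfo matches one we trust; ssl then
%% runs path validation with that certificate as the anchor. Returning
%% unknown_ca makes the handshake fail with the same "unknown ca" alert
%% seen in the thread, so an unexpected chain is still rejected.
partial_chain(Trusted, Chain) ->
    Decoded = [{Der, spki(Der)} || Der <- lists:reverse(Chain)],
    case [Der || {Der, Spki} <- Decoded, lists:member(Spki, Trusted)] of
        [Der | _] -> {trusted_ca, Der};
        []        -> unknown_ca
    end.

%% Read every certificate in the PEM bundle and keep only its public key
%% info, which is what the chain is compared against.
trusted_spkis(PemFile) ->
    {ok, Pem} = file:read_file(PemFile),
    [spki(Der) || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

%% Extract SubjectPublicKeyInfo from a DER certificate.
spki(Der) ->
    #'OTPCertificate'{tbsCertificate =
        #'OTPTBSCertificate'{subjectPublicKeyInfo = Spki}} =
        public_key:pkix_decode_cert(Der, otp),
    Spki.
```

Usage, with the bundle path from the original post: ssl:connect("api.twilio.com", 443, partial_chain_example:ssl_options("api.twilio.com", "priv/ca-bundle.crt")). The trusted set is computed once when the options are built, so the per-handshake callback only does list membership checks against decoded certificates.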