[erlang-questions] example of partial_chain in SSL

Ingela Andin ingela.andin@REDACTED
Thu Jun 25 16:22:45 CEST 2015


Hi!

2015-06-24 19:52 GMT+02:00 Benoit Chesneau <bchesneau@REDACTED>:

> Hi,
>
> I tried to use the partial_chain option in SSL to fix an unknown_ca issue
> but the function is never executed:
>
>

The partial chain function lets you shorten the certificate chain by
accepting an intermediate cert sent to you by the peer as trusted. This is
not the same as ignoring unknown_ca errors.
If you want to handle incorrect clients (sending incomplete chains) by
building the chain to the client certificate on the server side, if
possible, you need to do that in the verify_fun when it fails and then call
public_key:pkix_path_validation again with the chain that you built.


Regards Ingela
Erlang/OTP Team - Ericsson AB



> The code is:
>
>     enum_cacerts([], _Certs) ->
>         unknown_ca;
>     enum_cacerts([Cert| Rest], Certs) ->
>         case lists:member(Cert, Certs) of
>             true -> {trusted_ca, Cert};
>             false -> enum_cacerts(Rest, Certs)
>         end.
>
>
>         CACertFile = filename:join(hackney_util:privdir(),
>  "ca-bundle.crt"),
>         {ok, ServerCAs} = file:read_file(CACertFile),
>         Pems = public_key:pem_decode(ServerCAs),
>         CaCerts = lists:map(fun({_, Der, _}) -> Der end, Pems),
>
>         PartialChain =  fun(ChainCerts) ->
>                             enum_cacerts(CaCerts, ChainCerts)
>                     end,
>
> And the SSL options are:
>
>                     [{partial_chain, PartialChain},
>                      {cacerts, CaCerts},
>                      {server_name_indication, Host},
>                      {verify_fun, {fun ssl_verify_hostname:verify_fun/3,
>                                    [{check_hostname, Host}]}},
>                      {verify, verify_peer},
>                      {depth, 99}];
>
> What am I doing wrong? I am not sure actually why the function is never
> executed. Any idea is welcome...
>
> - benoit
>
>
>
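Ingela's suggestion worked through in code, as an added illustration that is neither from the thread nor from OTP: a server-side verify_fun that, on {bad_cert, unknown_ca}, tries to complete the client's chain from a local list of known intermediates and then re-runs public_key:pkix_path_validation/3 on the chain it built. The module name, the #st{} record, the depth limit and the PEM paths are assumptions.

```erlang
-module(unknown_ca_verify_example).
-export([verify_fun/3, server_opts/2]).
%% Assumed trust store: DER roots (the same list handed to ssl as cacerts)
%% plus DER intermediates that careless clients tend to omit from their chain.
-record(st, {roots = [] :: [binary()], intermediates = [] :: [binary()]}).

%% ssl verify_fun/3: only the unknown_ca failure is handled specially, every
%% other event keeps the behaviour of ssl's default verify_fun.
verify_fun(OtpCert, {bad_cert, unknown_ca}, St) ->
    CertDer = public_key:pkix_encode('OTPCertificate', OtpCert, otp),
    case complete_chain(CertDer, St) of
        {ok, Root, Chain} ->
            %% Re-validate with the chain we built; on {valid, St} ssl uses
            %% OtpCert as the anchor for the rest of the peer's chain.
            case public_key:pkix_path_validation(Root, Chain, []) of
                {ok, _} -> {valid, St};
                {error, Reason} -> {fail, Reason}
            end;
        error -> {fail, unknown_ca}
    end;
verify_fun(_, {bad_cert, _} = Reason, _St) -> {fail, Reason};
verify_fun(_, {extension, _}, St) -> {unknown, St};
verify_fun(_, valid, St) -> {valid, St};
verify_fun(_, valid_peer, St) -> {valid, St}.

%% Climb from the failing cert through known intermediates until one of our
%% roots issued the top; the chain comes back root end first, as pkix_path_validation/3 expects.
complete_chain(CertDer, #st{roots = Roots, intermediates = Inters}) ->
    climb(CertDer, [CertDer], Roots, Inters, 0).

climb(_, _, _, _, Depth) when Depth > 10 -> error;   % refuse to loop forever
climb(Top, Chain, Roots, Inters, Depth) ->
    case [R || R <- Roots, public_key:pkix_is_issuer(Top, R)] of
        [Root | _] -> {ok, Root, Chain};
        [] ->
            case [I || I <- Inters, I =/= Top, public_key:pkix_is_issuer(Top, I)] of
                [Issuer | _] -> climb(Issuer, [Issuer | Chain], Roots, Inters, Depth + 1);
                [] -> error
            end
    end.

%% Server options wiring the verify_fun in; the two PEM paths are assumptions.
server_opts(RootsPem, IntermediatesPem) ->
    St = #st{roots = ders(RootsPem), intermediates = ders(IntermediatesPem)},
    [{verify, verify_peer}, {fail_if_no_peer_cert, true}, {cacerts, St#st.roots},
     {verify_fun, {fun ?MODULE:verify_fun/3, St}}].
ders(PemPath) ->
    {ok, Pem} = file:read_file(PemPath),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].
```

A partial_chain fun, by contrast, can only pick an anchor out of certificates the peer actually sent, so a chain that is missing its intermediate still ends in unknown_ca there.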

