[erlang-questions] example of partial_chain in SSL

Ingela Andin ingela.andin@REDACTED
Mon Jun 29 10:46:55 CEST 2015


Hi!

2015-06-27 11:38 GMT+02:00 Benoit Chesneau <bchesneau@REDACTED>:

> Ingela,
>
> So it's not clear yet if this was the exact error here. It has been
> fixed by updating the list of PEMs in the file in hackney using the Apple
> certificate store. The error I am referring to has been reported here:
> https://github.com/benoitc/hackney/issues/196
>
> So it is probable that Apple is including an intermediate certificate that
> is not in the list provided by Mozilla.
>
> To be sure I understand: when a peer is not trusted by the validation
> function, will the partial_chain function still be executed? What is the
> order? I thought the partial_chain function would be executed first,
> returning one of the certificates in the chain? In that case, why isn't it
> executed in the code snippet above? (I can provide you a full branch if it
> helps)
>
> More generally what is the common pattern in that case if any?
>
>
The partial_chain function will be called if the "top" certificate in the
certificate chain sent by the peer is not self-signed and found in the
trusted CA-store. This is done before calling
public_key:path_validation. The partial_chain function may claim one of
the certificates present in the chain to be trusted; then that certificate
will be used as the trusted CA in the
path_validation, and certificates above the claimed certificate in the chain
will be disregarded and the ones below will be path-validated.

As for your particular problem, it is hard to say unless I can see all the
inputs.

Regards Ingela Erlang/OTP team - Ericsson AB
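To make the ordering described above concrete, here is a small added example (not code from this thread, from hackney or from OTP) that models a partial_chain callback and what ssl then does with its answer. It assumes the chain is handed to the callback peer-first, and it uses public_key:pkix_test_data (OTP 20.1 or later, newer than this thread) to build a throwaway root/intermediate/peer chain so it runs offline.

```erlang
%% partial_chain_demo.erl: a partial_chain callback and the path validation
%% that follows it. Needs OTP 20.1+ for public_key:pkix_test_data.
-module(partial_chain_demo).
-export([run/0, partial_chain/2, validate_with/2]).

%% Shape expected by {partial_chain, Fun}: Fun(Chain) returns
%% {trusted_ca, DerCert} | unknown_ca. Assumption: Chain is peer-first, so the
%% first hit is the lowest trusted cert; everything above it is disregarded.
%% Matching on raw DER works because the peer sends the CA's exact encoding.
partial_chain(TrustedDers, ChainDers) ->
    case [Der || Der <- ChainDers, lists:member(Der, TrustedDers)] of
        [Der | _] -> {trusted_ca, Der};
        []        -> unknown_ca
    end.

%% What ssl does next: certs above the claimed anchor are dropped and the
%% ones below are path-validated with the anchor as the trusted CA.
validate_with({trusted_ca, Anchor}, ChainDers) ->
    Below = lists:takewhile(fun(D) -> D =/= Anchor end, ChainDers),
    %% pkix_path_validation wants the chain ordered from anchor down to peer
    public_key:pkix_path_validation(Anchor, lists:reverse(Below), []);
validate_with(unknown_ca, _ChainDers) ->
    {error, {bad_cert, unknown_ca}}.

%% Constructed test data (not real certificates): root -> intermediate -> peer.
%% Handles both the map and the proplist result shape of pkix_test_data.
test_chain() ->
    Conf = public_key:pkix_test_data(#{root => [], intermediates => [[]], peer => []}),
    Get = fun(K) when is_map(Conf) -> maps:get(K, Conf);
             (K) -> proplists:get_value(K, Conf) end,
    CAs = Get(cacerts),
    [Root] = [D || D <- CAs, public_key:pkix_is_self_signed(D)],
    [Inter] = CAs -- [Root],
    {Get(cert), Inter, Root}.

run() ->
    {Peer, Inter, Root} = test_chain(),
    {_, _, OtherRoot} = test_chain(),   %% a root from an unrelated chain
    Chain = [Peer, Inter],              %% server omits its root, as many do
    %% 1. Bundle holds roots, but not this chain's CA: partial_chain cannot
    %%    help, because it only claims certs that are already trusted.
    unknown_ca = partial_chain([OtherRoot], Chain),
    {error, {bad_cert, unknown_ca}} = validate_with(unknown_ca, Chain),
    %% 2. Bundle carries the intermediate: it is claimed as the anchor and only
    %%    the peer cert below it is validated; Root is never needed.
    {trusted_ca, Inter} = partial_chain([Root, Inter], Chain),
    {ok, _} = validate_with({trusted_ca, Inter}, Chain),
    ok.
```

Compile with `erlc partial_chain_demo.erl` and run `partial_chain_demo:run().` in a shell; key generation for the two test chains takes a few seconds.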





> - benoit
>
>
>
> On Thu, Jun 25, 2015 at 4:22 PM Ingela Andin <ingela.andin@REDACTED>
> wrote:
>
>> Hi!
>>
>> 2015-06-24 19:52 GMT+02:00 Benoit Chesneau <bchesneau@REDACTED>:
>>
>>> Hi,
>>>
>>> I tried to use the partial_chain option in SSL to fix an unknown_ca
>>> issue but the function is never executed:
>>>
>>>
>>
>> The partial chain function lets you shorten the certificate chain by
>> accepting an intermediate cert sent to you by the peer as trusted. This is
>> not the same as ignoring unknown_ca errors.
>> If you want to handle incorrect clients (sending incomplete chains) by
>> building the chain to the client certificate on the server side, if
>> possible, you need to do that in the verify_fun when it fails and then call
>> public_key:pkix_path_validation again with the chain that you built.
>>
>>
>> Regards Ingela Erlang/OTP Team - Ericsson AB
>>
>>
>>
>>> The code is:
>>>
>>>     enum_cacerts([], _Certs) ->
>>>         unknown_ca;
>>>     enum_cacerts([Cert| Rest], Certs) ->
>>>         case lists:member(Cert, Certs) of
>>>             true -> {trusted_ca, Cert};
>>>             false -> enum_cacerts(Rest, Certs)
>>>         end.
>>>
>>>
>>>         CACertFile = filename:join(hackney_util:privdir(), "ca-bundle.crt"),
>>>         {ok, ServerCAs} = file:read_file(CACertFile),
>>>         Pems = public_key:pem_decode(ServerCAs),
>>>         CaCerts = lists:map(fun({_, Der, _}) -> Der end, Pems),
>>>
>>>         PartialChain =  fun(ChainCerts) ->
>>>                             enum_cacerts(CaCerts, ChainCerts)
>>>                     end,
>>>
>>> And the SSL options are:
>>>
>>>                     [{partial_chain, PartialChain},
>>>                      {cacerts, CaCerts},
>>>                      {server_name_indication, Host},
>>>                      {verify_fun, {fun ssl_verify_hostname:verify_fun/3,
>>>                                    [{check_hostname, Host}]}},
>>>                      {verify, verify_peer},
>>>                      {depth, 99}];
>>>
>>> What am I doing wrong? I am not sure actually why the function is never
>>> executed. Any idea is welcome...
>>>
>>> - benoit
>>>
>>>
>>>
>>> _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>>