[erlang-questions] SSL certificate examination (otp/lib/ssl and otp/lib/public_key questions)

Red Davies <>
Fri May 1 16:35:49 CEST 2015


I'm wanting to write code which makes an SSL connection to a remote
server in order to download an analyze the certificate and the
certificate chain.  As OTP already has functions for doing certificate
validation given a chunk of CA certificates I didn't want to re-invent
that wheel with my own "personal brand" of bugs.

The issue I'm having is that I'm failing SSL certificate validation
for some websites for reasons that I don't seem to be able to
ascertain using verify_peer and providing a cacertfile.

Specifically, I get the following error:
10:06:19.142 [error] SSL: :certify: ssl_handshake.erl:1403:Fatal
error: handshake failure
and the following tuple:  {:tls_alert, 'handshake failure'}

When I see that kind of message it makes me think of protocol
negotiation errors such as not being able to agree on a cipher.
Certificate failures I would expect to come in the format found in

My confusion lies in when I run the same request without any
verification (empty options) and the connection negotiates flawlessly.

When I watch the SSL negotiation on the wire using wireshark it all
seems to be going well until the client (erlang) terminates the
session with a handshake-failure.

I'm still very VERY new to the erlang ecosystem so please forgive my
questions if they lean too far on the elementary side but I'm looking
for guidance on how to further debug this.

Ideally, I would like to find out exactly where in ssl/public_key the
negotiation is failing but I don't have sufficient experience in the
language to know how to approach this.  Looking at the sources and
following along in my head I'm pretty sure it's failing in
public_key.erl in one of the catch-all clauses but I have no idea how
to approach tracing activity through such a module so I can either fix
it or supply an additional untested failure-mode upstream.

Can I step through otp library code execution and examine values at
each step?  Is this even a good idea?

If the answer is a thousand lines of debugging is there a
best-practice for making such (temporary) modifications for debugging?
 Am I going in completely the wrong direction?

Any pointers to resources that could help me take this debugging
process to the next level would be appreciated.

If it make any difference, the certificate it's failing on is
intermittently www.google.com and gmail.com (intermittent because the
IPs keep moving, not because behaviour is changing in the

The certificate for my website validates flawlessly consistently.



More information about the erlang-questions mailing list