[erlang-questions] bad certificate if trying to verify StartSsl certificate

Benoit Chesneau <>
Thu Sep 10 11:47:40 CEST 2015


I have tested the SSL certificate on

ssllab:

https://www.ssllabs.com/ssltest/analyze.html?d=rest%2dapi.pay.nl&s=37.46.137.138&hideResults=on


and the certificate seems OK. Not sure what the issue is then. For
information, the CA bundle used comes from the curl project itself:
https://github.com/bagder/ca-bundle and I am using Erlang 18.0.3.



On Thu, Sep 10, 2015 at 11:02 AM Benoit Chesneau <>
wrote:

> I
> On Tue, Aug 11, 2015 at 9:54 AM Ingela Andin <>
> wrote:
>
>> Hi!
>>
>> 2015-07-16 11:16 GMT+02:00 Alex Hudich <>:
>>
>>> Hi!
>>>
>>>
>>>
>>> wget http://curl.haxx.se/ca/cacert.pem
>>>
>>> and then
>>>
>>> ssl:connect( "www.nicemine.ru", 443,
>>> [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}]
>>> ).
>>>
>>> gives me {error,{tls_alert,"bad certificate"}}
>>>
>>>
>>>
>>>
>> This site is not sending a correct certificate chain. I get all the
>> certificates that shall be in the chain but scrambled around and not in the
>> correct order, which is breaking the
>> SSL/TLS protocol. OpenSSL will also get the error above when trying to
>> verify that chain, but later versions of OpenSSL and also other
>> implementations obviously try to work around this by attempting to sort
>> them and run the validation again.
>>
>> You could do that too using the verify_fun if you really want to. We
>> would rather not make that a default feature as breaking security protocols
>> is usually a bad idea that could lead to vulnerabilities.
>>
>>
>> Regards Ingela Erlang/OTP Team - Ericsson AB
>>
>>
>
> I have the same issue on another host: rest-api.pay.nl:
>
> 15> ssl:connect( "rest-api.pay.nl", 443,
> [{verify,verify_peer},{server_name_indication,"rest-api.pay.nl"},{depth,2},{cacertfile,
> "priv/ca-bundle.crt"}] ).
>
> =ERROR REPORT==== 10-Sep-2015::11:01:31 ===
> SSL: certify: ssl_handshake.erl:1476:Fatal error: bad certificate
> {error,{tls_alert,"bad certificate"}}
>
>
> the chain looks correct for me and curl handles it without issue. What do
> you mean by sorting certificates? Any example?
>
> - benoit
>
>
>
>
>>
>>
>>> Why? The site can be opened OK in the browser.
>>>
>>> Erlang/OTP 17 [erts-6.3]
>>>
>>>
>>> _______________________________________________
>>> erlang-questions mailing list
>>> 
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>
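The "sort them and run the validation again" workaround Ingela describes, as an added example for this thread (it is not code from OTP or from any of the posters). The module name chain_order and the function names are made up for the illustration. It uses only public_key functions that exist in OTP 18: pkix_decode_cert/2, pkix_is_issuer/2, pkix_is_self_signed/1 and pkix_path_validation/3. The demo/0 function builds a constructed root -> intermediate -> peer chain with public_key:pkix_test_data/1, which only exists from OTP 20 on, and assumes its cacerts list contains both the root and the intermediate; order_chain/1 and validate/2 themselves do not depend on that.

```erlang
%% chain_order.erl -- added example for this thread, not OTP code.
%% Reorders a certificate chain that a server sent out of order and then
%% validates it with public_key:pkix_path_validation/3, i.e. the "sort the
%% certificates and run the validation again" workaround mentioned above.
-module(chain_order).
-export([order_chain/1, validate/2, demo/0]).

%% order_chain([DerCert]) -> [DerCert]
%% Returns the chain peer-first, each certificate followed by its issuer.
%% It fails instead of guessing when there is no unique leaf or an issuer
%% link is ambiguous: a chain that cannot be ordered must not be accepted.
order_chain(Ders) ->
    Certs = [{Der, public_key:pkix_decode_cert(Der, otp)} || Der <- Ders],
    %% The peer (leaf) is the one certificate that issued none of the others.
    NotIssuerOfAny =
        fun({_, Otp}) ->
                not lists:any(fun({_, Other}) ->
                                      Other =/= Otp andalso
                                      public_key:pkix_is_issuer(Other, Otp)
                              end, Certs)
        end,
    case lists:filter(NotIssuerOfAny, Certs) of
        [Leaf] -> walk(Leaf, Certs -- [Leaf], [Leaf]);
        []     -> error(no_leaf_certificate);
        Many   -> error({ambiguous_leaf, length(Many)})
    end.

%% Follow the issuer links: from the current certificate, pick the single
%% remaining certificate that issued it, until no issuer is left in the set.
walk({_, Otp}, Remaining, Acc) ->
    case [C || {_, Cand} = C <- Remaining,
               public_key:pkix_is_issuer(Otp, Cand)] of
        [Next] -> walk(Next, Remaining -- [Next], [Next | Acc]);
        []     -> [Der || {Der, _} <- lists:reverse(Acc)];
        _      -> error(ambiguous_issuer)
    end.

%% validate(TrustedRootDer, PeerFirstChain) -> {ok, _} | {error, {bad_cert, _}}
%% pkix_path_validation/3 takes the trust anchor separately and wants the
%% rest of the chain ordered from the certificate the anchor issued down to
%% the peer, so a self-signed root sent by the server is dropped and the
%% peer-first list is reversed.
validate(TrustedRootDer, PeerFirstChain) ->
    Path = [D || D <- PeerFirstChain, not public_key:pkix_is_self_signed(D)],
    public_key:pkix_path_validation(TrustedRootDer, lists:reverse(Path), []).

%% demo() builds a constructed test chain (root -> intermediate -> peer)
%% with public_key:pkix_test_data/1 (OTP 20 and later, not available on the
%% OTP 18 used in the thread), scrambles it, and shows that the scrambled
%% order fails path validation while the reordered chain passes.
demo() ->
    Conf = public_key:pkix_test_data(#{root => [],
                                        intermediates => [[]],
                                        peer => []}),
    PeerDer = proplists:get_value(cert, Conf),
    CAs = proplists:get_value(cacerts, Conf),        % assumed: root + intermediate
    [RootDer] = [D || D <- CAs, public_key:pkix_is_self_signed(D)],
    [InterDer] = CAs -- [RootDer],
    %% Chain as a misbehaving server might send it: intermediate, root, peer.
    Scrambled = [InterDer, RootDer, PeerDer],
    {error, {bad_cert, _}} = validate(RootDer, Scrambled),
    %% Sorted chain: peer, intermediate, root.
    Ordered = [PeerDer, InterDer, RootDer] = order_chain(Scrambled),
    {ok, _} = validate(RootDer, Ordered),
    ok.
```

order_chain/1 only looks at issuer/subject links, so it reorders a chain but never adds trust: whatever comes out still has to pass validate/2 against a root you actually hold in your CA bundle. On OTP 18 the ssl application still sends the alert on its own before a verify_fun gets a chance to reorder anything, so this is useful as a diagnostic for "is the chain merely out of order, or is it actually broken?" rather than as a drop-in fix, and the caveat Ingela gives about not relaxing the protocol check by default still applies.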