[erlang-questions] bad certificate if trying to verify StartSsl certificate

Benoit Chesneau <>
Thu Sep 10 18:46:14 CEST 2015


On Thu, Sep 10, 2015 at 12:44 PM Ben Murphy <> wrote:

> I have a verify function that hacks around this problem. It adds the
> certs to a list during the 'verification' then it resorts and passes
> it off to the path validation. However, this function only supports
> validation from a single root cert because we are using it in
> production to connect to a server that has a chain signed by a
> non-public CA. You use it like: {verify_fun,
> fixed_root_lenient_verifier:create_verify_function(DerCaCert, 10)}
>
> Use this module at your own risk it may effectively disable your SSL
> security. I really think this resorting should be done in OTP or OTP
> should supply a cleaner hook for resorting. A hook that gives you the
> chain and the cacerts and lets you send back a new chain would be
> perfect :)
>


ThanksBen! At least your code gave me some hints. I came to a simpler
solution for now:

https://github.com/benoitc/hackney/pull/241

Though I am not really sure it's correct. The only thing it does is to skip
the self signed certificate and try to find a good one. Any feedback is
appreciated.

What would be the best way to reorder the certificate chain?

- benoit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20150910/abdd3c9d/attachment.html>


More information about the erlang-questions mailing list