[erlang-questions] "Unknown CA" with ssl:connect/3 but "openssl s_client" succeeds
Luke Bakken
luke@REDACTED
Tue Dec 5 00:39:06 CET 2017
Hello everyone,
I'm having a heck of a time getting ssl:connect/3 to verify the server
certificate correctly using my system CA bundle.
I'm using kerl-built Erlang 20.1.7 on Arch Linux. I also see the same
behavior using the ESL-packaged Erlang 20 on Ubuntu 16.
This is what is failing (on Ubuntu the cacertfile path is
"/etc/ssl/certs/ca-certificates.crt"):
----
application:ensure_all_started(ssl), ssl:connect("google.com", 443,
[{verify,verify_peer},{reuse_sessions,false},{cacertfile,"/etc/ssl/cert.pem"},{depth,99}]).
=INFO REPORT==== 4-Dec-2017::15:07:45 ===
TLS client: In state certify at ssl_handshake.erl:1626 generated
CLIENT ALERT: Fatal - Unknown CA
{error,{tls_alert,"unknown ca"}}
----
However, the following succeeds on both Arch Linux as well as Ubuntu 16:
Arch Linux command:
openssl s_client -verify 99 -connect google.com:443 -CAfile /etc/ssl/cert.pem
Ubuntu 16 command:
openssl s_client -verify 99 -connect google.com:443 -CAfile /etc/ssl/certs/ca-certificates.crt
The command returns success: "Verify return code: 0 (ok)"
If I run ssl_pkix_db:extract_trusted_certs("/etc/ssl/cert.pem") it
does return 140 decoded certificates, which is the expected number:
$ fgrep BEGIN /etc/ssl/cert.pem |wc -l
140
I did a little bit of digging and found that
ssl_certificate:find_issuer/4 is returning {error,issuer_not_found}.
Thanks in advance and let me know how I can help further, or if I
missed something obvious!
Luke
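An added diagnostic (not from this thread or from OTP itself) that redoes the lookup ssl_certificate:find_issuer/4 performs in user space with public_key, so the point at which the lookup fails can be seen directly: it loads the CA bundle, reports entries that do not decode, takes the last certificate the server sent, searches the bundle for a certificate whose subject matches its issuer, and then runs public_key:pkix_path_validation/3 with that candidate as the trust anchor. The script name check_chain.erl and the chain file are assumptions; the chain file is expected to hold the server's certificates leaf first, as saved from `openssl s_client -showcerts`.

```erlang
#!/usr/bin/env escript
%% Added diagnostic; assumed usage: escript check_chain.erl /etc/ssl/cert.pem chain.pem
%% chain.pem is assumed to hold the certificates the server sent, leaf first
%% (for example saved from `openssl s_client -showcerts`).
-include_lib("public_key/include/public_key.hrl").

main([CaFile, ChainFile]) ->
    Trusted = load_certs(CaFile),
    Chain = load_certs(ChainFile),
    Bad = [D || D <- Trusted, not decodable(D)],
    io:format("~p certs in bundle (~p fail to decode), ~p certs in chain~n",
              [length(Trusted), length(Bad), length(Chain)]),
    %% The last cert the server sent is the one whose issuer ssl must find in
    %% the bundle; this mirrors the lookup ssl_certificate:find_issuer/4 makes.
    Top = lists:last(Chain),
    io:format("chain top: subject=~s issuer=~s self_signed=~p~n",
              [cn(subject(Top)), cn(issuer(Top)), public_key:pkix_is_self_signed(Top)]),
    case [C || C <- Trusted, decodable(C), public_key:pkix_is_issuer(Top, C)] of
        [] ->
            io:format("no bundle cert has a subject matching that issuer~n"),
            halt(1);
        [Root | _] ->
            io:format("candidate trusted CA: ~s~n", [cn(subject(Root))]),
            %% Validate root-first, the order ssl hands the path to public_key.
            case public_key:pkix_path_validation(Root, lists:reverse(Chain), []) of
                {ok, _} -> io:format("path validation: ok~n");
                {error, Reason} -> io:format("path validation failed: ~p~n", [Reason])
            end
    end;
main(_) ->
    io:format("usage: check_chain.erl CAFILE CHAINFILE~n"),
    halt(2).
load_certs(File) ->
    {ok, Pem} = file:read_file(File),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].
%% True if the entry decodes the way ssl_pkix_db:extract_trusted_certs/1 expects.
decodable(Der) ->
    try public_key:pkix_decode_cert(Der, otp), true catch _:_ -> false end.
subject(Der) -> (tbs(Der))#'OTPTBSCertificate'.subject.
issuer(Der) -> (tbs(Der))#'OTPTBSCertificate'.issuer.
tbs(Der) -> (public_key:pkix_decode_cert(Der, otp))#'OTPCertificate'.tbsCertificate.
%% Pull the commonName out of an X.520 name for readable output.
cn({rdnSequence, Rdns}) ->
    CNs = [V || Rdn <- Rdns,
                #'AttributeTypeAndValue'{type = ?'id-at-commonName', value = V} <- Rdn],
    case CNs of
        [{utf8String, Bin} | _] -> unicode:characters_to_list(Bin);
        [{_, Str} | _] when is_list(Str) -> Str;
        _ -> "<no CN>"
    end.
```

If the bundle count matches `fgrep BEGIN` but no subject matches the chain top's issuer, the gap is in the name comparison rather than in bundle loading; if a candidate is found but path validation fails, the returned `{bad_cert, Reason}` names the failing check.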