[erlang-questions] "Unknown CA" with ssl:connect/3 but "openssl s_client" succeeds

Luke Bakken luke@REDACTED
Tue Dec 5 03:31:23 CET 2017


Hello again -

With more investigation, this appears to be related to the certificate
bundles themselves. The commands I provide below work fine on OS X
10.12.6, for instance. But they fail using the following CA bundle:

https://curl.haxx.se/docs/caextract.html

curl works fine with that file when connecting to google.com:443, but
openssl and Erlang don't.

Anyway, if I figure out exactly what certs are missing in these files,
or what formatting within them causes issues, or what people can look
out for, I will follow up here.

Luke

On Mon, Dec 4, 2017 at 3:39 PM, Luke Bakken <luke@REDACTED> wrote:
> Hello everyone,
>
> I'm having a heck of a time getting ssl:connect/3 to verify the server
> certificate correctly using my system CA bundle.
>
> I'm using kerl-built Erlang 20.1.7 on Arch Linux. I also see the same
> behavior using the ESL-packaged Erlang 20 on Ubuntu 16.
>
> This is what is failing (on Ubuntu the cacertfile path is
> "/etc/ssl/certs/ca-certificates.crt"):
>
> ----
>
> application:ensure_all_started(ssl),
> ssl:connect("google.com", 443,
>             [{verify, verify_peer},
>              {reuse_sessions, false},
>              {cacertfile, "/etc/ssl/cert.pem"},
>              {depth, 99}]).
>
> =INFO REPORT==== 4-Dec-2017::15:07:45 ===
> TLS client: In state certify at ssl_handshake.erl:1626 generated
> CLIENT ALERT: Fatal - Unknown CA
>
> {error,{tls_alert,"unknown ca"}}
>
> ----
>
> However, the following succeeds on both Arch Linux as well as Ubuntu 16:
>
> Arch Linux command:
>
> openssl s_client -verify 99 -connect google.com:443 -CAfile /etc/ssl/cert.pem
>
> Ubuntu 16 command:
>
> openssl s_client -verify 99 -connect google.com:443 -CAfile /etc/ssl/certs/ca-certificates.crt
>
> The command returns success: "Verify return code: 0 (ok)"
>
> If I run ssl_pkix_db:extract_trusted_certs("/etc/ssl/cert.pem") it
> does return 140 decoded certificates, which is the expected number:
>
> $ fgrep BEGIN /etc/ssl/cert.pem |wc -l
> 140
>
> I did a little bit of digging and found that
> ssl_certificate:find_issuer/4 is returning {error,issuer_not_found}.
>
> Thanks in advance and let me know how I can help further, or if I
> missed something obvious!
> Luke
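A way to narrow down the issuer_not_found result offline, as an added example
that is not part of the original post and not OTP's own code: save the
server's chain with `openssl s_client -showcerts` and run the escript below
against it and the CA bundle. It decodes both files with public_key:pem_decode/1,
asks public_key:pkix_is_issuer/2 for every chain certificate whether an issuer
exists in the bundle (or only further up the chain), and finally runs
public_key:pkix_path_validation/3 from the trusted certificate that issued the
top of the chain. The script name, the chain.pem file name and the helper
function names are this example's own assumptions.

```erlang
#!/usr/bin/env escript
%% check_chain.erl: added example, not code from the original post or from OTP.
%% Reads a CA bundle and a server chain saved with
%%   openssl s_client -showcerts -connect google.com:443 </dev/null > chain.pem
%% and reports, for each certificate in the chain, whether an issuer exists in
%% the bundle, using the public_key calls the ssl application builds on.
%% File names and helper names are this example's own assumptions.
%% Usage: escript check_chain.erl /etc/ssl/cert.pem chain.pem

-include_lib("public_key/include/public_key.hrl").

main([BundlePath, ChainPath]) ->
    Trusted = load_certs(BundlePath),
    Chain = load_certs(ChainPath),            % peer first, as s_client prints it
    io:format("~p trusted certs, ~p certs in server chain~n",
              [length(Trusted), length(Chain)]),
    lists:foreach(fun(Der) -> report(Der, Trusted, Chain) end, Chain),
    case validate(Trusted, Chain) of
        {ok, _} -> io:format("path validation: ok~n");
        {error, Reason} -> io:format("path validation: ~p~n", [Reason])
    end;
main(_) ->
    io:format("usage: check_chain.erl CA_BUNDLE_PEM SERVER_CHAIN_PEM~n"),
    halt(1).

%% Decode every CERTIFICATE entry of a PEM file to DER. Entries carrying any
%% other label are counted and dropped, so a bundle whose entries are not plain
%% CERTIFICATE blocks shows up here rather than as a silently shorter list.
load_certs(Path) ->
    {ok, Bin} = file:read_file(Path),
    Entries = public_key:pem_decode(Bin),
    Certs = [Der || {'Certificate', Der, not_encrypted} <- Entries],
    case length(Entries) - length(Certs) of
        0 -> ok;
        N -> io:format("~s: ~p PEM entries are not CERTIFICATE blocks~n", [Path, N])
    end,
    Certs.

%% The issuer lookup a handshake has to make: does any trusted cert (or another
%% cert sent in the chain) carry the subject this cert names as its issuer?
report(Der, Trusted, Chain) ->
    Cert = public_key:pkix_decode_cert(Der, otp),
    #'OTPCertificate'{tbsCertificate =
        #'OTPTBSCertificate'{subject = Subject, issuer = Issuer}} = Cert,
    InBundle = [T || T <- Trusted, public_key:pkix_is_issuer(Cert, T)],
    InChain = [C || C <- Chain, C =/= Der, public_key:pkix_is_issuer(Cert, C)],
    Status = case {InBundle, InChain, public_key:pkix_is_self_signed(Cert)} of
                 {[_ | _], _, _} -> "issuer found in CA bundle";
                 {[], [_ | _], _} -> "issuer found in server chain only";
                 {[], [], true} -> "self-signed, not in CA bundle";
                 {[], [], false} -> "ISSUER NOT FOUND in bundle or chain"
             end,
    io:format("  ~s~n    issuer ~s: ~s~n", [cn(Subject), cn(Issuer), Status]).

%% Validate the chain root-side first, anchored on the trusted cert that issued
%% its top; pkix_path_validation/3 expects the chain ordered that way.
validate(_Trusted, []) ->
    {error, empty_chain};
validate(Trusted, Chain) ->
    [Top | _] = Ordered = lists:reverse(Chain),
    case [T || T <- Trusted, public_key:pkix_is_issuer(Top, T)] of
        [] -> {error, no_trusted_issuer_for_top_of_chain};
        [Anchor | _] -> public_key:pkix_path_validation(Anchor, Ordered, [])
    end.

%% Pull the commonName out of an RDN sequence for readable output.
cn({rdnSequence, RDNs}) ->
    case [V || [#'AttributeTypeAndValue'{type = ?'id-at-commonName',
                                         value = V}] <- RDNs] of
        [V | _] -> to_string(V);
        [] -> "<no CN>"
    end.

to_string({utf8String, Bin}) -> binary_to_list(Bin);
to_string({printableString, Str}) -> Str;
to_string({teletexString, Str}) -> Str;
to_string(Other) -> lists:flatten(io_lib:format("~p", [Other])).
```

Running it against both bundles mentioned in the thread, with the same chain
file, shows directly whether the difference is a missing root (the intermediate
reports ISSUER NOT FOUND) or a bundle entry that pem_decode does not hand back
as a CERTIFICATE block (the skipped-entries count is non-zero), which is the
distinction the openssl and curl results alone do not make.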


