[erlang-questions] SSL Out of Order Cert Chain Question (9.2)

Curtis J Schofield curtis@REDACTED
Sat Nov 2 01:12:57 CET 2019


Just curious if there is an update on out of order certs.

The example has id0, id1, id2, id3  certs with id1 being the natural
root of id2 who is the root of id3, who is the root of id0.

We can correct the out of order problem by including id1,id2,id3 certs
in our chain.

It would be nice to hear from the erlang maintainers around what kind of
"out of order" erlang can handle nicely and if there is planned support for
our case!

Thank you again,


Sent through [ProtonMail](https://protonmail.com) Encrypted Email Channel.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, October 19, 2019 4:34 PM, Curtis J Schofield <curtis@REDACTED> wrote:

> Hi! Thank you.
> I included the root cert in the example. The root cert is id1 in cert chain - this is evident in the other file.
> It seems because the root cert is out of order - the cert chain is invalid - IIRC this may be true for tls1.2 - however the negotiation is at TLS1.2
> Thank you for your consideration!
> Sent from ProtonMail Mobile
> On Sat, Oct 19, 2019 at 10:51 AM, Ingela Andin <ingela.andin@REDACTED> wrote:
>> Hi!
>> "Unknown CA"  means that you did not have the ROOT certificate of the chian in your   "trusted store" (cacerts option).
>> If you do not own the ROOT certificate you can not trust the chain.
>> Regards Ingela Erlang/OTP Team - Ericsson AB
>> Den fre 18 okt. 2019 kl 21:52 skrev Curtis J Schofield <curtis@REDACTED>:
>>> Dear Erlang Questions:
>>> SSL 9.0.2 mentions a patch to fix out of order cert chains
>>> In SSL 9.2 we have a root CA and an out of order cert chain
>>> for host hooks.glip.com.
>>> When we try to verify peer with the out of order cert
>>> chain we get 'Unknown CA'.
>>> Is this expected behaviour for Erlang SSL 9.2 with verify_peer ?
>>> The http://erlang.org/doc/apps/ssl/notes.html#ssl-9.0.2 notes
>>> mention that other care may need to be taken to ensure compatibility.
>>> Reproduce error:
>>> https://github.com/robotarmy/out-of-order-ssl
>>> Thank you,
>>> Curtis and Team DevEco
>>> Sent through ProtonMail Encrypted Email Channel.
>>> _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20191102/d04824b9/attachment.htm>

More information about the erlang-questions mailing list