[erlang-questions] SSL Out of Order Cert Chain Question (9.2)

Mark Reynolds beastie@REDACTED
Thu Nov 7 19:45:45 CET 2019


If that helps, SSLLabs reports "Incorrect order, contains anchor" for this one. Maybe it's related to the anchor? 

On Thu, Nov 7, 2019, at 19:35, Michael Viveros wrote:
> Hi Ingela,
> 
> Curtis' example server from his first message, hooks.glip.com, presents its certificates out-of-order. The correct order is Peer -> Intermediate CA 1 -> Intermediate CA 2 -> Root CA but they get presented as Peer -> Root CA -> Intermediate CA 2 -> Intermediate CA 1 and this returns the "Unknown CA" error. You can confirm this by running `openssl s_client -connect hooks.glip.com:443`.
> 
> On Thu, Nov 7, 2019 at 1:23 PM Curtis J Schofield <curtis@REDACTED> wrote:
>> Hi Ingela
>> 
>> Thank you for your attention; perhaps Michael can explain this better.
>> 
>> Sent from ProtonMail Mobile
>> 
>> 
>> On Thu, Nov 7, 2019 at 6:55 AM, Ingela Andin <ingela.andin@REDACTED> wrote:
>>> Hi!
>>> 
>>> I tried this out and it is not out of order, it sends the peer cert followed by the intermediate cert repeated, that is the chain looks like [Peer, CA1, CA1].
>>> Looking at the TLS-1.3 RFC it looks like extra certs should be ignored too, so I suppose we need to add that.
>>> 
>>> Regards Ingela Erlang/OTP team - Ericsson AB
>>> 
>>> On Sat 2 Nov 2019 at 15:24, Mark Reynolds <beastie@REDACTED> wrote:
>>>> Hey,
>>>> 
>>>> I confirm that out of order certs do not seem to be fixed, and it fails with 'Unknown CA' error:
>>>> 
>>>> 
>>>> iex(2)> :hackney.get("https://social.fluffel.io")
>>>> {:error,
>>>> {:tls_alert, {:unknown_ca, 'received CLIENT ALERT: Fatal - Unknown CA'}}}
>>>> 
>>>> 
>>>> the only issue with this server TLS certificates is the chain order (CA is Letsencrypt): https://www.ssllabs.com/ssltest/analyze.html?d=social.fluffel.io
>>>> 
>>>> 
>>>> On Sat, Nov 2, 2019, at 01:12, Curtis J Schofield wrote:
>>>>> Hi!
>>>>> 
>>>>> Just curious if there is an update on out of order certs.
>>>>> 
>>>>> The example has id0, id1, id2, id3 certs with id1 being the natural
>>>>> root of id2 who is the root of id3, who is the root of id0.
>>>>> 
>>>>> We can correct the out of order problem by including id1,id2,id3 certs
>>>>> in our chain.
>>>>> 
>>>>> It would be nice to hear from the erlang maintainers around what kind of
>>>>> "out of order" erlang can handle nicely and if there is planned support for
>>>>> our case!
>>>>> 
>>>>> Thank you again,
>>>>> 
>>>>> Curtis.
>>>>> 
>>>>> 
>>>>> Sent through ProtonMail <https://protonmail.com/> Encrypted Email Channel.
>>>>> 
>>>>> 
>>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>>> On Saturday, October 19, 2019 4:34 PM, Curtis J Schofield <curtis@REDACTED> wrote:
>>>>> 
>>>>>> Hi! Thank you.
>>>>>> 
>>>>>> 
>>>>>> I included the root cert in the example. The root cert is id1 in cert chain - this is evident in the other file. 
>>>>>> 
>>>>>> It seems because the root cert is out of order - the cert chain is invalid - IIRC this may be true for tls1.2 - however the negotiation is at TLS1.2
>>>>>> 
>>>>>> 
>>>>>> Thank you for your consideration!
>>>>>> 
>>>>>> 
>>>>>> Sent from ProtonMail Mobile
>>>>>> 
>>>>>> 
>>>>>> On Sat, Oct 19, 2019 at 10:51 AM, Ingela Andin <ingela.andin@REDACTED> wrote:
>>>>>>> 
>>>>>>> Hi!
>>>>>>> 
>>>>>>> "Unknown CA" means that you did not have the ROOT certificate of the chain in your "trusted store" (cacerts option).
>>>>>>> If you do not own the ROOT certificate you can not trust the chain.
>>>>>>> 
>>>>>>> Regards Ingela Erlang/OTP Team - Ericsson AB
>>>>>>> 
>>>>>>> On Fri 18 Oct 2019 at 21:52, Curtis J Schofield <curtis@REDACTED> wrote:
>>>>>>>> Dear Erlang Questions:
>>>>>>>> 
>>>>>>>> 
>>>>>>>> SSL 9.0.2 mentions a patch to fix out of order cert chains
>>>>>>>> 
>>>>>>>> In SSL 9.2 we have a root CA and an out of order cert chain
>>>>>>>> for host hooks.glip.com.
>>>>>>>> 
>>>>>>>> When we try to verify peer with the out of order cert
>>>>>>>> chain we get 'Unknown CA'.
>>>>>>>> 
>>>>>>>> Is this expected behaviour for Erlang SSL 9.2 with verify_peer ?
>>>>>>>> 
>>>>>>>> The http://erlang.org/doc/apps/ssl/notes.html#ssl-9.0.2 notes
>>>>>>>> mention that other care may need to be taken to ensure compatibility.
>>>>>>>> 
>>>>>>>> Reproduce error:
>>>>>>>> 
>>>>>>>> https://github.com/robotarmy/out-of-order-ssl
>>>>>>>> 
>>>>>>>> Thank you,
>>>>>>>> Curtis and Team DevEco
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Sent through ProtonMail Encrypted Email Channel.
>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>> 
>> 
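The thread turns on what a client does with a chain that arrives in the wrong order, with the intermediate repeated, or with the root included: it rebuilds the path by following subject/issuer links from the end-entity certificate, and "Unknown CA" is what you get when that walk reaches an issuer that is neither in the presented set nor in the trust store (the `cacerts` option). The following is an added example, not code from this thread or from Erlang/OTP, that does exactly that walk and reports the findings an SSL Labs style check would ("incorrect order", "contains anchor", duplicates, unknown CA). Certificates are modelled as small dicts with only the subject and issuer fields path building needs, and every sample chain and CA name below is constructed to mirror the cases discussed above; in real use those fields would come from the DER certificates the server sent (`ssl:peercert/1` in OTP, or `openssl s_client -showcerts`).

```python
"""Certificate path building over a presented TLS chain (added example).

Certificates are modelled as dicts holding only subject and issuer; every
sample chain is constructed to mirror the thread (reversed chain with the
root included, intermediate sent twice, intermediates swapped).
"""
from typing import Dict, FrozenSet, List

Cert = Dict[str, str]


def cert(subject: str, issuer: str) -> Cert:
    """Constructed stand-in for an X.509 certificate (not a real cert)."""
    return {"subject": subject, "issuer": issuer}


def is_self_signed(c: Cert) -> bool:
    return c["subject"] == c["issuer"]


def build_path(presented: List[Cert], trusted: FrozenSet[str] = frozenset()) -> dict:
    """Rebuild leaf -> intermediates -> anchor order from whatever order was sent.

    `trusted` holds the subject names of the roots in the client's trust store
    (what OTP's `cacerts` option supplies). Returns the rebuilt path, a list of
    findings, and whether the path ends at a trusted root.
    """
    findings: List[str] = []

    # 1. Drop exact duplicates (the [Peer, CA1, CA1] case), keeping the first copy.
    unique: List[Cert] = []
    seen = set()
    for c in presented:
        key = (c["subject"], c["issuer"])
        if key in seen:
            findings.append(f"duplicate certificate: {c['subject']}")
        else:
            seen.add(key)
            unique.append(c)
    by_subject = {c["subject"]: c for c in unique}

    # 2. The end-entity certificate is the one that issued nothing else in the set.
    issuer_names = {c["issuer"] for c in unique if not is_self_signed(c)}
    leaves = [c for c in unique if c["subject"] not in issuer_names]
    if len(leaves) != 1:
        findings.append("cannot identify a unique end-entity certificate")
        return {"path": [], "findings": findings, "trusted": False}

    # 3. Follow issuer links from the leaf; stop at a self-signed cert or a gap.
    cur = leaves[0]
    path = [cur["subject"]]
    trusted_ok = False
    while True:
        if is_self_signed(cur):
            # Servers need not send the root; the client finds it in its trust store.
            findings.append(f"contains anchor: self-signed {cur['subject']} was sent")
            trusted_ok = cur["subject"] in trusted
            if not trusted_ok:
                findings.append(f"unknown CA: root {cur['subject']} is not in the trust store")
            break
        nxt = by_subject.get(cur["issuer"])
        if nxt is None:
            # Issuer was not sent: it must be a trust anchor, otherwise "Unknown CA".
            trusted_ok = cur["issuer"] in trusted
            if not trusted_ok:
                findings.append(f"unknown CA: no certificate for issuer {cur['issuer']}")
            break
        if nxt["subject"] in path:
            findings.append("issuer loop in presented certificates")
            break
        path.append(nxt["subject"])
        cur = nxt

    # 4. Compare the order actually sent with the rebuilt path.
    sent = [c["subject"] for c in unique]
    for extra in (s for s in sent if s not in path):
        findings.append(f"extra certificate: {extra}")
    if [s for s in sent if s in path] != path:
        findings.append("incorrect order: chain was not sent leaf first with each cert followed by its issuer")
    return {"path": path, "findings": findings, "trusted": trusted_ok}


# Constructed sample certificates; the names are placeholders, not real CAs.
ROOT = cert("Root CA", "Root CA")
CA2 = cert("Intermediate CA 2", "Root CA")
CA1 = cert("Intermediate CA 1", "Intermediate CA 2")
PEER = cert("hooks.example.test", "Intermediate CA 1")
PEER2 = cert("social.example.test", "Intermediate CA 2")

SAMPLE_CHAINS = {
    "reversed, anchor included": [PEER, ROOT, CA2, CA1],
    "intermediate repeated": [PEER2, CA2, CA2],
    "reversed intermediates": [PEER, CA2, CA1],
}

if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        r = build_path(chain, trusted=frozenset({"Root CA"}))
        print(f"{name}: trusted={r['trusted']} path={' -> '.join(r['path'])}")
        for f in r["findings"]:
            print("   ", f)
```

Run with no trusted roots and the first sample ends in "unknown CA", which is the same outcome the thread reports from OTP when the root is not in `cacerts`; with "Root CA" trusted the reversed chain still validates, it is merely flagged for order and for carrying the anchor. The point for a server operator is that a strict client is entitled to reject anything but leaf-first order, so fixing the bundle is the durable remedy; the point for a client author is that path building, not list position, decides trust.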