[erlang-questions] SSL Out of Order Cert Chain Question (9.2)

Ingela Andin ingela.andin@REDACTED
Thu Nov 7 20:53:37 CET 2019 

Hi!

Den tors 7 nov. 2019 kl 19:35 skrev Michael Viveros <
michaelviveros@REDACTED>:

> Hi Ingela,
>
> Curtis' example server from his first message, hooks.glip.com, presents
> its certificates out-of-order. The correct order is Peer -> Intermediate CA
> 1 - > Intermediate CA 2 -> Root CA but they get presented as Peer -> Root
> CA -> Intermediate CA 2 -> Intermediate CA 1 and this returns the "Unknown
> CA" error. You can confirm this by running `openssl s_client -connect
> hooks.glip.com:443`.
>
>
Yes I agree that this is an out of order chain, in contrast to the
social.fluffel.io.   I will look into it at work tomorrow.

Regards Ingela Erlang/OTP Team - Ericsson AB



> On Thu, Nov 7, 2019 at 1:23 PM Curtis J Schofield <curtis@REDACTED> wrote:
>
>> Hi Ingela
>>
>> Thank you for your attention- perhaps Micheal can explain this better..
>>
>> Sent from ProtonMail Mobile
>>
>>
>> On Thu, Nov 7, 2019 at 6:55 AM, Ingela Andin <ingela.andin@REDACTED>
>> wrote:
>>
>> Hi!
>>
>> I tried this out and it is not out of order, it sends the peer cert
>> followed by the intermediate cert repeated, that is the chain looks like
>> [Peer, CA1, CA1].
>> Looking at TLS-1.3 RFC it looks like extra certs should ignored too, so I
>> suppose we need to add that.
>>
>> Regards Ingela Erlang/OTP team - Ericsson AB
>>
>> Den lör 2 nov. 2019 kl 15:24 skrev Mark Reynolds <beastie@REDACTED>:
>>
>>> Hey,
>>>
>>> I confirm that out of order certs does not seems to be fixed, and it
>>> fails with 'Unknown CA' error:
>>>
>>>
>>> iex(2)> :hackney.get("https://social.fluffel.io")
>>> {:error,
>>> {:tls_alert, {:unknown_ca, 'received CLIENT ALERT: Fatal - Unknown CA'}}}
>>>
>>>
>>> the only issue with this server TLS certificates is the chain order (CA
>>> is Letsencrypt):
>>> https://www.ssllabs.com/ssltest/analyze.html?d=social.fluffel.io
>>>
>>>
>>> On Sat, Nov 2, 2019, at 01:12, Curtis J Schofield wrote:
>>>
>>> Hi!
>>>
>>> Just curious if there is an update on out of order certs.
>>>
>>> The example has id0, id1, id2, id3  certs with id1 being the natural
>>> root of id2 who is the root of id3, who is the root of id0.
>>>
>>> We can correct the out of order problem by including id1,id2,id3 certs
>>> in our chain.
>>>
>>> It would be nice to hear from the erlang maintainers around what kind of
>>> "out of order" erlang can handle nicely and if there is planned support
>>> for
>>> our case!
>>>
>>> Thank you again,
>>>
>>> Curtis.
>>>
>>>
>>> Sent through ProtonMail <https://protonmail.com> Encrypted Email
>>> Channel.
>>>
>>>
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>> On Saturday, October 19, 2019 4:34 PM, Curtis J Schofield <curtis@REDACTED>
>>> wrote:
>>>
>>> Hi! Thank you.
>>>
>>>
>>> I included the root cert in the example. The root cert is id1 in cert
>>> chain - this is evident in the other file.
>>>
>>> It seems because the root cert is out of order - the cert chain is
>>> invalid - IIRC this may be true for tls1.2 - however the negotiation is at
>>> TLS1.2
>>>
>>>
>>> Thank you for your consideration!
>>>
>>>
>>> Sent from ProtonMail Mobile
>>>
>>>
>>> On Sat, Oct 19, 2019 at 10:51 AM, Ingela Andin <ingela.andin@REDACTED>
>>> wrote:
>>>
>>>
>>> Hi!
>>>
>>> "Unknown CA"  means that you did not have the ROOT certificate of the
>>> chian in your   "trusted store" (cacerts option).
>>> If you do not own the ROOT certificate you can not trust the chain.
>>>
>>> Regards Ingela Erlang/OTP Team - Ericsson AB
>>>
>>> Den fre 18 okt. 2019 kl 21:52 skrev Curtis J Schofield <curtis@REDACTED>:
>>>
>>> Dear Erlang Questions:
>>>
>>>
>>> SSL 9.0.2 mentions a patch to fix out of order cert chains
>>>
>>> In SSL 9.2 we have a root CA and an out of order cert chain
>>> for host hooks.glip.com.
>>>
>>> When we try to verify peer with the out of order cert
>>> chain we get 'Unknown CA'.
>>>
>>> Is this expected behaviour for Erlang SSL 9.2 with verify_peer ?
>>>
>>> The http://erlang.org/doc/apps/ssl/notes.html#ssl-9.0.2 notes
>>> mention that other care may need to be taken to ensure compatibility.
>>>
>>> Reproduce error:
>>>
>>> https://github.com/robotarmy/out-of-order-ssl
>>>
>>> Thank you,
>>> Curtis and Team DevEco
>>>
>>>
>>>
>>>
>>> Sent through ProtonMail Encrypted Email Channel.
>>>
>>>
>>> _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20191107/af2e4e0b/attachment.htm>

More information about the erlang-questions mailing list