[erlang-questions] SSL Out of Order Cert Chain Question (9.2)

Ingela Andin ingela.andin@REDACTED
Mon Nov 11 11:16:59 CET 2019 

Hi!

I have a patch that solves the problem.  I have pushed it to my gitrepo
https://github.com/IngelaAndin/otp/tree/ingela/ssl/unorded-chain

I had to set the options {depth, 2} and {customize_hostname_check,
[{match_fun, CustomFun}]
where CustomFun = public_key:pkix_verify_hostname_match_fun(https)  as the
peer certificate is a wildcard cert.


Regard Ingela Erlang/OTP team


Den fre 8 nov. 2019 kl 21:46 skrev Curtis J Schofield <curtis@REDACTED>:

> Oh this is wonderful news!! Glad you were able to identify the code not
> reached !!
>
> Deeply appreciate your support and expertise!
>
> Best,
> Curtis
>
> Sent from ProtonMail Mobile
>
>
> On Fri, Nov 8, 2019 at 12:15 PM, Ingela Andin <ingela.andin@REDACTED>
> wrote:
>
> Hi!
>
> I think I am on to the problem, we have only  whitebox tested the unorded
> chain functionality (we intend to create a blackbox but that is a bigger
> job as we need to find some introp software that can create such chains or
> create a simulation modle),
> so I am positive  I found that we do not reach the code for sorting the
> chain.  I will try to fix it next week. It is easier now that I at least I
> got a server that I can manually blackbox  test with :)
>
> Regards Ingela Erlang/OTP Team - Ericsson AB
>
> Den tors 7 nov. 2019 kl 20:53 skrev Ingela Andin <ingela.andin@REDACTED>:
>
>> Hi!
>>
>> Den tors 7 nov. 2019 kl 19:35 skrev Michael Viveros <
>> michaelviveros@REDACTED>:
>>
>>> Hi Ingela,
>>>
>>> Curtis' example server from his first message, hooks.glip.com, presents
>>> its certificates out-of-order. The correct order is Peer -> Intermediate CA
>>> 1 - > Intermediate CA 2 -> Root CA but they get presented as Peer -> Root
>>> CA -> Intermediate CA 2 -> Intermediate CA 1 and this returns the "Unknown
>>> CA" error. You can confirm this by running `openssl s_client -connect
>>> hooks.glip.com:443`.
>>>
>>>
>> Yes I agree that this is an out of order chain, in contrast to the
>> social.fluffel.io.   I will look into it at work tomorrow.
>>
>> Regards Ingela Erlang/OTP Team - Ericsson AB
>>
>>
>>
>>> On Thu, Nov 7, 2019 at 1:23 PM Curtis J Schofield <curtis@REDACTED>
>>> wrote:
>>>
>>>> Hi Ingela
>>>>
>>>> Thank you for your attention- perhaps Micheal can explain this better..
>>>>
>>>> Sent from ProtonMail Mobile
>>>>
>>>>
>>>> On Thu, Nov 7, 2019 at 6:55 AM, Ingela Andin <ingela.andin@REDACTED>
>>>> wrote:
>>>>
>>>> Hi!
>>>>
>>>> I tried this out and it is not out of order, it sends the peer cert
>>>> followed by the intermediate cert repeated, that is the chain looks like
>>>> [Peer, CA1, CA1].
>>>> Looking at TLS-1.3 RFC it looks like extra certs should ignored too, so
>>>> I suppose we need to add that.
>>>>
>>>> Regards Ingela Erlang/OTP team - Ericsson AB
>>>>
>>>> Den lör 2 nov. 2019 kl 15:24 skrev Mark Reynolds <beastie@REDACTED>:
>>>>
>>>>> Hey,
>>>>>
>>>>> I confirm that out of order certs does not seems to be fixed, and it
>>>>> fails with 'Unknown CA' error:
>>>>>
>>>>>
>>>>> iex(2)> :hackney.get("https://social.fluffel.io")
>>>>> {:error,
>>>>> {:tls_alert, {:unknown_ca, 'received CLIENT ALERT: Fatal - Unknown
>>>>> CA'}}}
>>>>>
>>>>>
>>>>> the only issue with this server TLS certificates is the chain order
>>>>> (CA is Letsencrypt):
>>>>> https://www.ssllabs.com/ssltest/analyze.html?d=social.fluffel.io
>>>>>
>>>>>
>>>>> On Sat, Nov 2, 2019, at 01:12, Curtis J Schofield wrote:
>>>>>
>>>>> Hi!
>>>>>
>>>>> Just curious if there is an update on out of order certs.
>>>>>
>>>>> The example has id0, id1, id2, id3  certs with id1 being the natural
>>>>> root of id2 who is the root of id3, who is the root of id0.
>>>>>
>>>>> We can correct the out of order problem by including id1,id2,id3 certs
>>>>> in our chain.
>>>>>
>>>>> It would be nice to hear from the erlang maintainers around what kind
>>>>> of
>>>>> "out of order" erlang can handle nicely and if there is planned
>>>>> support for
>>>>> our case!
>>>>>
>>>>> Thank you again,
>>>>>
>>>>> Curtis.
>>>>>
>>>>>
>>>>> Sent through ProtonMail <https://protonmail.com> Encrypted Email
>>>>> Channel.
>>>>>
>>>>>
>>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>>> On Saturday, October 19, 2019 4:34 PM, Curtis J Schofield
>>>>> <curtis@REDACTED> wrote:
>>>>>
>>>>> Hi! Thank you.
>>>>>
>>>>>
>>>>> I included the root cert in the example. The root cert is id1 in cert
>>>>> chain - this is evident in the other file.
>>>>>
>>>>> It seems because the root cert is out of order - the cert chain is
>>>>> invalid - IIRC this may be true for tls1.2 - however the negotiation is at
>>>>> TLS1.2
>>>>>
>>>>>
>>>>> Thank you for your consideration!
>>>>>
>>>>>
>>>>> Sent from ProtonMail Mobile
>>>>>
>>>>>
>>>>> On Sat, Oct 19, 2019 at 10:51 AM, Ingela Andin <ingela.andin@REDACTED>
>>>>> wrote:
>>>>>
>>>>>
>>>>> Hi!
>>>>>
>>>>> "Unknown CA"  means that you did not have the ROOT certificate of the
>>>>> chian in your   "trusted store" (cacerts option).
>>>>> If you do not own the ROOT certificate you can not trust the chain.
>>>>>
>>>>> Regards Ingela Erlang/OTP Team - Ericsson AB
>>>>>
>>>>> Den fre 18 okt. 2019 kl 21:52 skrev Curtis J Schofield <curtis@REDACTED
>>>>> >:
>>>>>
>>>>> Dear Erlang Questions:
>>>>>
>>>>>
>>>>> SSL 9.0.2 mentions a patch to fix out of order cert chains
>>>>>
>>>>> In SSL 9.2 we have a root CA and an out of order cert chain
>>>>> for host hooks.glip.com.
>>>>>
>>>>> When we try to verify peer with the out of order cert
>>>>> chain we get 'Unknown CA'.
>>>>>
>>>>> Is this expected behaviour for Erlang SSL 9.2 with verify_peer ?
>>>>>
>>>>> The http://erlang.org/doc/apps/ssl/notes.html#ssl-9.0.2 notes
>>>>> mention that other care may need to be taken to ensure compatibility.
>>>>>
>>>>> Reproduce error:
>>>>>
>>>>> https://github.com/robotarmy/out-of-order-ssl
>>>>>
>>>>> Thank you,
>>>>> Curtis and Team DevEco
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Sent through ProtonMail Encrypted Email Channel.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> erlang-questions mailing list
>>>>> erlang-questions@REDACTED
>>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20191111/a3abb95b/attachment.htm>

More information about the erlang-questions mailing list