[erlang-questions] SSL Out of Order Cert Chain Question (9.2)

Curtis J Schofield curtis@REDACTED
Sun Oct 20 01:34:49 CEST 2019


Hi! Thank you.

I included the root cert in the example. The root cert is id1 in the cert chain; this is evident in the other file.

It seems that because the root cert is out of order, the cert chain is invalid. IIRC this may be true for TLS 1.2; however, the negotiation is at TLS 1.2.

Thank you for your consideration!

Sent from ProtonMail Mobile

On Sat, Oct 19, 2019 at 10:51 AM, Ingela Andin <ingela.andin@REDACTED> wrote:

> Hi!
>
> "Unknown CA" means that you did not have the ROOT certificate of the chain in your "trusted store" (cacerts option).
> If you do not own the ROOT certificate you can not trust the chain.
>
> Regards, Ingela
> Erlang/OTP Team - Ericsson AB
>
> Den fre 18 okt. 2019 kl 21:52 skrev Curtis J Schofield <curtis@REDACTED>:
>
>> Dear Erlang Questions:
>>
>> SSL 9.0.2 mentions a patch to fix out of order cert chains
>>
>> In SSL 9.2 we have a root CA and an out of order cert chain
>> for host hooks.glip.com.
>>
>> When we try to verify peer with the out of order cert
>> chain we get 'Unknown CA'.
>>
>> Is this expected behaviour for Erlang SSL 9.2 with verify_peer ?
>>
>> The http://erlang.org/doc/apps/ssl/notes.html#ssl-9.0.2 notes
>> mention that other care may need to be taken to ensure compatibility.
>>
>> Reproduce error:
>>
>> https://github.com/robotarmy/out-of-order-ssl
>>
>> Thank you,
>> Curtis and Team DevEco
>>
>> Sent through ProtonMail Encrypted Email Channel.
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
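As an added illustration (not code from the thread, from OTP, or from the linked repository), the module below takes a PEM chain file whose certificates may be in any order and a PEM file holding the root that should be in the trusted store, puts the chain in issuer-first order, drops any copy of the self-signed root that was shipped inside the chain, and runs `public_key:pkix_path_validation/3` against the trusted root, so an ordering problem can be told apart from a genuinely missing anchor; the module name, file names and the `connect/2` helper are assumptions.

```erlang
%% chain_check: diagnose an out-of-order chain against a trusted root.
%% Added example; module name, file names and connect/2 are assumptions.
-module(chain_check).
-export([check/2, order/1, connect/2]).

%% Read every certificate in a PEM file as DER binaries.
certs(File) ->
    {ok, Pem} = file:read_file(File),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

%% Put a chain in the order pkix_path_validation/3 expects:
%% the certificate issued by the trust anchor first, the peer (leaf) last.
order(Certs) ->
    IsIssued = fun(C) -> lists:any(fun(O) -> O =/= C andalso
                                            public_key:pkix_is_issuer(C, O)
                                   end, Certs) end,
    %% The leaf is the one certificate that issues none of the others.
    case [C || C <- Certs, not lists:any(fun(O) -> O =/= C andalso
                                                  public_key:pkix_is_issuer(O, C)
                                         end, Certs)] of
        [Leaf] -> build(Leaf, Certs -- [Leaf], [Leaf], IsIssued);
        Leaves -> {error, {ambiguous_leaf, length(Leaves)}}
    end.

%% Walk from the leaf towards the root, prepending each issuer.
build(Cur, Rest, Acc, IsIssued) ->
    case [C || C <- Rest, public_key:pkix_is_issuer(Cur, C)] of
        [Issuer | _] -> build(Issuer, Rest -- [Issuer], [Issuer | Acc], IsIssued);
        []           -> Acc
    end.

%% Validate the (re-ordered) chain against the root we claim to trust.
%% A chain that also carries the self-signed root (as in the thread) has
%% that copy removed; the trusted root is supplied separately.
check(ChainPem, RootPem) ->
    [Root] = certs(RootPem),
    Chain = [C || C <- certs(ChainPem), not public_key:pkix_is_self_signed(C)],
    case order(Chain) of
        {error, _} = E -> E;
        Path ->
            case public_key:pkix_path_validation(Root, Path, []) of
                {ok, _} -> ok;
                {error, {bad_cert, Reason}} -> {error, Reason}
            end
    end.

%% The client-side setting the thread is about: verify the peer against
%% a trusted store that contains the root, with SNI set for the host.
connect(Host, RootPem) ->
    ssl:start(),
    ssl:connect(Host, 443, [{verify, verify_peer}, {cacertfile, RootPem},
                            {server_name_indication, Host}], 5000).
```

`check/2` returning `ok` while `connect/2` still fails with `unknown_ca` points at the store handed to `cacertfile`/`cacerts` rather than at the order of the chain.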