<div dir="ltr"><div>We are using httpc with the `{verify, verify_peer}` option for SSL connections. We also provide CA certificates through the `cacertfile` option. The certificate store we are using is from Mozilla [1], from which we extract all certificates that have been set as trusted for issuing new certificates.</div><div><br></div><div>Using this set of certificates, accessing <a href="https://s3.amazonaws.com">https://s3.amazonaws.com</a> gives us the following error:</div><div><br></div><div> 17:03:17.397 [error] SSL: :certify: ssl_handshake.erl:1389:Fatal error: unknown ca</div><div><br></div><div>Using the same certificate file with curl, Python's built-in HTTP client or Ruby's HTTP client produces no error and the connection is successful. I believe this happens because the root certificate in Amazon's certificate chain is not included in the certificate file. The intermediate certificate is included though, so it is trusted. It seems Erlang's SSL implementation does not handle this scenario even though most HTTP clients and browsers do. From what I can read about path validation, it is recommended to stop validation when a trusted certificate is found in the chain and not continue to the root and check it as well.</div><div><br></div>-- <br>Eric Meadows-Jönsson
</div>
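An added example, not part of the original message: one way to make an Erlang client accept a chain whose intermediate certificate is in the `cacertfile` bundle while the root is not. It uses the `partial_chain` option of the `ssl` application, which must be available in the OTP release in use. The module name, function names and the byte-for-byte DER comparison are this example's own assumptions.

```erlang
-module(partial_chain_example).
-export([ssl_opts/1, fetch/2]).

%% Read every certificate in a PEM bundle as a DER binary.
load_der_certs(CaFile) ->
    {ok, Pem} = file:read_file(CaFile),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

%% Build the fun passed as partial_chain. ssl calls it with the DER
%% certificates of the peer's chain. If one of them is byte-for-byte
%% present in our bundle, name it as the trust anchor so that path
%% validation stops there. Otherwise keep the default answer, which
%% leads to the "unknown ca" alert.
partial_chain_fun(TrustedDers) ->
    fun(Chain) ->
        case [Der || Der <- Chain, lists:member(Der, TrustedDers)] of
            [Anchor | _] -> {trusted_ca, Anchor};
            []           -> unknown_ca
        end
    end.

%% The options from the message plus the partial_chain fun.
ssl_opts(CaFile) ->
    [{verify, verify_peer},
     {cacertfile, CaFile},
     {partial_chain, partial_chain_fun(load_der_certs(CaFile))}].

%% Url is a string such as "https://s3.amazonaws.com".
fetch(Url, CaFile) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    httpc:request(get, {Url, []}, [{ssl, ssl_opts(CaFile)}], []).
```

The certificates below the chosen anchor are still validated by `ssl` (signatures, validity period, extensions). Only the requirement to reach a self-signed root in the bundle is relaxed.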