<div dir="ltr"><div><div>How are you using curl against your custom certificate? Hackney is very strict by default unless you tell it not to be, and checks only against valid certificates. There are two ways to bypass this protection:<br><br></div>- use the option `insecure` when you do a request<br></div>- use your own SSL options. <br><div><div><div><br></div><div>Feel free to join me directly if you need it.<br><br></div><div>- benoit<br></div><div><br></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 21, 2015 at 2:59 PM, Rad Gruchalski <span dir="ltr"><<a href="mailto:radek@gruchalski.com" target="_blank">radek@gruchalski.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                <div>
                    Hi everyone,</div><div><br></div><div>This is my first question on this mailing list. I have hit a wall while writing a bit of software which does the following: I have a REST-like server running on cowboy which runs on SSL. I’m using a self-signed certificate generated by my own certificate authority; the settings I’m using in cowboy are:</div><div><font face="Monaco"><br></font></div><div><font face="Monaco">[ { port, … },</font></div><div><font face="Monaco">  { cacertfile, absolute-path-to-the-public-cacert },</font></div><div><font face="Monaco">  { certfile, absolute-path-to-cert.pem },</font></div><div><font face="Monaco">  { keyfile, absolute-path-to-key.pem } ]</font></div><div><span style="font-family:Monaco"><br></span></div><div>Cowboy starts fine, any request coming from CURL or the Chrome browser is working fine, the clients are served, no issues whatsoever.</div><div><br></div><div>One of the parts of this software is a set of unit tests for the REST-like API. I intend to use hackney for this. What happens is that when the hackney client hits the API, cowboy fails with the following error message:</div><div><span style="font-family:Monaco"><br></span></div><div><font face="Monaco">[error] SSL: certify: ssl_alert.erl:92:Fatal error: bad certificate</font></div><div><font face="Monaco"><br></font></div><div>The error happens both when hackney uses the same SSL options as the cowboy server and when it uses no SSL options.</div><div><br></div><div>I have verified my certificates in the following way: I added the certificate as a trusted cert in Chrome, and Chrome no longer complains about anything regarding the certificate. 
I’ve also done the following:</div><div><font face="Monaco"><br></font></div><div><span style="font-family:Monaco">openssl s_server -accept 8080 -cert ...cert.pem -key ...key.pem -CAfile …_ca.crt</span></div><div><div style="font-family:Monaco">Using default temp DH parameters</div><div style="font-family:Monaco">Using default temp ECDH parameters</div><div style="font-family:Monaco">ACCEPT</div><div style="font-family:Monaco">-----BEGIN SSL SESSION PARAMETERS-----</div><div style="font-family:Monaco">MHUCAQECAgMBBAIAOQQgzGrVgGBoyIRc9v3w3bqmiFQS3t6RjUfmaaa6AyCLsMgE</div><div style="font-family:Monaco">MFf7Tw9pR21yhGRTzuhEr8tXfOnlWKkl08eRS3bhld2jhHm3PgqB/0hinTw/f4CT</div><div style="font-family:Monaco">rqEGAgRUvyw9ogQCAgEspAYEBAEAAAA=</div><div style="font-family:Monaco">-----END SSL SESSION PARAMETERS-----</div><div style="font-family:Monaco">Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:SEED-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5</div><div style="font-family:Monaco">CIPHER is DHE-RSA-AES256-SHA</div><div style="font-family:Monaco">Secure Renegotiation IS supported</div><div style="font-family:Monaco"><br></div><div style="font-family:Monaco">openssl s_client -connect localhost:8080  -cert ...cert.pem -key ...key.pem -CAfile …_ca.crt</div><div><div style="font-family:Monaco">CONNECTED(00000003)</div><div style="font-family:Monaco">depth=0 /CN=localhost/ST=Rheinland-Pfalz/C=DE/emailAddress=<a href="http://dev@somewhere.com/O=dev@somewhere.com" target="_blank">dev@somewhere.com/O=dev@somewhere.com</a></div><div style="font-family:Monaco">verify error:num=18:self signed certificate</div><div style="font-family:Monaco">verify return:1</div><div style="font-family:Monaco">depth=0 
/CN=localhost/ST=Rheinland-Pfalz/C=DE/emailAddress=<a href="http://dev@somewhere.com/O=dev@somewhere.com" target="_blank">dev@somewhere.com/O=dev@somewhere.com</a></div><div style="font-family:Monaco">verify return:1</div><div style="font-family:Monaco">---</div><div style="font-family:Monaco">Certificate chain</div><div style="font-family:Monaco"> 0 s:/CN=localhost/ST=Rheinland-Pfalz/C=DE/emailAddress=<a href="http://dev@somewhere.com/O=dev@somewhere.com" target="_blank">dev@somewhere.com/O=dev@somewhere.com</a></div><div style="font-family:Monaco">   i:/CN=localhost/ST=Rheinland-Pfalz/C=DE/emailAddress=<a href="http://dev@somewhere.com/O=dev@somewhere.com" target="_blank">dev@somewhere.com/O=dev@somewhere.com</a></div><div style="font-family:Monaco">---</div><div style="font-family:Monaco">Server certificate</div><div style="font-family:Monaco">-----BEGIN CERTIFICATE-----</div><div style="font-family:Monaco">MIIFhTCCA22gAwIBAgIJANOPgonG2vS4MA0GCSqGSIb3DQEBCwUAMHkxEjAQBgNV</div><div style="font-family:Monaco">BAMTCWxvY2FsaG9zdDEYMBYGA1UECBMPUmhlaW5sYW5kLVBmYWx6MQswCQYDVQQG</div><div style="font-family:Monaco">EwJERTEgMB4GCSqGSIb3DQEJARYRZGV2QGdvc3NpcGVybC5jb20xGjAYBgNVBAoU</div><div style="font-family:Monaco">EWRldkBnb3NzaXBlcmwuY29tMB4XDTE1MDEyMTAxMjkyN1oXDTE2MDEyMTAxMjky</div><div style="font-family:Monaco">N1oweTESMBAGA1UEAxMJbG9jYWxob3N0MRgwFgYDVQQIEw9SaGVpbmxhbmQtUGZh</div><div style="font-family:Monaco">bHoxCzAJBgNVBAYTAkRFMSAwHgYJKoZIhvcNAQkBFhFkZXZAZ29zc2lwZXJsLmNv</div><div style="font-family:Monaco">bTEaMBgGA1UEChQRZGV2QGdvc3NpcGVybC5jb20wggIiMA0GCSqGSIb3DQEBAQUA</div><div style="font-family:Monaco">A4ICDwAwggIKAoICAQDSPEXcaq4gdKyB6nGmac91sLNW2ZfBqJOWmkCIpYQnGB27</div><div style="font-family:Monaco">EUQTsdxqTtDkfEXlNjf6o4NupytDMqx7lRdVHh+Cqv38S8/Sb9FtyYtsxab4X9hv</div><div style="font-family:Monaco">vf063O455MKVGCeQGqOTmmQTfybCsiQAa8UYK/chS8wQeBLAIAAaVOcNtmEhbUpb</div><div 
style="font-family:Monaco">OaOkwInrjfK9lemD5J8G3z1oUDoiuxwoepyrEWGsmDEWLQKWNJmD6RLeHANH1/UQ</div><div style="font-family:Monaco">V0PNWqwwYPrkEp9hEgau25/NHrglE9OW1SJmL79Cy3DKvLGxwaH1U0K9vh4rEW3A</div><div style="font-family:Monaco">Vc36/TCVSpWXkxMUUDYHFihmR2oxyXSgs6/XKWSeV+xJD7VogljVJxl1IzAYcjlV</div><div style="font-family:Monaco">EbYT4KNqZaqAdSeriRAMSJ5LlZ+7/uknOfdqKcAwUUwdYKKdb1IHpiRmGjFso0zF</div><div style="font-family:Monaco">icMdKudNLZu854PIkSslh2/SJUhj2fiNwZ8QaGrnklJSEUE6jgjPBcAWbkY6M0Xm</div><div style="font-family:Monaco">QUON8LcuDGivh1HPOzgiHiWnkd2zGqwAg1u5vsLcraspXBPfgQc+v+oek5xi5OVL</div><div style="font-family:Monaco">K4YvB8iVf1dg8NQ1Xm3S+aPthi/eI/6UxSx3hSV2fPfydJ8JHoeRx2YWV3Q3dClG</div><div style="font-family:Monaco">iJJLg36pOoFmO6nMwDDIZpSvPwZsfa/S9A69ZuQMv7ra6o8rzfXo7ZtSvy2X0QID</div><div style="font-family:Monaco">AQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCoinw+YKNs</div><div style="font-family:Monaco">0amglVRGcgDJ4kQlz4HN9Z7phmc5MoEUzeo1vSUH/dvKu9tfgzdArRndXIVMOhqM</div><div style="font-family:Monaco">UiOJvfIFua+IZIO2VWqSgIiyuJ1NYYk3trceVu9BZFb8GC0zymG54kXfzcCejDxZ</div><div style="font-family:Monaco">K8hm3eSnTqHJWSFwqGW8OGDzoxfJJCtn6hivZJcyvz6lV0Gp+GxkKHqtDZxQpjCl</div><div style="font-family:Monaco">4I7qyz9i7KOfARtca3VTNwQfaMWZSBZ9A7DoYEFvpIGu0faNmy4zbIM7eIKNhBid</div><div style="font-family:Monaco">v4xqkQHG8f/XTRhNYebBgCzmittKlQc61NodCGnQJXTcS/xZO8NVweAMmqzaR3A9</div><div style="font-family:Monaco">BAn9PZ1b/2hScDSAGtJEon3EToqzb5g2ijbKknshbNTe+Nt3J+Riyll115LZRSxg</div><div style="font-family:Monaco">qwFnPv56WRvL1wJLfYW/S2q9Vwa/RzTiPpPBHPdJw7TETh8Z3UshjSeDVDGmdiQC</div><div style="font-family:Monaco">V+vFxdMAVtvV7krfuwLa04NQ3mG+WrWfnbPUli7OzZ7NlUxG3Koc0QahABrIahlo</div><div style="font-family:Monaco">ZDe1yV1OxeSJZByBcM57N04LVDkK29TuqaQsieW/A80g9EN1Q6Y3AJOLhhyZ1Euq</div><div style="font-family:Monaco">bDg24BJ0P6FiuBz/WFtDRmjwfxhmPiZICfBqpQeltgKsungE4Lg8sMuxPFc7pJpm</div><div 
style="font-family:Monaco">hIedZIKnykXzT2wkzRuBz9F9EqyYNRA7BQ==</div><div style="font-family:Monaco">-----END CERTIFICATE-----</div><div style="font-family:Monaco">subject=/CN=localhost/ST=Rheinland-Pfalz/C=DE/emailAddress=<a href="http://dev@somewhere.com/O=dev@somewhere.com" target="_blank">dev@somewhere.com/O=dev@somewhere.com</a></div><div style="font-family:Monaco">issuer=/CN=localhost/ST=Rheinland-Pfalz/C=DE/emailAddress=<a href="http://dev@somewhere.com/O=dev@somewhere.com" target="_blank">dev@somewhere.com/O=dev@somewhere.com</a></div><div style="font-family:Monaco">---</div><div style="font-family:Monaco">No client certificate CA names sent</div><div style="font-family:Monaco">---</div><div style="font-family:Monaco">SSL handshake has read 2244 bytes and written 264 bytes</div><div style="font-family:Monaco">---</div><div style="font-family:Monaco">New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA</div><div style="font-family:Monaco">Server public key is 4096 bit</div><div style="font-family:Monaco">Secure Renegotiation IS supported</div><div style="font-family:Monaco">Compression: NONE</div><div style="font-family:Monaco">Expansion: NONE</div><div style="font-family:Monaco">SSL-Session:</div><div style="font-family:Monaco">    Protocol  : TLSv1</div><div style="font-family:Monaco">    Cipher    : DHE-RSA-AES256-SHA</div><div style="font-family:Monaco">    Session-ID: CC6AD5806068C8845CF6FDF0DDBAA6885412DEDE918D47E669A6BA03208BB0C8</div><div style="font-family:Monaco">    Session-ID-ctx:</div><div style="font-family:Monaco">    Master-Key: 57FB4F0F69476D72846453CEE844AFCB577CE9E558A925D3C7914B76E195DDA38479B73E0A81FF48629D3C3F7F8093AE</div><div style="font-family:Monaco">    Key-Arg   : None</div><div style="font-family:Monaco">    Start Time: 1421814845</div><div style="font-family:Monaco">    Timeout   : 300 (sec)</div><div style="font-family:Monaco">    Verify return code: 18 (self signed certificate)</div><div style="font-family:Monaco">—</div><div 
style="font-family:Monaco"><br></div><div style="font-family:Monaco">ssl:versions().</div><div style="font-family:Monaco"><br></div><div><div><font face="Monaco">[{ssl_app,"5.3.8"},</font></div><div><font face="Monaco"> {supported,['tlsv1.2','tlsv1.1',tlsv1,sslv3]},</font></div><div><font face="Monaco"> {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]</font></div></div><div style="font-family:Monaco"><br></div><div>I am trying to understand why Erlang has a problem with it. I read that Erlang had a problem with sha256-signed certs, but I am not sure if this is still a problem. I am using OTP 17.4 for these tests. The error happens in some unidentified place; I tried modifying OTP to log the error message in a place where there’s only a reference to ?BAD_CERTIFICATE (via a call to the path_validation_alert function in ssl_handshake.erl), but I get no log. The modification can be seen here: <a href="https://github.com/gossiperl/otp/blob/b446bcc3ece0367c96b54af96577b23e4fa43ee4/lib/ssl/src/ssl_handshake.erl#L433" target="_blank">https://github.com/gossiperl/otp/blob/b446bcc3ece0367c96b54af96577b23e4fa43ee4/lib/ssl/src/ssl_handshake.erl#L433</a>, and I am 100% sure that the installation of Erlang I’m using is the one with the modified code. Of course it could be an issue with my certificate.</div><div><br></div><div>I would appreciate any pointers.</div></div></div><div>
                
                
                


<p style="margin-bottom:0cm"><font color="#000000"><font face="Helvetica, sans-serif"><font style="font-size:9pt">Kind
regards,
<br>Radek
Gruchalski<br>
</font></font></font><font face="Helvetica, sans-serif"><font style="font-size:9pt"><a href="mailto:radek@gruchalski.com" target="_blank">radek@gruchalski.com</a><a href="mailto:radek@gruchalski.com" target="_blank">
</a></font></font><font color="#0084d1"><font face="Helvetica, sans-serif"><font style="font-size:9pt"><br></font></font></font><a href="http://de.linkedin.com/in/radgruchalski/" target="_blank"><font color="#0084d1"><font face="Helvetica, sans-serif"><font style="font-size:9pt">de.linkedin.com/in/radgruchalski/</font></font></font></a><font color="#0084d1"><font face="Helvetica, sans-serif"><font style="font-size:9pt"><u><br></u></font></font></font><font color="#000000"><font face="Helvetica, sans-serif"><font style="font-size:9pt"><a href="tel:%2B4917685656526" value="+4917685656526" target="_blank">+4917685656526</a><br><br></font></font></font><font color="#878787"><font face="Helvetica, sans-serif"><font style="font-size:8pt"><b>Confidentiality:<br></b></font></font></font><font color="#878787"><font face="Helvetica, sans-serif"><font style="font-size:8pt">This
communication is intended for the above-named person and may be
confidential and/or legally privileged.<br>If it has come to you in
error you must take no action based on it, nor must you copy or show
it to anyone; please delete/destroy and inform the sender
immediately.</font></font></font></p></div>
            <br>_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
<br></blockquote></div><br></div>
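<p>An added example for the two options named in the reply above; this is not code from the thread, from hackney or from cowboy. It shows the second option, passing your own SSL options to hackney so that the private CA is trusted explicitly while verification stays switched on, next to the first option (`insecure`) for contrast, and adds an Erlang-side equivalent of the quoted `openssl s_client` check so that a "bad certificate" alert can be attributed to the certificates rather than to the HTTP client. The module name, the hostnames, the port and the CA file path are assumptions; `hackney:request/5`, `insecure` and `{ssl_options, ...}` are hackney's documented options, and the `ssl`/`public_key` calls are from the OTP standard library.</p>

```erlang
%% Added example, not part of the original thread or of hackney/cowboy.
%% Talks to an HTTPS endpoint whose certificate is issued by a private CA
%% while keeping certificate verification on.  Module name, hosts, ports
%% and file paths are assumptions; replace them with your own.
-module(private_ca_client).
-export([ssl_opts/2, check_chain/3, get/3, get_insecure/1]).

%% SSL options that trust only the given CA file.  verify_peer makes the
%% ssl application reject any chain that does not end in that CA, which
%% is what the "bad certificate" alert in the thread signals.
%% server_name_indication sends SNI and, on recent OTP releases, also
%% turns on hostname matching against the certificate.
ssl_opts(Host, CaCertFile) ->
    [{verify, verify_peer},
     {cacertfile, CaCertFile},
     {depth, 2},                          % leaf + one intermediate
     {server_name_indication, Host}].

%% Erlang-side counterpart of the `openssl s_client` run quoted above:
%% open a plain TLS connection with exactly the options hackney will use.
%% Requires the ssl application to be running (see usage note).
%% Returns {ok, DecodedPeerCert} or {error, Reason}.
check_chain(Host, Port, CaCertFile) ->
    case ssl:connect(Host, Port, ssl_opts(Host, CaCertFile), 5000) of
        {ok, Sock} ->
            {ok, Der} = ssl:peercert(Sock),
            ssl:close(Sock),
            %% Decode so the caller can inspect subject/issuer/validity.
            {ok, public_key:pkix_decode_cert(Der, otp)};
        {error, Reason} ->
            %% e.g. {tls_alert, "bad certificate"} when the chain does not
            %% validate against CaCertFile, or econnrefused/timeout.
            {error, Reason}
    end.

%% Option 2 from the reply: hand hackney our own SSL options.  hackney's
%% defaults are replaced by this list, so verification is still strict,
%% just anchored on the private CA instead of the system trust store.
get(Url, Host, CaCertFile) ->
    Opts = [{ssl_options, ssl_opts(Host, CaCertFile)}],
    hackney:request(get, Url, [], <<>>, Opts).

%% Option 1 from the reply: the `insecure` flag disables the chain check
%% entirely, so any certificate is accepted.  Acceptable for a throwaway
%% local test; not something to leave in code that reaches a real service.
get_insecure(Url) ->
    hackney:request(get, Url, [], <<>>, [insecure]).
```

<p>Usage (assumed values): start the ssl application with <code>application:ensure_all_started(ssl)</code>, then call <code>private_ca_client:check_chain("localhost", 8443, "/path/to/ca.crt")</code>; if that returns <code>{ok, Cert}</code> the chain validates against the CA file and hackney with the same <code>ssl_options</code> will connect, while a <code>{error, {tls_alert, _}}</code> result points at the certificates themselves, which is the distinction the thread was trying to draw. For the hackney calls, <code>hackney:start()</code> must have been run first.</p>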