<div>
Hi everyone,</div><div><br></div><div>This is my first question on this mailing list. I have hit a wall while writing a bit of software which does the following: I have a REST-like server running on cowboy over SSL. I’m using a self-signed certificate generated by my own certificate authority; the settings I’m using in cowboy are:</div><div><font face="Monaco"><br></font></div><div><font face="Monaco">[ { port, … },</font></div><div><font face="Monaco"> { cacertfile, absolute-path-to-the-public-cacert },</font></div><div><span style="font-family: Monaco;"> { certfile, absolute-path-to-cert.pem },</span></div><div><span style="font-family: Monaco;"> { keyfile, absolute-path-to-key.pem } ]</span></div><div><span style="font-family: Monaco;"><br></span></div><div>Cowboy starts fine; any request coming from curl or the Chrome browser works fine, the clients are served, no issues whatsoever.</div><div><br></div><div>One of the parts of this software is a set of unit tests for the REST-like API. I intend to use hackney for this. What happens is that when the hackney client hits the API, cowboy fails with the following error message:</div><div><span style="font-family: Monaco;"><br></span></div><div><font face="Monaco">[error] SSL: certify: ssl_alert.erl:92:Fatal error: bad certificate</font></div><div><font face="Monaco"><br></font></div><div>The error happens both when hackney uses the SSL options of the cowboy server and when it uses no SSL options.</div><div><br></div><div>I have verified my certificate in the following way: I added it as a trusted cert in Chrome, and Chrome no longer complains about anything regarding the certificate.
I’ve also done the following:</div><div><font face="Monaco"><br></font></div><div><span style="font-family: Monaco;">openssl s_server -accept 8080 -cert ...cert.pem -key ...key.pem -CAfile …_ca.crt</span></div><div><div style="font-family: Monaco;">Using default temp DH parameters</div><div style="font-family: Monaco;">Using default temp ECDH parameters</div><div style="font-family: Monaco;">ACCEPT</div><div style="font-family: Monaco;">-----BEGIN SSL SESSION PARAMETERS-----</div><div style="font-family: Monaco;">MHUCAQECAgMBBAIAOQQgzGrVgGBoyIRc9v3w3bqmiFQS3t6RjUfmaaa6AyCLsMgE</div><div style="font-family: Monaco;">MFf7Tw9pR21yhGRTzuhEr8tXfOnlWKkl08eRS3bhld2jhHm3PgqB/0hinTw/f4CT</div><div style="font-family: Monaco;">rqEGAgRUvyw9ogQCAgEspAYEBAEAAAA=</div><div style="font-family: Monaco;">-----END SSL SESSION PARAMETERS-----</div><div style="font-family: Monaco;">Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:SEED-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5</div><div style="font-family: Monaco;">CIPHER is DHE-RSA-AES256-SHA</div><div style="font-family: Monaco;">Secure Renegotiation IS supported</div><div style="font-family: Monaco;"><br></div><div style="font-family: Monaco;">openssl s_client -connect localhost:8080 -cert ...cert.pem -key ...key.pem -CAfile …_ca.crt</div><div><div style="font-family: Monaco;">CONNECTED(00000003)</div><div style="font-family: Monaco;">depth=0 /CN=localhost/ST=Rheinland-Pfalz/C=DE/emailAddress=dev@somewhere.com/O=dev@somewhere.com</div><div style="font-family: Monaco;">verify error:num=18:self signed certificate</div><div style="font-family: Monaco;">verify return:1</div><div style="font-family: Monaco;">depth=0 
/CN=localhost/ST=Rheinland-Pfalz/C=DE/emailAddress=dev@somewhere.com/O=dev@somewhere.com</div><div style="font-family: Monaco;">verify return:1</div><div style="font-family: Monaco;">---</div><div style="font-family: Monaco;">Certificate chain</div><div style="font-family: Monaco;"> 0 s:/CN=localhost/ST=Rheinland-Pfalz/C=DE/emailAddress=dev@somewhere.com/O=dev@somewhere.com</div><div style="font-family: Monaco;"> i:/CN=localhost/ST=Rheinland-Pfalz/C=DE/emailAddress=dev@somewhere.com/O=dev@somewhere.com</div><div style="font-family: Monaco;">---</div><div style="font-family: Monaco;">Server certificate</div><div style="font-family: Monaco;">-----BEGIN CERTIFICATE-----</div><div style="font-family: Monaco;">[PEM body omitted]</div><div style="font-family: Monaco;">-----END CERTIFICATE-----</div><div style="font-family: 
Monaco;">subject=/CN=localhost/ST=Rheinland-Pfalz/C=DE/emailAddress=dev@somewhere.com/O=dev@somewhere.com</div><div style="font-family: Monaco;">issuer=/CN=localhost/ST=Rheinland-Pfalz/C=DE/emailAddress=dev@somewhere.com/O=dev@somewhere.com</div><div style="font-family: Monaco;">---</div><div style="font-family: Monaco;">No client certificate CA names sent</div><div style="font-family: Monaco;">---</div><div style="font-family: Monaco;">SSL handshake has read 2244 bytes and written 264 bytes</div><div style="font-family: Monaco;">---</div><div style="font-family: Monaco;">New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA</div><div style="font-family: Monaco;">Server public key is 4096 bit</div><div style="font-family: Monaco;">Secure Renegotiation IS supported</div><div style="font-family: Monaco;">Compression: NONE</div><div style="font-family: Monaco;">Expansion: NONE</div><div style="font-family: Monaco;">SSL-Session:</div><div style="font-family: Monaco;"> Protocol : TLSv1</div><div style="font-family: Monaco;"> Cipher : DHE-RSA-AES256-SHA</div><div style="font-family: Monaco;"> Session-ID: CC6AD5806068C8845CF6FDF0DDBAA6885412DEDE918D47E669A6BA03208BB0C8</div><div style="font-family: Monaco;"> Session-ID-ctx:</div><div style="font-family: Monaco;"> Master-Key: 57FB4F0F69476D72846453CEE844AFCB577CE9E558A925D3C7914B76E195DDA38479B73E0A81FF48629D3C3F7F8093AE</div><div style="font-family: Monaco;"> Key-Arg : None</div><div style="font-family: Monaco;"> Start Time: 1421814845</div><div style="font-family: Monaco;"> Timeout : 300 (sec)</div><div style="font-family: Monaco;"> Verify return code: 18 (self signed certificate)</div><div style="font-family: Monaco;">---</div><div style="font-family: Monaco;"><br></div><div style="font-family: Monaco;">ssl:versions().</div><div style="font-family: Monaco;"><br></div><div><div><font face="Monaco">[{ssl_app,"5.3.8"},</font></div><div><font face="Monaco"> {supported,['tlsv1.2','tlsv1.1',tlsv1,sslv3]},</font></div><div><font 
face="Monaco"> {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]</font></div></div><div style="font-family: Monaco;"><br></div><div>I am trying to understand why Erlang has a problem with it. I read that Erlang had a problem with SHA-256-signed certs, but I am not sure if this is still a problem. I am using OTP 17.4 for these tests. The error happens in some unidentified place; I tried modifying OTP to log the error message in the only place that references ?BAD_CERTIFICATE (via a call to the path_validation_alert function in ssl_handshake.erl), but I get no log. The modification can be seen here: <a href="https://github.com/gossiperl/otp/blob/b446bcc3ece0367c96b54af96577b23e4fa43ee4/lib/ssl/src/ssl_handshake.erl#L433">https://github.com/gossiperl/otp/blob/b446bcc3ece0367c96b54af96577b23e4fa43ee4/lib/ssl/src/ssl_handshake.erl#L433</a>, and I am 100% sure that the installation of Erlang I’m using is the one with the modified code. Of course, it could be an issue with my certificate.</div><div><br></div><div>I would appreciate any pointers.</div></div></div><div>
<p style="margin-bottom: 0cm"><font color="#000000"><font face="Helvetica, sans-serif"><font style="font-size: 9pt">Kind regards,<br>Radek Gruchalski<br></font></font></font><font face="Helvetica, sans-serif"><font style="font-size: 9pt"><a href="mailto:radek@gruchalski.com">radek@gruchalski.com</a><br><a href="http://de.linkedin.com/in/radgruchalski/">de.linkedin.com/in/radgruchalski/</a><br>+4917685656526</font></font></p></div>
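As an added illustration (not part of the original post, not code from cowboy, hackney or OTP), the module below reproduces the checks the Erlang ssl application runs on a server chain before it raises the "bad certificate" alert: it decodes the cacertfile and certfile, reports whether the leaf certificate is self-signed and whether it was actually issued by the CA in cacertfile (the s_client transcript above prints the same name as both subject and issuer, which is what these two checks look at), and then calls public_key:pkix_path_validation/3, whose {bad_cert, Reason} is the value ssl turns into the alert. The file names passed to check/2 are placeholders for your own cacertfile and certfile.

```erlang
%% check_chain.erl: added example, not from the original post or from OTP.
%% Runs the validation ssl performs on a server chain so the {bad_cert, Reason}
%% behind a "bad certificate" alert can be read directly instead of guessed at.
%% CaFile and CertFile are placeholders for the cowboy cacertfile and certfile.
-module(check_chain).
-export([check/2]).

%% All 'Certificate' entries of a PEM file, as DER binaries, in file order.
read_ders(File) ->
    {ok, Pem} = file:read_file(File),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

check(CaFile, CertFile) ->
    [CaDer | _] = read_ders(CaFile),
    [LeafDer | Intermediates] = read_ders(CertFile),
    Ca = public_key:pkix_decode_cert(CaDer, otp),
    Leaf = public_key:pkix_decode_cert(LeafDer, otp),
    %% Two cheap sanity checks: a leaf whose issuer is itself was not signed
    %% by the CA, so a client that trusts only cacertfile will reject it.
    SelfSigned = public_key:pkix_is_self_signed(Leaf),
    IssuedByCa = public_key:pkix_is_issuer(Leaf, Ca),
    %% ssl validates the path issuer-first, ending with the peer certificate,
    %% so a chain file written leaf-first has to be reversed.
    Path = lists:reverse([LeafDer | Intermediates]),
    Result = case public_key:pkix_path_validation(CaDer, Path, []) of
                 {ok, {_PublicKeyInfo, _PolicyTree}} -> ok;
                 %% This Reason is what ssl maps to the bad certificate alert.
                 {error, {bad_cert, Reason}} -> {bad_cert, Reason}
             end,
    io:format("leaf self-signed: ~p~nissued by CA file: ~p~npath validation: ~p~n",
              [SelfSigned, IssuedByCa, Result]),
    Result.
```

Compile with erlc and call check_chain:check("ca.crt", "cert.pem") from an Erlang shell; a {bad_cert, Reason} result names the check that failed, and a leaf that reports self-signed but not issued by the CA file means the served certificate is not the one the cacertfile vouches for.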