<div dir="ltr">Hi!<div><br><div class="gmail_extra"><div class="gmail_quote">2015-01-30 21:37 GMT+01:00 <a href="mailto:e@bestmx.net">e@bestmx.net</a> <span dir="ltr"><<a href="mailto:e@bestmx.net" target="_blank">e@bestmx.net</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 01/30/2015 09:18 PM, Ingela Andin wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi!<br>
<br>
2015-01-30 19:25 GMT+01:00 <a href="mailto:e@bestmx.net" target="_blank">e@bestmx.net</a> <<a href="mailto:e@bestmx.net" target="_blank">e@bestmx.net</a>>:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi, all.<br>
<br>
SSL: certify: ssl_alert.erl:92:Fatal error: unknown ca<br>
<br>
I know this issue generates thousands of "hits" in google-search<br>
yet google does not reveal a consistent explanation (not a recipe!)<br>
<br>
first of all: Unknown TO WHOM???<br>
<br>
</blockquote>
<br>
<br>
To the client or server trying to verify its peer certificate.<br>
</blockquote>
<br></span>
since the error appears on the server side,<br>
may i deduce that the server (Erlang's ssl application)<br>
is trying to verify the client (a browser)?<br>
<br></blockquote><div><br></div><div>No, the error does not appear on the server side. The error appers on the client side that sends</div><div>a TLS alert message to the server side that will log the reason why the client disconnects.</div><div><br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
in this case i want to know how to disable this feature.<br>
(i only need to verify the server by the client)</blockquote><div><br></div><div>You did not enable client certification.</div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
secondly: What CA will be considered known?<br>
<br>
<br>
</blockquote>
The root CA must be present in the verifiers CA database (cacertfile or<br>
corresponding option for that client/server).<br>
</blockquote>
<br></span>
my 'cacertfile' (as given to the 'ssl' application) contains one and only one certificate which is self-signed.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
what properties of CA are required?<br>
may we assume that "CA" and "a certificate file" are synonyms in the<br>
current context? otherwise, what is CA and how is it represented?<br>
</blockquote></blockquote>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Certificates and CA certificates are defined in RFC 5280. The are defined<br>
by as ASN-1 specifications and can normaly be inputed as ASN-1 DER (binary<br>
format) or<br>
as a PEM file (a text file representaion of the "DER-blob").<br>
</blockquote>
<br></span>
I was asking something else.<br>
When 'ssl' application complains about a "CA" does it mean a corresponding certfile that represents a CA or something else?<br>
(Does it consider any other data sources besides those files provided by me?)<span class=""><br>
<br>
<br></span></blockquote><div><br></div><div>No, but you are not doing client certification verification as you did not enable it.</div><div><br></div><div><br></div><div>Regards Ingela Erlang/OTP team - Ericsson AB</div></div></div></div></div>