<p>This is checking the cert from Twilio, though. Right? So there's something in their CA chain that ends up unknown. Or am I getting the wrong end of the stick?</p>
<p>/Robby</p>
<div class="gmail_quote">On Jun 22, 2015 10:05 AM, "Benoit Chesneau" &lt;<a href="mailto:bchesneau@gmail.com">bchesneau@gmail.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">In hackney, by default the HTTPS connection is using the following options:<div><br></div><div><div> [{verify_fun, {fun ssl_verify_hostname:verify_fun/3,</div><div> [{check_hostname, Host}]}},</div><div> {cacertfile, CACertFile },</div><div> {server_name_indication, Host},</div><div> {verify, verify_peer}, {depth, 99},</div><div> {reuse_sessions, true}]<br></div></div><div><br></div><div>Where the Host is based on the URL. CaCertFile is this one:</div><div><a href="https://github.com/benoitc/hackney/blob/master/priv/ca-bundle.crt" target="_blank">https://github.com/benoitc/hackney/blob/master/priv/ca-bundle.crt</a></div><div><br></div><div>And the verify_fun is here: <a href="https://github.com/deadtrickster/ssl_verify_hostname.erl/blob/master/src/ssl_verify_hostname.erl" target="_blank">https://github.com/deadtrickster/ssl_verify_hostname.erl/blob/master/src/ssl_verify_hostname.erl</a></div><div><br></div><div>It works in most cases but when connecting to Twilio I get the following error:</div><div><br></div><div><div> 2> hackney:get("<a href="https://api.twilio.com/2010-04-01/Accounts/" target="_blank">https://api.twilio.com/2010-04-01/Accounts/</a>").</div><div><br></div><div> =ERROR REPORT==== 22-Jun-2015::10:46:28 ===</div><div> SSL: certify: ssl_handshake.erl:1403:Fatal error: unknown ca</div><div> {error,{tls_alert,"unknown ca"}}</div></div><div><br></div><div>When checking the CA file, it seems it contains the thawte certificates:</div><div><br></div><div><div> $ cat priv/ca-bundle.crt|grep thawte </div><div> thawte Primary Root CA</div><div> thawte Primary Root CA - G2</div><div> thawte Primary Root CA - G3</div></div><div><br></div><div>Before opening a ticket I was wondering if I 
missed something in my configuration? Is there anything wrong in the CA file? Is any option missing?</div><div><br></div><div>- benoit</div><div><br></div><div><br></div></div>
<br></blockquote></div>