<div dir="ltr">Hi!<br><div><div><div class="gmail_extra"><br><div class="gmail_quote">2015-06-27 11:38 GMT+02:00 Benoit Chesneau <span dir="ltr"><<a href="mailto:bchesneau@gmail.com" target="_blank">bchesneau@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Ingela, <div><br></div><div>So it's not clear yet if this was the exact error here. It has been fixed by updating the list of PEMs in the file in hackney using Apple's certificate store. The error I am referring to has been reported here: <span style="line-height:1.5"><a href="https://github.com/benoitc/hackney/issues/196" target="_blank">https://github.com/benoitc/hackney/issues/196</a> </span></div><div><br></div><div>So it is probable that Apple is including an intermediate certificate that is not in the list provided by Mozilla. </div><div><br></div><div>To be sure I understand: when a peer is not trusted by the validation function, will the partial_chain function still be executed? What is the order? I thought the partial_chain function would be executed first, returning one of the certificates in the chain? In that case, why isn't it executed in the code snippet above? (I can provide you a full branch if it helps.)</div><div><br></div><div>More generally, what is the common pattern in that case, if any?</div><span class="HOEnZb"><font color="#888888"><div><br></div></font></span></div></blockquote><div><br></div><div>The partial_chain function will be called if the "top" certificate in the certificate chain sent by the peer is not self-signed and found in the trusted CA store. This is done before calling the public_key:path_validation. 
The partial_chain function may claim one of the certificates present in the chain to be trusted; that certificate will then be used as the trusted CA in the<br></div><div>path_validation, certificates above the claimed certificate in the chain will be disregarded, and the ones below will be path-validated. <br></div><div><br></div><div>As for your particular problem, it is hard to say unless I can see all the inputs. <br><br></div><div>Regards, Ingela, Erlang/OTP team - Ericsson AB<br></div><div><br></div><div><br><br> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span class="HOEnZb"><font color="#888888"><div></div><div>- benoit</div><div><br></div><div><br></div></font></span></div><div class="HOEnZb"><div class="h5"><br><div class="gmail_quote"><div dir="ltr">On Thu, Jun 25, 2015 at 4:22 PM Ingela Andin <<a href="mailto:ingela.andin@gmail.com" target="_blank">ingela.andin@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi!<br><div><div class="gmail_extra"><br><div class="gmail_quote"></div></div></div></div><div dir="ltr"><div><div class="gmail_extra"><div class="gmail_quote">2015-06-24 19:52 GMT+02:00 Benoit Chesneau <span dir="ltr"><<a href="mailto:bchesneau@gmail.com" target="_blank">bchesneau@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I tried to use the partial_chain option in SSL to fix an unknown_ca issue, but the function is never executed:</div><div><br></div></div></blockquote></div></div></div></div><div dir="ltr"><div><div class="gmail_extra"><div class="gmail_quote"><div><br><br>The <span>partial</span> <span>chain</span> function lets you shorten the <span>certificate chain</span> by accepting an intermediate cert sent to you by the peer as 
trusted. This is not the same as ignoring unknown_ca errors.<br>If you want to handle incorrect clients (sending incomplete chains) by building the <span>chain</span>
to the client certificate on the server side, if possible, you need to
do that in the verify_fun when it fails and then call
public_key:pkix_path_validation again with the <span>chain</span> that you built. <br><br><br></div><div>Regards, Ingela, Erlang/OTP Team - Ericsson AB<br></div><div><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"></blockquote></div></div></div></div><div dir="ltr"><div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div></div><div>The code is:</div><div><br></div><div><div><pre>enum_cacerts([], _Certs) ->
    unknown_ca;
enum_cacerts([Cert | Rest], Certs) ->
    case lists:member(Cert, Certs) of
        true  -> {trusted_ca, Cert};
        false -> enum_cacerts(Rest, Certs)
    end.</pre></div></div><div><br></div><div><pre>CACertFile = filename:join(hackney_util:privdir(), "ca-bundle.crt"),
{ok, ServerCAs} = file:read_file(CACertFile),
Pems = public_key:pem_decode(ServerCAs),
CaCerts = lists:map(fun({_, Der, _}) -> Der end, Pems),

PartialChain = fun(ChainCerts) ->
                   enum_cacerts(CaCerts, ChainCerts)
               end,</pre></div><div><br></div><div>And the SSL options are:</div><div><br></div><div><pre>[{partial_chain, PartialChain},
 {cacerts, CaCerts},
 {server_name_indication, Host},
 {verify_fun, {fun ssl_verify_hostname:verify_fun/3,
               [{check_hostname, Host}]}},
 {verify, verify_peer},
 {depth, 99}];</pre></div><div><br></div><div>What am I doing wrong? I am actually not sure why the function is never executed. Any idea is welcome...</div><span><font color="#888888"><div><br></div><div>- benoit</div><div><br></div><div><br></div></font></span></div>
<br></blockquote></div></div></div></div><div dir="ltr"><div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
<br></blockquote></div></div></div></div></blockquote></div>
</div></div></blockquote></div><br></div></div></div></div>
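As an added example, not code from this thread, from hackney or from OTP, the following Erlang module shows the data flow Ingela describes: a partial_chain fun that claims the highest trusted certificate found in the peer's chain, a helper that makes visible which certificates are disregarded and which remain to be path-validated, and the client option list wired together. The DER binaries are constructed placeholders standing in for real certificates, and the names partial_chain_fun, split_at_trusted and ssl_options are the example's own; the ssl option names and public_key functions are the real OTP ones.

```erlang
%% partial_chain_example.erl
%% Compile and run the embedded tests with:
%%   erlc partial_chain_example.erl && \
%%   erl -noshell -eval 'eunit:test(partial_chain_example), halt().'
-module(partial_chain_example).
-export([partial_chain_fun/1, split_at_trusted/2, ssl_options/2]).
-include_lib("eunit/include/eunit.hrl").

%% Build the fun handed to ssl as {partial_chain, Fun}.
%% TrustedDers are the DER-encoded certificates we accept as trust anchors
%% (normally the same binaries passed as {cacerts, TrustedDers}).
%% ssl consults this fun only when the top certificate of the chain sent by
%% the peer is not found in the trusted CA store, and it does so before
%% public_key:pkix_path_validation/3 runs. A set lookup replaces the nested
%% lists:member/2 scan from the thread; the answer is the same.
partial_chain_fun(TrustedDers) ->
    Trusted = sets:from_list(TrustedDers),
    fun(ChainDers) ->
        %% Look from the top of the chain downwards so that the highest
        %% trusted certificate is claimed and as much of the chain as
        %% possible is still path-validated.
        TopDown = lists:reverse(ChainDers),
        case lists:dropwhile(fun(Der) -> not sets:is_element(Der, Trusted) end,
                             TopDown) of
            [TrustedDer | _Below] -> {trusted_ca, TrustedDer};
            []                    -> unknown_ca
        end
    end.

%% Illustration helper (ssl does this split itself): with a {trusted_ca, Der}
%% answer, certificates above the claimed anchor are dropped and the ones
%% below it remain to be path-validated, ordered from the anchor's direct
%% child down to the peer, which is the order pkix_path_validation/3 expects.
%% ChainDers is assumed to be the chain as sent by the peer, peer cert first.
split_at_trusted(ChainDers, TrustedDer) ->
    TopDown = lists:reverse(ChainDers),
    [TrustedDer | Below] = lists:dropwhile(fun(D) -> D =/= TrustedDer end, TopDown),
    Below.

%% Client options in the shape used in the thread (the external hostname
%% verification callback is left out). Host is the expected server name.
ssl_options(TrustedDers, Host) ->
    [{verify, verify_peer},
     {cacerts, TrustedDers},
     {partial_chain, partial_chain_fun(TrustedDers)},
     {server_name_indication, Host},
     {depth, 99}].

%% Constructed placeholders standing in for DER-encoded certificates; a real
%% chain comes from the peer and real anchors from public_key:pem_decode/1.
-define(LEAF,  <<"der:leaf">>).
-define(INTER, <<"der:intermediate">>).
-define(ROOT,  <<"der:root">>).

partial_chain_test_() ->
    Chain = [?LEAF, ?INTER, ?ROOT],
    [%% the intermediate is trusted: it becomes the anchor, the root is ignored
     ?_assertEqual({trusted_ca, ?INTER}, (partial_chain_fun([?INTER]))(Chain)),
     %% nothing in the chain is trusted: the handshake fails with unknown_ca
     ?_assertEqual(unknown_ca, (partial_chain_fun([<<"der:other">>]))(Chain)),
     %% only the certificates below the anchor remain to be validated
     ?_assertEqual([?LEAF], split_at_trusted(Chain, ?INTER)),
     ?_assertEqual([?INTER, ?LEAF], split_at_trusted(Chain, ?ROOT)),
     ?_assertEqual(verify_peer,
                   proplists:get_value(verify, ssl_options([?ROOT], "example.org")))].
```

The fun is deliberately order-independent (set membership), so it gives the same answer whichever way ssl orders the chain it passes in; only the illustration helper relies on the peer-first assumption stated in its comment. Claiming an anchor this way does not relax validation: everything below the claimed certificate is still path-validated by public_key, and a chain containing no trusted certificate still fails with unknown_ca.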