<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">ubuntu 14.04</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class=""># wget <a href="http://curl.haxx.se/ca/cacert.pem" class="">http://curl.haxx.se/ca/cacert.pem</a></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">--2015-07-16 19:11:50-- <a href="http://curl.haxx.se/ca/cacert.pem" class="">http://curl.haxx.se/ca/cacert.pem</a></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">Resolving <a href="http://curl.haxx.se" class="">curl.haxx.se</a> (<a href="http://curl.haxx.se" class="">curl.haxx.se</a>)... 2a00:1a28:1200:9::2, 80.67.6.50</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">Connecting to <a href="http://curl.haxx.se" class="">curl.haxx.se</a> (<a href="http://curl.haxx.se" class="">curl.haxx.se</a>)|2a00:1a28:1200:9::2|:80... connected.</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">HTTP request sent, awaiting response... 
200 OK</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">Length: 258424 (252K)</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">Saving to: 'cacert.pem'</font></div><div style="margin: 0px; font-family: Menlo; min-height: 21px;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">100%[=============================================================================================================================================================================================>] 258,424 1.62MB/s in 0.2s </font></div><div style="margin: 0px; font-family: Menlo; min-height: 21px;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">2015-07-16 19:11:50 (1.62 MB/s) - 'cacert.pem' saved [258424/258424]</font></div><div style="margin: 0px; font-family: Menlo; min-height: 21px;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class=""># erl</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">Erlang/OTP 18 [erts-7.0] [source] [64-bit] [smp:4:4] [async-threads:10] [hipe] [kernel-poll:false]</font></div><div style="margin: 0px; font-family: Menlo; min-height: 21px;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">Eshell V7.0 (abort with ^G)</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">1> application:ensure_all_started(ssl).</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">{ok,[crypto,asn1,public_key,ssl]}</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">2> ssl:connect( "<a 
href="http://www.nicemine.ru" class="">www.nicemine.ru</a>", 443, [{verify,verify_peer},{server_name_indication,"<a href="http://www.nicemine.ru" class="">www.nicemine.ru</a>"},{depth,2},{cacertfile,"cacert.pem"}] ).</font></div><div style="margin: 0px; font-family: Menlo; min-height: 21px;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">=ERROR REPORT==== 16-Jul-2015::19:12:18 ===</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">SSL: certify: ssl_handshake.erl:1476:Fatal error: bad certificate</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">{error,{tls_alert,"bad certificate"}}</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">3> </font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class=""><b class="">and</b></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class="">Mac OS X</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><div style="margin: 0px;" class=""><font size="2" class="">$ wget <a href="http://curl.haxx.se/ca/cacert.pem" class="">http://curl.haxx.se/ca/cacert.pem</a></font></div><div style="margin: 0px;" class=""><font size="2" class="">--2015-07-16 22:09:02-- <a href="http://curl.haxx.se/ca/cacert.pem" 
class="">http://curl.haxx.se/ca/cacert.pem</a></font></div><div style="margin: 0px;" class=""><font size="2" class="">Resolving <a href="http://curl.haxx.se" class="">curl.haxx.se</a>... 80.67.6.50, 2a00:1a28:1200:9::2</font></div><div style="margin: 0px;" class=""><font size="2" class="">Connecting to <a href="http://curl.haxx.se" class="">curl.haxx.se</a>|80.67.6.50|:80... connected.</font></div><div style="margin: 0px;" class=""><font size="2" class="">HTTP request sent, awaiting response... 200 OK</font></div><div style="margin: 0px;" class=""><font size="2" class="">Length: 258424 (252K)</font></div><div style="margin: 0px;" class=""><font size="2" class="">Saving to: 'cacert.pem'</font></div><div style="margin: 0px; min-height: 21px;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px;" class=""><font size="2" class="">100%[=============================================================================================================================================================================================>] 258,424 --.-K/s in 0.1s </font></div><div style="margin: 0px; min-height: 21px;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px;" class=""><font size="2" class="">2015-07-16 22:09:02 (1.92 MB/s) - 'cacert.pem' saved [258424/258424]</font></div><div style="margin: 0px; min-height: 21px;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px;" class=""><font size="2" class="">$ erl</font></div><div style="margin: 0px;" class=""><font size="2" class="">Erlang/OTP 17 [erts-6.3] [source] [64-bit] [smp:8:8] [async-threads:10] [hipe] [kernel-poll:false] [dtrace]</font></div><div style="margin: 0px; min-height: 21px;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px;" class=""><font size="2" class="">Eshell V6.3 (abort with ^G)</font></div><div style="margin: 0px;" class=""><font size="2" class="">1> 
application:ensure_all_started(ssl).</font></div><div style="margin: 0px;" class=""><font size="2" class="">{ok,[crypto,asn1,public_key,ssl]}</font></div><div style="margin: 0px;" class=""><font size="2" class="">2> ssl:connect( "<a href="http://www.nicemine.ru" class="">www.nicemine.ru</a>", 443, [{verify,verify_peer},{server_name_indication,"<a href="http://www.nicemine.ru" class="">www.nicemine.ru</a>"},{depth,2},{cacertfile,"cacert.pem"}] ).</font></div><div style="margin: 0px; min-height: 21px;" class=""><font size="2" class=""><br class=""></font></div><div style="margin: 0px;" class=""><font size="2" class="">=ERROR REPORT==== 16-Jul-2015::22:09:23 ===</font></div><div style="margin: 0px;" class=""><font size="2" class="">SSL: certify: ssl_handshake.erl:1389:Fatal error: bad certificate</font></div><div style="margin: 0px;" class=""><font size="2" class="">{error,{tls_alert,"bad certificate"}}</font></div><div style="margin: 0px;" class=""><font size="2" class="">3> </font></div></div><div style="margin: 0px; font-size: 18px; font-family: Menlo;" class=""><br class=""></div><div style="margin: 0px; font-size: 18px; font-family: Menlo;" class=""><br class=""></div><div style="margin: 0px; font-size: 18px; font-family: Menlo;" class="">:((((((((((((</div><div style="margin: 0px; font-size: 18px; font-family: Menlo;" class=""><br class=""></div><div style="margin: 0px; font-size: 18px; font-family: Menlo;" class=""><br class=""></div><div style="margin: 0px; font-size: 18px; font-family: Menlo;" class=""><br class=""></div><div><blockquote type="cite" class=""><div class="">On 16 July 2015, at 21:16, Santiago Fernández <<a href="mailto:santif@gmail.com" class="">santif@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">can't reproduce:<br class=""><br class="">Erlang/OTP 17 [erts-6.4] [source] [64-bit] [smp:8:8] [async-threads:10] [kernel-poll:false]<br class=""><br class="">Eshell V6.4 (abort with ^G)<br 
class="">1> application:ensure_all_started(ssl).<br class="">{ok,[crypto,asn1,public_key,ssl]}<br class="">2> ssl:connect( "<a href="http://www.nicemine.ru/" class="">www.nicemine.ru</a>", 443, [{verify,verify_peer},{server_name_indication,"<a href="http://www.nicemine.ru/" class="">www.nicemine.ru</a>"},{depth,2},{cacertfile,"cacert.pem"}] ).<br class="">{ok,{sslsocket,{gen_tcp,#Port<0.821>,tls_connection,<br class=""> undefined},<br class=""> <0.49.0>}}<br class=""><br class=""><br class=""><br class=""></div><div class="gmail_extra"><br clear="all" class=""><div class=""><div class="gmail_signature"><div class=""><br class=""></div>--<div class="">Santiago</div></div></div>
<br class=""><div class="gmail_quote">On Thu, Jul 16, 2015 at 2:54 PM, Alex Hudich <span dir="ltr" class=""><<a href="mailto:alttagil@gmail.com" target="_blank" class="">alttagil@gmail.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class=""><div class="">Hi,</div><div class=""><br class=""></div><div class="">It doesn’t help. Still <span style="font-family:Menlo;font-size:18px" class="">{bad_cert,invalid_issuer}</span></div><div class=""><span style="font-family:Menlo;font-size:18px" class=""><br class=""></span></div><div class=""><span style="font-family:Menlo;font-size:18px" class=""><br class=""></span></div><br class=""><div class=""><blockquote type="cite" class=""><div class="">On 16 July 2015, at 20:29, Éric Pailleau <<a href="mailto:eric.pailleau@wanadoo.fr" target="_blank" class="">eric.pailleau@wanadoo.fr</a>> wrote:</div><div class=""><div class="h5"><br class=""><div class="">Hi, try with depth = 3. Depth 0 to depth 2 is 3.<br class="">Regards<br class=""><br class="">On 16 Jul 
2015 15:15, Alex Hudich <<a href="mailto:alttagil@gmail.com" target="_blank" class="">alttagil@gmail.com</a>> wrote:<br class=""><blockquote type="cite" class=""><br class="">When I tried to check connection with openssl command I’ve got w/o cacert.pem file:<br class=""><br class="">$ openssl s_client -connect <a href="http://nicemine.ru/" target="_blank" class="">nicemine.ru</a>:443 -verify 99 <br class="">verify depth is 99<br class="">CONNECTED(00000003)<br class="">depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority<br class="">verify error:num=19:self signed certificate in certificate chain<br class="">verify return:1<br class="">depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority<br class="">verify return:1<br class="">depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA<br class="">verify return:1<br class="">depth=0 /<a href="mailto:C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@nicefiles.ru" target="_blank" class="">C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@nicefiles.ru</a><br class="">verify return:1<br class=""><br class=""><br class="">and with it<br class=""><br class="">$ openssl s_client -connect <a href="http://nicemine.ru/" target="_blank" class="">nicemine.ru</a>:443 -verify 99 -CAfile cacert.pem<br class="">verify depth is 99<br class="">CONNECTED(00000003)<br class="">depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority<br class="">verify return:1<br class="">depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA<br class="">verify return:1<br class="">depth=0 /<a href="mailto:C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@nicefiles.ru" target="_blank" class="">C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@nicefiles.ru</a><br class="">verify return:1<br 
class=""><br class="">so cacert.pem file contains enough info for StartCom certificates to be checked as valid.<br class=""><br class=""><br class="">Also I’ve tried to dig it more in Erlang and I’ve found that I get error in OTP 18 too.<br class=""><br class="">And the reason for bad certificate error is {bad_cert,invalid_issuer}<br class=""><br class=""><br class=""><br class="">I also tried to add <a href="https://www.startssl.com/certs/sub.class1.server.ca.pem" target="_blank" class="">https://www.startssl.com/certs/sub.class1.server.ca.pem</a> file to cacert.pem but with no luck.<br class=""><br class=""><br class=""><br class=""><br class=""><br class=""><blockquote type="cite" class="">On 16 July 2015, at 12:16, Alex Hudich <<a href="mailto:alttagil@gmail.com" target="_blank" class="">alttagil@gmail.com</a>> wrote:<br class=""><br class="">Hi!<br class=""><br class=""><br class=""><br class="">wget <a href="http://curl.haxx.se/ca/cacert.pem" target="_blank" class="">http://curl.haxx.se/ca/cacert.pem</a><br class=""><br class="">and then <br class=""><br class="">ssl:connect( "<a href="http://www.nicemine.ru/" target="_blank" class="">www.nicemine.ru</a>", 443, [{verify,verify_peer},{server_name_indication,"<a href="http://www.nicemine.ru/" target="_blank" class="">www.nicemine.ru</a>"},{depth,2},{cacertfile,"cacert.pem"}] ).<br class=""><br class="">gives me {error,{tls_alert,"bad certificate"}}<br class=""><br class=""><br class=""><br class="">Why? Site can be opened ok in the browser.<br class=""><br class="">Erlang/OTP 17 [erts-6.3] <br class=""><br class=""><br class=""></blockquote><br class=""></blockquote></div></div></div></blockquote></div><br class=""></div><br class="">
<br class=""></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></body></html>