<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><div class="">But it seems to me that there are some differences between 17.4 and 17.5 which make 17.5 «more buggy» </div><div class=""><br class=""></div><div class="">I prepared two files. cacert.pem.1 is an empty file with length 0 and cacert.pem which I’ve downloaded earlier. And there is an output of 17.5 which seems to me wrong. </div><div class=""><br class=""></div><div class="">Lines 2 and 3 are ok. Line 4 is ok. But why did line 5 give me no error??</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class="">Erlang/OTP 17 [erts-6.4] [source] [64-bit] [async-threads:10] [hipe] [kernel-poll:false]</font></div><div style="margin: 0px; font-family: Menlo; min-height: 21px;" class=""><font color="#008cb4" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class="">Eshell V6.4 (abort with ^G)</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class="">1> application:ensure_all_started(ssl).</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class="">{ok,[crypto,asn1,public_key,ssl]}</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class="">2> ssl:connect( "<a href="http://www.nicemine.ru" class="">www.nicemine.ru</a>", 443, [{verify,verify_peer},{server_name_indication,"<a href="http://www.nicemine.ru" class="">www.nicemine.ru</a>"},{depth,2},{cacertfile,"cacert.pem.1"}] ).</font></div><div style="margin: 0px; font-family: Menlo; min-height: 21px;" class=""><font color="#008cb4" class=""><br class=""></font></div><div style="margin: 0px; 
font-family: Menlo;" class=""><font color="#008cb4" class="">=ERROR REPORT==== 17-Jul-2015::13:26:45 ===</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class="">SSL: certify: ssl_handshake.erl:1401:Fatal error: unknown ca</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class="">{error,{tls_alert,"unknown ca"}}</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class="">3> ssl:connect( "<a href="http://www.nicemine.ru" class="">www.nicemine.ru</a>", 443, [{verify,verify_peer},{server_name_indication,"<a href="http://www.nicemine.ru" class="">www.nicemine.ru</a>"},{depth,2},{cacertfile,"cacert.pem.1"}] ).</font></div><div style="margin: 0px; font-family: Menlo; min-height: 21px;" class=""><font color="#008cb4" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class="">=ERROR REPORT==== 17-Jul-2015::13:26:48 ===</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class="">SSL: certify: ssl_handshake.erl:1401:Fatal error: unknown ca</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class="">{error,{tls_alert,"unknown ca"}}</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class="">4> ssl:connect( "<a href="http://www.nicemine.ru" class="">www.nicemine.ru</a>", 443, [{verify,verify_peer},{server_name_indication,"<a href="http://www.nicemine.ru" class="">www.nicemine.ru</a>"},{depth,2},{cacertfile,"cacert.pem"}] ). 
</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class="">{ok,{sslsocket,{gen_tcp,#Port<0.1236>,tls_connection,</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class=""> undefined},</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class=""> <0.53.0>}}</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class="">5> ssl:connect( "<a href="http://www.nicemine.ru" class="">www.nicemine.ru</a>", 443, [{verify,verify_peer},{server_name_indication,"<a href="http://www.nicemine.ru" class="">www.nicemine.ru</a>"},{depth,2},{cacertfile,"cacert.pem.1"}] ).</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class="">{ok,{sslsocket,{gen_tcp,#Port<0.1243>,tls_connection,</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class=""> undefined},</font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class=""> <0.55.0>}}</font></div></div></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class=""><br class=""></font></div><div style="margin: 0px; font-family: Menlo;" class=""><font color="#008cb4" class=""><br class=""></font></div><div class=""><br class=""></div><br class=""><div><blockquote type="cite" class=""><div class="">On 16 July 2015, at 21:16, Santiago Fernández <<a href="mailto:santif@gmail.com" class="">santif@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">can't reproduce:<br class=""><br class="">Erlang/OTP 17 [erts-6.4] [source] [64-bit] [smp:8:8] [async-threads:10] [kernel-poll:false]<br class=""><br class="">Eshell V6.4 (abort with ^G)<br class="">1> application:ensure_all_started(ssl).<br 
class="">{ok,[crypto,asn1,public_key,ssl]}<br class="">2> ssl:connect( "<a href="http://www.nicemine.ru/" class="">www.nicemine.ru</a>", 443, [{verify,verify_peer},{server_name_indication,"<a href="http://www.nicemine.ru/" class="">www.nicemine.ru</a>"},{depth,2},{cacertfile,"cacert.pem"}] ).<br class="">{ok,{sslsocket,{gen_tcp,#Port<0.821>,tls_connection,<br class=""> undefined},<br class=""> <0.49.0>}}<br class=""><br class=""><br class=""><br class=""></div><div class="gmail_extra"><br clear="all" class=""><div class=""><div class="gmail_signature"><div class=""><br class=""></div>--<div class="">Santiago</div></div></div>
<br class=""><div class="gmail_quote">On Thu, Jul 16, 2015 at 2:54 PM, Alex Hudich <span dir="ltr" class=""><<a href="mailto:alttagil@gmail.com" target="_blank" class="">alttagil@gmail.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class=""><div class="">Hi,</div><div class=""><br class=""></div><div class="">It doesn’t help. Still <span style="font-family:Menlo;font-size:18px" class="">{bad_cert,invalid_issuer}</span></div><div class=""><span style="font-family:Menlo;font-size:18px" class=""><br class=""></span></div><div class=""><span style="font-family:Menlo;font-size:18px" class=""><br class=""></span></div><br class=""><div class=""><blockquote type="cite" class=""><div class="">16 июля 2015 г., в 20:29, Éric Pailleau <<a href="mailto:eric.pailleau@wanadoo.fr" target="_blank" class="">eric.pailleau@wanadoo.fr</a>> написал(а):</div><div class=""><div class="h5"><br class=""><div class="">Hi, try with depth = 3. Depth 0 to depth 2 is 3.<br class="">Regards<br class=""><br class="">Le 16 juil. 
2015 15:15, Alex Hudich <<a href="mailto:alttagil@gmail.com" target="_blank" class="">alttagil@gmail.com</a>> a écrit :<br class=""><blockquote type="cite" class=""><br class="">When I tried to check connection with openssl command I’ve got w/o cacert.pem file:<br class=""><br class="">$ openssl s_client -connect <a href="http://nicemine.ru/" target="_blank" class="">nicemine.ru</a>:443 -verify 99 <br class="">verify depth is 99<br class="">CONNECTED(00000003)<br class="">depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority<br class="">verify error:num=19:self signed certificate in certificate chain<br class="">verify return:1<br class="">depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority<br class="">verify return:1<br class="">depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA<br class="">verify return:1<br class="">depth=0 /<a href="mailto:C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@nicefiles.ru" target="_blank" class="">C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@nicefiles.ru</a><br class="">verify return:1<br class=""><br class=""><br class="">and with it<br class=""><br class="">$ openssl s_client -connect <a href="http://nicemine.ru/" target="_blank" class="">nicemine.ru</a>:443 -verify 99 -CAfile cacert.pem<br class="">verify depth is 99<br class="">CONNECTED(00000003)<br class="">depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority<br class="">verify return:1<br class="">depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA<br class="">verify return:1<br class="">depth=0 /<a href="mailto:C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@nicefiles.ru" target="_blank" class="">C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@nicefiles.ru</a><br class="">verify return:1<br 
class=""><br class="">so cacert.pem file contains enough info for StartCom certificates to be checked as valid.<br class=""><br class=""><br class="">Also I’ve tried to dig it more in erlang and I’ve found that I get error in OTP 18 too.<br class=""><br class="">And the reason for bad certificate error is {bad_cert,invalid_issuer}<br class=""><br class=""><br class=""><br class="">I also tried to add <a href="https://www.startssl.com/certs/sub.class1.server.ca.pem" target="_blank" class="">https://www.startssl.com/certs/sub.class1.server.ca.pem</a> file to cacert.pem but with no luck.<br class=""><br class=""><br class=""><br class=""><br class=""><br class=""><blockquote type="cite" class="">16 июля 2015 г., в 12:16, Alex Hudich <<a href="mailto:alttagil@gmail.com" target="_blank" class="">alttagil@gmail.com</a>> написал(а):<br class=""><br class="">Hi!<br class=""><br class=""><br class=""><br class="">wget <a href="http://curl.haxx.se/ca/cacert.pem" target="_blank" class="">http://curl.haxx.se/ca/cacert.pem</a><br class=""><br class="">and then <br class=""><br class="">ssl:connect( "<a href="http://www.nicemine.ru/" target="_blank" class="">www.nicemine.ru</a>", 443, [{verify,verify_peer},{server_name_indication,"<a href="http://www.nicemine.ru/" target="_blank" class="">www.nicemine.ru</a>"},{depth,2},{cacertfile,"cacert.pem"}] ).<br class=""><br class="">gives me {error,{tls_alert,"bad certificate"}}<br class=""><br class=""><br class=""><br class="">Why? Site can be opened ok in the browser.<br class=""><br class="">Erlang/OTP 17 [erts-6.3] <br class=""><br class=""><br class=""></blockquote><br class=""></blockquote></div></div></div></blockquote></div><br class=""></div><br class="">_______________________________________________<br class="">
erlang-questions mailing list<br class="">
<a href="mailto:erlang-questions@erlang.org" class="">erlang-questions@erlang.org</a><br class="">
<a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank" class="">http://erlang.org/mailman/listinfo/erlang-questions</a><br class="">
<br class=""></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></body></html>
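Added example (editor's code, not from any message in the thread): the thread's shell transcript shows a `verify_peer` connect succeeding against a zero-length `cacertfile` right after a connect with the real bundle succeeded. Whatever the cause inside the ssl application, a client should never accept "verified against nothing". The module below, a hypothetical `tls_check`, reads and decodes the PEM bundle itself with `public_key:pem_decode/1`, refuses to start the handshake when the file yields no certificates, and passes the decoded roots via the `{cacerts, ...}` option instead of `{cacertfile, ...}`, so the trust store used for verification is exactly the bytes that were read. The module name, function names and the 5-second timeout are assumptions; the host, port and `{depth, 2}` setting are the ones used in the thread.

```erlang
%% tls_check.erl -- added example, not code from the erlang-questions thread.
%% Reads the CA bundle itself, refuses an empty one, and hands the decoded
%% certificates to ssl:connect/4 via {cacerts, ...} so the roots used for
%% verification are exactly what was read from disk.
-module(tls_check).
-export([ca_certs_from_file/1, connect/3]).

%% Return the DER-encoded certificates found in a PEM bundle.
%% An empty or certificate-free file yields {ok, []}, which connect/3
%% treats as an error rather than silently verifying against nothing.
-spec ca_certs_from_file(file:filename()) ->
          {ok, [public_key:der_encoded()]} | {error, term()}.
ca_certs_from_file(CaFile) ->
    case file:read_file(CaFile) of
        {ok, Pem} ->
            %% pem_decode/1 returns {Type, Der, not_encrypted | CipherInfo}
            %% entries; keep only unencrypted 'Certificate' entries.
            Certs = [Der || {'Certificate', Der, not_encrypted}
                                <- public_key:pem_decode(Pem)],
            {ok, Certs};
        {error, Reason} ->
            {error, {cacertfile, CaFile, Reason}}
    end.

%% Open a verified TLS connection to Host:Port trusting only the CAs in CaFile.
%% Host is a string such as "www.nicemine.ru" and is also sent as the SNI name.
%% Returns {ok, SslSocket} or {error, Reason}.
-spec connect(string(), inet:port_number(), file:filename()) ->
          {ok, ssl:sslsocket()} | {error, term()}.
connect(Host, Port, CaFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    case ca_certs_from_file(CaFile) of
        {ok, []} ->
            %% Fail closed: verify_peer with no trusted roots can never be a
            %% legitimate success, so do not even start the handshake.
            {error, {empty_cacertfile, CaFile}};
        {ok, Certs} ->
            Opts = [{verify, verify_peer},
                    {server_name_indication, Host},
                    {depth, 2},           % same limit the thread uses
                    {cacerts, Certs}],    % decoded roots, not {cacertfile, CaFile}
            ssl:connect(Host, Port, Opts, 5000);  % 5000 ms timeout (assumed)
        {error, _} = Err ->
            Err
    end.
```

Compile with `erlc tls_check.erl` (or `c(tls_check).` in the shell). `tls_check:connect("www.nicemine.ru", 443, "cacert.pem.1")` with the empty file returns `{error, {empty_cacertfile, "cacert.pem.1"}}` without opening a socket, because `public_key:pem_decode(<<>>)` yields `[]`; with a populated bundle it performs the same `verify_peer` handshake as the thread's `ssl:connect/3` calls, but against certificates decoded in the caller's process rather than a file path the ssl application resolves on its own.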