<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><span style="color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, Arial, sans-serif; font-size: 14px; background-color: rgb(255, 255, 255);" class="">When you say "breaks the TLS protocol", are you referring to establishing trust through PKI, or that the connection security is somehow compromised?</span><div class=""><font color="#333333" face="Helvetica Neue, Helvetica, Arial, sans-serif" class=""><span style="font-size: 14px; background-color: rgb(255, 255, 255);" class=""><br class=""></span></font></div><div class=""><font color="#333333" face="Helvetica Neue, Helvetica, Arial, sans-serif" class=""><span style="font-size: 14px; background-color: rgb(255, 255, 255);" class="">Erik<br class=""></span></font><div style=""><br class=""><blockquote type="cite" class=""><div class="">On 2018. 
Feb 23., at 14:53, Ingela Andin &lt;<a href="mailto:ingela.andin@gmail.com" class="">ingela.andin@gmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Hi!<br class=""><div class=""><div class="gmail_extra"><br class=""><div class="gmail_quote">2018-02-22 17:57 GMT+01:00 Erik Seres <span dir="ltr" class="">&lt;<a href="mailto:erikseres@exosite.com" target="_blank" class="">erikseres@exosite.com</a>&gt;</span>:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space" class=""><div class=""><span style="color:rgb(51,51,51);font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)" class="">Hello,</span></div><div class=""><span style="color:rgb(51,51,51);font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)" class=""><br class=""></span></div><span style="color:rgb(51,51,51);font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)" class="">We are developing a custom service that uses TLS certificates.  Clients connect to that service and must present their client certificate.  The client certificates are signed by a CA managed by our service.  Our service's CA cert is in turn signed by a root cert,</span><span style="color:rgb(51,51,51);font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)" class=""> and not self-signed.  
We do not want to require the clients to hold the service's intermediate cert,</span><span style="color:rgb(51,51,51);font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)" class=""> and so they connect just presenting their own client certificate.  </span></div></blockquote><div class=""><br class=""></div><div class="">That breaks the TLS protocol. The peer in either direction should send the whole certificate chain, with the exception of the ROOT certificate, which is optional as the peer has to own it to be able to verify it.<br class=""></div><div class=""><br class=""> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space" class=""><span style="color:rgb(51,51,51);font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)" class="">However,</span><span style="color:rgb(51,51,51);font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)" class=""> the Erlang SSL application does not seem to allow for this setup.  It seems to require that, to verify the client certificate,</span><span style="color:rgb(51,51,51);font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)" class=""> the service's cert is self-signed (i.e. a root cert) or that the client provide all intermediate certs in the chain.  
Is there a way to configure the service with the intermediate cert as the CA,</span><span style="color:rgb(51,51,51);font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)" class=""> and not require the client to also send it as part of the chain?</span><div class=""><span style="color:rgb(51,51,51);font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)" class=""><br class=""></span></div></div></blockquote><div class=""><br class=""></div><div class="">You can use the option verify_fun to customize the certificate path validation, but you would have to be careful to only accept the valid cases.<br class=""><br class=""></div><div class="">Regards,<br class="">Ingela, Erlang/OTP team - Ericsson AB<br class=""></div><div class=""><br class=""> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space" class=""><div class=""><span style="color:rgb(51,51,51);font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)" class="">Thanks,</span></div><div class=""><span style="color:rgb(51,51,51);font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)" class="">Erik</span></div></div><br class="">_______________________________________________<br class="">
erlang-questions mailing list<br class="">
<a href="mailto:erlang-questions@erlang.org" class="">erlang-questions@erlang.org</a><br class="">
<a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank" class="">http://erlang.org/mailman/listinfo/erlang-questions</a><br class="">
<br class=""></blockquote></div><br class=""></div></div></div>
</div></blockquote></div><br class=""></div></body></html>
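Ingela's suggestion, using the ssl option verify_fun to customize path validation while accepting only the valid cases, worked through below as an added example. It is not code from the thread, from Erik's service or from Erlang/OTP itself. It assumes the module name client_ca_verify, three placeholder PEM file names, and that a client chain which cannot be anchored in cacerts reaches the callback as the documented {bad_cert, unknown_ca} event; the server then proves for itself that the presented leaf was issued by the service's intermediate CA before trusting it, and every other failure stays fatal exactly as in the default verify_fun.

```erlang
%% Added example, not code from the thread or from Erlang/OTP itself.
%% A verify_fun for the Erlang ssl application that lets a server anchored
%% at the service's intermediate CA accept a client that presents only its
%% leaf certificate. The callback widens the default policy in exactly one
%% place, the {bad_cert, unknown_ca} event, and only after re-validating the
%% leaf against the intermediate CA; every other failure remains fatal.
-module(client_ca_verify).
-export([server_opts/3, verify/3, check_leaf/2]).

%% Options for ssl:listen/2 or ssl:handshake/2. The three file names are
%% hypothetical placeholders for the service's own server certificate,
%% private key and intermediate CA certificate (all PEM).
server_opts(CertFile, KeyFile, IntermediateCaFile) ->
    IntermediateDer = read_cert_der(IntermediateCaFile),
    [{certfile, CertFile},
     {keyfile, KeyFile},
     %% The intermediate CA is the trust anchor for client certificates.
     {cacerts, [IntermediateDer]},
     %% Require a client certificate; verify_peer alone would let a client
     %% connect without sending one.
     {verify, verify_peer},
     {fail_if_no_peer_cert, true},
     %% UserState carries the trusted intermediate CA (DER) into verify/3.
     {verify_fun, {fun ?MODULE:verify/3, IntermediateDer}}].

%% verify_fun callback, called by ssl for every path-validation event.
%% Returning {valid, State} for unknown_ca makes the presented certificate
%% the trust anchor for the rest of the (here empty) chain, so the check
%% below must first prove that the certificate really is one of ours.
verify(OtpCert, {bad_cert, unknown_ca}, IntermediateDer) ->
    LeafDer = public_key:pkix_encode('OTPCertificate', OtpCert, otp),
    case check_leaf(IntermediateDer, LeafDer) of
        ok              -> {valid, IntermediateDer};
        {error, Reason} -> {fail, Reason}
    end;
verify(_OtpCert, {bad_cert, _} = Reason, _State) ->
    %% Expired, bad signature, wrong issuer, revoked, ...: fail closed.
    {fail, Reason};
verify(_OtpCert, {extension, _}, State) ->
    %% Extensions this callback does not handle: let public_key apply
    %% its default handling.
    {unknown, State};
verify(_OtpCert, valid, State) ->
    {valid, State};
verify(_OtpCert, valid_peer, State) ->
    {valid, State}.

%% Validate one leaf certificate (DER) with the intermediate CA (DER) as
%% trust anchor. Issuer name, signature, validity period and extensions
%% are all checked by public_key:pkix_path_validation/3 with its default
%% (fail-closed) verify_fun. Returns ok or {error, {bad_cert, Reason}}.
check_leaf(IntermediateDer, LeafDer) ->
    case public_key:pkix_path_validation(IntermediateDer, [LeafDer], []) of
        {ok, _PublicKeyInfoAndPolicyTree} -> ok;
        {error, _} = Error                -> Error
    end.

%% Read the first certificate from a PEM file as DER.
read_cert_der(PemFile) ->
    {ok, Pem} = file:read_file(PemFile),
    [{'Certificate', Der, not_encrypted} | _] = public_key:pem_decode(Pem),
    Der.
```

After ssl:start(), the server is started with {ok, L} = ssl:listen(Port, client_ca_verify:server_opts("server.pem", "server-key.pem", "intermediate-ca.pem")). Because the only relaxation is gated on check_leaf/2, a client presenting a certificate from any other issuer, an expired certificate or one with a bad signature is still rejected; check_leaf/2 can also be called on its own with a known-good and a known-bad leaf to test the policy outside a TLS handshake.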