<div>Hi! Thank you.</div><div><br></div><div><br></div><div>I included the root cert in the example. The root cert is id1 in cert chain - this is evident in the other file. </div><div><br></div><div>It seems because the root cert is out of order - the cert chain is invalid - IIRC this may be true for tls1.2 - however the negotiation is at TLS1.2</div><div><br></div><div><br></div><div>Thank you for your consideration!</div><div><br></div><div><br></div><div id="protonmail_mobile_signature_block"><div>Sent from ProtonMail Mobile</div></div> <div><br></div><div><br></div>On Sat, Oct 19, 2019 at 10:51 AM, Ingela Andin &lt;<a href="mailto:ingela.andin@gmail.com" class="">ingela.andin@gmail.com</a>&gt; wrote:<blockquote class="protonmail_quote" type="cite"> <div dir="ltr"><div><br></div><div>Hi!<br></div><div><br></div><div>"Unknown CA" means that you did not have the ROOT certificate of the chain in your "trusted store" (cacerts option).</div><div>If you do not own the ROOT certificate you cannot trust the chain.<br></div><div><br></div><div>Regards Ingela Erlang/OTP Team - Ericsson AB<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Oct 18, 2019 at 21:52, Curtis J Schofield &lt;curtis@ram9.cc&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Dear Erlang Questions:<br>
<br>
<br>
SSL 9.0.2 mentions a patch to fix out of order cert chains<br>
<br>
In SSL 9.2 we have a root CA and an out of order cert chain<br>
for host <a href="http://hooks.glip.com" rel="noreferrer">hooks.glip.com</a>.<br>
<br>
When we try to verify peer with the out of order cert<br>
chain we get 'Unknown CA'.<br>
<br>
Is this expected behaviour for Erlang SSL 9.2 with verify_peer?<br>
<br>
The <a href="http://erlang.org/doc/apps/ssl/notes.html#ssl-9.0.2" rel="noreferrer">http://erlang.org/doc/apps/ssl/notes.html#ssl-9.0.2</a> notes<br>
mention that other care may need to be taken to ensure compatibility.<br>
<br>
Reproduce error:<br>
<br>
<a href="https://github.com/robotarmy/out-of-order-ssl" rel="noreferrer">https://github.com/robotarmy/out-of-order-ssl</a><br>
<br>
Thank you,<br>
Curtis and Team DevEco<br>
<br>
</blockquote></div></div>
</blockquote><div><br></div><div><br></div>