[erlang-questions] ssl:peercert returns no_peercert on server, but works on client

Ingela Andin ingela.andin@REDACTED
Wed Nov 21 17:36:59 CET 2012


Hello!

2012/11/20, Jan.Evangelista@REDACTED <Jan.Evangelista@REDACTED>:
> Hello.
>
> I am writing a client-server application which communicates over SSL.
>
> When the SSL connection is successfully established, the server attempts to
> retrieve the client certificate with ssl:peercert/1 - but on server the
> function always returns no_peercert error. The client gives PEM certificate
> and key paths when it requests connection upgrade to SSL:
>
>     SslOptions = [{cacertfile, ?SSL_CACERT_PATH},
>                   {certfile, ?SSL_CERT_PATH},
>                   {keyfile, ?SSL_KEY_PATH}],
>     SslConnectResult = ssl:connect(Socket, SslOptions),
>     ?assertMatch({ok, _}, SslConnectResult),
>     ....
>
> In an attempt to find what is wrong, I tried to reverse the client and
> server roles - and the peer certificate can be retrieved successfully on
> client. In this case the connection is upgraded to SSL with exactly the same
> SslOptions on server. The peer certificate can be retrieved successfully on
> client:
>     ...
>     ?assertMatch({ok, _}, ssl:peercert(SslSocket)),
>
> and the server code contains basically
>
>     SslOptions = [{cacertfile, ?SSL_CACERT_PATH},
>                   {certfile, ?SSL_CERT_PATH},
>                   {keyfile, ?SSL_KEY_PATH}],
>     {ok, SslSocket} = ssl:ssl_accept(Socket, SslOptions, infinity),
>     ...
>
> Is the failing ssl:peercert/1 on server a bug/missing implementation, or am
> I missing something? The Erlang distribution is R14B04.
>
> Thanks, Jan
>

Well we have a reported issue that is similar to what you describe,
but we have not been able to reproduce it yet.  However in your case
it probably depends on that you have not specified that the server
should verify the client {verify, verify_peer}, by default the server
will not request a client certificate.

Regards Ingela Erlang/OTP team - Ericsson AB
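
The server-side options from the question with the setting named in the reply, as an added example that is not part of the original thread or OTP's own code. The module name, function names and return tuples are assumptions; `{fail_if_no_peer_cert, true}` is a standard `ssl` server option that the thread does not mention, added here so that a client which sends no certificate fails the handshake instead of connecting and later yielding `no_peercert`.

```erlang
-module(peercert_server_example).   % hypothetical module name
-export([server_opts/3, accept_with_client_cert/2]).

%% Options as posted in the question, kept for comparison:
%%   [{cacertfile, CaCert}, {certfile, Cert}, {keyfile, Key}]
%% With these the server does not request a client certificate, so
%% ssl:peercert/1 on the server side has nothing to return.

%% Corrected server options. The three arguments are file paths supplied
%% by the caller (the ?SSL_*_PATH macros in the question).
server_opts(CaCert, Cert, Key) ->
    [{cacertfile, CaCert},            % CA used to verify the client chain
     {certfile, Cert},
     {keyfile, Key},
     {verify, verify_peer},           % request and verify a client certificate
     {fail_if_no_peer_cert, true}].   % reject clients that send none

%% Upgrade an accepted TCP socket and return the decoded client certificate.
%% ssl:ssl_accept/3 is the call used in the thread (R14B04); recent OTP
%% releases use ssl:handshake/3 for the same step.
accept_with_client_cert(Socket, Opts) ->
    case ssl:ssl_accept(Socket, Opts, infinity) of
        {ok, SslSocket} ->
            case ssl:peercert(SslSocket) of
                {ok, Der} ->
                    %% peercert returns the DER-encoded certificate
                    OtpCert = public_key:pkix_decode_cert(Der, otp),
                    {ok, SslSocket, OtpCert};
                {error, Reason} ->
                    %% Do not continue on a connection with no peer identity
                    ssl:close(SslSocket),
                    {error, {peercert, Reason}}
            end;
        {error, Reason} ->
            %% Includes clients rejected for a missing or invalid certificate
            {error, {handshake, Reason}}
    end.
```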


