[erlang-questions] SSL certificate unknown error

Andreas Pauley apauley@REDACTED
Mon Aug 26 18:31:22 CEST 2013


Hi Ingela,

I'm having the same issue when trying to access a web service over
HTTPS. In my case the issue is not present on R13B04, but it is
present on R14B03, R15B03-1 and R16B01.
I did some debug tracing on R16B01 as suggested above. The ssl app in
my case fails validation on an empty field 'X520StateOrProvinceName'
in the remote certificate.

Even though it looks like the remote certificate may not have valid
data in this field, we don't really have control over what
certificates external parties use.
Google Chrome on Mac OS X claims that this certificate is valid, but
in the field "State/Province" it gives "< parser error >" as the
value.

The first few and last few lines of my debug tracing:
12> ssltest:test().
OTP Version: "R16B01"
(<0.104.0>) call
ssl_certificate:trusted_cert_and_path([<<48,130,4,175,48,130,3,151,160,3,2,1,2,2,3,1,71,197,48,13,6,9,42,134,72,134,

...

(<0.104.0>) call 'OTP-PUB-KEY':decode('X520StateOrProvinceName',<<19,0>>)
(<0.104.0>) returned from 'OTP-PUB-KEY':decode/2 -> {error,
                                                     {asn1,
                                                      {length,{1,128},[]}}}
(<0.104.0>) exception_from {public_key,pkix_decode_cert,2}
{error,{badmatch,{error,{asn1,{length,{1,128},[]}}}}}
(<0.104.0>) exception_from {ssl_certificate,trusted_cert_and_path,3}
{error,{badmatch,{error,{asn1,{length,{1,128},[]}}}}}

=ERROR REPORT==== 26-Aug-2013::18:01:40 ===
SSL: certify: tls_handshake.erl:259:Fatal error: certificate unknown
** exception error: no match of right hand side value
                    {error,{tls_alert,"certificate unknown"}}
     in function  ssltest:test/1 (/var/tmp/ssl/ssltest.erl, line 17)


The code I used to test with:

-module(ssltest).

-export([test/0]).

test() ->
  test("196.38.92.87").

test(Server) ->
  [application:start(App) || App <- [crypto, asn1, public_key, ssl]],
  OTPVersion = erlang:system_info(otp_release),
  io:format("OTP Version: ~p~n", [OTPVersion]),
  dbg:tracer(),
  dbg:p(all, [call]),
  dbg:tpl(ssl_certificate, trusted_cert_and_path, x),
  dbg:tpl(public_key, pkix_decode_cert, x),
  dbg:tpl('OTP-PUB-KEY', decode, x),
  {ok, _SslSocket} = ssl:connect(Server, 443, [binary, {active, false}], 2000), % this is line 17
  io:format("Successful ssl:connect to ~s~n", [Server]),
  ok.

Please let me know if I can help with more tracing or other info.

Kind regards,
Andreas Pauley

--
http://pauley.org.za/
http://twitter.com/apauley
http://www.meetup.com/lambda-luminaries/
http://za.linkedin.com/in/apauley



On Tue, Mar 12, 2013 at 10:48 AM, Ingela Andin <ingela.andin@REDACTED> wrote:
> Hi!
>
> This error typically happens when there is a problem in the ASN-1
> decoding of a certificate.
> You could try tracing on public_key:pkix_path_validation. If we can
> get the input values to that function we could create a way to
> reproduce the error and make it much easier for us to fix the problem.
>
> dbg:tracer().
> dbg:p(all, [call]).
> dbg:tpl(public_key, pkix_path_validation, x).
>
> Regards Ingela Erlang/OTP- team Ericsson AB
>
>
> 2013/3/12, Andrei Soroker <soroker@REDACTED>:
>> On Mon, Mar 11, 2013 at 8:14 PM, Tristan Sloughter
>> <tristan.sloughter@REDACTED> wrote:
>>> I ran into the same problem on R16A. I sent this to erlang-bugs
>>>
>>> http://erlang.org/pipermail/erlang-bugs/2013-February/003369.html
>>>
>>> I sadly didn't take care of continued investigation.... But if it still
>>> exists in R16B I guess I'll have to now, unless you figure it out :)
>>
>> I reverted to R15B03-1 for the time being. I'll poke around some more
>> later in the week.
>>
>>>
>>>
>>> On Mon, Mar 11, 2013 at 10:09 PM, Andrei Soroker <soroker@REDACTED>
>>> wrote:
>>>>
>>>> Hi again,
>>>>
>>>> I'm using lhttpc to make some calls over https. Everything worked fine
>>>> with R15B03-1, but with R16B I'm seeing this:
>>>>
>>>> SSL: certify: ssl_handshake.erl:263:Fatal error: certificate unknown
>>>>
>>>> Thanks,
>>>> Andrei
>>>> _______________________________________________
>>>> erlang-questions mailing list
>>>> erlang-questions@REDACTED
>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>>
>>
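The trace above is the whole story of the failure: 'OTP-PUB-KEY':decode('X520StateOrProvinceName', <<19,0>>) is handed a PrintableString (tag 0x13) of length 0, and PKIX (RFC 5280 Appendix A) declares that attribute with SIZE (1..ub-state-name), ub-state-name = 128, so a decoder that enforces the constraint reports {asn1,{length,{1,128},[]}}. The added example below (not code from the thread or from Erlang/OTP) is a small DER walker that reproduces that check offline over a Name built here for the purpose: it decodes Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, looks up the PKIX size bounds for the common X.520 attributes, and reports every value that falls outside them. The OIDs, the bounds table and the two sample subjects are the example's own; the sample certificate subject is constructed, not taken from the server in the post.

```python
"""Minimal DER walker for an X.509 Name (added example, not OTP code).

Reproduces why a strict decoder rejects the certificate in the thread:
<<19,0>> is PrintableString (0x13) of length 0, and PKIX bounds
stateOrProvinceName with SIZE (1..128). Sample Names are constructed.
"""
from typing import Iterator, List, Tuple

# DER universal tags used here
SEQUENCE, SET, OID, PRINTABLE_STRING, UTF8_STRING = 0x30, 0x31, 0x06, 0x13, 0x0C

# (min, max) character counts from RFC 5280 Appendix A, keyed by attribute OID.
DIRECTORY_STRING_BOUNDS = {
    "2.5.4.3": (1, 64),    # commonName
    "2.5.4.6": (2, 2),     # countryName (PrintableString SIZE (2))
    "2.5.4.7": (1, 128),   # localityName
    "2.5.4.8": (1, 128),   # stateOrProvinceName (X520StateOrProvinceName)
    "2.5.4.10": (1, 64),   # organizationName
    "2.5.4.11": (1, 64),   # organizationalUnitName
}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def decode_oid(value: bytes) -> str:
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def check_name(name_der: bytes) -> List[str]:
    """Walk Name ::= SEQUENCE OF SET OF AttributeTypeAndValue and report every
    value whose length violates its PKIX SIZE constraint."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    problems = []
    for set_tag, rdn_body in iter_tlvs(rdns):
        if set_tag != SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        for atv_tag, atv in iter_tlvs(rdn_body):
            if atv_tag != SEQUENCE:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            oid_tag, oid_bytes, rest = read_tlv(atv, 0)
            val_tag, val, _ = read_tlv(atv, rest)
            oid = decode_oid(oid_bytes)
            bounds = DIRECTORY_STRING_BOUNDS.get(oid)
            if oid_tag != OID or bounds is None:
                continue                   # not an attribute we bound
            # SIZE counts characters; for PrintableString that equals bytes
            size = len(val.decode("utf-8")) if val_tag == UTF8_STRING else len(val)
            lo, hi = bounds
            if not lo <= size <= hi:
                problems.append(f"{oid}: tag 0x{val_tag:02x} length {size} "
                                f"outside SIZE ({lo}..{hi})")
    return problems


# --- encoder side, only to build the constructed samples -------------------
def tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128, "short-form length is enough for these samples"
    return bytes([tag, len(value)]) + value


def oid_der(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                   # base-128, high bit = continuation
        enc = bytes([arc & 0x7F])
        arc >>= 7
        while arc:
            enc = bytes([0x80 | (arc & 0x7F)]) + enc
            arc >>= 7
        out += enc
    return out


def rdn(oid: str, string_tag: int, text: str) -> bytes:
    return tlv(SET, tlv(SEQUENCE, tlv(OID, oid_der(oid)) + tlv(string_tag, text.encode())))


EMPTY_STATE = tlv(PRINTABLE_STRING, b"")   # the <<19,0>> seen in the trace

# Constructed subjects: C, ST (empty vs. filled), CN. Not the real server's.
BAD_SUBJECT = tlv(SEQUENCE, rdn("2.5.4.6", PRINTABLE_STRING, "ZA")
                  + rdn("2.5.4.8", PRINTABLE_STRING, "")
                  + rdn("2.5.4.3", PRINTABLE_STRING, "example.test"))
GOOD_SUBJECT = tlv(SEQUENCE, rdn("2.5.4.6", PRINTABLE_STRING, "ZA")
                   + rdn("2.5.4.8", PRINTABLE_STRING, "Western Cape")
                   + rdn("2.5.4.3", PRINTABLE_STRING, "example.test"))

if __name__ == "__main__":
    for label, subject in (("bad", BAD_SUBJECT), ("good", GOOD_SUBJECT)):
        print(label, check_name(subject) or "ok")
```

Running it prints one finding for the bad subject, `2.5.4.8: tag 0x13 length 0 outside SIZE (1..128)`, and nothing for the good one. The walker only covers the Name structure, so to use it on a real certificate you would first extract the subject or issuer Name from the DER (for example with the same read_tlv over the TBSCertificate), and it deliberately says nothing about whether a decoder should be lenient here: that is the trade-off the thread is about, since the issuer already emitted the empty field and the client has no control over it.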
