[erlang-questions] SSL peer verification in httpc with Mozilla's certificate store

Eric Meadows-Jönsson eric.meadows.jonsson@REDACTED
Wed Sep 10 10:16:12 CEST 2014


We are using httpc with the `{verify, verify_peer}` option for SSL
connections. We also provide CA certificates through the `cacertfile`
option. The certificate store we are using is from Mozilla [1], where we
extract all certificates that have been set as trusted for issuing new
certificates.

Using this set of certificates, when accessing https://s3.amazonaws.com,
gives us the following error:

    17:03:17.397 [error] SSL: :certify: ssl_handshake.erl:1389:Fatal error: unknown ca

Using the same certificate file with curl, Python's built-in http client or
Ruby's http client produces no error and the connection is successful. I
believe this happens because the root certificate in Amazon's certificate
chain is not included in the certificate file. The intermediate certificate is
included though, so it is trusted. It seems Erlang's SSL implementation
does not handle this scenario even though most HTTP clients and browsers
do. From what I can read about path validation, it is recommended to stop
validation when a trusted certificate is found in the chain and not
continue to the root and check it as well.

-- 
Eric Meadows-Jönsson
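The behaviour the mail asks for, accepting a chain once any certificate in it matches a trusted CA from the bundle, can be expressed in Erlang's `ssl` with the `partial_chain` option. The module below is an added example written for this thread; it is not code from the original mail or from OTP, and it assumes an OTP release that provides `partial_chain` (the option is documented in later OTP versions as `fun([DerCert]) -> {trusted_ca, DerCert} | unknown_ca`). The module name `pinned_httpc`, the function names and the `{depth, 3}` setting are the example's own choices.

```erlang
%% Added example (not part of the original mail): httpc over TLS with
%% verify_peer, where an intermediate CA that is present in the CA bundle may
%% serve as the trust anchor even when the root is absent from the bundle.
-module(pinned_httpc).
-export([get/2, partial_chain/2, load_ca_certs/1]).

%% Fetch Url (a string) over HTTPS, verifying the server against CaFile.
get(Url, CaFile) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    {ok, TrustedDer} = load_ca_certs(CaFile),
    SslOpts = [{verify, verify_peer},
               {cacertfile, CaFile},
               %% allow up to three intermediates between peer and anchor
               %% (hypothetical value; the default in older releases is lower)
               {depth, 3},
               %% consulted by ssl only when no cert in the chain is issued
               %% by a CA found in cacertfile, i.e. exactly the "unknown ca"
               %% situation described in the mail
               {partial_chain, fun(Chain) -> partial_chain(TrustedDer, Chain) end}],
    httpc:request(get, {Url, []}, [{ssl, SslOpts}], []).

%% Read a PEM bundle and return the DER bytes of every certificate in it.
load_ca_certs(CaFile) ->
    {ok, Pem} = file:read_file(CaFile),
    Entries = public_key:pem_decode(Pem),
    {ok, [Der || {'Certificate', Der, not_encrypted} <- Entries]}.

%% ssl hands us the server's chain as a list of DER-encoded certificates.
%% We claim a certificate as trust anchor only if its DER encoding is
%% byte-for-byte identical to one in our bundle; comparing whole
%% certificates rather than just public keys or subject names keeps an
%% attacker from substituting a look-alike certificate. ssl then runs
%% public_key:pkix_path_validation/3 from that anchor down to the peer, so
%% the missing root is never required. If nothing matches, validation fails
%% with unknown_ca as before.
partial_chain(TrustedDer, Chain) ->
    Match = lists:filter(fun(Der) -> lists:member(Der, TrustedDer) end, Chain),
    case Match of
        [Trusted | _] -> {trusted_ca, Trusted};
        []            -> unknown_ca
    end.
```

Usage: `pinned_httpc:get("https://s3.amazonaws.com/", "/path/to/mozilla-bundle.pem")`. Note that this only relaxes *which* certificate in the chain counts as the anchor; hostname checking and the path validation between the anchor and the peer still run exactly as with a full chain, so a chain signed by an intermediate that is not in the bundle is still rejected.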