[erlang-questions] SSL peer verification in httpc with Mozilla's certificate store

Ingela Andin ingela.andin@REDACTED
Fri Sep 12 10:28:03 CEST 2014


When it comes to when to stop the path validation there is no clear answer
that will always cut it and TLS, X509 RFC are not always in total
agreement. Even the same
RFC is sometimes contradicting itself. The issue you are describing has
been addressed in the latest version of the ssl application.

See commit 1c9e0651c4917b63f49d8505dba7e820da8e32d2,  where I added a new
option partial_chain that lets the user decide which certificate in the
chain that shall be
considered the trusted anchor if the whole chain can not be validated.

Regards Ingela Erlang/OTP team - Ericsson AB

2014-09-10 10:16 GMT+02:00 Eric Meadows-Jönsson <

> We are using httpc with the `{verify, verify_peer}` option for SSL
> connections. We also provide CA certificates through the `cacertfile`
> option. The certificate store we are using is from Mozilla [1] where we
> extract all certificates that been set as trusted for issuing new
> certificates.
> Using this set of certificates, when accessing https://s3.amazonaws.com,
> gives us the following error:
>     17:03:17.397 [error] SSL: :certify: ssl_handshake.erl:1389:Fatal
> error: unknown ca
> Using the same certificate file with curl, python's built-in http client
> or ruby's http client produces no error and the connection is successful. I
> believe this happens because the root certificate in amazon's certificate
> chain is not include the certificate file. The intermediate certificate is
> included though, so it is trusted. It seems erlang's SSL implementation
> does not handle this scenario even though most HTTP clients and browsers
> do. From what I can read about path validation it is recommended to stop
> validation when a trusted certificate is found in the chain and not
> continue to the root and check it as well.
> --
> Eric Meadows-Jönsson
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20140912/2e76c904/attachment.htm>

More information about the erlang-questions mailing list