[erlang-questions] Fwd: SSL peer verification in httpc with Mozilla's certificate store

Ingela Andin ingela.andin@REDACTED
Sat Sep 13 11:09:10 CEST 2014


---------- Forwarded message ----------
From: Ingela Andin <ingela.andin@REDACTED>
Date: 2014-09-12 16:17 GMT+02:00
Subject: Re: [erlang-questions] SSL peer verification in httpc with
Mozilla's certificate store
To: Eric Meadows-Jönsson <eric.meadows.jonsson@REDACTED>


Hi!

It will be in 17.3, which most likely will be released next week on Wednesday.

Regards Ingela Erlang/OTP team - Ericsson AB


2014-09-12 15:53 GMT+02:00 Eric Meadows-Jönsson <
eric.meadows.jonsson@REDACTED>:

> Great, that looks like exactly what we need! Thanks Ingela.
>
> I found the commit on the OTP repo, but could not find the branch it
> belonged to. Do you know when it will be available and which release
> it will be part of?
>
> On Fri, Sep 12, 2014 at 10:28 AM, Ingela Andin <ingela.andin@REDACTED>
> wrote:
>
>> Hi!
>>
>> When it comes to when to stop the path validation there is no clear
>> answer that will always cut it, and the TLS and X.509 RFCs are not always
>> in total agreement. Even the same RFC sometimes contradicts itself. The
>> issue you are describing has been addressed in the latest version of the
>> ssl application.
>>
>> See commit 1c9e0651c4917b63f49d8505dba7e820da8e32d2, where I added a new
>> option partial_chain that lets the user decide which certificate in the
>> chain shall be considered the trusted anchor if the whole chain can not
>> be validated.
>>
>> Regards Ingela Erlang/OTP team - Ericsson AB
>>
>>
>> 2014-09-10 10:16 GMT+02:00 Eric Meadows-Jönsson <
>> eric.meadows.jonsson@REDACTED>:
>>
>>> We are using httpc with the `{verify, verify_peer}` option for SSL
>>> connections. We also provide CA certificates through the `cacertfile`
>>> option. The certificate store we are using is from Mozilla [1], where we
>>> extract all certificates that have been set as trusted for issuing new
>>> certificates.
>>>
>>> Using this set of certificates, when accessing https://s3.amazonaws.com,
>>> gives us the following error:
>>>
>>>     17:03:17.397 [error] SSL: :certify: ssl_handshake.erl:1389:Fatal
>>> error: unknown ca
>>>
>>> Using the same certificate file with curl, Python's built-in HTTP client
>>> or Ruby's HTTP client produces no error and the connection is successful. I
>>> believe this happens because the root certificate in Amazon's certificate
>>> chain is not included in the certificate file. The intermediate certificate
>>> is included though, so it is trusted. It seems Erlang's SSL implementation
>>> does not handle this scenario even though most HTTP clients and browsers
>>> do. From what I can read about path validation, it is recommended to stop
>>> validation when a trusted certificate is found in the chain and not
>>> continue to the root and check it as well.
>>>
>>> --
>>> Eric Meadows-Jönsson
>>>
>>> _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>>
>>
>
>
> --
> Eric Meadows-Jönsson
>
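The following is an added example, not code from this thread, from Hex or from OTP: an httpc client that uses the `partial_chain` option Ingela describes so that a trust store containing only the intermediate CA (the S3 case Eric reports) validates instead of failing with `unknown ca`. The module name, the `{depth, 3}` setting and the assumption that ssl hands the fun the chain peer-certificate-first are mine; the options `verify_peer`, `cacerts` and `partial_chain` and the functions `public_key:pem_decode/1`, `public_key:pkix_decode_cert/2` and `httpc:request/4` are the OTP APIs the thread refers to.

```erlang
%% Added example (not from the thread, Hex or OTP): httpc with a trust
%% store that holds only an intermediate CA, made to work via the ssl
%% `partial_chain' option.
-module(partial_chain_example).
-export([load_cacerts/1, partial_chain/2, ssl_opts/1, fetch/2]).

-include_lib("public_key/include/public_key.hrl").

%% Read a PEM bundle (for example the Mozilla-derived file from the
%% thread) into the list of DER certificates that the `cacerts' option
%% and the partial_chain fun work with. Non-certificate entries and
%% encrypted entries are skipped.
load_cacerts(CaFile) ->
    {ok, Pem} = file:read_file(CaFile),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

%% ssl calls this fun only after the presented chain could not be
%% validated up to a root in the trust store. `Chain' is the list of DER
%% certificates the peer sent (assumed here to be peer certificate first).
%% The first certificate whose SubjectPublicKeyInfo is in our store is
%% claimed as trust anchor; ssl then runs path validation on the part of
%% the chain below it. Searching from the root end prefers the anchor that
%% leaves the longest portion of the chain to be validated. Any decoding
%% failure, or no match, keeps the default `unknown_ca' outcome.
partial_chain(CaCerts, Chain) ->
    try
        TrustedKeys = [public_key_info(Der) || Der <- CaCerts],
        find_anchor(lists:reverse(Chain), TrustedKeys)
    catch
        _:_ -> unknown_ca
    end.

find_anchor([], _TrustedKeys) ->
    unknown_ca;
find_anchor([Der | Rest], TrustedKeys) ->
    case lists:member(public_key_info(Der), TrustedKeys) of
        true  -> {trusted_ca, Der};
        false -> find_anchor(Rest, TrustedKeys)
    end.

%% Trust is a property of the CA key, so compare SubjectPublicKeyInfo
%% rather than the whole DER certificate (cross-signed CAs carry the same
%% key in several certificates) and never the subject name alone (anyone
%% can put a CA's name into a self-signed certificate).
public_key_info(Der) ->
    #'OTPCertificate'{tbsCertificate =
        #'OTPTBSCertificate'{subjectPublicKeyInfo = Spki}} =
        public_key:pkix_decode_cert(Der, otp),
    Spki.

%% ssl options for httpc. verify_peer is what makes the chain check happen
%% at all; `cacerts' carries the store already decoded to DER instead of
%% pointing at a `cacertfile'. `depth' bounds how many intermediates below
%% the anchor are accepted (3 is an assumed, generous value).
ssl_opts(CaCerts) ->
    [{verify, verify_peer},
     {cacerts, CaCerts},
     {depth, 3},
     {partial_chain, fun(Chain) -> partial_chain(CaCerts, Chain) end}].

%% fetch("https://s3.amazonaws.com", "mozilla-cacerts.pem") returns
%% {ok, {{_, Status, _}, Headers, Body}} or {error, Reason}.
fetch(Url, CaFile) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    CaCerts = load_cacerts(CaFile),
    httpc:request(get, {Url, []}, [{ssl, ssl_opts(CaCerts)}], []).
```

Two things to check before relying on this. First, the fun is the only thing standing between "unknown ca" and a successful handshake, so it must match against the trust store and nothing else; returning whatever certificate happens to be in the chain would turn verification off. Second, `partial_chain` only decides where path validation stops; it does not bind the certificate to the host name in the URL, so pair it with whatever hostname verification your OTP version performs.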

