[erlang-questions] bad certificate if trying to verify StartSsl certificate

Ingela Andin ingela.andin@REDACTED
Tue Aug 11 09:54:40 CEST 2015


2015-07-16 11:16 GMT+02:00 Alex Hudich <alttagil@REDACTED>:

> Hi!
> wget http://curl.haxx.se/ca/cacert.pem
> and then
> ssl:connect( "www.nicemine.ru", 443,
> [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}]
> ).
> gives me {error,{tls_alert,"bad certificate"}}
This site is not sending a correct certificate chain: I get all the
certificates that shall be in the chain, but scrambled around and not in the
correct order, and this is breaking the SSL/TLS protocol. OpenSSL will also
get the error above when trying to verify that chain, but later versions of
OpenSSL and also other implementations obviously try to work around this by
attempting to sort them and run the validation again.

You could do that too using the verify_fun if you really want to. We would
rather not make that a default feature as breaking security protocols is
usually a bad idea that could lead to vulnerabilities.

Regards, Ingela
Erlang/OTP Team - Ericsson AB

> Why? Site can be opened ok in the browser.
> Erlang/OTP 17 [erts-6.3]
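A chain-order diagnostic for the situation discussed above, as an added example that is neither OTP code nor from this thread: it takes the DER certificates a server presented, checks whether they are in TLS order (peer first, then its issuer, and so on), and computes the order that sorting implementations fall back to, so a misordered chain can be reported instead of silently accepted. It relies on public_key:pkix_is_issuer/2 and public_key:pkix_is_self_signed/1; demo/0 additionally assumes public_key:pkix_test_data/1 (OTP 20 or later) to generate a throwaway root/intermediate/peer chain offline.

```erlang
%% Added example (not OTP code): check whether a server-presented chain is
%% in TLS order (peer cert first, then the cert that issued it, and so on).
-module(chain_order).
-export([check/1, reorder/1, demo/0]).

%% check([Der]) -> ok | {misordered, [Der]} | {broken, Reason}
check(Chain) ->
    case reorder(Chain) of
        {ok, Chain}     -> ok;                  % already in TLS order
        {ok, Reordered} -> {misordered, Reordered};
        {error, Reason} -> {broken, Reason}
    end.
%% reorder([Der]) -> {ok, [Peer, Issuer, ...]} | {error, Reason}
reorder([]) -> {error, empty_chain};
reorder(Certs) ->
    %% The end-entity cert is the one that issued none of the others.
    Others = fun(C) -> lists:delete(C, Certs) end,
    case [C || C <- Certs, not issues_any(C, Others(C))] of
        [Peer] -> walk(Peer, Others(Peer), [Peer]);
        []     -> {error, issuer_loop};
        Many   -> {error, {multiple_end_entities, length(Many)}}
    end.

issues_any(Issuer, Certs) ->
    lists:any(fun(C) -> public_key:pkix_is_issuer(C, Issuer) end, Certs).
%% Follow issuer links until the supplied certs run out (the root may be
%% absent and live only in cacertfile) or a self-signed root is reached.
walk(_Cert, [], Acc) -> {ok, lists:reverse(Acc)};
walk(Cert, Remaining, Acc) ->
    case public_key:pkix_is_self_signed(Cert) of
        true  -> {error, {certs_after_root, length(Remaining)}};
        false ->
            case [I || I <- Remaining, public_key:pkix_is_issuer(Cert, I)] of
                [Issuer] -> walk(Issuer, lists:delete(Issuer, Remaining), [Issuer | Acc]);
                []       -> {error, {unrelated_certs, length(Remaining)}};
                _        -> {error, ambiguous_issuer}
            end
    end.

%% Generate a root -> intermediate -> peer test chain (pkix_test_data/1,
%% OTP 20+, assumed available) and present it in reversed order.
demo() ->
    Spec = #{root => [], intermediates => [[]], peer => []},
    #{server_config := Conf} =
        public_key:pkix_test_data(#{server_chain => Spec, client_chain => Spec}),
    {cert, Peer} = lists:keyfind(cert, 1, Conf),
    {cacerts, CAs} = lists:keyfind(cacerts, 1, Conf),
    {ok, Ordered} = reorder([Peer | CAs]),
    {check(Ordered), check(lists:reverse(Ordered))}.
```

The reordered list is in TLS order; public_key:pkix_path_validation/3 expects the reverse (trust anchor side first), which is also how ssl itself feeds a chain into path validation.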
