[erlang-questions] bad certificate if trying to verify StartSsl certificate

Santiago Fernández santif@REDACTED
Thu Jul 16 20:16:08 CEST 2015


Can't reproduce:

Erlang/OTP 17 [erts-6.4] [source] [64-bit] [smp:8:8] [async-threads:10]
[kernel-poll:false]

Eshell V6.4  (abort with ^G)
1> application:ensure_all_started(ssl).
{ok,[crypto,asn1,public_key,ssl]}
2> ssl:connect( "www.nicemine.ru", 443,
[{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}]
).
{ok,{sslsocket,{gen_tcp,#Port<0.821>,tls_connection,
                        undefined},
               <0.49.0>}}
--
Santiago

On Thu, Jul 16, 2015 at 2:54 PM, Alex Hudich <alttagil@REDACTED> wrote:

> Hi,
>
> It doesn’t help. Still {bad_cert,invalid_issuer}
>
>
>
> On 16 July 2015 at 20:29, Éric Pailleau <eric.pailleau@REDACTED>
> wrote:
>
> Hi, try with depth = 3.   Depth 0 to depth 2 is 3.
> Regards
>
> On 16 Jul 2015 at 15:15, Alex Hudich <alttagil@REDACTED> wrote:
>
>
> When I tried to check the connection with the openssl command, this is what
> I got without the cacert.pem file:
>
> $ openssl s_client -connect nicemine.ru:443 -verify 99
> verify depth is 99
> CONNECTED(00000003)
> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:1
> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
> verify return:1
> depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Class 1 Primary Intermediate Server CA
> verify return:1
> depth=0 /C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@REDACTED
> verify return:1
>
>
> and this with it:
>
> $ openssl s_client -connect nicemine.ru:443 -verify 99 -CAfile cacert.pem
> verify depth is 99
> CONNECTED(00000003)
> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Certification Authority
> verify return:1
> depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Class 1 Primary Intermediate Server CA
> verify return:1
> depth=0 /C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@REDACTED
> verify return:1
>
> so cacert.pem file contains enough info for StartCom certificates to be
> checked as valid.
>
>
> Also I’ve tried to dig into it more in Erlang, and I’ve found that I get the
> error in OTP 18 too.
>
> And the reason for bad certificate error is {bad_cert,invalid_issuer}
>
>
>
> I also tried to add
> https://www.startssl.com/certs/sub.class1.server.ca.pem file to
> cacert.pem but with no luck.
>
>
>
>
>
> On 16 July 2015 at 12:16, Alex Hudich <alttagil@REDACTED> wrote:
>
> Hi!
>
>
>
> wget http://curl.haxx.se/ca/cacert.pem
>
> and then
>
> ssl:connect( "www.nicemine.ru", 443,
> [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}]
> ).
>
> gives me {error,{tls_alert,"bad certificate"}}
>
>
>
> Why? The site can be opened OK in the browser.
>
> Erlang/OTP 17 [erts-6.3]
>
>
>
>
>
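Added diagnostic example (not code from the thread or from OTP): an Erlang module that makes the same `verify_peer` connection against a PEM CA bundle, but attaches a `verify_fun` so that every step of OTP's chain validation is logged with the subject commonName of the certificate it was taken on. A `{bad_cert, Reason}` such as `invalid_issuer` is then reported against the specific certificate, and the logged subjects can be compared with the `openssl s_client` chain above. Verification is not relaxed: a `bad_cert` event still fails the handshake exactly as the default does. The module name, the `log_verify/3` and `subject_cn/1` helpers and the 10 s timeout are assumptions of this example; the `depth` of 3 follows Éric's suggestion.

```erlang
%% tls_chain_probe.erl: added diagnostic example, not code from the thread.
%% Connects with verify_peer against a PEM CA bundle and logs each step of
%% OTP's certificate path validation via a verify_fun. Verification is NOT
%% relaxed: bad_cert events still fail the handshake, as the default does.
-module(tls_chain_probe).
-export([connect/3]).

-include_lib("public_key/include/public_key.hrl").

%% Host: hostname string; Port: integer; CaFile: path to a PEM bundle such
%% as the cacert.pem from the thread. Depth 3 = leaf + two intermediates + root.
connect(Host, Port, CaFile) ->
    Opts = [{verify, verify_peer},
            {server_name_indication, Host},
            {depth, 3},
            {cacertfile, CaFile},
            %% User state = index of the certificate within the validated
            %% path, trust anchor first: OTP validates root -> leaf, which is
            %% the reverse of openssl s_client's depth= numbering.
            {verify_fun, {fun log_verify/3, 0}}],
    case ssl:connect(Host, Port, Opts, 10000) of
        {ok, Sock} ->
            {ok, Der} = ssl:peercert(Sock),
            ssl:close(Sock),
            {ok, subject_cn(public_key:pkix_decode_cert(Der, otp))};
        {error, Reason} ->
            {error, Reason}
    end.

%% Called by ssl once per certificate in the path, and once per extension
%% that ssl does not handle itself.
log_verify(Cert, {bad_cert, Reason}, Idx) ->
    io:format("cert ~p (~p): BAD CERT ~p~n", [Idx, subject_cn(Cert), Reason]),
    {fail, Reason};                        %% keep strict verification
log_verify(_Cert, {extension, _Ext}, Idx) ->
    {unknown, Idx};                        %% let ssl apply its default rule
log_verify(Cert, valid, Idx) ->
    io:format("cert ~p (~p): valid CA cert~n", [Idx, subject_cn(Cert)]),
    {valid, Idx + 1};
log_verify(Cert, valid_peer, Idx) ->
    io:format("cert ~p (~p): valid peer cert~n", [Idx, subject_cn(Cert)]),
    {valid, Idx}.

%% Pull the commonName out of the subject RDN sequence. The value is an
%% ASN.1 directory string, e.g. {utf8String, <<"www.example.test">>} or
%% {printableString, "StartCom Certification Authority"}.
subject_cn(#'OTPCertificate'{tbsCertificate =
                #'OTPTBSCertificate'{subject = {rdnSequence, RDNs}}}) ->
    CNs = [V || [#'AttributeTypeAndValue'{type = ?'id-at-commonName',
                                           value = V}] <- RDNs],
    case CNs of
        [{_StringType, CN} | _] -> CN;
        [] -> undefined
    end.
```

Usage from an Erlang shell after `application:ensure_all_started(ssl).`: compile with `c(tls_chain_probe).` and run `tls_chain_probe:connect("www.nicemine.ru", 443, "cacert.pem").` A successful run prints one line per certificate (root first) and returns `{ok, CN}`; a failing run prints the offending certificate's line and returns the same `{error,{tls_alert,"bad certificate"}}` seen in the thread, so the problem can be narrowed to the issuer that the bundle does not contain.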