[erlang-questions] bad certificate if trying to verify StartSsl certificate

Alex Hudich alttagil@REDACTED
Thu Jul 16 21:15:48 CEST 2015


Ubuntu 14.04


# wget http://curl.haxx.se/ca/cacert.pem
--2015-07-16 19:11:50--  http://curl.haxx.se/ca/cacert.pem
Resolving curl.haxx.se (curl.haxx.se)... 2a00:1a28:1200:9::2, 80.67.6.50
Connecting to curl.haxx.se (curl.haxx.se)|2a00:1a28:1200:9::2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 258424 (252K)
Saving to: 'cacert.pem'

100%[=============================================================================================================================================================================================>] 258,424     1.62MB/s   in 0.2s   

2015-07-16 19:11:50 (1.62 MB/s) - 'cacert.pem' saved [258424/258424]

# erl
Erlang/OTP 18 [erts-7.0] [source] [64-bit] [smp:4:4] [async-threads:10] [hipe] [kernel-poll:false]

Eshell V7.0  (abort with ^G)
1> application:ensure_all_started(ssl).
{ok,[crypto,asn1,public_key,ssl]}
2>  ssl:connect( "www.nicemine.ru", 443, [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}] ).

=ERROR REPORT==== 16-Jul-2015::19:12:18 ===
SSL: certify: ssl_handshake.erl:1476:Fatal error: bad certificate
{error,{tls_alert,"bad certificate"}}
3> 


and

Mac OS X


$ wget http://curl.haxx.se/ca/cacert.pem
--2015-07-16 22:09:02--  http://curl.haxx.se/ca/cacert.pem
Resolving curl.haxx.se... 80.67.6.50, 2a00:1a28:1200:9::2
Connecting to curl.haxx.se|80.67.6.50|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 258424 (252K)
Saving to: 'cacert.pem'

100%[=============================================================================================================================================================================================>] 258,424     --.-K/s   in 0.1s    

2015-07-16 22:09:02 (1.92 MB/s) - 'cacert.pem' saved [258424/258424]

$ erl
Erlang/OTP 17 [erts-6.3] [source] [64-bit] [smp:8:8] [async-threads:10] [hipe] [kernel-poll:false] [dtrace]

Eshell V6.3  (abort with ^G)
1>  application:ensure_all_started(ssl).
{ok,[crypto,asn1,public_key,ssl]}
2>  ssl:connect( "www.nicemine.ru", 443, [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}] ).

=ERROR REPORT==== 16-Jul-2015::22:09:23 ===
SSL: certify: ssl_handshake.erl:1389:Fatal error: bad certificate
{error,{tls_alert,"bad certificate"}}
3> 


:((((((((((((



> On 16 July 2015, at 21:16, Santiago Fernández <santif@REDACTED> wrote:
> 
> can't reproduce:
> 
> Erlang/OTP 17 [erts-6.4] [source] [64-bit] [smp:8:8] [async-threads:10] [kernel-poll:false]
> 
> Eshell V6.4  (abort with ^G)
> 1> application:ensure_all_started(ssl).
> {ok,[crypto,asn1,public_key,ssl]}
> 2> ssl:connect( "www.nicemine.ru", 443, [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}] ).
> {ok,{sslsocket,{gen_tcp,#Port<0.821>,tls_connection,
>                         undefined},
>                <0.49.0>}}
> 
> 
> 
> 
> 
> --
> Santiago
> 
> On Thu, Jul 16, 2015 at 2:54 PM, Alex Hudich <alttagil@REDACTED> wrote:
> Hi,
> 
> It doesn't help. Still {bad_cert,invalid_issuer}
> 
> 
> 
>> On 16 July 2015, at 20:29, Éric Pailleau <eric.pailleau@REDACTED> wrote:
>> 
>> Hi, try with depth = 3.   Depth 0 to depth 2 is 3.
>> Regards
>> 
>> On 16 Jul 2015 15:15, Alex Hudich <alttagil@REDACTED> wrote:
>>> 
>>> When I tried to check the connection with the openssl command, this is what I got without the cacert.pem file:
>>> 
>>> $ openssl s_client -connect nicemine.ru:443 -verify 99
>>> verify depth is 99
>>> CONNECTED(00000003)
>>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>>> verify error:num=19:self signed certificate in certificate chain
>>> verify return:1
>>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>>> verify return:1
>>> depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
>>> verify return:1
>>> depth=0 /C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@REDACTED
>>> verify return:1
>>> 
>>> 
>>> and with it
>>> 
>>> $ openssl s_client -connect nicemine.ru:443 -verify 99 -CAfile cacert.pem
>>> verify depth is 99
>>> CONNECTED(00000003)
>>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>>> verify return:1
>>> depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
>>> verify return:1
>>> depth=0 /C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@REDACTED
>>> verify return:1
>>> 
>>> so the cacert.pem file contains enough info for StartCom certificates to be checked as valid.
>>> 
>>> 
>>> Also I've tried to dig into it more in Erlang and I've found that I get the error in OTP 18 too.
>>> 
>>> And the reason for bad certificate error is {bad_cert,invalid_issuer}
>>> 
>>> 
>>> 
>>> I also tried to add the https://www.startssl.com/certs/sub.class1.server.ca.pem file to cacert.pem but with no luck.
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On 16 July 2015, at 12:16, Alex Hudich <alttagil@REDACTED> wrote:
>>>> 
>>>> Hi!
>>>> 
>>>> 
>>>> 
>>>> wget http://curl.haxx.se/ca/cacert.pem
>>>> 
>>>> and then 
>>>> 
>>>> ssl:connect( "www.nicemine.ru", 443, [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}] ).
>>>> 
>>>> gives me {error,{tls_alert,"bad certificate"}}
>>>> 
>>>> 
>>>> 
>>>> Why? The site can be opened OK in the browser.
>>>> 
>>>> Erlang/OTP 17 [erts-6.3] 
>>>> 
>>>> 
>>> 
> 
> 
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
> 
> 
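The thread ends with the alert name ("bad certificate") and, after some digging, the underlying reason {bad_cert,invalid_issuer}, but nothing shows on which certificate of the chain the validator gave up. The following module is an added diagnostic example written for this page; it is not code from any poster and not part of OTP. It attaches a verify_fun to the same ssl:connect/3 options used in the thread so every path-validation event is reported to the caller, and it replays the certify step offline with public_key:pkix_path_validation/3 against a saved chain. The module name tls_diag, the chain file (the certificates printed by `openssl s_client -showcerts`, saved leaf first) and the name-based root lookup are assumptions of this example.

```erlang
%% tls_diag.erl -- added diagnostic example for the thread above.
%% Editor-written; not OTP code and not from any message in the thread.
-module(tls_diag).
-export([connect/3, check_chain/2]).

-include_lib("public_key/include/public_key.hrl").

%% Connect with verify_peer exactly as in the thread, but attach a
%% verify_fun that forwards every path-validation event to the calling
%% process. Returns {ConnectResult, Events}; Events is a list of
%% {Event, SubjectName} pairs in the order the validator saw them, so a
%% {bad_cert,invalid_issuer} event names the certificate it failed on.
%% Usage in the shell: tls_diag:connect("www.nicemine.ru", 443, "cacert.pem").
connect(Host, Port, CAFile) ->
    Caller = self(),
    VerifyFun =
        {fun(OtpCert, Event, State) ->
                 Caller ! {verify_event, Event, subject(OtpCert)},
                 %% Same decisions as OTP's default verify_peer fun:
                 %% any bad_cert fails, unknown extensions are tolerated.
                 case Event of
                     {bad_cert, _} = Bad -> {fail, Bad};
                     {extension, _}      -> {unknown, State};
                     valid               -> {valid, State};
                     valid_peer          -> {valid, State}
                 end
         end, []},
    Opts = [{verify, verify_peer},
            {server_name_indication, Host},
            {depth, 2},            % max intermediates after the peer cert
            {cacertfile, CAFile},
            {verify_fun, VerifyFun}],
    Result = ssl:connect(Host, Port, Opts, 5000),
    {Result, drain_events([])}.

%% The verify_fun runs in the TLS connection process while the caller is
%% blocked in ssl:connect/4, so all events are queued by the time it returns.
drain_events(Acc) ->
    receive
        {verify_event, Event, Subject} ->
            drain_events([{Event, Subject} | Acc])
    after 0 ->
        lists:reverse(Acc)
    end.

%% Offline replay of the certify step: ChainFile holds the chain as the
%% server sends it (leaf first); CAFile is the bundle (e.g. cacert.pem).
%% A trailing self-signed certificate is dropped, as the s_client output
%% in the thread shows the server sending its root: trust must come from
%% the bundle, never from the peer. The trusted root is then looked up by
%% issuer-name match (a simplification of ssl's own lookup) and RFC 5280
%% path validation is run, returning public_key's concrete reason.
check_chain(ChainFile, CAFile) ->
    Chain0 = read_certs(ChainFile),
    CAs    = read_certs(CAFile),
    Chain  = case public_key:pkix_is_self_signed(lists:last(Chain0)) of
                 true  -> lists:droplast(Chain0);
                 false -> Chain0
             end,
    case Chain of
        [] ->
            {error, selfsigned_peer};
        _ ->
            Top = lists:last(Chain),
            case [CA || CA <- CAs, public_key:pkix_is_issuer(Top, CA)] of
                [] ->
                    TopOtp = public_key:pkix_decode_cert(Top, otp),
                    {error, {no_trusted_issuer_for, subject(TopOtp)}};
                [Root | _] ->
                    %% pkix_path_validation wants the path ordered from the
                    %% certificate issued by Root down to the peer, i.e. the
                    %% reverse of the wire order.
                    Path = lists:reverse(Chain),
                    public_key:pkix_path_validation(Root, Path, [])
            end
    end.

%% All 'Certificate' entries of a PEM file as DER binaries, in file order.
read_certs(File) ->
    {ok, Pem} = file:read_file(File),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

subject(#'OTPCertificate'{tbsCertificate =
                              #'OTPTBSCertificate'{subject = Subject}}) ->
    Subject.
```

On the depth suggestion made earlier in the thread: OTP documents depth as the maximum number of non-self-issued intermediate certificates that may follow the peer certificate, with 0 meaning the peer must be signed directly by a trusted root and a default of 1. The path shown by s_client (leaf, Class 1 intermediate, root) has one intermediate, so depth 1 already admits it and raising it to 2 or 3 changes nothing for this chain; the events collected by connect/3 or the reason returned by check_chain/2 are the place to look instead.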
