[erlang-questions] SSL Client CA Certs/chain validation

Eric Meadows-Jönsson eric.meadows.jonsson@REDACTED
Thu Jul 23 14:29:51 CEST 2015


https://api.twilio.com/2010-04-01/Accounts/ works for me with Hex's http
client. https://api.gateway.evercam.io/v1 doesn't work and the issue seems
to be that they only send their own certificate without any intermediate
certificates in the chain. Since `partial_chain` is supposed to claim trust
for an intermediate certificate (and only for an intermediate in the
provided chain, you cannot return your own intermediate from the CA store)
this is impossible to do.

On Thu, Jul 23, 2015 at 12:11 PM, Benoit Chesneau <bchesneau@REDACTED>
wrote:

>
>
> On Thu, Jul 23, 2015 at 3:27 AM Tristan Sloughter <t@REDACTED> wrote:
>
>>  For Erlang code I copied from Eric to implement the same for rebar3's
>> hex client :)
>>
>>
>> https://github.com/rebar/rebar3/blob/master/src/rebar_pkg_resource.erl#L127-L172
>>
>> and
>>
>> https://github.com/rebar/rebar3/blob/master/src/rebar_cacerts.erl
>>
>> --
>> Tristan Sloughter
>> t@REDACTED
>>
>>
>
> Hrmm Are you sure it is actually working?
>
> I tried similar code in hackney on the following URLS:
>
> https://api.gateway.evercam.io/v1
> https://api.twilio.com/2010-04-01/Accounts/
>
> And I get an "unkown_ca" error...
>
> Hackney changes are:
> https://github.com/benoitc/hackney/pull/217
>
> On which URLS did you tested it? How do you generate your CA file?
>
> - benoit
>
>
>>
>>
>> On Wed, Jul 22, 2015, at 08:15 PM, Eric Meadows-Jönsson wrote:
>>
>> I maintain a http client using httpc as part of the Hex package manager
>> and have been trying to do proper HTTPS connections with it. In my
>> experience there is a lot of things you have to implement yourself if you
>> want to do it correctly and I have had many of the same questions you have.
>> Many things are still not clear for me but hopefully I can answer some of
>> your questions. I am going to be linking to Elixir code but I think it will
>> be easy for an Erlang programmer to understand it.
>>
>> These are the SSL options I use:
>> https://github.com/hexpm/hex/blob/98ebb655a3e4b494795f510c07e6b16f16650e91/lib/hex/api.ex#L54-L55
>> .
>>
>> Interesting options are `verify_fun`, Erlang doesn't seem to support
>> hostname verification so I use an Elixir port of
>> https://github.com/deadtrickster/ssl_verify_hostname.erl for that, many
>> thanks to Ilya Khaprov for creating that library. I pass in a CA
>> certificate store via `cacerts`, it is generated from Mozilla's store with
>> curl's mk-ca-bundle tool http://curl.haxx.se/docs/mk-ca-bundle.html, you
>> can see how it is called here:
>> https://github.com/hexpm/hex/blob/98ebb655a3e4b494795f510c07e6b16f16650e91/mix.exs#L61-L84
>> .
>>
>> Finally, unless you implement the `partial_chain` function many websites
>> wont work because they do not send a complete certificate chain.
>> Disclaimer: I do not know the correct (and secure) way to implement this
>> function, I even received a security bug report recently
>> https://github.com/hexpm/hex/issues/108 because the old implementation
>> was even more wrong. As you can see from the linked issue we are still not
>> confident that this is a correct implementation. Reviews of this function
>> from the OTP team or someone intimate with Erlang SSL would be very much
>> appreciated.
>>
>> There are also the new options for SNI in OTP 18 which I have not
>> implemented yet.
>>
>> As you can tell there is a lot of code you have to write yourself and
>> Erlang's ssl application does not have very exhaustive documentation or any
>> guides at all AFAICT, so it is very hard to implement this without any bugs
>> exposing security holes and I am not very confident in my own code because
>> of this.
>>
>> On Thu, Jul 23, 2015 at 2:28 AM, Kaiduan Xie <kaiduanx@REDACTED> wrote:
>>
>> The following articles explain thing very clearly,
>>
>>
>> http://security.stackexchange.com/questions/59566/ssl-certificate-chain-verification
>>
>>
>> http://security.stackexchange.com/questions/56389/ssl-certificate-framework-101-how-does-the-browser-actually-verify-the-validity
>>
>> /Kaiduan
>>
>>  On Wed, Jul 22, 2015 at 7:35 PM, Geoff Cant <nem@REDACTED> wrote:
>>  > Hi all, I’m wondering if anyone has written a guide (or can link to
>> example code) showing how they use OTP’s SSL library to connect to
>> arbitrary TLS servers on the internet with x.509 cert chain validation.
>>  >
>>  > I know the default SSL library option is ‘verify_none’, and that there
>> is a ‘cacertfile’ option, but a) it’s 2015 and you should verify cert
>> chains, and b) are people really bundling all the standard public CA certs
>> into a single giant cacertfile? If you are bundling say all of ubuntu’s
>> /etc/certs, do you have any tooling for this (cat /etc/certs/*.pem >>
>> get_me_everyone.cacerts)? Am I missing something and OTP automatically uses
>> the contents of /etc/certs ?
>>  >
>>  > Also, are people writing utility libraries/code to wrap ssl:* in order
>> to setup the connect/listen options they use? (I know I wrote one to do
>> certificate pinning)
>>  >
>>  >
>>  > I’m generally curious about your OTP ssl client use - particularly
>> around cert chain validation.
>>  >
>>  > Cheers,
>>  > -Geoff
>>  > _______________________________________________
>>  > erlang-questions mailing list
>>  > erlang-questions@REDACTED
>>  > http://erlang.org/mailman/listinfo/erlang-questions
>>  _______________________________________________
>>  erlang-questions mailing list
>>  erlang-questions@REDACTED
>>  http://erlang.org/mailman/listinfo/erlang-questions
>>
>>
>>
>>
>> --
>> Eric Meadows-Jönsson
>>  *_______________________________________________*
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>>
>>  _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
>


-- 
Eric Meadows-Jönsson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20150723/729b0823/attachment.htm>


More information about the erlang-questions mailing list