[erlang-questions] example of partial_chain in SSL
Benoit Chesneau
bchesneau@REDACTED
Sat Jun 27 11:38:40 CEST 2015
Ingela,
So it's not clear yet if this was the exact error here. It has been
fixed by updating the list of PEMs in the file in hackney using the Apple
certificate store. The error I am referring to has been reported here:
https://github.com/benoitc/hackney/issues/196
So it is probable that Apple is including an intermediate certificate that
is not in the list provided by Mozilla.
To be sure I understand: when a peer is not trusted by the validation
function, will the partial_chain function still be executed? What is the
order? I thought the partial_chain function would be executed first,
returning one of the certificates in the chain. In that case, why isn't it
executed in the code snippet above? (I can provide you a full branch if it
helps.)
More generally, what is the common pattern in that case, if any?
- benoit
On Thu, Jun 25, 2015 at 4:22 PM Ingela Andin <ingela.andin@REDACTED> wrote:
> Hi!
>
> 2015-06-24 19:52 GMT+02:00 Benoit Chesneau <bchesneau@REDACTED>:
>
>> Hi,
>>
>> I tried to use the partial_chain option in SSL to fix an unknown_ca issue
>> but the function is never executed:
>>
>>
>
> The partial chain function lets you shorten the certificate chain by
> accepting an intermediate cert sent to you by the peer as trusted. This is
> not the same as ignoring unknown_ca errors.
> If you want to handle incorrect clients (sending incomplete chains) by
> building the chain to the client certificate on the server side, if
> possible, you need to do that in the verify_fun when it fails and then call
> public_key:pkix_path_validation again with the chain that you built.
>
>
> Regards Ingela Erlang/OTP Team - Ericsson AB
>
>
>
>> The code is:
>>
>> enum_cacerts([], _Certs) ->
>>     unknown_ca;
>> enum_cacerts([Cert | Rest], Certs) ->
>>     case lists:member(Cert, Certs) of
>>         true -> {trusted_ca, Cert};
>>         false -> enum_cacerts(Rest, Certs)
>>     end.
>>
>>
>> CACertFile = filename:join(hackney_util:privdir(), "ca-bundle.crt"),
>> {ok, ServerCAs} = file:read_file(CACertFile),
>> Pems = public_key:pem_decode(ServerCAs),
>> CaCerts = lists:map(fun({_, Der, _}) -> Der end, Pems),
>>
>> PartialChain = fun(ChainCerts) ->
>>     enum_cacerts(CaCerts, ChainCerts)
>> end,
>>
>> And the SSL options are:
>>
>> [{partial_chain, PartialChain},
>>  {cacerts, CaCerts},
>>  {server_name_indication, Host},
>>  {verify_fun, {fun ssl_verify_hostname:verify_fun/3,
>>                [{check_hostname, Host}]}},
>>  {verify, verify_peer},
>>  {depth, 99}];
>>
>> What am I doing wrong? I am not sure actually why the function is never
>> executed. Any idea is welcome...
>>
>> - benoit
>>
>>
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>>
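The following module is an added example written for this page; it is not hackney's code, not OTP's, and not something either poster wrote. It wires together the two mechanisms Ingela distinguishes above: a partial_chain handler that pins an intermediate CA the peer actually sent and uses it as the trust anchor, and a verify_fun that, on {bad_cert, unknown_ca}, tries to complete a short chain from a local store of intermediates and re-runs public_key:pkix_path_validation/3, which is the pattern she describes for incomplete chains. In OTP's ssl code the partial_chain fun is consulted while the trust anchor is chosen, before path validation and therefore before the verify_fun sees anything, and it is handed the chain in the order the peer sent it (peer certificate first); its answer must be one of those DER binaries, so it cannot help when the peer never sent the intermediate, which is exactly the case the verify_fun branch covers. The module name, the file names, the helper names and the map passed to connect/3 are assumptions for illustration.

```erlang
%% chain_example.erl -- added example, not hackney's or OTP's own code.
%% Names of this module, its functions and the PEM files are assumed.
-module(chain_example).
-export([connect/3, partial_chain/1, verify_fun/2, ders_from_pem_file/1]).

%% All certificates of a PEM bundle as DER binaries.  Matching on the
%% 'Certificate' tag skips non-certificate entries in the bundle.
ders_from_pem_file(File) ->
    {ok, Pem} = file:read_file(File),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

%% --- partial_chain -------------------------------------------------------
%% TLS calls the fun with the DER chain as the peer sent it, peer
%% certificate first.  Pinned is the list of DER intermediates we accept
%% as anchors.  Walk from the root end and answer with the first pinned
%% certificate found; TLS then validates the rest of the chain below it.
%% The answer is always taken from Chain, never from our own store.
partial_chain(Pinned) ->
    fun(Chain) ->
            case [Der || Der <- lists:reverse(Chain), lists:member(Der, Pinned)] of
                [Anchor | _] -> {trusted_ca, Anchor};
                []           -> unknown_ca
            end
    end.

%% --- verify_fun ----------------------------------------------------------
%% On {bad_cert, unknown_ca} OTP hands us the top-most certificate of the
%% peer's chain, the one whose issuer it could not find.  Roots are DER
%% root CAs we trust, Store holds DER intermediates we keep locally.  If a
%% path Root -> ... -> Cert can be built from Store and validates, Cert is
%% accepted as anchor for the rest of the peer's chain.  This fun does no
%% hostname check; keep that as a separate step.
verify_fun(Roots, Store) ->
    fun(OtpCert, {bad_cert, unknown_ca}, State) ->
            case complete_chain(OtpCert, Roots, Store) of
                {ok, Root, Path} ->
                    case public_key:pkix_path_validation(Root, Path, []) of
                        {ok, _}         -> {valid, State};
                        {error, Reason} -> {fail, Reason}
                    end;
                error ->
                    {fail, unknown_ca}
            end;
       (_Cert, {bad_cert, _} = Reason, _State) -> {fail, Reason};
       (_Cert, {extension, _}, State)          -> {unknown, State};
       (_Cert, valid, State)                   -> {valid, State};
       (_Cert, valid_peer, State)              -> {valid, State}
    end.

%% Build [I1, ..., In, CertDer] such that Root issues I1, I1 issues I2, ...,
%% In issues Cert.  Candidates are matched on issuer/subject name with
%% public_key:pkix_is_issuer/2; signatures are checked afterwards by
%% pkix_path_validation/3.  Depth bounds the walk so a looping store
%% cannot hang the handshake.
complete_chain(OtpCert, Roots, Store) ->
    CertDer = public_key:pkix_encode('OTPCertificate', OtpCert, otp),
    complete_chain(OtpCert, [CertDer], Roots, Store, 8).

complete_chain(_Cert, _Acc, _Roots, _Store, 0) ->
    error;
complete_chain(OtpCert, Acc, Roots, Store, Depth) ->
    case issuer_in(OtpCert, Roots) of
        {ok, RootDer} ->
            {ok, RootDer, Acc};
        none ->
            case issuer_in(OtpCert, Store) of
                {ok, IssuerDer} ->
                    Issuer = public_key:pkix_decode_cert(IssuerDer, otp),
                    complete_chain(Issuer, [IssuerDer | Acc], Roots, Store, Depth - 1);
                none ->
                    error
            end
    end.

%% First candidate whose subject name equals Cert's issuer name.
issuer_in(OtpCert, Candidates) ->
    case [Der || Der <- Candidates, public_key:pkix_is_issuer(OtpCert, Der)] of
        [Der | _] -> {ok, Der};
        []        -> none
    end.

%% Client-side wiring of both callbacks.  Files is a map of PEM bundles
%% (assumed layout): roots = root CAs such as the Mozilla bundle,
%% pinned = intermediates accepted directly as anchors, store =
%% intermediates used to complete short chains.
connect(Host, Port, #{roots := RootsF, pinned := PinnedF, store := StoreF}) ->
    Roots  = ders_from_pem_file(RootsF),
    Pinned = ders_from_pem_file(PinnedF),
    Store  = ders_from_pem_file(StoreF),
    ssl:connect(Host, Port,
                [{verify, verify_peer},
                 {cacerts, Roots},
                 {partial_chain, partial_chain(Pinned)},
                 {verify_fun, {verify_fun(Roots, Store), []}},
                 {server_name_indication, Host},
                 {depth, 10}],
                5000).
```

Usage, with assumed file names: chain_example:connect("example.com", 443, #{roots => "ca-bundle.crt", pinned => "pinned-intermediates.pem", store => "intermediates.pem"}). Two design points worth keeping in mind: lists:member/2 on raw DER makes the pin an exact-bytes match, so a re-issued intermediate with the same name and key is not accepted until you update the pinned file, which is the conservative choice; and because the verify_fun here replaces the one from ssl_verify_hostname used in the posted options, hostname verification is not performed by this module and must be added back (for example in the valid_peer clause) before it is used against real servers.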