[erlang-questions] example of partial_chain in SSL
Ingela Andin
ingela.andin@REDACTED
Mon Jun 29 10:46:55 CEST 2015
Hi!
2015-06-27 11:38 GMT+02:00 Benoit Chesneau <bchesneau@REDACTED>:
> Ingela,
>
> So it's not clear yet if it was the exact error here. It has
> been fixed by updating the list of PEMs in the file in hackney using Apple's
> certificate store. The error I am referring to has been reported here:
> https://github.com/benoitc/hackney/issues/196
>
> So it is probably that Apple is including an intermediate certificate that
> is not in the list provided by Mozilla.
>
> To be sure I understand, when a peer is not trusted by the validation
> function, will the partial_chain function still be executed? What is the
> order? I thought the partial_chain function would be executed first,
> returning one of the certificates in the chain? In that case why is it not
> executed in the code snippet above? (I can provide you a full branch if it
> helps.)
>
> More generally what is the common pattern in that case if any?
>
>
The partial_chain function will be called if the "top"-certificate in the
certificate chain sent by the peer is not self-signed and found in the
trusted CA-store. This is done before calling the
public_key:path_validation. The partial_chain function may claim one of
the certificates present in the chain to be trusted; then that certificate
will be used as the trusted CA in the
path_validation, and certificates above the claimed certificate in the chain
will be disregarded and the ones below will be path-validated.
As for your particular problem it is hard to say unless I can see all the
inputs.
Regards Ingela Erlang/OTP team - Ericsson AB
> - benoit
>
>
>
> On Thu, Jun 25, 2015 at 4:22 PM Ingela Andin <ingela.andin@REDACTED>
> wrote:
>
>> Hi!
>>
>> 2015-06-24 19:52 GMT+02:00 Benoit Chesneau <bchesneau@REDACTED>:
>>
>>> Hi,
>>>
>>> I tried to use the partial_chain option in SSL to fix an unknown_ca
>>> issue but the function is never executed:
>>>
>>>
>>
>> The partial chain function lets you shorten the certificate chain by
>> accepting an intermediate cert sent to you by the peer as trusted. This is
>> not the same as ignoring unknown_ca errors.
>> If you want to handle incorrect clients (sending incomplete chains) by
>> building the chain to the client certificate on the server side, if
>> possible, you need to do that in the verify_fun when it fails and then call
>> public_key:pkix_path_validation again with the chain that you built.
>>
>>
>> Regards Ingela Erlang/OTP Team - Ericsson AB
>>
>>
>>
>>> The code is:
>>>
>>> %% Return the first CA certificate (DER) from the bundle that also appears
>>> %% in the chain sent by the peer, or unknown_ca if none does.
>>> enum_cacerts([], _Certs) ->
>>>     unknown_ca;
>>> enum_cacerts([Cert | Rest], Certs) ->
>>>     case lists:member(Cert, Certs) of
>>>         true  -> {trusted_ca, Cert};
>>>         false -> enum_cacerts(Rest, Certs)
>>>     end.
>>>
>>>
>>>     %% Load the PEM bundle shipped in hackney's priv dir and keep the DER
>>>     %% of every entry.
>>>     CACertFile = filename:join(hackney_util:privdir(), "ca-bundle.crt"),
>>>     {ok, ServerCAs} = file:read_file(CACertFile),
>>>     Pems = public_key:pem_decode(ServerCAs),
>>>     CaCerts = lists:map(fun({_, Der, _}) -> Der end, Pems),
>>>
>>>     %% partial_chain callback: ChainCerts is the DER chain from the peer.
>>>     PartialChain = fun(ChainCerts) ->
>>>                            enum_cacerts(CaCerts, ChainCerts)
>>>                    end,
>>>
>>> And the SSL options are:
>>>
>>>     [{partial_chain, PartialChain},
>>>      {cacerts, CaCerts},
>>>      {server_name_indication, Host},
>>>      {verify_fun, {fun ssl_verify_hostname:verify_fun/3,
>>>                    [{check_hostname, Host}]}},
>>>      {verify, verify_peer},
>>>      {depth, 99}];
>>>
>>> What am I doing wrong? I am not sure actually why the function is never
>>> executed. Any idea is welcome...
>>>
>>> - benoit
>>>
>>>
>>>
>>> _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
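Putting Ingela's description of partial_chain into one piece of code, as an added example that is neither from this thread nor from hackney: the fun receives the DER chain as ssl hands it over (peer certificate first, which this example assumes), skips the peer, and claims the first intermediate whose exact DER bytes are in a locally loaded PEM bundle; path validation then ignores everything above that certificate and validates everything below it. The module name, `trusted_set_from_pem/1`, `partial_chain_fun/1` and `ssl_opts/2` are names chosen for this example; `ssl_verify_hostname` is the library the thread already uses for hostname checking.

```erlang
%% Added example, not code from the thread. Assumes ssl passes the chain to
%% the partial_chain fun DER-encoded and peer certificate first.
-module(pin_intermediate).
-export([trusted_set_from_pem/1, partial_chain_fun/1, ssl_opts/2]).

%% Load a PEM bundle and keep only the 'Certificate' entries as a set of
%% DER binaries, so a stray key or CRL in the bundle can never be claimed
%% as a trusted CA.
trusted_set_from_pem(PemFile) ->
    {ok, Pem} = file:read_file(PemFile),
    Ders = [Der || {'Certificate', Der, not_encrypted}
                       <- public_key:pem_decode(Pem)],
    gb_sets:from_list(Ders).

%% Walk the chain from the peer upwards, skipping the peer itself, and
%% claim the first certificate whose exact DER bytes are trusted. The
%% certificates above it in the chain are then disregarded by ssl.
partial_chain_fun(TrustedDers) ->
    fun([_Peer | Issuers]) -> claim_first_trusted(Issuers, TrustedDers);
       ([])                -> unknown_ca
    end.

claim_first_trusted([], _TrustedDers) ->
    unknown_ca;
claim_first_trusted([Der | Rest], TrustedDers) ->
    case gb_sets:is_element(Der, TrustedDers) of
        true  -> {trusted_ca, Der};
        false -> claim_first_trusted(Rest, TrustedDers)
    end.

%% Client options: the same bundle serves as cacerts (chains that do reach a
%% root in the bundle validate normally) and as the partial_chain source.
%% Hostname checking stays in verify_fun, as in the thread.
ssl_opts(Host, PemFile) ->
    TrustedDers = trusted_set_from_pem(PemFile),
    [{verify, verify_peer},
     {cacerts, gb_sets:to_list(TrustedDers)},
     {partial_chain, partial_chain_fun(TrustedDers)},
     {server_name_indication, Host},
     {verify_fun, {fun ssl_verify_hostname:verify_fun/3,
                   [{check_hostname, Host}]}},
     {depth, 99}].
```

Because matching is on exact DER bytes, a bundle entry is only claimed when the peer sends that very certificate; a re-issued intermediate with the same subject but different bytes falls through to unknown_ca, which is the failure the thread is about.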