[erlang-questions] bad certificate if trying to verify StartSsl certificate

Benoit Chesneau bchesneau@REDACTED
Thu Sep 10 11:02:56 CEST 2015


On Tue, Aug 11, 2015 at 9:54 AM Ingela Andin <ingela.andin@REDACTED> wrote:

> Hi!
>
> 2015-07-16 11:16 GMT+02:00 Alex Hudich <alttagil@REDACTED>:
>
>> Hi!
>>
>>
>>
>> wget http://curl.haxx.se/ca/cacert.pem
>>
>> and then
>>
>> ssl:connect( "www.nicemine.ru", 443,
>> [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}]
>> ).
>>
>> gives me {error,{tls_alert,"bad certificate"}}
>>
>>
>>
>>
> This site is not sending a correct certificate chain; I get all the
> certificates that shall be in the chain but scrambled around and not in the
> correct order, and this is breaking the
> SSL/TLS protocol. OpenSSL will also get the error above when trying to
> verify that chain, but later versions of OpenSSL and also other
> implementations obviously try to work around this by attempting to sort
> them and run the validation again.
>
> You could do that too using the verify_fun if you really want to. We would
> rather not make that a default feature as breaking security protocols is
> usually a bad idea that could lead to vulnerabilities.
>
>
> Regards, Ingela
> Erlang/OTP Team - Ericsson AB
>
>

I have the same issue on another host: rest-api.pay.nl:

15> ssl:connect( "rest-api.pay.nl", 443,
[{verify,verify_peer},{server_name_indication,"rest-api.pay.nl"},{depth,2},{cacertfile,
"priv/ca-bundle.crt"}] ).

=ERROR REPORT==== 10-Sep-2015::11:01:31 ===
SSL: certify: ssl_handshake.erl:1476:Fatal error: bad certificate
{error,{tls_alert,"bad certificate"}}


The chain looks correct to me and curl handles it without issue. What do
you mean by sorting certificates? Any example?

- benoit




>
>
>> Why? Site can be opened ok in the browser.
>>
>> Erlang/OTP 17 [erts-6.3]
>>
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
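Ingela's suggestion above (sort the chain the server sent, then validate it) as an added example that is not from this thread or from Erlang/OTP: it is written in Go rather than Erlang because Go's standard library can build a constructed root/intermediate/leaf chain in memory, and the certificate names are made up. OrderChain takes the certificates in the order a server sent them and rebuilds leaf-first order, accepting a link only when the candidate issuer's key actually verifies the signature, and refusing ambiguous sets instead of guessing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// mkCert issues a constructed certificate for name; a nil parent makes it a self-signed root.
func mkCert(name string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		IsCA: ca, BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { parent, pkey = t, key }
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildScrambledChain: a constructed root/intermediate/leaf chain returned out of order (intermediate, root, leaf), as in the thread.
func BuildScrambledChain() []*x509.Certificate {
	root, rk := mkCert("Example Root CA", true, nil, nil)
	inter, ik := mkCert("Example Intermediate CA", true, root, rk)
	leaf, _ := mkCert("www.example.test", false, inter, ik)
	return []*x509.Certificate{inter, root, leaf}
}
// OrderChain rebuilds leaf-first order from a scrambled set. A link counts only when the issuer's key verifies the
// signature (a name match alone proves nothing); ambiguous sets are rejected, and trust-store validation stays the TLS library's job.
func OrderChain(certs []*x509.Certificate) ([]*x509.Certificate, error) {
	signed := func(c, o *x509.Certificate) bool { return o != c && c.CheckSignatureFrom(o) == nil }
	pick := func(ok func(*x509.Certificate) bool) (out []*x509.Certificate) {
		for _, c := range certs { if ok(c) { out = append(out, c) } }
		return out
	}
	chain := pick(func(c *x509.Certificate) bool { // the leaf is the one certificate that signed nothing else
		return len(pick(func(o *x509.Certificate) bool { return signed(o, c) })) == 0 })
	if len(chain) != 1 { return nil, errors.New("no unique leaf certificate") }
	for len(chain) <= len(certs) { // bound guards against cross-signing loops
		next := pick(func(o *x509.Certificate) bool { return signed(chain[len(chain)-1], o) })
		if len(next) == 0 { return chain, nil } // top of what was sent; its issuer must be a trust anchor
		if len(next) > 1 { return nil, errors.New("ambiguous issuer") }
		chain = append(chain, next[0])
	}
	return nil, errors.New("issuer loop")
}
```

In Erlang the corresponding building blocks are public_key:pkix_decode_cert/2 and public_key:pkix_path_validation/3 on the reordered list; a name-only check such as public_key:pkix_is_issuer/2 should not stand in for the signature check.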