[erlang-questions] ssl: Bad Certficate using file generated using mkcert.org
Benoit Chesneau
bchesneau@REDACTED
Mon Apr 2 10:11:17 CEST 2018
It seems according ssllabs there is a problem with the chain: "Incorrect
order, Contains anchor" which is probably the root issue:
https://github.com/benoitc/hackney/issues/490#issuecomment-377873484
I'm now wondering if there is any possibility to fix it in recent Erlang
versions. Did anyone already encounter such issue?
- benoit
On Sun, Apr 1, 2018 at 10:19 PM, Benoit Chesneau <bchesneau@REDACTED>
wrote:
> err wrong coppy-paste. So using openssl the certidicate looks OK. So it
> seems an error in erlang.
>
> OpenSSL> s_client -connect airbrake.io:443 -CAfile
> /Users/benoitc/Misc/erlang-certifi/priv/cacerts.pem
> CONNECTED(00000006)
> depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
> AddTrust External CA Root
> verify return:1
> depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
> Network, CN = USERTrust RSA Certification Authority
> verify return:1
> depth=1 C = US, O = SSL.com, OU = www.ssl.com, CN = SSL.com DV CA
> verify return:1
> depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.
> airbrake.io
> verify return:1
> ---
> Certificate chain
> 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.
> airbrake.io
> i:/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
> 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
> i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
> 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST
> Network/CN=USERTrust RSA Certification Authority
> i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
> 3 s:/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
> i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST
> Network/CN=USERTrust RSA Certification Authority
> ---
> Server certificate
>
> -----BEGIN CERTIFICATE-----
> MIIEwTCCA6mgAwIBAgIRAKLxH0P8s499IyC7Gi9P0e8wDQYJKoZIhvcNAQELBQAw
> TTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB1NTTC5jb20xFDASBgNVBAsTC3d3dy5z
> c2wuY29tMRYwFAYDVQQDEw1TU0wuY29tIERWIENBMB4XDTE2MTEwNDAwMDAwMFoX
> DTE4MTEyODIzNTk1OVowWzEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
> dGVkMR4wHAYDVQQLExVFc3NlbnRpYWxTU0wgV2lsZGNhcmQxFjAUBgNVBAMMDSou
> YWlyYnJha2UuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXWXkQ
> kM5+hdRdZhWC3G+wjwpSF2GNLzEf27+3CQvZA8J7trZ/JdHTwIt6TPnq4igmE/XA
> Ej2mOEu2crzO+mVignSSPDItHVB8UenwNphguUskZPSDgVEi5a7rBscFWKkvWMEH
> W6vhbrpur+G1j0awhTn6hh++DYUUUl03hUPh6qNN+GQ/wPn+Tbgzw3obX4sE7Iel
> UePxeMpzv4rG9nZznStoXYlRFws3BaL8wTkL3G8wLVJndlIKTzMdfDCinvGpkV85
> rdfm7UfsvFCdYKosOpbt5iRCJGTJvckFX4ih2MAC8mMP+bwzrNrNkPjuY8To+pVC
> F2rNvjRWJn+yTDdVAgMBAAGjggGMMIIBiDAfBgNVHSMEGDAWgBRGmv38UV58VFNS
> 4pnjszLvkxp/VjAdBgNVHQ4EFgQUkQAJSPUocFTrnPm4af+i76JscKkwDgYDVR0P
> AQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
> AQUFBwMCMEoGA1UdIARDMEEwNQYKKwYBBAGCqTABATAnMCUGCCsGAQUFBwIBFhlo
> dHRwczovL2Nwcy51c2VydHJ1c3QuY29tMAgGBmeBDAECATA0BgNVHR8ELTArMCmg
> J6AlhiNodHRwOi8vY3JsLnNzbC5jb20vU1NMY29tRFZDQV8yLmNybDBgBggrBgEF
> BQcBAQRUMFIwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jcnQuc3NsLmNvbS9TU0xjb21E
> VkNBXzIuY3J0MB8GCCsGAQUFBzABhhNodHRwOi8vb2NzcC5zc2wuY29tMCUGA1Ud
> EQQeMByCDSouYWlyYnJha2UuaW+CC2FpcmJyYWtlLmlvMA0GCSqGSIb3DQEBCwUA
> A4IBAQBWDuO6czF5/CGPCuySdo9UGy7/Rj/oONzEPSJJcRZ1o6ix+RV7+dQBNBO0
> SPuAkgH4k/Qbs75htpduWq+5hIfgYwSWvTW+2kcEZKgkPrg53n7cMT10MTg7I7oS
> qNvIpNh+2e6JwaFnM9pYSOSx01zh2HnCi8l+AQmVRdhxVDgOT+9SNcLC3+j/IuY6
> iGnse7X4Q3diIMNxtPTdqfPsewLuWH7RJutwuLTIP5qL1R+AH0RmOGeX2K16rPLr
> 1GczOm5WnRyikYMjGW6llzS7RXgPfvdeU8mt4wK7fvZ9chMLNR7fpmEsWoejmN5P
> nqzjN5AKKgED5AjJ+DNtKzzEJqW0
> -----END CERTIFICATE-----
> subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.
> airbrake.io
> issuer=/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 5736 bytes and written 444 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES128-GCM-SHA256
> Session-ID: 2CA3877657CF653D2885B34218AC09
> ECA30A9E125AC0556D749E359F3A6822F7
> Session-ID-ctx:
> Master-Key: 2D3A255FF47D44AAD4CA06024149B9
> 538819A0C832426B69B83EFE76E5404BC87790360A2F4FFC9933DB76816555C6B1
> Start Time: 1522613874
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
>
> HTTP/1.0 408 Request Time-out
> Cache-Control: no-cache
> Connection: close
> Content-Type: text/html
>
> <html><body><h1>408 Request Time-out</h1>
> Your browser didn't send a complete request in time.
> </body></html>
> closed
>
>
>
> On Sun, Apr 1, 2018 at 10:06 PM, Benoit Chesneau <bchesneau@REDACTED>
> wrote:
>
>> heh OK, no problem :)
>>
>> To be complete the chain retuned by openssl is :
>>
>> OpenSSL> s_client -connect airbrake.io:443 -showcerts
>> CONNECTED(00000006)
>> depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
>> AddTrust External CA Root
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> ---
>> Certificate chain
>> 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.
>> airbrake.io
>> i:/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
>> -----BEGIN CERTIFICATE-----
>> MIIEwTCCA6mgAwIBAgIRAKLxH0P8s499IyC7Gi9P0e8wDQYJKoZIhvcNAQELBQAw
>> TTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB1NTTC5jb20xFDASBgNVBAsTC3d3dy5z
>> c2wuY29tMRYwFAYDVQQDEw1TU0wuY29tIERWIENBMB4XDTE2MTEwNDAwMDAwMFoX
>> DTE4MTEyODIzNTk1OVowWzEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
>> dGVkMR4wHAYDVQQLExVFc3NlbnRpYWxTU0wgV2lsZGNhcmQxFjAUBgNVBAMMDSou
>> YWlyYnJha2UuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXWXkQ
>> kM5+hdRdZhWC3G+wjwpSF2GNLzEf27+3CQvZA8J7trZ/JdHTwIt6TPnq4igmE/XA
>> Ej2mOEu2crzO+mVignSSPDItHVB8UenwNphguUskZPSDgVEi5a7rBscFWKkvWMEH
>> W6vhbrpur+G1j0awhTn6hh++DYUUUl03hUPh6qNN+GQ/wPn+Tbgzw3obX4sE7Iel
>> UePxeMpzv4rG9nZznStoXYlRFws3BaL8wTkL3G8wLVJndlIKTzMdfDCinvGpkV85
>> rdfm7UfsvFCdYKosOpbt5iRCJGTJvckFX4ih2MAC8mMP+bwzrNrNkPjuY8To+pVC
>> F2rNvjRWJn+yTDdVAgMBAAGjggGMMIIBiDAfBgNVHSMEGDAWgBRGmv38UV58VFNS
>> 4pnjszLvkxp/VjAdBgNVHQ4EFgQUkQAJSPUocFTrnPm4af+i76JscKkwDgYDVR0P
>> AQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
>> AQUFBwMCMEoGA1UdIARDMEEwNQYKKwYBBAGCqTABATAnMCUGCCsGAQUFBwIBFhlo
>> dHRwczovL2Nwcy51c2VydHJ1c3QuY29tMAgGBmeBDAECATA0BgNVHR8ELTArMCmg
>> J6AlhiNodHRwOi8vY3JsLnNzbC5jb20vU1NMY29tRFZDQV8yLmNybDBgBggrBgEF
>> BQcBAQRUMFIwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jcnQuc3NsLmNvbS9TU0xjb21E
>> VkNBXzIuY3J0MB8GCCsGAQUFBzABhhNodHRwOi8vb2NzcC5zc2wuY29tMCUGA1Ud
>> EQQeMByCDSouYWlyYnJha2UuaW+CC2FpcmJyYWtlLmlvMA0GCSqGSIb3DQEBCwUA
>> A4IBAQBWDuO6czF5/CGPCuySdo9UGy7/Rj/oONzEPSJJcRZ1o6ix+RV7+dQBNBO0
>> SPuAkgH4k/Qbs75htpduWq+5hIfgYwSWvTW+2kcEZKgkPrg53n7cMT10MTg7I7oS
>> qNvIpNh+2e6JwaFnM9pYSOSx01zh2HnCi8l+AQmVRdhxVDgOT+9SNcLC3+j/IuY6
>> iGnse7X4Q3diIMNxtPTdqfPsewLuWH7RJutwuLTIP5qL1R+AH0RmOGeX2K16rPLr
>> 1GczOm5WnRyikYMjGW6llzS7RXgPfvdeU8mt4wK7fvZ9chMLNR7fpmEsWoejmN5P
>> nqzjN5AKKgED5AjJ+DNtKzzEJqW0
>> -----END CERTIFICATE-----
>> 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
>> External CA Root
>> i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
>> External CA Root
>> -----BEGIN CERTIFICATE-----
>> MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
>> MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
>> IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
>> MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
>> FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
>> bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
>> dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
>> H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
>> uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
>> mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
>> a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
>> E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
>> WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
>> VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
>> Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
>> cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
>> IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
>> AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
>> YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
>> 6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
>> Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
>> c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
>> mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
>> -----END CERTIFICATE-----
>> 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST
>> Network/CN=USERTrust RSA Certification Authority
>> i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
>> External CA Root
>> -----BEGIN CERTIFICATE-----
>> MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
>> MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
>> ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
>> eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
>> gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
>> ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
>> VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN
>> BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00yt
>> UINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC
>> tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQf
>> jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM
>> 8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hm
>> AUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiV
>> Z4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9
>> N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sF
>> qV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9
>> HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ
>> +gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX
>> HAc/DVL17e8vgg8CAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTv
>> A73gJMtUGjAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/
>> BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
>> HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4
>> dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0
>> dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAJNl9jeD
>> lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwmp1ocd5yblSYMgpEg7wrQPWCcR23+WmgZWn
>> RtqCV6mVksW2jwMibDN3wXsyF24HzloUQToFJBv2FAY7qCUkDrvMKnXduXBBP3zQ
>> YzYhBx9G/2CkkeFnvN4ffhkUyWNnkepnB2u0j4vAbkN9w6GAbLIevFOFfdyQoaS8
>> Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf
>> Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
>> 0fKtirOMxyHNwu8=
>> -----END CERTIFICATE-----
>> 3 s:/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
>> i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST
>> Network/CN=USERTrust RSA Certification Authority
>> -----BEGIN CERTIFICATE-----
>> MIIF5jCCA86gAwIBAgIQEQDFvydYwZlp/Gjtcp381zANBgkqhkiG9w0BAQwFADCB
>> iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
>> cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
>> BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQw
>> NzA0MDAwMDAwWhcNMjQwNzAzMjM1OTU5WjBNMQswCQYDVQQGEwJVUzEQMA4GA1UE
>> ChMHU1NMLmNvbTEUMBIGA1UECxMLd3d3LnNzbC5jb20xFjAUBgNVBAMTDVNTTC5j
>> b20gRFYgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAJEcVY7NR
>> 2qmRMLzC17tObKov3Jf1AQLOfZRfCi26JM4lYzJoW7uMO6RSwBJeP6pSBYthSWLc
>> R+zd0bsQW5xKGITX51HYBH3daGWQEJIWVfL59cw3qhRsMQ5XP/IMZ15BOUxqGRVV
>> 7NnCBBVcrWVhrEqSZbM6o61lMBU3sQQlYep/Ie3Ce6ca8oWfX5h4hrWtxuRCiBB4
>> EjxMB5KYOKJnQaOLEXaRhgr8cNHhzjl2KrKx/tCMtR/9pqy/+dOCKDiQWkg+hBoT
>> D/hGc/B3x7KfHAbdLJTPrRdJrFnSwMWwPcrWGIrrud3w5VxzXBjPAzQn7Dg/hpGB
>> NHEHBwKsLER3AgMBAAGjggGEMIIBgDAfBgNVHSMEGDAWgBRTeb9aqitKz1SA4dib
>> wJ3ysgNmyzAdBgNVHQ4EFgQURpr9/FFefFRTUuKZ47My75Maf1YwDgYDVR0PAQH/
>> BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
>> CCsGAQUFBwMCMCEGA1UdIAQaMBgwDAYKKwYBBAGCqTABATAIBgZngQwBAgEwVQYD
>> VR0fBE4wTDBKoEigRoZEaHR0cDovL2NybC50cnVzdC1wcm92aWRlci5jb20vVVNF
>> UlRydXN0UlNBQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwgYAGCCsGAQUFBwEB
>> BHQwcjBEBggrBgEFBQcwAoY4aHR0cDovL2NydC50cnVzdC1wcm92aWRlci5jb20v
>> VVNFUlRydXN0UlNBQWRkVHJ1c3RDQS5jcnQwKgYIKwYBBQUHMAGGHmh0dHA6Ly9v
>> Y3NwLnRydXN0LXByb3ZpZGVyLmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAB1RJZUdF
>> d05ZN1SYdTZsDj9Rq9De097SCCWi0E97Ehc2MRQag98VqlZPrC2WM9q+C7Z5MvcM
>> 1njs15p55YRJbHjjECgiabKEPsx3xXH+oTb4kKzQjqMZV5CNC7K+5H4OaCtNcFEZ
>> E2vWRI9hunFjTfTJ9VrKjGIwcYz30VtdB1vtk0Jaf0lnC4H1GOAdw3IwJgbygOeu
>> ACY/1RH5U0ai2e9wWXsiADjBtHbiFPEzt5Cmu2wag9fPrX663Xs5TqjDNCPAgCLm
>> ijzyrCQmlCaug332cwnYI5dA0Oa/eIV6lYZTev143bZWs+A6dQhXDJUQzfSvPsQS
>> Pu/W3QAkw4vuZ97mVvgzK5LiDWps2N9Fw9b5Et4Op+cuy27I48fG3bRH0dROJwYs
>> w+MrMc5Sy/TOl9a5UUmtq2jEJbEv7xU5x1bvhaFfBtxoF36sLLuPf19Aev4n2Y46
>> Fou4Aup1eWVyS+XYKiaTGzxL5b4fbwhKItk8NptdrJ26YmdCl6cFNaabXHHak24W
>> I0cF4+u8ATOxkdFkuLyWusWzfmfIMHX1ZHD3giYavooNnupzxnju58Tpc9AsCgyL
>> rRxTbur5AscjOsHHfzeeTqflKtslTvJ9AvNkPLizR2cMk4+1h+6yDBHggsm0bZn0
>> AeY5kXGfjIimFcd00xvjkVn41em3We1sghs=
>> -----END CERTIFICATE-----
>> ---
>> Server certificate
>> subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.
>> airbrake.io
>> issuer=/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 5736 bytes and written 444 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>> Protocol : TLSv1.2
>> Cipher : ECDHE-RSA-AES128-GCM-SHA256
>> Session-ID: 62BF8A905F9DF278347423E70D1001
>> 44AEB17B41C4BEB41FE8BC83512D8AE5C7
>> Session-ID-ctx:
>> Master-Key: D3F6811B769DE3E5045BB386AE6CA5
>> 61C272F44014A3F1DB8F8786B599D11015CE44AF5B8351CDD466EA7A02E764F78A
>> Start Time: 1522613090
>> Timeout : 300 (sec)
>> Verify return code: 0 (ok)
>> ---
>> HTTP/1.0 408 Request Time-out
>> Cache-Control: no-cache
>> Connection: close
>> Content-Type: text/html
>>
>> <html><body><h1>408 Request Time-out</h1>
>> Your browser didn't send a complete request in time.
>> </body></html>
>> closed
>>
>>
>> On Sun, Apr 1, 2018 at 9:23 PM, Luke Bakken <luke@REDACTED> wrote:
>>
>>> Oh, never mind, I thought you were responsible for the airbrake.io cert.
>>>
>>> I have seen the same behavior you report when using different CA
>>> certificate bundles. Using the default OS X bundle usually works,
>>> while recent Mozilla CA bundles don't. I did a bunch of diagnosis but
>>> never came to a definitive conclusion. I'll re-visit what I did and
>>> will see if I can figure out what exactly works and what doesn't.
>>>
>>> Luke
>>>
>>> On Sun, Apr 1, 2018 at 12:13 PM, Benoit Chesneau <bchesneau@REDACTED>
>>> wrote:
>>> > hrm not sure i understand. You mean to the cacerts file or to the cert
>>> of
>>> > airbrake? I’m not responsible of the last one.
>>> >
>>> > Benoît
>>> >
>>> >
>>> > On Sunday, April 1, 2018, Luke Bakken <luke@REDACTED> wrote:
>>> >>
>>> >> Try adding "digitalSignature" to the keyUsage field for the cert.
>>> >>
>>> >> Luke
>>> >>
>>> >> On Sun, Apr 1, 2018, 10:55 AM Benoit Chesneau <bchesneau@REDACTED>
>>> wrote:
>>> >>>
>>> >>> I'm trying to connect to airbrake.io via ssl using the certificates
>>> >>> generated by the website mkcert: https://mkcert.org/ which get the
>>> >>> certificates from Mozilla but I get a "Bad certificat" error on
>>> latest
>>> >>> release of erlang:
>>> >>>
>>> >>> 9> ssl:connect("airbrake.io", 443, [{cacertfile, CaCertFile},
>>> {verify,
>>> >>> verify_peer}, {depth, 99}]).
>>> >>>
>>> >>> =INFO REPORT==== 1-Apr-2018::19:45:51 ===
>>> >>> TLS client: In state certify at ssl_handshake.erl:1271 generated
>>> CLIENT
>>> >>> ALERT: Fatal - Bad Certificate
>>> >>>
>>> >>> {error,{tls_alert,"bad certificate"}}
>>> >>>
>>> >>>
>>> >>> where with google it worked:
>>> >>>
>>> >>> 10> ssl:connect("google.com", 443, [{cacertfile, CaCertFile},
>>> {verify,
>>> >>> verify_peer}, {depth, 99}]).
>>> >>> {ok,{sslsocket,{gen_tcp,#Port<0.9355>,tls_connection,
>>> >>> undefined},
>>> >>> <0.224.0>}}
>>> >>>
>>> >>>
>>> >>>
>>> >>> It used to work with previous versions of Erlang, did something
>>> changed
>>> >>> in the validation in 20.x?
>>> >>>
>>> >>> Also how can I check what is the exact issue in the certificate that
>>> >>> cause this error? According sslabs there are no issue in checking the
>>> >>> certificate:
>>> >>>
>>> >>> https://www.ssllabs.com/ssltest/analyze.html?d=airbrake.io
>>> >>>
>>> >>>
>>> >>> _______________________________________________
>>> >>> erlang-questions mailing list
>>> >>> erlang-questions@REDACTED
>>> >>> http://erlang.org/mailman/listinfo/erlang-questions
>>> >
>>> >
>>> >
>>> > --
>>> > Sent from my Mobile
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20180402/aee27005/attachment.htm>
More information about the erlang-questions
mailing list