[erlang-questions] Intermediate certificate as CA
Ingela Andin
ingela.andin@REDACTED
Sat Feb 24 14:38:50 CET 2018
>From the TLS RFC:
certificate_list
This is a sequence (chain) of certificates. The sender's
certificate MUST come first in the list. Each following
certificate MUST directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority MAY be omitted from the chain, under the
assumption that the remote end must already possess it in order to
validate it in any case.
Regards Ingela Erlang/OTP team - Ericsson AB
2018-02-23 18:45 GMT+01:00 Erik Seres <erikseres@REDACTED>:
> When you say "breaks the TLS protocol" are you referring to establishing
> trust through PKI or that somehow the connection security is somehow
> compromised?
>
> Erik
>
> On 2018. Feb 23., at 14:53, Ingela Andin <ingela.andin@REDACTED> wrote:
>
> Hi!
>
> 2018-02-22 17:57 GMT+01:00 Erik Seres <erikseres@REDACTED>:
>
>> Hello,
>>
>> We are developing a custom service that uses TLS certificates. Clients
>> connect to that service and must present their client certificate. The
>> client certificates are signed by a CA managed by our service. Our
>> service's CA cert is in turn signed by a root cert, and not self signed.
>> We do not want to require the clients to hold the services intermediate
>> cert, and so they connect just presenting their own client certificate.
>>
>
> That breaks the TLS protocol. The peer in either direction should send the
> whole certificate chain with the exception of the ROOT certificate that is
> optional as the peer has to own it to be able to verify it.
>
>
>
>> However, the erlang SSL application does not seem to allow for this
>> setup. It seems to require that to verify the client certificate, that
>> the service's cert is self signed (ie a root cert) or that the client
>> provide all intermediate certs in the chain. Is there a way to configure
>> the service with the intermediate cert as the ca, and not require the
>> client to also send it as part of the chain?
>>
>>
> You can use the option verify_fun to customize the certificate path
> validation, but you would have to be careful to only accept the valid cases.
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
>
>> Thanks,
>> Erik
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>>
>
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20180224/cd8bc268/attachment.htm>
More information about the erlang-questions
mailing list