[erlang-questions] SSL Out of Order Cert Chain Question (9.2)

Mark Reynolds beastie@REDACTED
Sat Nov 2 15:17:06 CET 2019


Hey,

I confirm that out-of-order certs do not seem to be fixed; it fails with an 'Unknown CA' error:


iex(2)> :hackney.get("https://social.fluffel.io")
{:error,
{:tls_alert, {:unknown_ca, 'received CLIENT ALERT: Fatal - Unknown CA'}}}


The only issue with this server's TLS certificates is the chain order (the CA is Let's Encrypt): https://www.ssllabs.com/ssltest/analyze.html?d=social.fluffel.io


On Sat, Nov 2, 2019, at 01:12, Curtis J Schofield wrote:
> Hi!
> 
> Just curious if there is an update on out of order certs.
> 
> The example has id0, id1, id2, id3 certs, with id1 being the natural
> root of id2, which is the root of id3, which is the root of id0.
> 
> We can correct the out of order problem by including id1,id2,id3 certs
> in our chain.
> 
> It would be nice to hear from the erlang maintainers around what kind of
> "out of order" erlang can handle nicely and if there is planned support for
> our case!
> 
> Thank you again,
> 
> Curtis.
> 
> 
> Sent through ProtonMail <https://protonmail.com/> Encrypted Email Channel.
> 
> 
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Saturday, October 19, 2019 4:34 PM, Curtis J Schofield <curtis@REDACTED> wrote:
> 
>> Hi! Thank you.
>> 
>> 
>> I included the root cert in the example. The root cert is id1 in cert chain - this is evident in the other file. 
>> 
>> It seems that because the root cert is out of order, the cert chain is invalid. IIRC this may be true for TLS 1.2; however, the negotiation is at TLS 1.2.
>> 
>> 
>> Thank you for your consideration!
>> 
>> 
>> Sent from ProtonMail Mobile
>> 
>> 
>> On Sat, Oct 19, 2019 at 10:51 AM, Ingela Andin <ingela.andin@REDACTED> wrote:
>>> 
>>> Hi!
>>> 
>>> "Unknown CA" means that you did not have the ROOT certificate of the chain in your "trusted store" (cacerts option).
>>> If you do not own the ROOT certificate, you cannot trust the chain.
>>> 
>>> Regards, Ingela, Erlang/OTP Team - Ericsson AB
>>> 
>>> On Fri 18 Oct 2019 at 21:52, Curtis J Schofield <curtis@REDACTED> wrote:
>>>> Dear Erlang Questions:
>>>> 
>>>> 
>>>> SSL 9.0.2 mentions a patch to fix out-of-order cert chains.
>>>> 
>>>> In SSL 9.2 we have a root CA and an out-of-order cert chain
>>>> for host hooks.glip.com.
>>>> 
>>>> When we try to verify the peer with the out-of-order cert
>>>> chain we get 'Unknown CA'.
>>>> 
>>>> Is this expected behaviour for Erlang SSL 9.2 with verify_peer ?
>>>> 
>>>> The http://erlang.org/doc/apps/ssl/notes.html#ssl-9.0.2 notes
>>>> mention that other care may need to be taken to ensure compatibility.
>>>> 
>>>> Reproduce error:
>>>> 
>>>> https://github.com/robotarmy/out-of-order-ssl
>>>> 
>>>> Thank you,
>>>> Curtis and Team DevEco
>>>> 
>>>> 
>>>> 
>>>> 
>>>> Sent through ProtonMail Encrypted Email Channel.
>>>> 
>>>> 
>>>> _______________________________________________
>>>> erlang-questions mailing list
>>>> erlang-questions@REDACTED
>>>> http://erlang.org/mailman/listinfo/erlang-questions
>> 
>> 
> 
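The ordering problem the thread describes, as an added worked example (this is not code from the thread, from hackney, or from the Erlang/OTP ssl application): id1 is the root, id1 signs id2, id2 signs id3, id3 signs the leaf id0, but the server presents the certificates as id0, id1, id2, id3. The block is written in Go rather than Erlang so that it can mint a throwaway test chain inline and run offline without a server; the names id0 to id3 follow the thread, while the Ed25519 keys, the verifyStrict checker and the orderChain sort are constructed for this example. verifyStrict is a deliberately simple model of a verifier that walks the chain in the presented order and expects it to end at a trusted root, which is the symptom the thread reports; it is not a description of how Erlang's ssl verifies chains. orderChain is the repair an operator can apply on the server: keep the end-entity certificate first (TLS requires that) and sort the rest by checking signatures, rather than by trusting the issuer and subject names inside the certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) { // fixture helper: certificate minting here has no recovery path
	if err != nil {
		panic(err)
	}
}

// mintCert issues a throwaway certificate named cn, signed by parent/parentKey
// (self-signed when parent is nil). Constructed for this example; not real PKI material.
func mintCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true, // CheckSignatureFrom requires cA=TRUE on an issuer
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// orderChain returns leaf followed by rest re-sorted so that each certificate is followed by
// the one whose key verifies its signature (CheckSignatureFrom), whatever order names suggest.
func orderChain(leaf *x509.Certificate, rest []*x509.Certificate) ([]*x509.Certificate, error) {
	ordered := []*x509.Certificate{leaf}
	placed := map[*x509.Certificate]bool{}
	for len(ordered) <= len(rest) {
		cur := ordered[len(ordered)-1]
		var next *x509.Certificate
		for _, p := range rest {
			if !placed[p] && cur.CheckSignatureFrom(p) == nil {
				next = p
				break
			}
		}
		if next == nil {
			return nil, fmt.Errorf("%s: no remaining certificate in the chain signed it", cur.Subject.CommonName)
		}
		ordered = append(ordered, next)
		placed[next] = true
	}
	return ordered, nil
}

// verifyStrict models a verifier that trusts the presented order: each certificate must be signed
// by the next one and the last must be a trust anchor. A model of the thread's symptom, not Erlang's ssl.
func verifyStrict(chain, trusted []*x509.Certificate) error {
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("%s is not signed by the certificate after it (%s): %w", chain[i].Subject.CommonName, chain[i+1].Subject.CommonName, err)
		}
	}
	for _, t := range trusted {
		if len(chain) > 0 && t.Equal(chain[len(chain)-1]) {
			return nil
		}
	}
	return fmt.Errorf("unknown CA: chain does not end at a trusted root")
}

// Demo mints the thread's layout (id1 root signs id2, id2 signs id3, id3 signs leaf id0), presents it
// as id0,id1,id2,id3 with only id1 trusted, and reports the strict result before and after reordering.
func Demo() (presentedErr, orderedErr error, order []string) {
	id1, k1 := mintCert("id1", true, nil, nil)
	id2, k2 := mintCert("id2", true, id1, k1)
	id3, k3 := mintCert("id3", true, id2, k2)
	id0, _ := mintCert("id0", false, id3, k3)
	presented := []*x509.Certificate{id0, id1, id2, id3} // the order the server sent
	trusted := []*x509.Certificate{id1}                  // the client's cacerts: root only
	ordered, err := orderChain(presented[0], presented[1:])
	if err != nil {
		return verifyStrict(presented, trusted), err, nil
	}
	for _, c := range ordered {
		order = append(order, c.Subject.CommonName)
	}
	return verifyStrict(presented, trusted), verifyStrict(ordered, trusted), order
}

func main() { fmt.Println(Demo()) }
```

Running it prints the "not signed by the certificate after it" error for the presented order, then <nil> and [id0 id3 id2 id1] for the repaired chain. Curtis's workaround of putting id1, id2 and id3 into the client's trusted set corrects the problem on the client; fixing the order the server sends corrects it for every client.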

