[erlang-questions] SSL Out of Order Cert Chain Question (9.2)

Curtis J Schofield curtis@REDACTED
Sun Oct 20 01:34:49 CEST 2019

Hi! Thank you.

I included the root cert in the example. The root cert is id1 in cert chain - this is evident in the other file.

It seems that because the root cert is out of order, the cert chain is invalid. IIRC this may be true for TLS 1.2; however, the negotiation is at TLS 1.2.

Thank you for your consideration!

Sent from ProtonMail Mobile

On Sat, Oct 19, 2019 at 10:51 AM, Ingela Andin <ingela.andin@REDACTED> wrote:

> Hi!
> "Unknown CA" means that you did not have the ROOT certificate of the chain in your "trusted store" (cacerts option).
> If you do not own the ROOT certificate you can not trust the chain.
> Regards, Ingela, Erlang/OTP Team - Ericsson AB
> Den fre 18 okt. 2019 kl 21:52 skrev Curtis J Schofield <curtis@REDACTED>:
>> Dear Erlang Questions:
>> SSL 9.0.2 mentions a patch to fix out-of-order cert chains.
>> In SSL 9.2 we have a root CA and an out-of-order cert chain
>> for host hooks.glip.com.
>> When we try to verify the peer with the out-of-order cert
>> chain we get 'Unknown CA'.
>> Is this expected behaviour for Erlang SSL 9.2 with verify_peer?
>> The http://erlang.org/doc/apps/ssl/notes.html#ssl-9.0.2 notes
>> mention that other care may need to be taken to ensure compatibility.
>> Reproduce error:
>> https://github.com/robotarmy/out-of-order-ssl
>> Thank you,
>> Curtis and Team DevEco
>> Sent through ProtonMail Encrypted Email Channel.
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
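An added example, not code from the thread or from the out-of-order-ssl repository: it uses OTP's public_key module to put a peer chain that arrived in arbitrary order back into leaf-to-root order, then checks whether the chain actually terminates in a certificate from the cacerts store (the condition behind "Unknown CA") before opening a verify_peer connection. The PEM paths, port and host are placeholders supplied by the caller.

```erlang
%% ordered_chain.erl -- added example, not part of the thread or the
%% out-of-order-ssl repo. Paths and host are constructed inputs from the caller.
-module(ordered_chain).
-export([load_pem_certs/1, order_chain/1, root_is_trusted/2, connect/3]).

%% Read every CERTIFICATE block from a PEM file as DER binaries.
load_pem_certs(Path) ->
    {ok, Pem} = file:read_file(Path),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

%% Put a chain that arrived in arbitrary order into leaf -> intermediates -> root.
%% pkix_is_issuer/2 matches Cert's issuer name against IssuerCert's subject name;
%% it does not verify signatures, which ssl does later under verify_peer.
order_chain(Ders) ->
    IssuedNothing = fun(C) ->
        not lists:any(fun(O) -> O =/= C andalso
                                public_key:pkix_is_issuer(O, C) end, Ders)
    end,
    case lists:filter(IssuedNothing, Ders) of
        [Leaf] -> {ok, walk(Leaf, lists:delete(Leaf, Ders), [Leaf])};
        Other  -> {error, {not_a_single_chain, length(Other)}}
    end.

walk(Cert, Rest, Acc) ->
    case public_key:pkix_is_self_signed(Cert) of
        true -> lists:reverse(Acc);               % reached a self-signed root
        false ->
            case [I || I <- Rest, public_key:pkix_is_issuer(Cert, I)] of
                [Issuer | _] -> walk(Issuer, lists:delete(Issuer, Rest), [Issuer | Acc]);
                []           -> lists:reverse(Acc) % ends at an intermediate; root must be in cacerts
            end
    end.

%% "Unknown CA" means the chain does not terminate in a certificate from the
%% cacerts store. Check that directly, whether or not the peer sent its root.
root_is_trusted(OrderedChain, TrustedDers) ->
    Last = lists:last(OrderedChain),
    case public_key:pkix_is_self_signed(Last) of
        true  -> lists:member(Last, TrustedDers);
        false -> lists:any(fun(T) -> public_key:pkix_is_issuer(Last, T) end, TrustedDers)
    end.

%% verify_peer against an explicit trusted store; depth 3 allows leaf, two
%% intermediates and the root.
connect(Host, Port, TrustedDers) ->
    {ok, _} = application:ensure_all_started(ssl),
    ssl:connect(Host, Port, [{verify, verify_peer}, {cacerts, TrustedDers},
                             {depth, 3}, {server_name_indication, Host}], 5000).
```

If root_is_trusted/2 returns false for a chain ordered by order_chain/1, the failure is a missing root in cacerts rather than the order of the certificates, which is the distinction drawn in the reply above.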