[erlang-questions] SSL Out of Order Cert Chain Question (9.2)
Curtis J Schofield
Sun Oct 20 01:34:49 CEST 2019
Hi! Thank you.
I included the root cert in the example. The root cert is id1 in cert chain - this is evident in the other file.
It seems because the root cert is out of order - the cert chain is invalid - IIRC this may be true for tls1.2 - however the negotiation is at TLS1.2
Thank you for your consideration!
On Sat, Oct 19, 2019 at 10:51 AM, Ingela Andin <ingela.andin@REDACTED> wrote:
> "Unknown CA" means that you did not have the ROOT certificate of the chain in your "trusted store" (cacerts option).
> If you do not own the ROOT certificate you can not trust the chain.
> Regards Ingela Erlang/OTP Team - Ericsson AB
> On Fri, 18 Oct 2019 at 21:52, Curtis J Schofield <curtis@REDACTED> wrote:
>> Dear Erlang Questions:
>> SSL 9.0.2 mentions a patch to fix out of order cert chains
>> In SSL 9.2 we have a root CA and an out of order cert chain
>> for host hooks.glip.com.
>> When we try to verify peer with the out of order cert
>> chain we get 'Unknown CA'.
>> Is this expected behaviour for Erlang SSL 9.2 with verify_peer ?
>> The http://erlang.org/doc/apps/ssl/notes.html#ssl-9.0.2 notes
>> mention that other care may need to be taken to ensure compatibility.
>> Reproduce error:
>> Thank you,
>> Curtis and Team DevEco
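The trust-store check described in the reply above, as an added Erlang example that is not part of the thread or of OTP's own ssl code: it links the certificates a peer sent by issuer regardless of the order they arrived in, then reports whether the path ends at a certificate in the local CA bundle. The module name, function names and the two file-path arguments are assumptions made for illustration; only name chaining is checked here, not signatures or validity dates.

```erlang
-module(chain_anchor).
-export([check/2]).

%% ChainFile: PEM file holding the certificates the server sent, in any order.
%% CaFile:    PEM bundle that is passed to ssl as the cacertfile option.
%% Both paths are caller-supplied (hypothetical names, not from the thread).
%% Returns {ok, Path} or {error, {unknown_ca, Path}}, Path being DER binaries
%% ordered leaf first.
check(ChainFile, CaFile) ->
    Chain = ders(ChainFile),
    Trusted = ders(CaFile),
    Leaf = find_leaf(Chain),
    walk(Leaf, Chain -- [Leaf], Trusted, [Leaf]).

%% Read every certificate in a PEM file as a DER binary.
ders(File) ->
    {ok, Pem} = file:read_file(File),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

%% The leaf is a certificate that issued no other certificate in the chain.
find_leaf(Chain) ->
    IssuedOther = fun(C) ->
        lists:any(fun(O) -> O =/= C andalso public_key:pkix_is_issuer(O, C) end,
                  Chain)
    end,
    [Leaf | _] = [C || C <- Chain, not IssuedOther(C)],
    Leaf.

%% Follow issuer links upward; the order the peer used does not matter here.
%% pkix_is_issuer/2 compares issuer and subject names only.
walk(Cert, Rest, Trusted, Path) ->
    Anchored = lists:member(Cert, Trusted) orelse
        lists:any(fun(T) -> public_key:pkix_is_issuer(Cert, T) end, Trusted),
    case Anchored of
        true ->
            {ok, lists:reverse(Path)};
        false ->
            case [I || I <- Rest, public_key:pkix_is_issuer(Cert, I)] of
                [Issuer | _] ->
                    walk(Issuer, Rest -- [Issuer], Trusted, [Issuer | Path]);
                [] ->
                    %% No issuer left in the chain and none in the local bundle.
                    %% A self-signed root sent by the peer also ends up here
                    %% unless that same certificate is present in CaFile.
                    {error, {unknown_ca, lists:reverse(Path)}}
            end
    end.
```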