ssl server doesn't send complete chain?

Roger Lipscombe roger@REDACTED
Fri May 1 17:47:05 CEST 2020


I've got a TLS server written in Erlang, and I'm using a custom root
CA and intermediate CA. When I attempt to use the certfile option to
ssl, with the server cert and intermediate cert in the same file, the
server sends only the server cert to the client. It doesn't send the
intermediate CA.

I found a similar problem reported against VerneMQ, here:
https://github.com/vernemq/vernemq/issues/865

But if I use gnutls-serv with the same server.pem, that _does_ send
both certificates.

What am I missing?

I note that the cacertfile option is documented as

"Path to a file containing PEM-encoded CA certificates. The CA
certificates are used to build the server certificate chain and for
client authentication."

However, I want to use a completely separate certificate chain for
client authentication, which is why I'm not putting my server CA in
this list.

Cheers,
Roger.

