ssl server doesn't send complete chain?

Ingela Andin ingela.andin@REDACTED
Wed May 13 06:56:17 CEST 2020


Hi, that sounds like a feature request! A lot of the option handling is
still pretty influenced by OpenSSL, as many of the options
were once upon a time options to OpenSSL.

Regards Ingela Erlang/OTP Team  Ericsson AB

On Fri, 1 May 2020 at 17:47, Roger Lipscombe <roger@REDACTED> wrote:

> I've got a TLS server written in Erlang, and I'm using a custom root
> CA and intermediate CA. When I attempt to use the certfile option to
> ssl, with the server cert and intermediate cert in the same file, the
> server sends only the server cert to the client. It doesn't send the
> intermediate CA.
>
> I found a similar problem reported against VerneMQ, here:
> https://github.com/vernemq/vernemq/issues/865
>
> But if I use gnutls-serv with the same server.pem, that _does_ send
> both certificates.
>
> What am I missing?
>
> I note that the cacertfile option is documented as
>
> "Path to a file containing PEM-encoded CA certificates. The CA
> certificates are used to build the server certificate chain and for
> client authentication."
>
> However, I want to use a completely separate certificate chain for
> client authentication, which is why I'm not putting my server CA in
> this list.
>
> Cheers,
> Roger.
>