"Unknown CA" with ssl:connect/3 but "openssl s_client" succeeds


"Unknown CA" with ssl:connect/3 but "openssl s_client" succeeds

Luke Bakken-2
Hello everyone,

I'm having a heck of a time getting ssl:connect/3 to verify the server
certificate correctly using my system CA bundle.

I'm using kerl-built Erlang 20.1.7 on Arch Linux. I also see the same
behavior using the ESL-packaged Erlang 20 on Ubuntu 16.

This is what is failing (on Ubuntu the cacertfile path is
"/etc/ssl/certs/ca-certificates.crt"):

----

application:ensure_all_started(ssl), ssl:connect("google.com", 443,
[{verify,verify_peer},{reuse_sessions,false},{cacertfile,"/etc/ssl/cert.pem"},{depth,99}]).

=INFO REPORT==== 4-Dec-2017::15:07:45 ===
TLS client: In state certify at ssl_handshake.erl:1626 generated
CLIENT ALERT: Fatal - Unknown CA

{error,{tls_alert,"unknown ca"}}

----

However, the following succeeds on both Arch Linux as well as Ubuntu 16:

Arch Linux command:

openssl s_client -verify 99 -connect google.com:443 -CAfile /etc/ssl/cert.pem

Ubuntu 16 command:

openssl s_client -verify 99 -connect google.com:443 -CAfile
/etc/ssl/certs/ca-certificates.crt

The command returns success: "Verify return code: 0 (ok)"

If I run ssl_pkix_db:extract_trusted_certs("/etc/ssl/cert.pem") it
does return 140 decoded certificates, which is the expected number:

$ fgrep BEGIN /etc/ssl/cert.pem |wc -l
140

I did a little bit of digging and found that
ssl_certificate:find_issuer/4 is returning {error,issuer_not_found}.

Thanks in advance and let me know how I can help further, or if I
missed something obvious!
Luke
_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

Re: "Unknown CA" with ssl:connect/3 but "openssl s_client" succeeds

Luke Bakken-2
Hello again -

With more investigation, this appears to be related to the certificate
bundles themselves. The commands I provide below work fine on OS X
10.12.6, for instance. But, they fail using the following CA bundle:

https://curl.haxx.se/docs/caextract.html

curl works fine with that file when connecting to google.com:443, but
openssl and Erlang don't.

Anyway, if I figure out exactly what certs are missing in these files,
or what formatting within them causes issues, or what people can look
out for I will follow up here.

Luke

On Mon, Dec 4, 2017 at 3:39 PM, Luke Bakken <[hidden email]> wrote:

> Hello everyone,
>
> I'm having a heck of a time getting ssl:connect/3 to verify the server
> certificate correctly using my system CA bundle.
>
> I'm using kerl-built Erlang 20.1.7 on Arch Linux. I also see the same
> behavior using the ESL-packaged Erlang 20 on Ubuntu 16.
>
> This is what is failing (on Ubuntu the cacertfile path is
> "/etc/ssl/certs/ca-certificates.crt"):
>
> ----
>
> application:ensure_all_started(ssl), ssl:connect("google.com", 443,
> [{verify,verify_peer},{reuse_sessions,false},{cacertfile,"/etc/ssl/cert.pem"},{depth,99}]).
>
> =INFO REPORT==== 4-Dec-2017::15:07:45 ===
> TLS client: In state certify at ssl_handshake.erl:1626 generated
> CLIENT ALERT: Fatal - Unknown CA
>
> {error,{tls_alert,"unknown ca"}}
>
> ----
>
> However, the following succeeds on both Arch Linux as well as Ubuntu 16:
>
> Arch Linux command:
>
> openssl s_client -verify 99 -connect google.com:443 -CAfile /etc/ssl/cert.pem
>
> Ubuntu 16 command:
>
> openssl s_client -verify 99 -connect google.com:443 -CAfile
> /etc/ssl/certs/ca-certificates.crt
>
> The command returns success: "Verify return code: 0 (ok)"
>
> If I run ssl_pkix_db:extract_trusted_certs("/etc/ssl/cert.pem") it
> does return 140 decoded certificates, which is the expected number:
>
> $ fgrep BEGIN /etc/ssl/cert.pem |wc -l
> 140
>
> I did a little bit of digging and found that
> ssl_certificate:find_issuer/4 is returning {error,issuer_not_found}.
>
> Thanks in advance and let me know how I can help further, or if I
> missed something obvious!
> Luke
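The two messages above narrow the failure to `ssl_certificate:find_issuer/4` returning `{error,issuer_not_found}` and suspect the contents of the CA bundle. What find_issuer/4 actually does in OTP 20 is a two-step test against every certificate in the cert DB: the candidate's subject must match the chain certificate's issuer name, and the candidate's public key must verify that certificate's signature. A bundle entry that carries the right name but a different key therefore fails exactly like a missing entry, and `openssl s_client` (which also consults authority key identifiers and other stores) can still succeed. The following module is an added diagnostic, not code from the thread or from OTP, that repeats that search offline and reports which of the two steps failed. It assumes two PEM files: the CA bundle (e.g. the /etc/ssl/cert.pem or /etc/ssl/certs/ca-certificates.crt paths from the thread) and the server chain saved leaf-first, for instance from `openssl s_client -showcerts`; the module name `ca_diag` and the result tuples are my own choice.

```erlang
%% ca_diag.erl -- added diagnostic, not code from the thread or from OTP.
%% Repeats the issuer search ssl_certificate:find_issuer/4 performs in OTP 20:
%% a trust anchor must match the top of the chain by issuer name AND verify
%% its signature. Reports which of the two steps fails.
-module(ca_diag).
-export([check/2]).
-include_lib("public_key/include/public_key.hrl").

%% check(BundlePath, ChainPath): both are PEM files. ChainPath is assumed to
%% hold the server's chain leaf-first (as `openssl s_client -showcerts`
%% prints it). Returns one of
%%   {ok, AnchorSubject}                              a usable trust anchor
%%   {error, {issuer_not_found, Subject, Issuer}}     no anchor with that name
%%   {error, {signature_mismatch, Subject, Issuer}}   name matches, key differs
check(BundlePath, ChainPath) ->
    Bundle = load_certs(BundlePath),
    Chain  = load_certs(ChainPath),
    io:format("~b trusted certs in ~s, ~b certs in chain~n",
              [length(Bundle), BundlePath, length(Chain)]),
    walk(hd(Chain), Chain, Bundle).

%% Decode every CERTIFICATE entry, keeping the DER (needed for signature
%% checks) next to the decoded OTPCertificate record.
load_certs(Path) ->
    {ok, Pem} = file:read_file(Path),
    [{Der, public_key:pkix_decode_cert(Der, otp)}
     || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

%% Climb the chain the server sent; at its top, consult the bundle. This is
%% the order ssl uses: chain certificates first, trusted DB only for the top.
walk({_, Cert} = Entry, Chain, Bundle) ->
    case public_key:pkix_is_self_signed(Cert) of
        true  -> anchor(Entry, Bundle);
        false ->
            case find_issuer(Entry, Chain -- [Entry]) of
                {ok, Next} -> walk(Next, Chain, Bundle);
                _          -> anchor(Entry, Bundle)
            end
    end.

anchor({_, Cert} = Entry, Bundle) ->
    case find_issuer(Entry, Bundle) of
        {ok, {_, Anchor}} -> {ok, subject(Anchor)};
        name_match_only   -> {error, {signature_mismatch, subject(Cert), issuer(Cert)}};
        none              -> {error, {issuer_not_found, subject(Cert), issuer(Cert)}}
    end.

%% Same two-step test as find_issuer/4: issuer name first, then signature.
find_issuer({Der, Cert}, Candidates) ->
    ByName  = [C || {_, OtpC} = C <- Candidates,
                    public_key:pkix_is_issuer(Cert, OtpC)],
    Signers = [C || {_, OtpC} = C <- ByName, verifies(Der, OtpC)],
    case {Signers, ByName} of
        {[Issuer | _], _} -> {ok, Issuer};
        {[], [_ | _]}     -> name_match_only;
        {[], []}          -> none
    end.

verifies(Der, #'OTPCertificate'{tbsCertificate = TBS}) ->
    case public_key_of(TBS#'OTPTBSCertificate'.subjectPublicKeyInfo) of
        unsupported -> false;
        Key         -> public_key:pkix_verify(Der, Key)
    end.

%% RSA keys are usable as-is; EC points need their curve parameters.
public_key_of(#'OTPSubjectPublicKeyInfo'{
                 algorithm = #'PublicKeyAlgorithm'{algorithm = ?'rsaEncryption'},
                 subjectPublicKey = Key}) -> Key;
public_key_of(#'OTPSubjectPublicKeyInfo'{
                 algorithm = #'PublicKeyAlgorithm'{algorithm = ?'id-ecPublicKey',
                                                   parameters = Params},
                 subjectPublicKey = Point}) -> {Point, Params};
public_key_of(_) -> unsupported.

subject(#'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{subject = N}}) -> name(N).
issuer(#'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{issuer = N}}) -> name(N).

%% Render an X.500 name as "C=.., O=.., CN=.." for the report.
name({rdnSequence, RDNs}) ->
    string:join([attr(A) || RDN <- RDNs, A <- RDN], ", ").

attr(#'AttributeTypeAndValue'{type = T, value = V}) ->
    lists:flatten(io_lib:format("~s=~ts", [short(T), text(V)])).

short(?'id-at-commonName')             -> "CN";
short(?'id-at-organizationName')       -> "O";
short(?'id-at-organizationalUnitName') -> "OU";
short(?'id-at-countryName')            -> "C";
short(Oid)                             -> io_lib:format("~p", [Oid]).

text({printableString, S}) -> S;
text({utf8String, B})      -> unicode:characters_to_list(B);
text({teletexString, S})   -> S;
text(S) when is_list(S)    -> S;
text(Other)                -> io_lib:format("~p", [Other]).
```

Compile with `erlc ca_diag.erl` and run `ca_diag:check("/etc/ssl/cert.pem", "chain.pem")` from an Erlang shell. An `issuer_not_found` result names the subject and issuer of the top certificate the server sent, so you can grep the bundle for that issuer; a `signature_mismatch` result means the bundle does contain a certificate with that name but its key does not verify the chain certificate, which is worth checking in a bundle that has been edited or assembled from several sources. The signature step is the part that `fgrep BEGIN | wc -l` and `extract_trusted_certs/1` cannot tell you, since both only count entries.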