ssl: Bad Certificate using file generated using mkcert.org

ssl: Bad Certificate using file generated using mkcert.org

Benoit Chesneau-2
I'm trying to connect to airbrake.io via SSL using the certificates generated by the website mkcert (https://mkcert.org/), which gets the certificates from Mozilla, but I get a "Bad certificate" error on the latest release of Erlang:

9> ssl:connect("airbrake.io", 443, [{cacertfile, CaCertFile}, {verify, verify_peer}, {depth, 99}]).

=INFO REPORT==== 1-Apr-2018::19:45:51 ===
TLS client: In state certify at ssl_handshake.erl:1271 generated CLIENT ALERT: Fatal - Bad Certificate

{error,{tls_alert,"bad certificate"}}


whereas with google it worked:

10> ssl:connect("google.com", 443, [{cacertfile, CaCertFile}, {verify, verify_peer}, {depth, 99}]).
{ok,{sslsocket,{gen_tcp,#Port<0.9355>,tls_connection,
                        undefined},
               <0.224.0>}}



It used to work with previous versions of Erlang; did something change in the validation in 20.x?

Also, how can I check what the exact issue in the certificate is that causes this error? According to SSL Labs there is no issue in checking the certificate:

https://www.ssllabs.com/ssltest/analyze.html?d=airbrake.io



_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

Re: ssl: Bad Certificate using file generated using mkcert.org

Luke Bakken-2
Try adding "digitalSignature" to the keyUsage field for the cert.

Luke

On Sun, Apr 1, 2018, 10:55 AM Benoit Chesneau <[hidden email]> wrote:

Re: ssl: Bad Certificate using file generated using mkcert.org

Luke Bakken-2
Oh, never mind, I thought you were responsible for the airbrake.io cert.

I have seen the same behavior you report when using different CA
certificate bundles. Using the default OS X bundle usually works,
while recent Mozilla CA bundles don't. I did a bunch of diagnosis but
never came to a definitive conclusion. I'll re-visit what I did and
will see if I can figure out what exactly works and what doesn't.

Luke

On Sun, Apr 1, 2018 at 12:13 PM, Benoit Chesneau <[hidden email]> wrote:

> hrm, not sure I understand. You mean to the cacerts file or to the cert of
> airbrake? I'm not responsible for the last one.
>
> Benoît

Re: ssl: Bad Certificate using file generated using mkcert.org

Benoit Chesneau-2
heh OK, no problem :)

To be complete, the chain returned by openssl is:

OpenSSL> s_client -connect airbrake.io:443 -showcerts
CONNECTED(00000006)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.airbrake.io
   i:/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
-----BEGIN CERTIFICATE-----
MIIEwTCCA6mgAwIBAgIRAKLxH0P8s499IyC7Gi9P0e8wDQYJKoZIhvcNAQELBQAw
TTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB1NTTC5jb20xFDASBgNVBAsTC3d3dy5z
c2wuY29tMRYwFAYDVQQDEw1TU0wuY29tIERWIENBMB4XDTE2MTEwNDAwMDAwMFoX
DTE4MTEyODIzNTk1OVowWzEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
dGVkMR4wHAYDVQQLExVFc3NlbnRpYWxTU0wgV2lsZGNhcmQxFjAUBgNVBAMMDSou
YWlyYnJha2UuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXWXkQ
kM5+hdRdZhWC3G+wjwpSF2GNLzEf27+3CQvZA8J7trZ/JdHTwIt6TPnq4igmE/XA
Ej2mOEu2crzO+mVignSSPDItHVB8UenwNphguUskZPSDgVEi5a7rBscFWKkvWMEH
W6vhbrpur+G1j0awhTn6hh++DYUUUl03hUPh6qNN+GQ/wPn+Tbgzw3obX4sE7Iel
UePxeMpzv4rG9nZznStoXYlRFws3BaL8wTkL3G8wLVJndlIKTzMdfDCinvGpkV85
rdfm7UfsvFCdYKosOpbt5iRCJGTJvckFX4ih2MAC8mMP+bwzrNrNkPjuY8To+pVC
F2rNvjRWJn+yTDdVAgMBAAGjggGMMIIBiDAfBgNVHSMEGDAWgBRGmv38UV58VFNS
4pnjszLvkxp/VjAdBgNVHQ4EFgQUkQAJSPUocFTrnPm4af+i76JscKkwDgYDVR0P
AQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMEoGA1UdIARDMEEwNQYKKwYBBAGCqTABATAnMCUGCCsGAQUFBwIBFhlo
dHRwczovL2Nwcy51c2VydHJ1c3QuY29tMAgGBmeBDAECATA0BgNVHR8ELTArMCmg
J6AlhiNodHRwOi8vY3JsLnNzbC5jb20vU1NMY29tRFZDQV8yLmNybDBgBggrBgEF
BQcBAQRUMFIwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jcnQuc3NsLmNvbS9TU0xjb21E
VkNBXzIuY3J0MB8GCCsGAQUFBzABhhNodHRwOi8vb2NzcC5zc2wuY29tMCUGA1Ud
EQQeMByCDSouYWlyYnJha2UuaW+CC2FpcmJyYWtlLmlvMA0GCSqGSIb3DQEBCwUA
A4IBAQBWDuO6czF5/CGPCuySdo9UGy7/Rj/oONzEPSJJcRZ1o6ix+RV7+dQBNBO0
SPuAkgH4k/Qbs75htpduWq+5hIfgYwSWvTW+2kcEZKgkPrg53n7cMT10MTg7I7oS
qNvIpNh+2e6JwaFnM9pYSOSx01zh2HnCi8l+AQmVRdhxVDgOT+9SNcLC3+j/IuY6
iGnse7X4Q3diIMNxtPTdqfPsewLuWH7RJutwuLTIP5qL1R+AH0RmOGeX2K16rPLr
1GczOm5WnRyikYMjGW6llzS7RXgPfvdeU8mt4wK7fvZ9chMLNR7fpmEsWoejmN5P
nqzjN5AKKgED5AjJ+DNtKzzEJqW0
-----END CERTIFICATE-----
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN
BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00yt
UINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC
tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQf
jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM
8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hm
AUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiV
Z4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9
N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sF
qV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9
HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ
+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX
HAc/DVL17e8vgg8CAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTv
A73gJMtUGjAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/
BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4
dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0
dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAJNl9jeD
lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwmp1ocd5yblSYMgpEg7wrQPWCcR23+WmgZWn
RtqCV6mVksW2jwMibDN3wXsyF24HzloUQToFJBv2FAY7qCUkDrvMKnXduXBBP3zQ
YzYhBx9G/2CkkeFnvN4ffhkUyWNnkepnB2u0j4vAbkN9w6GAbLIevFOFfdyQoaS8
Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf
Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
0fKtirOMxyHNwu8=
-----END CERTIFICATE-----
 3 s:/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.airbrake.io
issuer=/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
---
No client certificate CA names sent
---
SSL handshake has read 5736 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 62BF8A905F9DF278347423E70D100144AEB17B41C4BEB41FE8BC83512D8AE5C7
    Session-ID-ctx:
    Master-Key: D3F6811B769DE3E5045BB386AE6CA561C272F44014A3F1DB8F8786B599D11015CE44AF5B8351CDD466EA7A02E764F78A
    Start Time: 1522613090
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed


On Sun, Apr 1, 2018 at 9:23 PM, Luke Bakken <[hidden email]> wrote:

Re: ssl: Bad Certificate using file generated using mkcert.org

Benoit Chesneau-2
err, wrong copy-paste. So using openssl the certificate looks OK. So it seems to be an error in Erlang.

OpenSSL> s_client -connect airbrake.io:443  -CAfile /Users/benoitc/Misc/erlang-certifi/priv/cacerts.pem
CONNECTED(00000006)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, O = SSL.com, OU = www.ssl.com, CN = SSL.com DV CA
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.airbrake.io
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.airbrake.io
   i:/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEwTCCA6mgAwIBAgIRAKLxH0P8s499IyC7Gi9P0e8wDQYJKoZIhvcNAQELBQAw
TTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB1NTTC5jb20xFDASBgNVBAsTC3d3dy5z
c2wuY29tMRYwFAYDVQQDEw1TU0wuY29tIERWIENBMB4XDTE2MTEwNDAwMDAwMFoX
DTE4MTEyODIzNTk1OVowWzEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
dGVkMR4wHAYDVQQLExVFc3NlbnRpYWxTU0wgV2lsZGNhcmQxFjAUBgNVBAMMDSou
YWlyYnJha2UuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXWXkQ
kM5+hdRdZhWC3G+wjwpSF2GNLzEf27+3CQvZA8J7trZ/JdHTwIt6TPnq4igmE/XA
Ej2mOEu2crzO+mVignSSPDItHVB8UenwNphguUskZPSDgVEi5a7rBscFWKkvWMEH
W6vhbrpur+G1j0awhTn6hh++DYUUUl03hUPh6qNN+GQ/wPn+Tbgzw3obX4sE7Iel
UePxeMpzv4rG9nZznStoXYlRFws3BaL8wTkL3G8wLVJndlIKTzMdfDCinvGpkV85
rdfm7UfsvFCdYKosOpbt5iRCJGTJvckFX4ih2MAC8mMP+bwzrNrNkPjuY8To+pVC
F2rNvjRWJn+yTDdVAgMBAAGjggGMMIIBiDAfBgNVHSMEGDAWgBRGmv38UV58VFNS
4pnjszLvkxp/VjAdBgNVHQ4EFgQUkQAJSPUocFTrnPm4af+i76JscKkwDgYDVR0P
AQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMEoGA1UdIARDMEEwNQYKKwYBBAGCqTABATAnMCUGCCsGAQUFBwIBFhlo
dHRwczovL2Nwcy51c2VydHJ1c3QuY29tMAgGBmeBDAECATA0BgNVHR8ELTArMCmg
J6AlhiNodHRwOi8vY3JsLnNzbC5jb20vU1NMY29tRFZDQV8yLmNybDBgBggrBgEF
BQcBAQRUMFIwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jcnQuc3NsLmNvbS9TU0xjb21E
VkNBXzIuY3J0MB8GCCsGAQUFBzABhhNodHRwOi8vb2NzcC5zc2wuY29tMCUGA1Ud
EQQeMByCDSouYWlyYnJha2UuaW+CC2FpcmJyYWtlLmlvMA0GCSqGSIb3DQEBCwUA
A4IBAQBWDuO6czF5/CGPCuySdo9UGy7/Rj/oONzEPSJJcRZ1o6ix+RV7+dQBNBO0
SPuAkgH4k/Qbs75htpduWq+5hIfgYwSWvTW+2kcEZKgkPrg53n7cMT10MTg7I7oS
qNvIpNh+2e6JwaFnM9pYSOSx01zh2HnCi8l+AQmVRdhxVDgOT+9SNcLC3+j/IuY6
iGnse7X4Q3diIMNxtPTdqfPsewLuWH7RJutwuLTIP5qL1R+AH0RmOGeX2K16rPLr
1GczOm5WnRyikYMjGW6llzS7RXgPfvdeU8mt4wK7fvZ9chMLNR7fpmEsWoejmN5P
nqzjN5AKKgED5AjJ+DNtKzzEJqW0
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.airbrake.io
issuer=/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
---
No client certificate CA names sent
---
SSL handshake has read 5736 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 2CA3877657CF653D2885B34218AC09ECA30A9E125AC0556D749E359F3A6822F7
    Session-ID-ctx:
    Master-Key: 2D3A255FF47D44AAD4CA06024149B9538819A0C832426B69B83EFE76E5404BC87790360A2F4FFC9933DB76816555C6B1
    Start Time: 1522613874
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed



On Sun, Apr 1, 2018 at 10:06 PM, Benoit Chesneau <[hidden email]> wrote:

Re: ssl: Bad Certificate using file generated using mkcert.org

Benoit Chesneau-2
It seems, according to SSL Labs, there is a problem with the chain: "Incorrect order, Contains anchor", which is probably the root issue:
https://github.com/benoitc/hackney/issues/490#issuecomment-377873484

I'm now wondering if there is any possibility to fix it in recent Erlang versions. Did anyone already encounter such an issue?

- benoit

On Sun, Apr 1, 2018 at 10:19 PM, Benoit Chesneau <[hidden email]> wrote:

Re: ssl: Bad Certificate using file generated using mkcert.org

Andrew Thompson-2
On Mon, Apr 02, 2018 at 10:11:17AM +0200, Benoit Chesneau wrote:
> It seems according ssllabs there is a problem with the chain: "Incorrect
> order, Contains anchor"  which is probably the root issue:
> https://github.com/benoitc/hackney/issues/490#issuecomment-377873484
>
> I'm now wondering if there is any possibility to fix it in recent Erlang
> versions. Did anyone already encounter such issue?
>

I believe you can supply a custom verify_fun to the ssl application that
can, sometimes, let you fix some of these issues. You might be able to
handle the bad_cert case and fix up the ordering and verify it by hand.

There's some old code I wrote that uses this to do something similar
(except with CRLs) here:

https://github.com/Vagabond/erl_crl_example/blob/master/src/client.erl

Andrew
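The two questions in this thread, Benoit's "how can I check what exactly is wrong with the chain" (SSL Labs' answer: "Incorrect order, Contains anchor") and Andrew's suggestion of a verify_fun that accepts the bad_cert events and re-validates the path by hand, can be put together in one module. The code below is an added example written for this page; it is not from the thread, from hackney or from OTP, and the module and function names are made up for the example. It assumes OTP 20 or later, a PEM bundle (such as the one from mkcert.org) that contains a trust anchor for the USERTrust RSA CA, and a server that, as airbrake.io did in the s_client output above, sends its chain as leaf, AddTrust root, cross-signed USERTrust, SSL.com DV CA.

```erlang
%% chain_fix.erl: added example for this page, not code from the thread,
%% hackney or OTP. Works around a server that sends its chain out of order
%% and including the root ("Incorrect order, Contains anchor"): the
%% verify_fun tolerates the bad_cert events the misordered path produces,
%% collects the certificates the server sent, and at valid_peer rebuilds the
%% path from issuer/subject links and validates it against our own trust
%% store. Anything that cannot be rebuilt and validated fails closed.
-module(chain_fix).
-export([connect/3, chain_report/2, load_pem/1]).

%% Connect to Host:Port, trusting only the PEM bundle in CaFile
%% (e.g. the file downloaded from mkcert.org).
connect(Host, Port, CaFile) ->
    State0 = #{trusted => load_pem(CaFile), host => Host, seen => []},
    ssl:connect(Host, Port,
                [{cacertfile, CaFile}, {verify, verify_peer}, {depth, 99},
                 {verify_fun, {fun verify/3, State0}}]).

%% All certificates in a PEM file, as #'OTPCertificate'{} records, in file order.
load_pem(File) ->
    {ok, Pem} = file:read_file(File),
    [public_key:pkix_decode_cert(Der, otp)
     || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

%% verify_fun callback. ssl calls it one or more times per certificate of the
%% path it built from the (here wrongly ordered) chain the server sent.
verify(_Cert, {extension, _}, State) ->
    {unknown, State};                       % keep the default extension handling
verify(Cert, {bad_cert, _Reason}, State) ->
    %% The stock verify_fun fails here (invalid_signature / invalid_issuer for
    %% the misordered intermediates). We continue, but only because valid_peer
    %% below re-validates the whole path from scratch.
    {valid, remember(Cert, State)};
verify(Cert, valid, State) ->
    {valid, remember(Cert, State)};
verify(Peer, valid_peer, #{seen := Seen, trusted := Trusted, host := Host} = State) ->
    Pool = [C || C <- Seen, C =/= Peer],
    case rebuild_and_validate(Peer, Pool, Trusted) of
        ok ->
            %% Replacing verify_fun means doing the hostname check ourselves.
            %% The default match is exact, no wildcard expansion.
            case public_key:pkix_verify_hostname(Peer, [{dns_id, Host}]) of
                true  -> {valid, State};
                false -> {fail, hostname_check_failed}
            end;
        {error, Reason} ->
            {fail, Reason}
    end.

remember(Cert, #{seen := Seen} = State) ->
    case lists:member(Cert, Seen) of
        true  -> State;
        false -> State#{seen := [Cert | Seen]}
    end.

rebuild_and_validate(Peer, Pool, Trusted) ->
    case build_path(Peer, Pool, Trusted, [Peer]) of
        {ok, Anchors, Path} -> validate_with(Anchors, Path);
        {error, _} = Err    -> Err
    end.

%% Walk from the peer towards the root using subject/issuer names only; the
%% cryptographic checks are left to pkix_path_validation. Stops as soon as a
%% certificate is issued by something in our trust store, so a root the server
%% put in the chain is never placed on the path.
build_path(_Cert, _Pool, _Trusted, Acc) when length(Acc) > 16 ->
    {error, path_too_long};                 % guard against issuer loops
build_path(Cert, Pool, Trusted, Acc) ->
    case [T || T <- Trusted, public_key:pkix_is_issuer(Cert, T)] of
        [_ | _] = Anchors ->
            {ok, Anchors, Acc};             % Acc is already anchor-side first
        [] ->
            case [I || I <- Pool, I =/= Cert, public_key:pkix_is_issuer(Cert, I)] of
                [Issuer | _] -> build_path(Issuer, Pool, Trusted, [Issuer | Acc]);
                []           -> {error, unknown_ca}
            end
    end.

%% Several trusted certificates can share a subject name (cross-signed roots),
%% so try each candidate anchor until one actually verifies the path.
validate_with([], _Path) ->
    {error, unknown_ca};
validate_with([Anchor | Rest], Path) ->
    case public_key:pkix_path_validation(der(Anchor), [der(C) || C <- Path], []) of
        {ok, _}    -> ok;
        {error, _} -> validate_with(Rest, Path)
    end.

der(Cert) -> public_key:pkix_encode('OTPCertificate', Cert, otp).

%% Diagnostic for "what exactly is wrong with this chain": Chain is the list of
%% certificates in the order the server sent them (the PEM blocks printed by
%% openssl s_client -showcerts, loaded with load_pem/1), Trusted the CA bundle.
chain_report([Leaf | Rest] = Chain, Trusted) ->
    Ordered = lists:all(fun({Child, Parent}) -> public_key:pkix_is_issuer(Child, Parent) end,
                        lists:zip(lists:droplast(Chain), Rest)),
    [incorrect_order || not Ordered] ++
    [contains_anchor || lists:any(fun public_key:pkix_is_self_signed/1, Chain)] ++
    case build_path(Leaf, Rest, Trusted, [Leaf]) of
        {ok, _, _}   -> [];
        {error, Why} -> [Why]
    end.
```

Why the handshake fails in the first place: the OTP 20 ssl application assumes the chain is ordered. It takes the last certificate the server sent (SSL.com DV CA) as the one nearest the anchor, looks up that certificate's issuer in the CA file, and validates the reversed chain, so the second certificate on the path is checked against a key that never signed it and the stock verify_fun aborts with the bad_certificate alert seen in the first post. OpenSSL builds the path by issuer lookup instead, which is why s_client reports "Verify return code: 0 (ok)". The verify_fun above records every certificate as it goes past and, at valid_peer, rebuilds the path from the leaf upwards by issuer name, stopping at the first certificate whose issuer is in the local trust store; the AddTrust root the server included therefore never lands on the path, and pkix_path_validation does the real signature, validity and name-constraint checks on what is left.

Two caveats. Returning {valid, _} on {bad_cert, _} switches off the built-in check for that handshake, so the security of the connection rests entirely on the second validation: keep the fail branches as they are, do not loosen them, and note that revocation (CRL/OCSP) is not covered and that the hostname match is exact. Use this only against a server you know to be misconfigured, and take it out once the server's chain is fixed. For the diagnostic, extract the PEM blocks from the s_client -showcerts output into a file and call chain_fix:chain_report(chain_fix:load_pem("chain.pem"), chain_fix:load_pem(CaCertFile)); for the chain shown above it returns incorrect_order (the second certificate did not issue the first) and contains_anchor (a self-signed root is in the chain), and it adds unknown_ca only when no path to the bundle can be built at all.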