I get this error when connecting to an HTTPS server using the attached certificate:
{noformat}
=ERROR REPORT==== 23-Aug-2016::14:36:15 ===
SSL: certify: ssl_handshake.erl:415:Fatal error: certificate unknown
{error,{failed_connect,[{to_address,{"localhost",443}},
{inet,[inet],{tls_alert,"certificate unknown"}}]}}
{noformat}
The specific error is in asn1 certificate decoding, which I was able to print out after modifying the ssl_handshake.erl under the "%% ASN-1 decode of certificate somehow failed" comment:
{noformat}
{case_clause,{error,{asn1,bad_range}}}
{noformat}
These certificates were generated with https://github.com/cloudflare/cfssl with the attached ca-config.json like so:
{code:shell}
cat ca_apiserver | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server - | cfssljson -bare apiserver
{code}
No other HTTPS client I came across during my testing of this issue had any problems with this certificate.
The {{bad_range}} error occurs because the X520countryname in the server certificate has the value "Poland", but
according to the standard ASN.1 spec, which looks like this:
{noformat}
X520countryName ::= PrintableString (SIZE (2))
{noformat}
the countryname should be exactly 2 characters.
Obviously all other implementations you have encountered neglect to do a length check of this value.
As Kenneth pointed out, this is not a bug in our software; the certificate breaks the ASN.1 spec, which apparently is not checked by all software. If something like this becomes a de-facto standard we could consider working around it. Hopefully this is not a de-facto standard, only a tool that lets you input incorrect data and some other tools that fail to check the ASN.1 spec.
Original reporter: xek
Affected version: OTP-18.3
Component: asn1
Migrated from: https://bugs.erlang.org/browse/ERL-236
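A pre-deployment check for the constraint discussed in this thread, as an added example that is not part of the original issue or of OTP: it walks DER bytes and reports any countryName that is not a 2-character PrintableString. The function names and the sample Name (C=Poland, CN=localhost) are constructed for illustration.

```python
COUNTRY_OID = b"\x55\x04\x06"   # OID 2.5.4.6 (id-at-countryName)
PRINTABLE_STRING = 0x13         # universal tag 19

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def country_violations(der):
    """Walk every constructed TLV; report countryName values that break the spec."""
    problems = []
    def walk(buf):
        items, pos = [], 0
        while pos < len(buf):
            tag, val, pos = read_tlv(buf, pos)
            items.append((tag, val))
        # AttributeTypeAndValue ::= SEQUENCE { type OID, value ANY }
        if len(items) == 2 and items[0] == (0x06, COUNTRY_OID):
            tag, val = items[1]
            if tag != PRINTABLE_STRING:
                problems.append(f"countryName uses tag 0x{tag:02x}, not PrintableString")
            if len(val) != 2:
                problems.append(f"countryName {val.decode('latin-1')!r} has {len(val)} characters, SIZE (2) requires 2")
        for tag, val in items:
            if tag & 0x20:                  # constructed bit set: descend into it
                walk(val)
    walk(der)
    return problems

def tlv(tag, value):
    """Short-form DER encoder, used only to build the constructed sample below."""
    return bytes([tag, len(value)]) + value

def sample_name(country):
    """Constructed sample Name (C=<country>, CN=localhost), not a real certificate."""
    c = tlv(0x31, tlv(0x30, tlv(0x06, COUNTRY_OID) + tlv(PRINTABLE_STRING, country.encode())))
    cn = tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"localhost")))
    return tlv(0x30, c + cn)

if __name__ == "__main__":
    for country in ("Poland", "PL"):
        print(country, "->", country_violations(sample_name(country)) or "ok")
```

Because the walk descends every constructed element, the same function can be given a whole DER-encoded certificate, where it covers both the issuer and the subject Name.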