
ERL-236: asn1 httpc SSL certificate parse issue #3360

Closed
OTP-Maintainer opened this issue Aug 29, 2016 · 2 comments
Labels
not a bug Issue is determined as not a bug by OTP priority:medium

Comments

@OTP-Maintainer

Original reporter: xek
Affected version: OTP-18.3
Component: asn1
Migrated from: https://bugs.erlang.org/browse/ERL-236


I get this error when connecting to a https server using the attached certificate:

```
=ERROR REPORT==== 23-Aug-2016::14:36:15 ===
SSL: certify: ssl_handshake.erl:415:Fatal error: certificate unknown
{error,{failed_connect,[{to_address,{"localhost",443}},
                        {inet,[inet],{tls_alert,"certificate unknown"}}]}}
```


The specific error is in asn1 certificate decoding, which I was able to print out after modifying the ssl_handshake.erl under the "%% ASN-1 decode of certificate somehow failed" comment:

```
{case_clause,{error,{asn1,bad_range}}}
```

These certificates were generated with https://github.com/cloudflare/cfssl with the attached ca-config.json like so:

```shell
cat ca_apiserver | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server - | cfssljson -bare apiserver
```

No other HTTPS client I came across during my testing of this issue had any problems with this certificate.

@OTP-Maintainer

kenneth said:

The `bad_range` error occurs because the X520countryname in the server certificate has the value "Poland", but according to the standard ASN.1 spec, which looks like this:

```asn1
X520countryName ::=     PrintableString (SIZE (2))
```

the countryname should be exactly 2 characters.

Obviously all other implementations you have encountered neglect to do a length check of this value.

@OTP-Maintainer

ingela said:

As Kenneth pointed out, this is not a bug in our software; the certificate breaks the ASN.1 spec, which apparently is not checked by all software. If something like this becomes a de-facto standard we could consider working around it. Hopefully this is not a de-facto standard, only a tool that lets you input incorrect data and some other tools that fail to check the ASN.1 spec.
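An added example (not code from this thread, from cfssl or from OTP) of the length check Kenneth describes: a minimal DER walker that finds every countryName attribute (OID 2.5.4.6) in an X.509 Name and flags any that is not a PrintableString of exactly two characters, so a certificate like the one reported here can be caught before a strict decoder rejects it. The sample Name is constructed inline by `encode_name`, a helper assumed only for this demonstration.

```python
# Added example: apply the X.520 constraint
#   X520countryName ::= PrintableString (SIZE (2))
# to every countryName attribute in a DER-encoded X.509 Name.
OID_COUNTRY_NAME = bytes.fromhex("550406")   # DER content octets of OID 2.5.4.6
TAG_SEQUENCE, TAG_SET, TAG_OID, TAG_PRINTABLE = 0x30, 0x31, 0x06, 0x13


def read_tlv(data, pos):
    """Read one DER TLV at pos; return (tag, content bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def check_country_names(name_der):
    """Return [(value, conforms)] for each countryName in a DER-encoded Name."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE OF RelativeDistinguishedName")
    findings, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = read_tlv(rdns, pos)    # SET OF AttributeTypeAndValue
        if tag != TAG_SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)       # SEQUENCE { type OID, value }
            otag, oid, q = read_tlv(atv, 0)
            vtag, value, _ = read_tlv(atv, q)
            if otag == TAG_OID and oid == OID_COUNTRY_NAME:
                conforms = vtag == TAG_PRINTABLE and len(value) == 2
                findings.append((value.decode("ascii", "replace"), conforms))
    return findings


def encode_name(country):
    """Helper (assumed, demo only): build a one-RDN Name holding countryName."""
    def tlv(tag, content):
        return bytes([tag, len(content)]) + content   # short-form lengths only
    atv = tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_COUNTRY_NAME)
              + tlv(TAG_PRINTABLE, country.encode("ascii")))
    return tlv(TAG_SEQUENCE, tlv(TAG_SET, atv))


if __name__ == "__main__":
    for country in ("PL", "Poland"):           # constructed sample values
        print(country, check_country_names(encode_name(country)))
```

Feed a real certificate's subject or issuer Name (the DER bytes of that field) to `check_country_names` to lint it the same way.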
