SSL certificates from relative symbolic links broken since OTP 25.1

[laurglia]

Describe the bug

Starting SSL connections fails in cases where certificates are read from files that are relative symbolic links.

To Reproduce

1. Create directory foo: mkdir foo
2. Enter directory foo: cd foo
3. Generate arbitrary certificate: openssl req -x509 -newkey rsa:4096 -out cert.pem -days 365 -nodes
4. Create relative symbolic link to the certificate: ln -s cert.pem cert2.pem
5. Leave directory foo: cd ..
6. Start Erlang shell and run the following code:

ssl:start().
ssl:connect('google.com', 443, [{cacertfile, "foo/cert2.pem"}, {verify, verify_none}]).

7. Observe that you get back the following error about file not existing even though it does exist.

{error,{options,{cacertfile,"cert.pem",{error,enoent}}}}

Expected behavior

The SSL connection should establish.

Affected versions

25.1

Additional context

I think this bug started in #6287

More specifically, I believe this piece of code is the culprit:

unambiguous_path(Value) ->
    AbsName = filename:absname(Value),
    case file:read_link(AbsName) of
        {ok, PathWithNoLink} ->
            PathWithNoLink;
        _ ->
            AbsName
    end.

This code looks up the path of the file but it does not properly resolve the path of the symbolic link. For example, if the symbolic link points to cert.pem, then it always returns the path cert.pem, regardless of where the symbolic link is located.

[u3s]

Thanks for reporting. Fix is planned to be included in OTP 25.1.1 and released this week.

[pjk25]

This also affected 24.3.4.5, correct?

[u3s]

yes 24.3.4.5 will be corrected as well, but a little later probably.

[u3s]

OTP25.1.1 will be delayed until Monday, sorry for inconvenience.

[u3s]

OTP-25.1.1 is released
https://github.com/erlang/otp/releases/tag/OTP-25.1.1

[u3s]

OTP-24 fix is released as well.
https://github.com/erlang/otp/releases/tag/OTP-24.3.4.6

thanks for the report