gen_smtp: handle broken Linux x509-certificates #453

mworrell opened this Issue Nov 12, 2012 · 2 comments

mworrell commented Nov 12, 2012

This is a gen_smtp issue, but I first want to discuss it here before bumping it up to gen_smtp.

When performing the SSL handshake with mail.mattijsen.com (aka mail04.roosit.eu) I get the following error:

2012-11-12 07:06:43.177 [error] <0.32220.1173> gen_fsm <0.32220.1173> in state certify terminated with reason: no match of right hand value {error,{asn1,{'Type not compatible with table constraint',{{component,'Type'},{value,{5,<<>>}},{unique_name_and_value,id,{1,2,840,113549,1,1,11}}}}}} in public_key:pkix_decode_cert/2
2012-11-12 07:06:43.282 [error] <0.32220.1173> CRASH REPORT Process <0.32220.1173> with 0 neighbours crashed with reason: no match of right hand value {error,{asn1,{'Type not compatible with table constraint',{{component,'Type'},{value,{5,<<>>}},{unique_name_and_value,id,{1,2,840,113549,1,1,11}}}}}} in public_key:pkix_decode_cert/2
2012-11-12 07:06:43.357 [error] <0.96.0> Supervisor ssl_connection_sup had child undefined started with {ssl_connection,start_link,undefined} at <0.32220.1173> exit with reason no match of right hand value {error,{asn1,{'Type not compatible with table constraint',{{component,'Type'},{value,{5,<<>>}},{unique_name_and_value,id,{1,2,840,113549,1,1,11}}}}}} in public_key:pkix_decode_cert/2 in context child_terminated

Some Googling gave this:

A few old certificates that are part of at least some Linux distributions break the ASN.1 specs for X.509 certificates, which means that the Erlang asn1 application cannot decode them and hence the Erlang ssl application cannot use them; but if the CA file has many certs, all correctly encoded certs will be understood.

http://erlang.org/pipermail/erlang-questions/2012-August/068509.html

When the connection crashes due to SSL cert problems I propose to retry the connection and skip the SSL handshake.

I also found some references to setting the "{depth, ..}" option to set the max length of the certificate chain. This is currently set to 0 (in gen_smtp/src/socket.erl).

Check: http://comments.gmane.org/gmane.comp.lang.erlang.bugs/2037

Per above: another unrelated idea might be to allow expired certificates.

arjan commented Nov 12, 2012

Seems reasonable to me, however this is indeed a gen_smtp issue...
cc @Vagabond

mworrell commented Nov 12, 2012

Just as a note: the unique_name_and_value mentioned matches with this definition:

-define('sha256WithRSAEncryption', {1,2,840,113549,1,1,11}).

And the (self-signed) certificate, fetched with openssl, is:

-----BEGIN CERTIFICATE-----
MIIFnDCCA4SgAwIBAgIDEBAnMA0GCSqGSIb3DQEBCwUAMIHRMQswCQYDVQQGEwJO
TDELMAkGA1UECBMCbmgxEjAQBgNVBAcTCUFtc3RlcmRhbTEPMA0GA1UEChMGUm9v
c0lUMREwDwYDVQQLEwhpbnRlcm5ldDEUMBIGA1UEAwwLKi5yb29zaXQuZXUxFTAT
BgNVBAMMDCoucm9vc2l0LmNvbTEVMBMGA1UEAwwMKi5yb29zaXQubmV0MRQwEgYD
VQQDDAsqLnJvb3NpdC5ubDEjMCEGCSqGSIb3DQEJARYUcG9zdG1hc3RlckByb29z
aXQuZXUwHhcNMTIwMjI1MTkxNTM2WhcNMTcwMjIzMTkxNTM2WjCB0TELMAkGA1UE
BhMCTkwxCzAJBgNVBAgTAm5oMRIwEAYDVQQHEwlBbXN0ZXJkYW0xDzANBgNVBAoT
BlJvb3NJVDERMA8GA1UECxMIaW50ZXJuZXQxFDASBgNVBAMMCyoucm9vc2l0LmV1
MRUwEwYDVQQDDAwqLnJvb3NpdC5jb20xFTATBgNVBAMMDCoucm9vc2l0Lm5ldDEU
MBIGA1UEAwwLKi5yb29zaXQubmwxIzAhBgkqhkiG9w0BCQEWFHBvc3RtYXN0ZXJA
cm9vc2l0LmV1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqu1VNDJ4
Pjeq9/BGtgCwSwyrW72GVkl+920GGVVkeb3EqhEt3SIohV9g6wkanaSN/80Rg9Pj
qWgC3xUIl57gXGTRHl6a5RHMqGyyEqSWa8VvdZyokRyZovU8cNKNOUim2TOdmKDv
1XtDRnDvzztgIPcqxycGWa5mEhxV5JRaYH0oZBPAedvujyn/i/Q6IIPXnP9JMf1A
01y7kFuZMboFK66atDsXv6GmRxwX54Ep3bkZHqtz6a1Fj27Qdrd1qZPDZG5NRh6Z
AH3UTcEWyGhuxwhyJO5TULBDAOsFFjYSGV4clFb4hVOBCnATnA1QOtxLHaaRlWIh
l0Jzk7FznqG8nQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P
cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQULG57ZVqE83Sn
HxJvqdb79sbDTxEwHwYDVR0jBBgwFoAUJCvPm2RfVG8C8TWqCXZE860PickwDQYJ
KoZIhvcNAQELBQADggIBAExXAIEBrdpqIiyA994UQnd2w10Za6IwiwaWAUx94ldO
8UYTh+Jwc9d5K4eEyq6uyYUZTRVs5OsVCs4wcw7r8wksdKl/fWxQ910cMsPbptDa
HHSCkDcF+F/qvxgf4q3NA9QI/6wYID8FpzYMrNoQWHaZHg7QvQF+s6amVyHDBV/d
YPm2jquCdTGry2rZyOPg1zQzLYIpIXUrvN10+xskdfZj/5D8D38DEk6HnAun0zNR
l/GAMSjZxTlJVO+Py6DOpXKCL9/JRj6k3ByQIdYmjkFZJVVX/k8OpokQ2lBKo+6K
hlHqs04kAdZTPxf3QuKNXBRXUW1bJOn/IkqcCFbjXSdoDulW296Oo2rjjXXtN4jF
WcU9xI77vl5wZ+3h047GWynvs4/HPLhVtv6UAfh7m0BMwPtlWwR9bj7eav+P0VHQ
gzgrDZMDZvwIT0hUgZ/XSMsZaX6dDDsE6GnexDFHgdZOM+o5rv7WAhevZg0PxNfO
3iJh2wwZmIv/fI0ZHMc4b9XYm/XbGK0xyaMZyijcvYebChQRyfKWFG3m9cmAm2Yv
73TalF4JUyr4QedD8pRz5kSOzLM/m2sK75cjTUrMM6QOqmEuU67em8ZJ38zrEMBb
JEK2GPEO0jZbwRnaZVPB/C0nN/hdTTKdrofEp3beudiuzFAqcOaZ2VdZ4b2YB0Xj
-----END CERTIFICATE-----
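The following is an added example, not code from this issue, from gen_smtp or from Erlang/OTP. It walks the DER of the certificate posted above with a minimal TLV parser (standard library only) and reports what the asn1 error is about: the outer signatureAlgorithm OID, the raw encoding of its parameters field, whether it equals tbsCertificate.signature as RFC 5280 requires, and the sizes of the signature and of the subject's RSA key. On this certificate the OID is 1.2.840.113549.1.1.11 (sha256WithRSAEncryption, the same value as the Erlang define) and the parameters are the two bytes 05 00, an ASN.1 NULL (universal tag 5, empty content), which lines up with the {5,<<>>} value the decoder rejected against its table constraint. A second, constructed AlgorithmIdentifier with the parameters field absent is included because RFC 4055 says implementations must accept both that and the NULL form; the function names, the ALG_ID_NO_PARAMS sample and the OID_NAMES table are this example's own.

```python
import base64
import re

# Certificate posted in the issue above (fetched from mail04.roosit.eu), reflowed as PEM.
CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIFnDCCA4SgAwIBAgIDEBAnMA0GCSqGSIb3DQEBCwUAMIHRMQswCQYDVQQGEwJO
TDELMAkGA1UECBMCbmgxEjAQBgNVBAcTCUFtc3RlcmRhbTEPMA0GA1UEChMGUm9v
c0lUMREwDwYDVQQLEwhpbnRlcm5ldDEUMBIGA1UEAwwLKi5yb29zaXQuZXUxFTAT
BgNVBAMMDCoucm9vc2l0LmNvbTEVMBMGA1UEAwwMKi5yb29zaXQubmV0MRQwEgYD
VQQDDAsqLnJvb3NpdC5ubDEjMCEGCSqGSIb3DQEJARYUcG9zdG1hc3RlckByb29z
aXQuZXUwHhcNMTIwMjI1MTkxNTM2WhcNMTcwMjIzMTkxNTM2WjCB0TELMAkGA1UE
BhMCTkwxCzAJBgNVBAgTAm5oMRIwEAYDVQQHEwlBbXN0ZXJkYW0xDzANBgNVBAoT
BlJvb3NJVDERMA8GA1UECxMIaW50ZXJuZXQxFDASBgNVBAMMCyoucm9vc2l0LmV1
MRUwEwYDVQQDDAwqLnJvb3NpdC5jb20xFTATBgNVBAMMDCoucm9vc2l0Lm5ldDEU
MBIGA1UEAwwLKi5yb29zaXQubmwxIzAhBgkqhkiG9w0BCQEWFHBvc3RtYXN0ZXJA
cm9vc2l0LmV1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqu1VNDJ4
Pjeq9/BGtgCwSwyrW72GVkl+920GGVVkeb3EqhEt3SIohV9g6wkanaSN/80Rg9Pj
qWgC3xUIl57gXGTRHl6a5RHMqGyyEqSWa8VvdZyokRyZovU8cNKNOUim2TOdmKDv
1XtDRnDvzztgIPcqxycGWa5mEhxV5JRaYH0oZBPAedvujyn/i/Q6IIPXnP9JMf1A
01y7kFuZMboFK66atDsXv6GmRxwX54Ep3bkZHqtz6a1Fj27Qdrd1qZPDZG5NRh6Z
AH3UTcEWyGhuxwhyJO5TULBDAOsFFjYSGV4clFb4hVOBCnATnA1QOtxLHaaRlWIh
l0Jzk7FznqG8nQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P
cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQULG57ZVqE83Sn
HxJvqdb79sbDTxEwHwYDVR0jBBgwFoAUJCvPm2RfVG8C8TWqCXZE860PickwDQYJ
KoZIhvcNAQELBQADggIBAExXAIEBrdpqIiyA994UQnd2w10Za6IwiwaWAUx94ldO
8UYTh+Jwc9d5K4eEyq6uyYUZTRVs5OsVCs4wcw7r8wksdKl/fWxQ910cMsPbptDa
HHSCkDcF+F/qvxgf4q3NA9QI/6wYID8FpzYMrNoQWHaZHg7QvQF+s6amVyHDBV/d
YPm2jquCdTGry2rZyOPg1zQzLYIpIXUrvN10+xskdfZj/5D8D38DEk6HnAun0zNR
l/GAMSjZxTlJVO+Py6DOpXKCL9/JRj6k3ByQIdYmjkFZJVVX/k8OpokQ2lBKo+6K
hlHqs04kAdZTPxf3QuKNXBRXUW1bJOn/IkqcCFbjXSdoDulW296Oo2rjjXXtN4jF
WcU9xI77vl5wZ+3h047GWynvs4/HPLhVtv6UAfh7m0BMwPtlWwR9bj7eav+P0VHQ
gzgrDZMDZvwIT0hUgZ/XSMsZaX6dDDsE6GnexDFHgdZOM+o5rv7WAhevZg0PxNfO
3iJh2wwZmIv/fI0ZHMc4b9XYm/XbGK0xyaMZyijcvYebChQRyfKWFG3m9cmAm2Yv
73TalF4JUyr4QedD8pRz5kSOzLM/m2sK75cjTUrMM6QOqmEuU67em8ZJ38zrEMBb
JEK2GPEO0jZbwRnaZVPB/C0nN/hdTTKdrofEp3beudiuzFAqcOaZ2VdZ4b2YB0Xj
-----END CERTIFICATE-----"""

# Constructed sample (not from the issue): same OID, parameters field absent.
ALG_ID_NO_PARAMS = bytes.fromhex("300b06092a864886f70d01010b")
OID_NAMES = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}


def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos=0):
    # One DER element: returns (tag, value, raw element incl. tag+length, next_pos).
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x8N followed by N big-endian length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end


def children(value):
    # All elements inside a constructed value (SEQUENCE / SET content bytes).
    out, pos = [], 0
    while pos < len(value):
        tag, val, raw, pos = read_tlv(value, pos)
        out.append((tag, val, raw))
    return out


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def algorithm_identifier(der):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    parts = children(read_tlv(der)[1])
    params = parts[1][2] if len(parts) > 1 else None  # raw parameters element, or None
    return decode_oid(parts[0][1]), params


def inspect_certificate(pem):
    tbs, sig_alg, sig_val = children(read_tlv(pem_to_der(pem))[1])[:3]
    tbs_parts = children(tbs[1])
    i = 1 if tbs_parts[0][0] == 0xA0 else 0  # skip [0] EXPLICIT version when present
    tbs_oid, _ = algorithm_identifier(tbs_parts[i + 1][2])
    outer_oid, params = algorithm_identifier(sig_alg[2])
    # subjectPublicKeyInfo's BIT STRING wraps RSAPublicKey { modulus, publicExponent }.
    spki_bits = children(tbs_parts[i + 5][1])[1][1][1:]  # drop the unused-bits byte
    modulus = children(read_tlv(spki_bits)[1])[0][1]
    return {
        "signature_algorithm": outer_oid,
        "name": OID_NAMES.get(outer_oid, "unknown"),
        "parameters": params,                 # b"\x05\x00" is an encoded NULL
        "matches_tbs": outer_oid == tbs_oid,  # RFC 5280 4.1.1.2: these must be equal
        "signature_bits": (len(sig_val[1]) - 1) * 8 - sig_val[1][0],
        "public_key_bits": int.from_bytes(modulus, "big").bit_length(),
    }


if __name__ == "__main__":
    for key, value in inspect_certificate(CERT_PEM).items():
        print(key, value)
    print("no-params sample:", algorithm_identifier(ALG_ID_NO_PARAMS))
```

Running it prints the sha256WithRSAEncryption OID with parameters b'\x05\x00' and matches_tbs True, so the structure itself is well-formed DER and the failure is the decoder's table not accepting a NULL parameter value for that OID. The same output also shows a 4096-bit signature over a 2048-bit subject key, so the key that signed this certificate is not the subject's own key. A retry that drops the TLS handshake, as proposed above, would get past this error only by giving up encryption for that peer; a decoder fix accepts the NULL (and absent) parameters without that downgrade.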