Uploaded image for project: 'Erlang/OTP'
  1. Erlang/OTP
  2. ERL-423

Allow invalid certificate country attributes to be handled by a verify_fun

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Help Wanted
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 19.3.1, 20
    • Fix Version/s: None
    • Component/s: public_key, ssl
    • Labels:
      None

      Description

      Certificate countries are meant to be 2 letter country codes, and erlang enforces this too strictly in my opinion. There exist (usually self-signed) certificates in the wild where the user has set the country to be the full country name rather than a country code, and it would be good to be able to catch this at the API level.

      I would expect something like a bad_cert (invalid_issuer or invalid_signature) error to make it to an ssl connection's verify fun in this case, where an application could ignore it if it wants to be lenient. Instead, the connection always fails with an un-skippable

      {tls_alert, "certificate unknown"}

      error.

      A workaround might be to catch the bad_range exit here:
      https://github.com/erlang/otp/blob/773c4d4f0416f25e3c0c6939f8d0871dc4486bab/lib/public_key/src/pubkey_cert_records.erl#L65-L70

      Or probably better, make the asn1 more lenient here:
      https://github.com/erlang/otp/blob/773c4d4f0416f25e3c0c6939f8d0871dc4486bab/lib/public_key/asn1/OTP-PKIX.asn1#L227-L239

      The error could then be reported as normal to any verification functions.

        Attachments

          Activity

            People

            Assignee:
            otp_team_ps Team PS
            Reporter:
            jwheare James Wheare
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated: