diff options
| author | Ingela Anderton Andin <[email protected]> | 2010-08-27 10:06:22 +0200 |
|---|---|---|
| committer | Ingela Anderton Andin <[email protected]> | 2010-09-01 08:34:52 +0200 |
| commit | a6de8740405037bad55c09089f1d69c8c5511d6c (patch) | |
| tree | 68e7c67d5809a6f6e05ac631fb64e70a447a9f35 /lib/ssl/src/ssl_handshake.erl | |
| parent | cdf4fceaf40ddd00fa2d54d398828f0a4def1d70 (diff) | |
| download | otp-a6de8740405037bad55c09089f1d69c8c5511d6c.tar.gz otp-a6de8740405037bad55c09089f1d69c8c5511d6c.tar.bz2 otp-a6de8740405037bad55c09089f1d69c8c5511d6c.zip | |
Empty certificate chain
Handling of unkown CA certificats was changed in ssl and
public_key to work as intended.
In the process of doing this some test cases has been corrected as
they where wrong but happened to work together with the
incorrect unknown CA handling.
Diffstat (limited to 'lib/ssl/src/ssl_handshake.erl')
| -rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 15 |
1 files changed, 7 insertions, 8 deletions
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index ee725997a4..add5147fb4 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -203,18 +203,15 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbRef, end end, try - %% Allow missing root_cert and check that with VerifyFun - ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbRef, false) of - {TrustedErlCert, CertPath, VerifyErrors} -> + ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbRef) of + {TrustedErlCert, CertPath} -> Result = public_key:pkix_path_validation(TrustedErlCert, CertPath, [{max_path_length, MaxPathLen}, {verify, VerifyBool}, {validate_extensions_fun, - ValidateExtensionFun}, - {acc_errors, - VerifyErrors}]), + ValidateExtensionFun}]), case Result of {error, Reason} -> path_validation_alert(Reason, Verify); @@ -474,7 +471,7 @@ get_tls_handshake(Data, Buffer) -> get_tls_handshake_aux(list_to_binary([Buffer, Data]), []). %%-------------------------------------------------------------------- --spec dec_client_key(binary(), key_algo(), tls_version()) -> +-spec decode_client_key(binary(), key_algo(), tls_version()) -> #encrypted_premaster_secret{} | #client_diffie_hellman_public{}. %% %% Description: Decode client_key data and return appropriate type @@ -510,6 +507,8 @@ path_validation_alert({bad_cert, unknown_critical_extension}, _) -> ?ALERT_REC(?FATAL, ?UNSUPPORTED_CERTIFICATE); path_validation_alert({bad_cert, cert_revoked}, _) -> ?ALERT_REC(?FATAL, ?CERTIFICATE_REVOKED); +path_validation_alert({bad_cert, unknown_ca}, _) -> + ?ALERT_REC(?FATAL, ?UNKNOWN_CA); path_validation_alert(_, _) -> ?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE). @@ -1129,7 +1128,7 @@ sig_alg(_) -> key_exchange_alg(rsa) -> ?KEY_EXCHANGE_RSA; key_exchange_alg(Alg) when Alg == dhe_rsa; Alg == dhe_dss; - Alg == dh_dss; Alg == dh_rsa; Alg == dh_anon -> + Alg == dh_dss; Alg == dh_rsa -> ?KEY_EXCHANGE_DIFFIE_HELLMAN; key_exchange_alg(_) -> ?NULL. |