5 files changed, 34 insertions, 41 deletions

diff --git a/lib/ssl/src/ssl.appup.src b/lib/ssl/src/ssl.appup.src
index 88cd73be74..f4e6b59b6d 100644
--- a/lib/ssl/src/ssl.appup.src
+++ b/lib/ssl/src/ssl.appup.src
@@ -1,32 +1,9 @@
 %% -*- erlang -*-
 {"%VSN%",
  [
-  {"4.0", [{restart_application, ssl}]},
-  {"3.11.1", [{restart_application, ssl}]},
-  {"3.11", [{restart_application, ssl}]},			
-  {"3.10", [{restart_application, ssl}]},			
-  {"3.10.1", [{restart_application, ssl}]},
-  {"3.10.2", [{restart_application, ssl}]},
-  {"3.10.3", [{restart_application, ssl}]},
-  {"3.10.4", [{restart_application, ssl}]},
-  {"3.10.5", [{restart_application, ssl}]},
-  {"3.10.6", [{restart_application, ssl}]},
-  {"3.10.7", [{restart_application, ssl}]},
-  {"3.10.8", [{restart_application, ssl}]},
-  {"3.10.9", [{restart_application, ssl}]}
+  {"4.0.1", [{restart_application, ssl}]}
  ], 
  [
-  {"4.0", [{restart_application, ssl}]},
-  {"3.11.1", [{restart_application, ssl}]},
-  {"3.11", [{restart_application, ssl}]},			
-  {"3.10", [{restart_application, ssl}]},	
-  {"3.10.1", [{restart_application, ssl}]},		
-  {"3.10.2", [{restart_application, ssl}]},
-  {"3.10.3", [{restart_application, ssl}]},
-  {"3.10.4", [{restart_application, ssl}]},
-  {"3.10.5", [{restart_application, ssl}]},
-  {"3.10.6", [{restart_application, ssl}]},
-  {"3.10.8", [{restart_application, ssl}]},
-  {"3.10.9", [{restart_application, ssl}]}
+  {"4.0.1", [{restart_application, ssl}]}
  ]}.
 
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 314bdd1aab..ef94750d02 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -621,17 +621,19 @@ handle_options(Opts0, _Role) ->
     
     ReuseSessionFun = fun(_, _, _, _) -> true end,
 
-    VerifyNoneFun =
-	{fun(_,{bad_cert, unknown_ca}, UserState) ->
+    DefaultVerifyNoneFun =
+	{fun(_,{bad_cert, _}, UserState) ->
 		 {valid, UserState};
-	    (_,{bad_cert, _} = Reason, _) ->
-		 {fail, Reason};
 	    (_,{extension, _}, UserState) ->
 		 {unknown, UserState};
 	    (_, valid, UserState) ->
+		 {valid, UserState};
+	    (_, valid_peer, UserState) ->
 		 {valid, UserState}
 	 end, []},
 
+    VerifyNoneFun = handle_option(verify_fun, Opts, DefaultVerifyNoneFun),
+
     UserFailIfNoPeerCert = handle_option(fail_if_no_peer_cert, Opts, false),
     UserVerifyFun = handle_option(verify_fun, Opts, undefined),
     CaCerts = handle_option(cacerts, Opts, undefined),
@@ -727,6 +729,8 @@ validate_option(verify_fun, Fun) when is_function(Fun) ->
 	(_,{extension, _}, UserState) ->
 	     {unknown, UserState};
 	(_, valid, UserState) ->
+	     {valid, UserState};
+	(_, valid_peer, UserState) ->
 	     {valid, UserState}
      end, Fun};
 validate_option(verify_fun, {Fun, _} = Value) when is_function(Fun) ->
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index d2ab21657c..5571fb01f6 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -57,30 +57,32 @@
 trusted_cert_and_path(CertChain, CertDbRef) ->
     Path = [Cert | _] = lists:reverse(CertChain),
     OtpCert = public_key:pkix_decode_cert(Cert, otp),
-    IssuerID =
+    SignedAndIssuerID =
 	case public_key:pkix_is_self_signed(OtpCert) of
 	    true ->
 		{ok, IssuerId} = public_key:pkix_issuer_id(OtpCert, self),
-		IssuerId;
+		{self, IssuerId};
 	    false ->
 		case public_key:pkix_issuer_id(OtpCert, other) of
 		    {ok, IssuerId} ->
-			IssuerId;
+			{other, IssuerId};
 		    {error, issuer_not_found} ->
 			case find_issuer(OtpCert, no_candidate) of
 			    {ok, IssuerId} ->
-				IssuerId;
+				{other, IssuerId};
 			    Other ->
 				Other
 			end
 		end
 	end,
     
-    case IssuerID of
+    case SignedAndIssuerID of
 	{error, issuer_not_found} ->
 	    %% The root CA was not sent and can not be found.
 	    {unknown_ca, Path};
-	{SerialNr, Issuer} ->
+	{self, _} when length(Path) == 1 ->
+	    {selfsigned_peer, Path};
+	{_ ,{SerialNr, Issuer}} ->
 	    case ssl_manager:lookup_trusted_cert(CertDbRef, SerialNr, Issuer) of
 		{ok, {BinCert,_}} ->
 		    {BinCert, Path};
@@ -130,6 +132,8 @@ validate_extension(_, {bad_cert, _} = Reason, _) ->
 validate_extension(_, {extension, _}, Role) ->
     {unknown, Role};
 validate_extension(_, valid, Role) ->
+    {valid, Role};
+validate_extension(_, valid_peer, Role) ->
     {valid, Role}.
 
 %%--------------------------------------------------------------------
diff --git a/lib/ssl/src/ssl_certificate_db.erl b/lib/ssl/src/ssl_certificate_db.erl
index 86477f369d..2a5a7f3394 100644
--- a/lib/ssl/src/ssl_certificate_db.erl
+++ b/lib/ssl/src/ssl_certificate_db.erl
@@ -216,9 +216,15 @@ add_certs_from_file(File, Ref, CertsDb) ->
     [Add(Cert) || {'Certificate', Cert, not_encrypted} <- PemEntries].
     
 add_certs(Cert, Ref, CertsDb) ->
-    ErlCert = public_key:pkix_decode_cert(Cert, otp),
-    TBSCertificate = ErlCert#'OTPCertificate'.tbsCertificate,
-    SerialNumber = TBSCertificate#'OTPTBSCertificate'.serialNumber,
-    Issuer = public_key:pkix_normalize_name(
-	       TBSCertificate#'OTPTBSCertificate'.issuer),
-    insert({Ref, SerialNumber, Issuer}, {Cert,ErlCert}, CertsDb).
+    try  ErlCert = public_key:pkix_decode_cert(Cert, otp),
+	 TBSCertificate = ErlCert#'OTPCertificate'.tbsCertificate,
+	 SerialNumber = TBSCertificate#'OTPTBSCertificate'.serialNumber,
+	 Issuer = public_key:pkix_normalize_name(
+		    TBSCertificate#'OTPTBSCertificate'.issuer),
+	 insert({Ref, SerialNumber, Issuer}, {Cert,ErlCert}, CertsDb)
+    catch
+	error:_ ->
+	    Report = io_lib:format("SSL WARNING: Ignoring a CA cert as "
+				   "it could not be correctly decoded.~n", []),
+	    error_logger:info_report(Report)
+    end.
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 3f01be101c..5b1a510034 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -578,6 +578,8 @@ path_validation_alert({bad_cert, unknown_critical_extension}) ->
     ?ALERT_REC(?FATAL, ?UNSUPPORTED_CERTIFICATE);
 path_validation_alert({bad_cert, cert_revoked}) ->
     ?ALERT_REC(?FATAL, ?CERTIFICATE_REVOKED);
+path_validation_alert({bad_cert, selfsigned_peer}) ->
+    ?ALERT_REC(?FATAL, ?BAD_CERTIFICATE);
 path_validation_alert({bad_cert, unknown_ca}) ->
      ?ALERT_REC(?FATAL, ?UNKNOWN_CA);
 path_validation_alert(_) ->