Closed
Labels
bug (Issue is reported as a bug), not a bug (Issue is determined as not a bug by OTP), team:PS (Assigned to OTP team PS)
Description
Describe the bug
Wix websites present an incorrectly ordered certificate chain which the ssl module cannot verify - however this issue is not present in any web browsers, or openssl s_client as they can verify the certificate just fine.
To Reproduce
1> ssl:start(), ssl:connect("images-wixmp-ed30a86b8c4ca887773594c2.wixmp.com", 443, [{verify, verify_peer},
{cacerts, public_key:cacerts_get()}]).
=NOTICE REPORT==== 20-Jun-2024::12:34:45.816504 ===
TLS client: In state wait_cert_cr at ssl_handshake.erl:2162 generated CLIENT ALERT: Fatal - Bad Certificate
{error,{tls_alert,{bad_certificate,"TLS client: In state wait_cert_cr at ssl_handshake.erl:2162 generated CLIENT ALERT: Fatal - Bad Certificate\n"}}}
Expected behavior
The connection should be successful
openssl s_client images-wixmp-ed30a86b8c4ca887773594c2.wixmp.com:443 returns:
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.wixmp.com
verify return:1
...
Verify return code: 0 (ok)
Affected versions
OTP 27
AppleDash
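The report attributes the failure to the order of the presented chain. The following check is an added example, not part of the report or of OTP: it tests whether a chain is in issuer order and rebuilds the leaf-to-root order by following issuer names. The certificate names come from the openssl output above; the out-of-order arrangement, the self-issued root entry and the function names are assumptions made for illustration.

```python
# Added example. TLS 1.2 (RFC 5246) requires each certificate in the list to
# directly certify the one before it; TLS 1.3 (RFC 8446) relaxes this to SHOULD.
# Constructed sample: names from the openssl output in the report, order assumed.
PRESENTED = [
    {"subject": "CN=*.wixmp.com",
     "issuer": "CN=Sectigo RSA Domain Validation Secure Server CA"},
    {"subject": "CN=USERTrust RSA Certification Authority",
     "issuer": "CN=USERTrust RSA Certification Authority"},
    {"subject": "CN=Sectigo RSA Domain Validation Secure Server CA",
     "issuer": "CN=USERTrust RSA Certification Authority"},
]


def first_order_break(chain):
    """Return the index of the first certificate not issued by its successor, or None."""
    for i in range(len(chain) - 1):
        if chain[i]["issuer"] != chain[i + 1]["subject"]:
            return i
    return None


def reorder(chain):
    """Rebuild leaf-to-root order by following issuer names from chain[0].

    Returns (path, unused). This is name chaining only: signatures, validity
    dates and trust anchors are not checked. If two certificates share a
    subject (cross-signing), the last one wins; a real path builder tries each.
    """
    by_subject = {c["subject"]: c for c in chain[1:]}
    path, seen = [chain[0]], {chain[0]["subject"]}
    while True:
        nxt = by_subject.get(path[-1]["issuer"])
        # Stop on a self-issued certificate, a missing issuer, or a loop.
        if nxt is None or nxt["subject"] in seen:
            break
        path.append(nxt)
        seen.add(nxt["subject"])
    unused = [c for c in chain if c["subject"] not in seen]
    return path, unused


if __name__ == "__main__":
    print("first break at index:", first_order_break(PRESENTED))
    ordered, extra = reorder(PRESENTED)
    for depth, cert in enumerate(ordered):
        print(depth, cert["subject"])
    print("unused certificates:", len(extra))
```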