elixir-mint/mint

SSL Error

Closed this issue · 5 comments

Given the following CACerts, Certificate and Host the following SSL Error is produced:

CaCerts

Certificate Content (First the full Certificate List was used which didn't work as well)
SwissSign Gold CA - G2
======================

Server Certificate

Certificate Content
Certificate chain
 0 s:/C=CH/ST=St. Gallen/L=St. Gallen/O=JOSHMARTIN GmbH/CN=*.joshmartin.ch
   i:/C=CH/O=SwissSign AG/CN=SwissSign Server Gold CA 2014 - G22
 1 s:/C=CH/O=SwissSign AG/CN=SwissSign Server Gold CA 2014 - G22
   i:/C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
 2 s:/C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
   i:/C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
 3 s:/C=CH/O=SwissSign AG/CN=SwissSign Server Gold CA 2014 - G22
   i:/C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
 4 s:/C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
   i:/C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2

Code

{:ok, conn} =
  Mint.HTTP.connect(
    :https,
    "git.joshmartin.ch",
    443,
    transport_opts: [
      cacerts: SSL.cacerts(),
      depth: 99,
      versions: [:"tlsv1.2", :"tlsv1.1"]
    ]
  )

A custom module for the cacerts is used to be able to provide the application as an escript.

defmodule Acme.Utils.SSL do
  # Evaluated at compile time, so the CA bundle is embedded in the compiled module.
  @cacerts :certifi.cacerts()

  def cacerts, do: @cacerts
end

Error

11:39:54.528 [info]  ['TLS', 32, 'client', 58, 32, 73, 110, 32, 115, 116, 97, 116, 101, 32, 'certify', 32, 'at ssl_handshake.erl:1378 generated CLIENT ALERT: Fatal - Unknown CA', 10]
{:error, {:tls_alert, 'unknown ca'}}

Hum, not sure what is happening. It fails with the default transport settings even though we have CA in the store. The verify_fun also returns :valid.

Ping @voltone.

@ericmj ok, thank you for the quick answer

Unfortunately the server certificate chain verification in OTP ssl/public_key is very strict, causing server misconfigurations like this one to cause connection failures, even though other TLS clients work around the issue. Moreover, the hooks provided to customise the verification do not give applications enough control to deal with such issues.

Off the top of my head, the logic used by OTP goes like this:

  • get the list of certificates sent by the server, ignoring the last one if it is self-signed (because many servers unnecessarily send the root CA)
  • check if the last certificate in the chain was issued by a CA in the CA trust store
  • going over the certificate chain in reverse order, check if each certificate was issued by the prior one
  • verify the hostname of the end-certificate

For the certificate chain presented by the server above, this means: certificate (4) is ignored (because it is self-signed and last in the chain), certificate (3) is successfully checked against the CA trust store, but when certificate (2) is checked against certificate (3) it fails because (2) was not issued by (3).

Many other TLS implementations just treat the CA store along with any intermediate CA certificates sent by the server as a pool from which to try and build a complete chain for the server's end-certificate. This approach is much more flexible, no less secure, and more interoperable. I have tried in the past to come up with a verify_fun that mimics this behaviour, but I believe it is impossible with the current OTP implementation.
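The two strategies described in the comment above, run against the chain from this issue, as an added example (not part of the original thread and not OTP's or Mint's code). Certificates are modelled as constructed subject/issuer name pairs taken from the chain listing, and issuance is decided by name matching only; real validation also checks signatures, validity periods and the hostname.

```python
from collections import namedtuple

# Constructed model: only subject and issuer names, no keys or signatures.
Cert = namedtuple("Cert", "subject issuer")
LEAF = Cert("*.joshmartin.ch", "SwissSign Server Gold CA 2014 - G22")
INTERMEDIATE = Cert("SwissSign Server Gold CA 2014 - G22", "SwissSign Gold CA - G2")
ROOT = Cert("SwissSign Gold CA - G2", "SwissSign Gold CA - G2")

# Order as sent by the server in the issue (intermediate and root appear twice).
SENT_CHAIN = [LEAF, INTERMEDIATE, ROOT, INTERMEDIATE, ROOT]
FIXED_CHAIN = [LEAF, INTERMEDIATE, ROOT]
TRUST_STORE = {ROOT.subject: ROOT}


def strict_ordered_check(chain, trust_store):
    """Follow the steps listed in the comment; return (ok, reason)."""
    certs = list(chain)
    # Ignore the last certificate if it is self-signed.
    if certs and certs[-1].subject == certs[-1].issuer:
        certs.pop()
    if not certs:
        return False, "empty chain"
    # The last remaining certificate must be issued by a trusted CA.
    if certs[-1].issuer not in trust_store:
        return False, "unknown ca"
    # Walking in reverse, each certificate must be issued by the one after it.
    for i in range(len(certs) - 2, -1, -1):
        if certs[i].issuer != certs[i + 1].subject:
            return False, f"cert {i} not issued by cert {i + 1}"
    return True, "ok"


def pool_path_build(chain, trust_store):
    """Build a path from the end-certificate using sent certs as a pool."""
    if not chain:
        return None
    pool = {c.subject: c for c in chain[1:]}
    path, current, seen = [chain[0]], chain[0], set()
    while current.issuer not in trust_store:
        if current.issuer in seen or current.issuer not in pool:
            return None  # loop or missing issuer: no path to a trust anchor
        seen.add(current.issuer)
        current = pool[current.issuer]
        path.append(current)
    path.append(trust_store[current.issuer])
    return [c.subject for c in path]
```

The strict check rejects the duplicated chain at certificate (2) and accepts the de-duplicated one, while the pool approach finds the same three-certificate path in both cases.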

@voltone Thanks, I didn't even notice that our certificate chain was there twice. It works now with the problem fixed.

Is there a way to get this to pass still? I'd expect Erlang SSL to react similarly to OpenSSL in cases like this.

@maennchen People have pointed out the interop issues to the OTP team in the past, but they have said they intend to stick to their strict interpretation of the RFCs. I do not think it is possible to make this particular scenario pass using the verify_fun and partial_chain hooks without compromising the security of certificate verification.