How to handle bad certificates

What is the best way to connect to an api that has a bad certificate? I am new to Elixir and was trying for my first project to rewrite a tool I use to give a base config to firewalls. As these firewalls haven’t been configured yet all they have is a self signed certificate.

I tried the following:

{:ok, conn} = Mint.HTTP.connect(:https, "", 4430, transport_opts: [verify: :verify_none])

But errors out with:

** (exit) exited in:<0.225.0>, {:start, 30000}, :infinity)
    ** (EXIT) an exception was raised:
        ** (CaseClauseError) no case clause matching: {:error, {:asn1, {
              {:invalid_choice_tag, {22, "US"}}, 
              [{:"OTP-PUB-KEY", :"dec_OTP-X520countryname", 2, [file: ~c"../src/OTP-PUB-KEY.erl", line: 17797]}, 
              {:"OTP-PUB-KEY", :decode, 2, [file: ~c"../src/OTP-PUB-KEY.erl", line: 1233]}, 
              {:pubkey_cert_records, :transform, 2, [file: ~c"pubkey_cert_records.erl", line: 65]}, 
              {:lists, :map, 2, [file: ~c"lists.erl", line: 1559]}, 
              {:pubkey_cert_records, :transform, 2, [file: ~c"pubkey_cert_records.erl", line: 92]}, 
              {:pubkey_cert_records, :decode_tbs, 1, [file: ~c"pubkey_cert_records.erl", line: 330]}, 
              {:pubkey_cert_records, :decode_cert, 1, [file: ~c"pubkey_cert_records.erl", line: 42]}, 
              {:public_key, :pkix_decode_cert, 2, [file: ~c"public_key.erl", line: 522]}]}}}
            (public_key 1.14.1) pubkey_cert_records.erl:65: :pubkey_cert_records.transform/2
            (stdlib 5.1.1) lists.erl:1559:
            (public_key 1.14.1) pubkey_cert_records.erl:92: :pubkey_cert_records.transform/2
            (public_key 1.14.1) pubkey_cert_records.erl:330: :pubkey_cert_records.decode_tbs/1
            (public_key 1.14.1) pubkey_cert_records.erl:42: :pubkey_cert_records.decode_cert/1
            (public_key 1.14.1) public_key.erl:522: :public_key.pkix_decode_cert/2
            (public_key 1.14.1) public_key.erl:1105: :public_key.pkix_subject_id/1
            (ssl 11.0.3) tls_handshake_1_3.erl:838: :tls_handshake_1_3.split_cert_entries/4
    (stdlib 5.1.1) gen.erl:246: :gen.do_call/4
    (stdlib 5.1.1) gen_statem.erl:905:
    (ssl 11.0.3) ssl_gen_statem.erl:1323:
    (ssl 11.0.3) ssl_gen_statem.erl:253: :ssl_gen_statem.handshake/2
    (ssl 11.0.3) ssl_gen_statem.erl:222: :ssl_gen_statem.connect/8
    (ssl 11.0.3) ssl.erl:631: :ssl.connect/4
    (mint 1.5.1) lib/mint/core/transport/ssl.ex:342: Mint.Core.Transport.SSL.connect/4
    iex:1: (file)

The certificate in question looks like

>openssl x509 -inform pem -noout -text -in .\
        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, L = Sunnyvale, O = HTTPS Management Certificate for SonicWALL (self-signed), OU = HTTPS Management Certificate for SonicWALL (self-signed), CN =
            Not Before: Jan  1 00:00:01 1970 GMT
            Not After : Jan 19 03:14:07 2038 GMT
        Subject: C = US, ST = California, L = Sunnyvale, O = HTTPS Management Certificate for SonicWALL (self-signed), OU = HTTPS Management Certificate for SonicWALL (self-signed), CN =
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption

Nothing in that jumps out as terribly wrong to me. I was under the impression that :verify_none should skip any certificate checks. I’m not sure what else to try. That same Mint command works with Any help would be appreciated. Thank you.

1 Like

After way more digging I believe the issue with the certificate is that it is using IA5Strings for the Issuer and Subject fields.

If I download the cert, convert it to der, hex edit the 0x16 (IA5Strings) to 0x13 (PrintableStrings) and then run :public_key.pkix_decode_cert(der_file, :otp) that will complete. I’m not sure if using IA5Strings is in spec for a certificate for the issuer and subject fields. I can’t say I’ve ever came across a client that rejected it before now.

I can actually run :public_key.pkix_decode_cert(der_original, :plain) and that doesn’t seem to care about the asn.1 stuff, but I have no idea if it is possible to somehow pass that :plain atom to any http_clients. Definitely over my head as a beginner at this point. Especially with the issue being more on the Erlang side than with Elixir.

If nothing else I’ve learned more about x.509 certificates than planned, but sadly only got to about line 2 of my elixir project.

1 Like