sovap

sovap

How to handle bad certificates

What is the best way to connect to an api that has a bad certificate? I am new to Elixir and was trying for my first project to rewrite a tool I use to give a base config to firewalls. As these firewalls haven’t been configured yet all they have is a self signed certificate.

I tried the following:

{:ok, conn} = Mint.HTTP.connect(:https, "192.168.168.168", 4430, transport_opts: [verify: :verify_none])

But errors out with:

** (exit) exited in: :gen_statem.call(#PID<0.225.0>, {:start, 30000}, :infinity)
    ** (EXIT) an exception was raised:
        ** (CaseClauseError) no case clause matching: {:error, {:asn1, {
              {:invalid_choice_tag, {22, "US"}}, 
              [{:"OTP-PUB-KEY", :"dec_OTP-X520countryname", 2, [file: ~c"../src/OTP-PUB-KEY.erl", line: 17797]}, 
              {:"OTP-PUB-KEY", :decode, 2, [file: ~c"../src/OTP-PUB-KEY.erl", line: 1233]}, 
              {:pubkey_cert_records, :transform, 2, [file: ~c"pubkey_cert_records.erl", line: 65]}, 
              {:lists, :map, 2, [file: ~c"lists.erl", line: 1559]}, 
              {:pubkey_cert_records, :transform, 2, [file: ~c"pubkey_cert_records.erl", line: 92]}, 
              {:pubkey_cert_records, :decode_tbs, 1, [file: ~c"pubkey_cert_records.erl", line: 330]}, 
              {:pubkey_cert_records, :decode_cert, 1, [file: ~c"pubkey_cert_records.erl", line: 42]}, 
              {:public_key, :pkix_decode_cert, 2, [file: ~c"public_key.erl", line: 522]}]}}}
            (public_key 1.14.1) pubkey_cert_records.erl:65: :pubkey_cert_records.transform/2
            (stdlib 5.1.1) lists.erl:1559: :lists.map/2
            (public_key 1.14.1) pubkey_cert_records.erl:92: :pubkey_cert_records.transform/2
            (public_key 1.14.1) pubkey_cert_records.erl:330: :pubkey_cert_records.decode_tbs/1
            (public_key 1.14.1) pubkey_cert_records.erl:42: :pubkey_cert_records.decode_cert/1
            (public_key 1.14.1) public_key.erl:522: :public_key.pkix_decode_cert/2
            (public_key 1.14.1) public_key.erl:1105: :public_key.pkix_subject_id/1
            (ssl 11.0.3) tls_handshake_1_3.erl:838: :tls_handshake_1_3.split_cert_entries/4
    (stdlib 5.1.1) gen.erl:246: :gen.do_call/4
    (stdlib 5.1.1) gen_statem.erl:905: :gen_statem.call/3
    (ssl 11.0.3) ssl_gen_statem.erl:1323: :ssl_gen_statem.call/2
    (ssl 11.0.3) ssl_gen_statem.erl:253: :ssl_gen_statem.handshake/2
    (ssl 11.0.3) ssl_gen_statem.erl:222: :ssl_gen_statem.connect/8
    (ssl 11.0.3) ssl.erl:631: :ssl.connect/4
    (mint 1.5.1) lib/mint/core/transport/ssl.ex:342: Mint.Core.Transport.SSL.connect/4
    iex:1: (file)

The certificate in question looks like

>openssl x509 -inform pem -noout -text -in .\192.168.168.168.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            33:53:ba:3b:ce:a9:9e:68:b0:83:09:64:73:30:4b:7f:4f:4e:b8:b2
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, L = Sunnyvale, O = HTTPS Management Certificate for SonicWALL (self-signed), OU = HTTPS Management Certificate for SonicWALL (self-signed), CN = 192.168.168.168
        Validity
            Not Before: Jan  1 00:00:01 1970 GMT
            Not After : Jan 19 03:14:07 2038 GMT
        Subject: C = US, ST = California, L = Sunnyvale, O = HTTPS Management Certificate for SonicWALL (self-signed), OU = HTTPS Management Certificate for SonicWALL (self-signed), CN = 192.168.168.168
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00...
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         3a...

Nothing in that jumps out as terribly wrong to me. I was under the impression that :verify_none should skip any certificate checks. I’m not sure what else to try. That same Mint command works with self-signed.badssl.com. Any help would be appreciated. Thank you.

Most Liked

sovap

sovap

After way more digging I believe the issue with the certificate is that it is using IA5Strings for the Issuer and Subject fields.

If I download the cert, convert it to der, hex edit the 0x16 (IA5Strings) to 0x13 (PrintableStrings) and then run :public_key.pkix_decode_cert(der_file, :otp) that will complete. I’m not sure if using IA5Strings is in spec for a certificate for the issuer and subject fields. I can’t say I’ve ever came across a client that rejected it before now.

I can actually run :public_key.pkix_decode_cert(der_original, :plain) and that doesn’t seem to care about the asn.1 stuff, but I have no idea if it is possible to somehow pass that :plain atom to any http_clients. Definitely over my head as a beginner at this point. Especially with the issue being more on the Erlang side than with Elixir.

If nothing else I’ve learned more about x.509 certificates than planned, but sadly only got to about line 2 of my elixir project.

Where Next?

Popular in Questions Top

jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
minhajuddin
I have seen a lot of code which picks the first element from a list using Enum.at(0) instead of List.first. Is there a reason why people ...
New
nobody
How to bind a phoenix app to a specific ip address? could not find anything about that, nowhere, unfortunately, but for me this is quite...
New
jaysoifer
Is there a way to rollback a specific migration and only that one (“skipping” all the other ones)? Would mix ecto.rollback -v 200809061...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
SoCreat
i’m a new one to elixir which editor can i use vs code? or atom? Thanks! :smiley:
New
script
If I have a string “1000 cfu/ml” . I want to remove the characters and / and space . So the string is like this "1000" What is the ...
New
rms.mrcs
Hi, I need to transform a list of numbers into a map where the keys are the indexes and the values are the original values of the list. ...
New
hariharasudhan94
I would like to know what is the best IDE for elixir development?
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" =&gt; #BSON.ObjectId&lt;58eb1a7a9ad169198c3dXXXX&gt;, "email" =&gt; ...
New

Other popular topics Top

9mm
I am constructing a JSON object (map) and I need to conditionally set a field. I’m trying to write proper elixir-way code… and I’m at a l...
New
siddhant3030
Hi, I have to write a raw query for one of my project. But till now I have used ecto queries and don’t have much experience writing raw ...
New
josevalim
Hi everyone, One of the features added to Elixir early on to help integration with Erlang code was the idea of overridable function defi...
New
vonH
When I run the Plug and I recompile I wind up having to use Ctrl C to quit iex and start again. Witht the help of rlwrap I can use the cu...
New
AstonJ
Please see the new poll here: Which code editor or IDE do you use? (Poll) (2022 Edition) It’s been a while since we first asked this, I...
208 31142 143
New
saif
Hello everyone, Long time lurker first time poster here. I’ve recently begun working on Elixir full-time again! :raised_hands: It’s been...
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
joaquinalcerro
Hi there, I am working with Ecto-Postgresql and I need to call all of the records from a specific table but the table has 40,000 records...
New
hariharasudhan94
I would like to know what is the best IDE for elixir development?
New
AstonJ
Seen any cool LiveView demos, sample apps or examples? Please post them here! :003:
New

We're in Beta

About us Mission Statement