{error,enoent} when private key is in system ca-certificates #9565

Open
weisslj opened this issue Mar 10, 2025 · 3 comments
Labels: bug (Issue is reported as a bug), priority:medium, team:PS (Assigned to OTP team PS), team:VM (Assigned to OTP team VM)

Comments

weisslj (Contributor) commented Mar 10, 2025

Describe the bug
From an experiment with mitmproxy I had a private key in my /etc/ssl/certs/ca-certificates.crt. Up until now it worked well, but with Elixir >= 1.17 I get a nasty crash in mix, see elixir-lang/elixir#14322 for that. It took a while to debug because despite a parse error OTP returns:

1> pubkey_os_cacerts:load().
{error,enoent}

This is misleading, better would be {error,wrong_format} or something like that. This is due to a "catchall" in the implementation.

To Reproduce
Copy broken-ca-certificates-minimal.crt.txt to e.g. /etc/ssl/certs/ca-certificates.crt, and execute the function above.

Expected behavior
An error message that does not say "file not found". Or just skip over the private key, like all other libraries seem to do.

Affected versions
OTP >= 25

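The distinction the report asks for (a missing file versus a bundle that parses but contains a non-certificate entry) can be made explicit when loading a PEM bundle. The following Erlang module is an added example and not OTP's own code; the module name ca_bundle_check and its functions are hypothetical, and the PEM bodies in demo/0 are constructed dummies:

```erlang
%% ca_bundle_check.erl -- hypothetical module, not part of OTP.
-module(ca_bundle_check).
-export([load/1, check_bundle/1, demo/0]).

%% Load a PEM CA bundle and return only its certificates, keeping the
%% file error (enoent, eacces, ...) separate from a content problem.
load(Path) ->
    case file:read_file(Path) of
        {ok, Bin}       -> check_bundle(Bin);
        {error, Reason} -> {error, {read_failed, Path, Reason}}
    end.

%% Classify every PEM entry instead of letting one bad entry collapse
%% everything into a generic error. Non-certificate entries (private
%% keys included) are reported by their PEM type so the caller, or a
%% log line, can say exactly what was found in the bundle.
check_bundle(Bin) when is_binary(Bin) ->
    try public_key:pem_decode(Bin) of
        []      -> {error, no_pem_entries};
        Entries -> split(Entries, [], [])
    catch
        Class:Reason -> {error, {bad_pem, Class, Reason}}
    end.

split([], Certs, []) ->
    {ok, lists:reverse(Certs)};
split([], _Certs, Unexpected) ->
    {error, {unexpected_entries, lists:reverse(Unexpected)}};
split([{'Certificate', Der, not_encrypted} | Rest], Certs, Unexpected) ->
    split(Rest, [Der | Certs], Unexpected);
split([{Type, _Der, _Cipher} | Rest], Certs, Unexpected) ->
    split(Rest, Certs, [Type | Unexpected]).

%% Constructed input: the PEM bodies are dummy base64, enough for
%% pem_decode/1 to label the entries; they are not real keys or certs.
demo() ->
    Bundle = <<"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
               "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n">>,
    {error, {unexpected_entries, ['RSAPrivateKey']}} = check_bundle(Bundle),
    {error, {read_failed, _, enoent}} = load("/nonexistent/ca-certificates.crt"),
    ok.
```

Calling ca_bundle_check:demo() returns ok when both the "private key in bundle" case and the "file does not exist" case produce their own distinct error terms.
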
weisslj added the bug label Mar 10, 2025

weisslj changed the title from "{error,enoent} when private key is in system ca-certificates.crt" to "{error,enoent} when private key is in system ca-certificates" Mar 10, 2025
IngelaAndin added the team:PS label Mar 11, 2025
IngelaAndin added the priority:medium and team:VM labels Mar 11, 2025
IngelaAndin (Contributor) commented

Although I think it is a very unexpected and strange thing to do (not wise from a security perspective) to add a private key to the ca-cert file, it could be reasonable to ignore the key entry; ssl will do that if the ca-cert file is added as the cacertfile option. But probably it would in this particular case be good to have an error, or at least a log, to make the user aware that this is a bad idea. I think it is always a bad idea, but when using more customized files they might be better protected. But the os-cacert file is supposed to have public information only.

weisslj (Contributor, Author) commented Mar 23, 2025

@IngelaAndin Yes, I agree, a private certificate in a ca-cert file is of course bad. It was just from a local experiment with mitmproxy. I think it would be better to ignore it (but a warning sounds good), as it is in line with what other SSL libraries do. But even an error would be fine for me. What is not good in my opinion is returning enoent on any parse error, like it is now (because of this error atom it took me quite some time to find the root cause).
