ssl

ssl

The SSL Application

The Secure Socket Layer (SSL) application provides secure socket communication over TCP/IP.

In previous versions of Erlang/OTP SSL it was advised, as a work-around, to set the operating system environment variable SSL_CERT_FILE to point at a file containing CA certificates. That variable is no longer needed, and is not recognised by Erlang/OTP SSL any more.

However, the OpenSSL package does interpret that environment variable. Hence a setting of that variable might have unpredictable effects on the Erlang/OTP SSL application. It is therefore adviced to not used that environment variable at all.

The following application environment configuration parameters are defined for the SSL application. Refer to application(3) for more information about configuration parameters.

Note that the environment parameters can be set on the command line, for instance,

erl ... -ssl protcol_version '[sslv2,sslv3]' ....

ephemeral_rsa = true | false <optional>

Enables all SSL servers (those that listen and accept) to use ephemeral RSA key generation when a clients connect with weak handshake cipher specifications, that need equally weak ciphers from the server (i.e. obsolete restrictions on export ciphers). Default is false.

debug = true | false <optional>

Causes debug information to be written to standard output. Default is false.

debugdir = path() | false <optional>

Causes debug information output controlled by debug and msgdebug to be printed to a file named ssl_esock.<pid>.log in the directory specified by debugdir, where <pid> is the operating system specific textual representation of the process indentifier of the external port program of the SSL application. Default is false, i.e. no log file is produced.

msgdebug = true | false <optional>

Sets debug = true and causes also the contents of low level messages to be printed to standard output. Default is false.

port_program = string() | false <optional>

Name of port program. The default is ssl_esock.

protocol_version = [sslv2|sslv3|tlsv1] <optional>.

Name of protocols to use. If this option is not set, all protocols are assumed, i.e. the default value is [sslv2, sslv3, tlsv1].

proxylsport = integer() | false <optional>

Define the port number of the listen port of the SSL port program. Almost never is this option needed.

proxylsbacklog = integer() | false <optional>

Set the listen queue size of the listen port of the SSL port program. The default is 128.

The current implementation of the Erlang SSL application is based on the OpenSSL package version 0.9.7 or higher. There are source and binary releases on the web.

Source releases of OpenSSL can be downloaded from the OpenSSL project home page, or mirror sites listed there.

The same URL also contains links to some compiled binaries and libraries of OpenSSL (see the Related/Binaries menu) of which the Shining Light Productions Win32 and OpenSSL pages are of interest for the Win32 user.

For some Unix flavours there are binary packages available on the net.

If you cannot find a suitable binary OpenSSL package, you have to fetch an OpenSSL source release and compile it.

You then have to compile and install the libraries libcrypto.so and libssl.so (Unix), or the libraries libeay32.dll and ssleay32.dll (Win32).

For Unix The ssl_esock port program is delivered linked to OpenSSL libraries in /usr/local/lib, but the default dynamic linking will also accept libraries in /lib and /usr/lib.

If that is not applicable to the particular Unix operating system used, the example Makefile in the SSL priv/obj directory, should be used as a guide to relinking the final version of the port program.

For Win32 it is only required that the libraries can be found from the PATH environment variable, or that they reside in the appropriate SYSTEM32 directory; hence no particular relinking is need. Hence no example Makefile for Win32 is provided.

Users must be aware of export restrictions and patent rights concerning cryptographic software.

application(3)

Peter Högfeldt - support@erlang.ericsson.se