[erlang-bugs] {error, ekeyfile} when using new ssl implementation

Ingela Anderton Andin <>
Mon Mar 5 09:41:50 CET 2012


Hi!

The problem is that your file includes two keys and new ssl only expects 
there to be one.  old ssl was only a glue on top of openssl so
the keyfile was then passed to openssl.  So it looks like openssl will 
pick a key if there is more than one.  In a future extension of the ssl 
application
there might be a reason to handle more keys, but at the moment I am not 
sure what would be the correct thing to do, we could of course always 
pick the
first key or something like that if  it will preserve some kind of 
backwards compatibility.  Do you know why your file contains two keys? 
That could
help determining what to do.

Regards Ingela Erlang/OTP team - Ericsson AB

mayamatakeshi wrote:
> Hello,
> I have this keyfile that I use with the old SSL implementation and it 
> works fine with this code:
>
> -module(ssl_test).
> -export([connect/0]).
>
> connect() ->
>         ssl:start(),
>
>         Address = "gateway.sandbox.push.apple.com 
> <http://gateway.sandbox.push.apple.com>",
>         Port = 2195,
>         CaCert = "entrust_root_certification_authority.pem",
>         Cert = "server_cerificates_bundle_sandbox.pem",
>         Key = "server_cerificates_bundle_sandbox.pem",
>
>         Options = [{cacertfile, CaCert}, {certfile, Cert}, {keyfile, 
> Key}, {mode, binary}, {ssl_imp, old}],
>         Timeout = 1000,
>         ssl:connect(Address, Port, Options, Timeout).
>
>
> However, when I try to use the new ssl implementation, I get this:
>
> [ erlang]# erl
> Erlang R15B (erts-5.9) [source] [64-bit] [smp:2:2] [async-threads:0] 
> [hipe] [kernel-poll:false]
>
> Eshell V5.9  (abort with ^G)
> 1> ssl_test:connect().
> {error,ekeyfile}
> 2>
> =ERROR REPORT==== 4-Mar-2012::12:08:29 ===
> SSL: 1093: error:[{'RSAPrivateKey',<< .... >>,
>                                    not_encrypted},
>                   {'RSAPrivateKey',<< .... >>,
>                                    not_encrypted}] 
> server_cerificates_bundle_sandbox.pem
>   [{ssl_connection,init_private_key,5,
>                    [{file,"ssl_connection.erl"},{line,1085}]},
>    {ssl_connection,ssl_init,2,[{file,"ssl_connection.erl"},{line,1027}]},
>    {ssl_connection,init,1,[{file,"ssl_connection.erl"},{line,305}]},
>    {gen_fsm,init_it,6,[{file,"gen_fsm.erl"},{line,343}]},
>    {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,227}]}]
>
>
> The server_cerificates_bundle_sandbox.pem file has this format:
>
> Bag Attributes
>     friendlyName: XXXXXXXX
>     localKeyID: XXXXXX
> subject=XXXXXXX
> issuer=XXXXXXX
> -----BEGIN CERTIFICATE-----
> XXXXXXXXXX
> -----END CERTIFICATE-----
> Bag Attributes
>     friendlyName: XXXXXX
>     localKeyID: 
> XXXXXX                                                    
> subject=XXXXXXXXXX
> issuer=XXXXXXXXX
> -----BEGIN CERTIFICATE-----
> XXXXXXXXXXXX
> -----END CERTIFICATE-----
> Bag Attributes
>     friendlyName: XXXXXXXXX
>     localKeyID: XXXXXXXX
> Key Attributes: <No Attributes>
> -----BEGIN RSA PRIVATE KEY-----
> XXXXXXXXXXXXX
> -----END RSA PRIVATE KEY-----
> Bag Attributes
>     friendlyName: XXXXXXXXXXX
>     localKeyID: XXXXXXXXXXX
> Key Attributes: <No Attributes>
> -----BEGIN RSA PRIVATE KEY-----
> XXXXXXXXXXXXX
> -----END RSA PRIVATE KEY-----
>
> So is this format supported by the new ssl implementation? Is this a bug?
> Or should I somehow convert this to a different format?
>
> regards,
> Takeshi
>                             
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> erlang-bugs mailing list
> 
> http://erlang.org/mailman/listinfo/erlang-bugs
>   



More information about the erlang-bugs mailing list