[erlang-bugs] {error, ekeyfile} when using new ssl implementation
Ingela Anderton Andin
ingela@REDACTED
Mon Mar 5 09:41:50 CET 2012
Hi!
The problem is that your file includes two keys and new ssl only expects
there to be one. old ssl was only a glue on top of openssl so the keyfile
was then passed to openssl. So it looks like openssl will pick a key if
there is more than one. In a future extension of the ssl application there
might be a reason to handle more keys, but at the moment I am not sure what
would be the correct thing to do, we could of course always pick the first
key or something like that if it will preserve some kind of backwards
compatibility. Do you know why your file contains two keys? That could
help determining what to do.
Regards Ingela Erlang/OTP team - Ericsson AB
mayamatakeshi wrote:
> Hello,
> I have this keyfile that I use with the old SSL implementation and it
> works fine with this code:
>
> -module(ssl_test).
> -export([connect/0]).
>
> connect() ->
>     ssl:start(),
>
>     Address = "gateway.sandbox.push.apple.com",
>     Port = 2195,
>     CaCert = "entrust_root_certification_authority.pem",
>     Cert = "server_cerificates_bundle_sandbox.pem",
>     Key = "server_cerificates_bundle_sandbox.pem",
>
>     Options = [{cacertfile, CaCert}, {certfile, Cert}, {keyfile, Key},
>                {mode, binary}, {ssl_imp, old}],
>     Timeout = 1000,
>     ssl:connect(Address, Port, Options, Timeout).
>
>
> However, when I try to use the new ssl implementation, I get this:
>
> [root@REDACTED erlang]# erl
> Erlang R15B (erts-5.9) [source] [64-bit] [smp:2:2] [async-threads:0] [hipe] [kernel-poll:false]
>
> Eshell V5.9 (abort with ^G)
> 1> ssl_test:connect().
> {error,ekeyfile}
> 2>
> =ERROR REPORT==== 4-Mar-2012::12:08:29 ===
> SSL: 1093: error:[{'RSAPrivateKey',<< .... >>,
> not_encrypted},
> {'RSAPrivateKey',<< .... >>,
> not_encrypted}]
> server_cerificates_bundle_sandbox.pem
> [{ssl_connection,init_private_key,5,
> [{file,"ssl_connection.erl"},{line,1085}]},
> {ssl_connection,ssl_init,2,[{file,"ssl_connection.erl"},{line,1027}]},
> {ssl_connection,init,1,[{file,"ssl_connection.erl"},{line,305}]},
> {gen_fsm,init_it,6,[{file,"gen_fsm.erl"},{line,343}]},
> {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,227}]}]
>
>
> The server_cerificates_bundle_sandbox.pem file has this format:
>
> Bag Attributes
> friendlyName: XXXXXXXX
> localKeyID: XXXXXX
> subject=XXXXXXX
> issuer=XXXXXXX
> -----BEGIN CERTIFICATE-----
> XXXXXXXXXX
> -----END CERTIFICATE-----
> Bag Attributes
> friendlyName: XXXXXX
> localKeyID: XXXXXX
> subject=XXXXXXXXXX
> issuer=XXXXXXXXX
> -----BEGIN CERTIFICATE-----
> XXXXXXXXXXXX
> -----END CERTIFICATE-----
> Bag Attributes
> friendlyName: XXXXXXXXX
> localKeyID: XXXXXXXX
> Key Attributes: <No Attributes>
> -----BEGIN RSA PRIVATE KEY-----
> XXXXXXXXXXXXX
> -----END RSA PRIVATE KEY-----
> Bag Attributes
> friendlyName: XXXXXXXXXXX
> localKeyID: XXXXXXXXXXX
> Key Attributes: <No Attributes>
> -----BEGIN RSA PRIVATE KEY-----
> XXXXXXXXXXXXX
> -----END RSA PRIVATE KEY-----
>
> So is this format supported by the new ssl implementation? Is this a bug?
> Or should I somehow convert this to a different format?
>
> regards,
> Takeshi
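
Following the diagnosis in the reply above, an added example (not code from this thread or from Erlang/OTP) that inspects a PEM bundle before it is handed to ssl, refuses to guess when more than one private key is present, and can write a key file holding only the key the operator explicitly selects. The module and function names are hypothetical; the `{key, {Type, Der}}` option form is an assumption about your OTP release, so check its ssl documentation.

```erlang
%% Added example; module and function names are hypothetical.
-module(pem_key_check).
-export([key_entries/1, single_key_option/1, write_single_key/3]).

-define(KEY_TYPES, ['RSAPrivateKey', 'DSAPrivateKey',
                    'ECPrivateKey', 'PrivateKeyInfo']).

%% Return every private-key entry in a PEM file. Entries have the shape
%% {Type, Der, CipherInfo}, as seen in the error report in the thread.
%% Certificates and the "Bag Attributes" text between blocks are skipped.
key_entries(File) ->
    {ok, Pem} = file:read_file(File),
    [E || {Type, _Der, _Cipher} = E <- public_key:pem_decode(Pem),
          lists:member(Type, ?KEY_TYPES)].

%% Build an ssl key option only when the file holds exactly one
%% unencrypted private key; otherwise return an error instead of
%% silently picking one.
single_key_option(File) ->
    case key_entries(File) of
        [{Type, Der, not_encrypted}] -> {ok, {key, {Type, Der}}};
        [_Encrypted]                 -> {error, encrypted_key};
        []                           -> {error, no_private_key};
        Keys -> {error, {multiple_private_keys, length(Keys)}}
    end.

%% Write the Nth (1-based) private key of File to OutFile, so that
%% {keyfile, OutFile} sees exactly one key. The choice of N is made by
%% the operator, not by the code. The output file is created empty and
%% restricted to the owner before any key material is written to it.
write_single_key(File, N, OutFile) when is_integer(N), N >= 1 ->
    Keys = key_entries(File),
    case N =< length(Keys) of
        false ->
            {error, {no_such_key, N, length(Keys)}};
        true ->
            Entry = lists:nth(N, Keys),
            ok = file:write_file(OutFile, <<>>),
            ok = file:change_mode(OutFile, 8#00600),
            file:write_file(OutFile, public_key:pem_encode([Entry]))
    end.
```

Against the bundle format shown in the quoted message, `single_key_option/1` would return `{error, {multiple_private_keys, 2}}` rather than letting the connection fail later with `ekeyfile`.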