Hi <span class="gD">Ingela,<br>I don't know the reason for the two keys: I got the pem file from an iPhone app developer. I believe this is how Apple generates the files to be used to connect to its servers (APNs).<br>
But I tried removing one of the keys and it worked with the new ssl implementation.<br>Thanks for the tip.<br><br>Regards,<br>Takeshi<br></span><br><div class="gmail_quote">On Mon, Mar 5, 2012 at 5:41 PM, Ingela Anderton Andin <span dir="ltr"><<a href="mailto:ingela@erix.ericsson.se">ingela@erix.ericsson.se</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi!<br>
<br>
The problem is that your file includes two keys and new ssl only expects there to be one. Old ssl was only glue on top of openssl, so<br>
the keyfile was then passed to openssl. So it looks like openssl will pick a key if there is more than one. In a future extension of the ssl application<br>
there might be a reason to handle more keys, but at the moment I am not sure what would be the correct thing to do, we could of course always pick the<br>
first key or something like that if it will preserve some kind of backwards compatibility. Do you know why your file contains two keys? That could<br>
help determine what to do.<br>
<br>
Regards Ingela Erlang/OTP team - Ericsson AB<br>
<br>
mayamatakeshi wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
Hello,<br>
I have this keyfile that I use with the old SSL implementation and it works fine with this code:<br>
<br>
-module(ssl_test).<br>
-export([connect/0]).<br>
<br>
connect() -><br>
ssl:start(),<br>
<br></div>
Address = "gateway.sandbox.push.apple.com",<div>
<div class="h5"><br>
Port = 2195,<br>
CaCert = "entrust_root_certification_authority.pem",<br>
Cert = "server_cerificates_bundle_sandbox.pem",<br>
Key = "server_cerificates_bundle_sandbox.pem",<br>
<br>
Options = [{cacertfile, CaCert}, {certfile, Cert}, {keyfile, Key}, {mode, binary}, {ssl_imp, old}],<br>
Timeout = 1000,<br>
ssl:connect(Address, Port, Options, Timeout).<br>
<br>
<br>
However, when I try to use the new ssl implementation, I get this:<br>
<br>
[root@ipx029 erlang]# erl<br>
Erlang R15B (erts-5.9) [source] [64-bit] [smp:2:2] [async-threads:0] [hipe] [kernel-poll:false]<br>
<br>
Eshell V5.9 (abort with ^G)<br>
1> ssl_test:connect().<br>
{error,ekeyfile}<br>
2><br>
=ERROR REPORT==== 4-Mar-2012::12:08:29 ===<br>
SSL: 1093: error:[{'RSAPrivateKey',<< .... >>,<br>
not_encrypted},<br>
{'RSAPrivateKey',<< .... >>,<br>
not_encrypted}] server_cerificates_bundle_sandbox.pem<br>
[{ssl_connection,init_private_key,5,<br>
[{file,"ssl_connection.erl"},{line,1085}]},<br>
{ssl_connection,ssl_init,2,[{file,"ssl_connection.erl"},{line,1027}]},<br>
{ssl_connection,init,1,[{file,"ssl_connection.erl"},{line,305}]},<br>
{gen_fsm,init_it,6,[{file,"gen_fsm.erl"},{line,343}]},<br>
{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,227}]}]<br>
<br>
<br>
The server_cerificates_bundle_sandbox.pem file has this format:<br>
<br>
Bag Attributes<br>
friendlyName: XXXXXXXX<br>
localKeyID: XXXXXX<br>
subject=XXXXXXX<br>
issuer=XXXXXXX<br>
-----BEGIN CERTIFICATE-----<br>
XXXXXXXXXX<br>
-----END CERTIFICATE-----<br>
Bag Attributes<br>
friendlyName: XXXXXX<br>
localKeyID: XXXXXX<br>
subject=XXXXXXXXXX<br>
issuer=XXXXXXXXX<br>
-----BEGIN CERTIFICATE-----<br>
XXXXXXXXXXXX<br>
-----END CERTIFICATE-----<br>
Bag Attributes<br>
friendlyName: XXXXXXXXX<br>
localKeyID: XXXXXXXX<br>
Key Attributes: <No Attributes><br>
-----BEGIN RSA PRIVATE KEY-----<br>
XXXXXXXXXXXXX<br>
-----END RSA PRIVATE KEY-----<br>
Bag Attributes<br>
friendlyName: XXXXXXXXXXX<br>
localKeyID: XXXXXXXXXXX<br>
Key Attributes: <No Attributes><br>
-----BEGIN RSA PRIVATE KEY-----<br>
XXXXXXXXXXXXX<br>
-----END RSA PRIVATE KEY-----<br>
<br>
So is this format supported by the new ssl implementation? Is this a bug?<br>
Or should I somehow convert this to a different format?<br>
<br>
regards,<br>
Takeshi<br>
<br>
<br>
<br></div></div>
------------------------------------------------------------------------<br>
<br>
_______________________________________________<br>
erlang-bugs mailing list<br>
<a href="mailto:erlang-bugs@erlang.org" target="_blank">erlang-bugs@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-bugs" target="_blank">http://erlang.org/mailman/listinfo/erlang-bugs</a><br>
<br>
</blockquote>
<br>
</blockquote></div><br>
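The thread settles on removing one key by hand. As an added example (not part of the original messages and not OTP code), the module below lists the RSA private keys in a bundle like the one above and writes a key-only PEM file containing the single key whose modulus matches the certificate. The module and function names are hypothetical, and it assumes unencrypted RSA keys and that the first certificate in the bundle is the client certificate; matching by modulus goes beyond what the thread describes.

```erlang
%% Added example: hypothetical helper module, not part of OTP or the thread.
-module(pem_key_check).
-export([private_keys/1, matching_key/1, write_single_key/2]).
-include_lib("public_key/include/public_key.hrl").

%% Unencrypted RSA private-key entries in File, in file order.
%% pem_decode/1 only returns the BEGIN/END blocks; the "Bag Attributes"
%% text between them is skipped.
private_keys(File) ->
    {ok, Bin} = file:read_file(File),
    [E || {'RSAPrivateKey', _Der, not_encrypted} = E <- public_key:pem_decode(Bin)].

%% Find the key that belongs to the first certificate in File
%% (assumption: the first certificate is the client certificate).
%% Returns {ok, PemEntry, NumberOfKeysInFile} or {error, Reason}.
matching_key(File) ->
    {ok, Bin} = file:read_file(File),
    Entries = public_key:pem_decode(Bin),
    case [Der || {'Certificate', Der, not_encrypted} <- Entries] of
        [] ->
            {error, no_certificate};
        [CertDer | _] ->
            Keys = private_keys(File),
            N = cert_modulus(CertDer),
            case [K || K <- Keys, key_modulus(K) =:= N] of
                [Key | _] -> {ok, Key, length(Keys)};
                []        -> {error, no_matching_key}
            end
    end.

%% Write only the matching key to OutFile, readable by the owner only.
write_single_key(File, OutFile) ->
    case matching_key(File) of
        {ok, Key, _Count} ->
            ok = file:write_file(OutFile, public_key:pem_encode([Key])),
            file:change_mode(OutFile, 8#600);
        Error ->
            Error
    end.

%% RSA modulus of the certificate's public key.
cert_modulus(CertDer) ->
    #'OTPCertificate'{tbsCertificate = Tbs} = public_key:pkix_decode_cert(CertDer, otp),
    #'OTPTBSCertificate'{subjectPublicKeyInfo = Spki} = Tbs,
    #'OTPSubjectPublicKeyInfo'{subjectPublicKey = #'RSAPublicKey'{modulus = N}} = Spki,
    N.

%% RSA modulus of a private-key PEM entry.
key_modulus(Entry) ->
    (public_key:pem_entry_decode(Entry))#'RSAPrivateKey'.modulus.
```

The file written by `write_single_key/2` can then be passed as `{keyfile, OutFile}` while `{certfile, Cert}` keeps pointing at the original bundle.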