[erlang-patches] SSL distribution fixes

Henrik Nord <>
Mon Jan 16 16:31:35 CET 2012


Yes as Ingela stated I have included this in 'pu'

It was however based on 'master' not maint so I had to rebase it.

A friendly reminder for all of you readers:

pu <base your branch on> maint
bugfixes, small changes, next patch-release. (now R15B01)

master-pu <base your branch on> master
major fixes, changes and new functionality, next major release (now R16)

On 01/16/2012 02:06 PM, Paul Guyot wrote:
> Le 16 janv. 2012 à 10:15, Ingela Andin a écrit :
>> There is one blocking problem that I know of that can happen when
>> a none ssl node tries to contact an ssl node. If the nodename is
>> fairly short the first message can be seen as the begining of a
>> correct "ssl/tls"-packet and then it will wait for more data that
>> never comes and the other end is waiting for the response for its
>> first message. This can be fairly easily fixed by adding a check
>> for the value of the first byte for handshake messages.  We will
>> be adding this for the next release. This has however not
>> interfered with the legitimate nodes in our tests.
> This probably is what happens. The other bug I saw is that the client can timeout (using dist_utils:timer) while the proxy doesn't handle this.
> What is the rationale behind the use of the proxy? Isn't it related to the old implementation of SSL?
> Eventually, we are running a cluster with currently a dozen nodes using the new implementation and the following fixes:
> - the proxy is made more robust to a death of the caller (the crash I reported, typically after a timeout);
> - inet_tls_dist:setup/5 now links the process just like what inet_tcp_dist:setup/5 does (I also set the priority to maximum like inet_tcp_dist does);
> - #hs_data.f_address function was updated to handle the case where the node disappeared, just like inet_tcp_dist does as well. This was done by exporting get_tcp_address from ssl_tls_dist_proxy and changing its return type.
> Besides, the proxy is now running on the loopback interface only (the sockets listen on {127,0,0,1}) as it is not meant to be connected from another node, from what I understand...
> The patch can be found here:
> https://github.com/pguyot/otp/compare/ssl_dist-fixes
> git fetch git://github.com/pguyot/otp.git ssl_dist-fixes
> Paul

/Henrik Nord Erlang/OTP

More information about the erlang-patches mailing list