SSL clients

Peter Högfeldt peter@REDACTED
Thu May 30 20:56:06 CEST 2002


Having a self-signed certificate at level zero is considered an error
in the OTP SSL application. That is rather silly (I did it), for then
you could not use SSL as a top CA, for instance. I will record it as
a bug to be fixed for R9. 

I attach the following certificate files so you can easily continue
testing.  The certificates are not self-signed and are used in the OTP SSL
test suites. They do work with verify = 0 (the client does not even need
one).  

	file			use for option
	----			--------------
	ssl_server.pem		certfile
	ssl_client.pem		certfile

I also attach a set of certificate and key files for true verifying.   

	file			use for option
	----			--------------
	allcacert.pem 		cacertfile
	servcert.pem		certfile
	servkey.pem		keyfile
	clntcert.pem		certfile
	clntkey.pem		keyfile	

Note however that the option `cacertfile' does not work due to a bug in
SSLeay (maybe it works in OpenSSL), so you have to set the OS environment
variable SSL_CERT_FILE to "<path>/allcacert.pem". This sad fact is 
documented in the release notes. 

For R9 I will abandon SSLeay for OpenSSL, and try to sort out the
weaknesses. 

/Peter

-------------------------------------------------------------------------
Peter Högfeldt			e-mail  : peter@REDACTED
Open Telecom Platform		Phone:  : +46 (8) 727 57 58
Ericsson AB			Mobile	: +46  070-519 57 51
S-126 25 STOCKHOLM		Fax:	: +46 (8) 727 5775
Office address:			Armborstvägen 1, Älvsjö

"Computers are machines that do exactly what you tell them,
 but often surprise you in the result."
		Richard Dawkins in The Blind Watchmaker


On Thu, 30 May 2002, Sean Hinde wrote:

> Hi,
> 
> I'm having a bit of trouble getting ssl:connect/3 to work. I don't have an
> officially CA'd set of certificates but I've tried with self generated ones,
> the ones included with openssl, the ones included with inets, and the ones
> included with yaws..
> 
> I get as far as failing with {error, eselfsignedcert}. Connecting with
> Netscape is fine - I agree to accept the certificate offered and I'm in -
> ssl:connect/3 appears to offer the {verify,N} option which should allow me
> to replicate this sort of behaviour but regardless of what I set this to, I
> always get thrown out.
> 
> Has anyone managed to get this to work? Any useful hints are most welcome.
> 
> Thanks,
> 
> Sean
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pem-files.tar.gz
Type: application/octet-stream
Size: 5451 bytes
Desc: 
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20020530/030d7a66/attachment.obj>
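Added example (not from the message or OTP): the attached file set wired into the R8-era ssl option syntax the message uses ({verify, 0|1|2}, certfile, keyfile, cacertfile, depth), with the SSL_CERT_FILE workaround applied before the ssl application starts; the module name, the directory path and the port are assumptions. Current OTP replaces the numeric verify codes with {verify, verify_peer}, but the file-to-option mapping is unchanged.

```erlang
-module(ssl_verify_example).
-export([server/2, client/3]).

%% Directory holding the attached allcacert.pem, servcert.pem, servkey.pem,
%% clntcert.pem and clntkey.pem; the path is an assumption.
-define(DIR, "/tmp/pem-files").
pem(File) -> filename:join(?DIR, File).

%% Work around the cacertfile bug the message describes: SSLeay only reads the
%% CA bundle from SSL_CERT_FILE, so export it before the ssl port program starts.
setup() ->
    os:putenv("SSL_CERT_FILE", pem("allcacert.pem")),
    ssl:start().

%% Server side: presents servcert.pem, requires a client certificate
%% (verify = 2 fails the handshake if none is offered) and echoes one message.
server(Port, Depth) ->
    setup(),
    Opts = [binary, {active, false},
            {certfile, pem("servcert.pem")}, {keyfile, pem("servkey.pem")},
            {cacertfile, pem("allcacert.pem")},  % set anyway; SSL_CERT_FILE does the work
            {verify, 2}, {depth, Depth}],
    {ok, Listen} = ssl:listen(Port, Opts),
    {ok, Sock} = ssl:accept(Listen),
    {ok, Data} = ssl:recv(Sock, 0),
    ok = ssl:send(Sock, Data),
    ssl:close(Sock),
    ssl:close(Listen).

%% Client side: verifies the server chain against allcacert.pem (verify = 1) and
%% presents clntcert.pem so the server's verify = 2 is satisfied. Depth 1 admits
%% the CA-signed server cert; a self-signed server cert sits at depth 0, which is
%% the case the message records as the R8 bug ({error, eselfsignedcert}).
client(Host, Port, Depth) ->
    setup(),
    Opts = [binary, {active, false},
            {certfile, pem("clntcert.pem")}, {keyfile, pem("clntkey.pem")},
            {cacertfile, pem("allcacert.pem")},
            {verify, 1}, {depth, Depth}],
    case ssl:connect(Host, Port, Opts) of
        {ok, Sock} ->
            ok = ssl:send(Sock, <<"hello">>),
            Reply = ssl:recv(Sock, 0),
            ssl:close(Sock),
            Reply;
        {error, _} = Err ->
            Err
    end.
```

Run server/2 in one node and client/3 in another (e.g. `ssl_verify_example:client("localhost", 4433, 1)`); the client returns `{ok, <<"hello">>}` on a verified mutual handshake and the `{error, Reason}` tuple otherwise.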