[erlang-questions] How: SSL for distribution in R11B-5?

Anders Nygren anders.nygren@REDACTED
Tue Nov 6 22:56:34 CET 2007


On Nov 6, 2007 3:19 PM, Michael Regen <michael.regen@REDACTED> wrote:
> Got lots of problems when trying to use SSL as distribution protocol
> for Erlang R11B-5. At the end I either get a crash dump or a pang. I
> am not very experienced with SSL and I'd really appreciate if someone
> here can help!
>
> Currently I am stuck at this point: Everything starts fine but as soon
> as I want to ping the second node I get a pang.
> If I issue an openssl s_client -connect localhost:56047 -showcerts
> I get the following output (... means lines omitted):
>
> CONNECTED(00000003)
> ...
> verify error:num=18:self signed certificate
> ...
> No client certificate CA names sent
> ---
> SSL handshake has read 950 bytes and written 316 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
> ...
>     Key-Arg   : None
>     Start Time: 1194383094
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
>
> Does that mean I did something wrong with the certificates? Just for
> now I don't need anything else than self signed certificates.
>
> What I did so far
> Unfortunately the Erlang user guide for SSL distribution is not easy
> to understand and seems to miss some points. The explanation of how a
> certificate should be created does not really work. Whatever
> certificate I try in the SSL examples folder ends with a crash dump.
> Same for certificates built with the make_certs.erl program.
> The tutorial 'Distributed erlang using ssl through firewalls' on
> trapexit also leaves out this point.
>
> This posting here is the only reference I could find which told me what
> the certificate should look like:
> http://www.trapexit.org/forum/viewtopic.php?p=22483&sid=c1b22ed8f4db4feb8e4997dcaa3122e0
>
> Ah, certificate and key need to be in one file. At the end I followed
> this guide to create my certificate:
> http://sial.org/howto/openssl/self-signed/
>
> I also patched ssl_prim.erl following
> http://www.erlang.org/pipermail/erlang-questions/2007-July/027879.html.
> If I don't patch it, openssl s_client stops after the line
> 'CONNECTED(00000003)'.
>
> Nevertheless netstat --tcp -n still shows me some bytes hanging in the
> Recv-Q of the Erlang server.
>
> Bruce is also right when saying that setting ERL_SSL_DEBUG stops erts
> from starting up:
> http://www.erlang.org/pipermail/erlang-questions/2007-July/027879.html
>
> So for now I am stuck since I don't know what options I have left.
> Anyone here who can help? Thanks in advance!
>
>

It seems SSL distribution is broken in R11B-5.
See these messages for more:

http://www.erlang.org/pipermail/erlang-bugs/2007-July/000386.html

http://www.erlang.org/pipermail/erlang-patches/2007-July/000184.html

/Anders

> Cheers,
> Michael