[erlang-questions] How: SSL for distribution in R11B-5?

Michael Regen
Wed Nov 7 11:17:42 CET 2007


On Nov 7, 2007 2:30 AM, Bruce Fitzsimons wrote:
> I'm glad you've got it working, if I could remove that first, incorrect,
> "Success!!" email from the archives I would :-(

No worries! I even saw your second mail, which explained that your first
patch only solved half the problem, while I browsed the mailing
list search hits for ssl. But my brain was not able to bring both
mails into relation. :)

>
> This issue has been impacting a few people, and I will not hold my
> patches up as the ultimate answer. They solve the distribution problem
> but I may have subtly borked SSL; I'd like to see if the test suite ran
> successfully at least. If I'd had another weekend to spend I would have
> reworked the code into something that didn't have so many side-effects
> and/or reached enlightenment about the reasoning behind the existing
> code structure.

Thanks for the warning. We very likely won't need ssl distribution in
production until R12 comes out. I just tried to test it to be prepared
for the time we will need it. And I think we can rely on our Erlang
maintainers that they will fix ssl in the next release.

Another maybe quite dangerous problem with the current SSL implementation:
Even if I turn on
-ssl_dist_opt verify 1 depth 1
server side and use completely bogus self-signed certificates on the
client, Erlang gladly greets me with a prompt. In my understanding if
I turn on verify, SSL should verify the certificates, realize that no
chain of trust can be built and send me to hell!?
Apologies up-front if this behaviour is normal and I misunderstood
something completely!

>
> I would ask that SSL distribution gets added to the test suite though as
> this code compiled cleanly but could never have worked. I don't know of
> any development shop that would willingly let such a thing occur.
>
> (and dear /// I apologise if the tone of my original reports was
> offensive. I was frustrated.)

Since it's probably questionable whether tiny Michael is allowed to
criticize people who dedicate a tremendous amount of time to build
such a terrific system as Erlang, I hope the following is rather
interpreted as fair comment: Please test cryptography packages before
letting them out into the wild!

Cheers,
Michael


