[erlang-questions] [BUG] nasty, nasty bug in ssl module :)

Gaspar Chilingarov <>
Mon Nov 19 18:05:43 CET 2007


Dear OTP Team,

I've found !@#*!&(@#& nasty bug in ssl module :))))  It took me nearly 
one week to localize this in large setup and find the reason why this 
code fails with strangest errors. I'm using R11B-5 release.

What you need to test this

1. Generate certificate authority using openssl (put CA root certificate 
in ca-cert.crt)
2. Generate server certificate and key (xxx-server.*) and sign using 
that authority.
3. Generate client certificate and key and name them zzzz.*

I've not tested if it fails with another set of certificates, but I have 
one, which makes this error happen. If it's mostly ssl bug and not 
options processing bug -- drop me a mail with certificate request.


Now start ssl server executing following commands:

# works
ssl:start(),
{ok, Serv} = ssl:listen(8555,[
{certfile,"../ssl/xxx-server.cert"},
{keyfile,"../ssl/xxx-server.key"},
{cacertfile,"../ssl/ca-cert.crt"},
{verify,2},
{password,[]},
{depth, 2}
]),
{ok, Cli} = ssl:accept(Serv),
erlang:display(ssl:peercert(Cli,[pkix])).


Connect to this server using client certificate in another erlang shell
ssl:start(),
{ok, S} = ssl:connect("IP.IP.IP.IP", 8555, [{certfile, "zzzz.pem"}, 
{keyfile, "zzzz.key"}, {password, "asdasdasd"}]),
erlang:display(S).

You will see on server console client certificate dumped -- which is 
expected behaviour (we analyze client certificate later in our case).


Now one more case:

# fails with {{badmatch,{error,enoservercert}},[{erl_eval,expr,3}]}
ssl:start(),
{ok, Serv} = ssl:listen(8555,[
{password,[]},
{certfile,"../ssl/xxx-server.cert"},
{verify,2},
{keyfile,"../ssl/xxx-server.key"},
{cacertfile,"../ssl/ca-cert.crt"},
{depth, 2}
]),
{ok, Cli} = ssl:accept(Serv),
erlang:display(ssl:peercert(Cli,[pkix])).

This ever will not start ssl server.


# fails with eagain
ssl:start(),
{ok, Serv} = ssl:listen(8555,[
{certfile,"../ssl/xxx-server.cert"},
{password,[]},
{verify,2},
{keyfile,"../ssl/xxx-server.key"},
{cacertfile,"../ssl/ca-cert.crt"},
{depth, 2}
]),
{ok, Cli} = ssl:accept(Serv),
erlang:display(ssl:peercert(Cli,[pkix])).


This is *the most* strangest error -- it starts the ssl server, accepts 
connection, but fails on ssl:peercert call.


It's interesting -- does anyone had _same_ experience and strange errors 
as described here?


/Gaspar



-- 
Gaspar Chilingarov

System Administrator,
Network security consulting

t +37493 419763 (mob)
i 63174784
e 
w http://zanazan.am/



More information about the erlang-questions mailing list