[erlang-questions] Setting up Erlang R12B3 ssl-3.9 inet_ssl distribution (Re: Erlang R12B3 inet_ssl_dist does not work with ssl-3.9)

Kenji Rikitake kenji.rikitake@REDACTED
Wed Sep 3 11:28:01 CEST 2008


In the message <20080824040300.GA78691@REDACTED>
dated Sun, Aug 24, 2008 at 01:02:37PM +0900,
Kenji Rikitake <kenji.rikitake@REDACTED> writes:
> I have been trying many times to start Erlang SSL distribution on R12B3
> with ssl-3.9, which hasn't been successful.  
> I'm running Erlang VM on FreeBSD 6.3-RELEASE.

I finally found out that setting the client/server key pairs of
inet_ssl_dist solved the problem, which was written at:

http://www.trapexit.org/forum/viewtopic.php?p=22404#22404

I had to build client/server self-signed keys as written in:

http://sial.org/howto/openssl/self-signed/

So the real problems were:
 
* ssl-3.9 manual Chapter 5 does not represent the R12B3 implementation
  difference.

In R12B3:

* In creating start_ssl.boot as described in ssl-3.9 manual section
  5.2, two warnings remain:

1> systools:make_script("start_ssl",[]).
*WARNING* ssl: Source code not found: ssl_pkix_oid.erl
*WARNING* ssl: Source code not found: 'OTP-PKIX'.erl
ok

To suppress the warning messages, creating symbolic links worked:
 
(cd $ERLANG_TOP/lib/ssl-3.9/src;
 ln -s ../pkix/OTP-PKIX.erl;
 ln -s ../pkix/ssl_pkix_oid.erl;)

* Even after the boot script is built, ssl_server is not registered,
  although it is supposed to be, as described in ssl manual Section 5.2.
  This is due to the ssl-3.9 implementation; to invoke ssl_server, do
  ssl:version() so that a version number tuple like the following is returned:

{ok,{"3.9","OpenSSL 0.9.7e-p1 25 Oct 2004",
           "OpenSSL 0.9.7e-p1 25 Oct 2004"}}

* The starting sequence written in Section 5.5 is *mandatory*
  to start up the Erlang Shell with inet_ssl distribution.
  Specifically, the server_certfile and client_certfile options
  of -ssl_dist_opt are *required*; otherwise, the shell will not
  start.  A startup script example is:
  
erl -boot /my/dir1/start_ssl \
    -proto_dist inet_ssl \
    -name a1 \
    -ssl_dist_opt server_certfile \
        /my/certs/host.pem \
    -ssl_dist_opt client_certfile \
        /my/certs/host.pem \
    -ssl_dist_opt verify 1 depth 1

* Summary: Section 5 of the ssl-3.9 manual has to be brought up to date
           to represent the implementation difference.

(Yes, I tcpdump'ed the packets, and the exchange between two inet_ssl hosts
was actually encrypted :-))

Regards,
Kenji Rikitake
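
A pre-flight check for the startup sequence in the message above, as an added example that is not part of the original post or of Erlang/OTP. It assumes host.pem carries both the certificate and an unencrypted private key in one PEM file (the post passes the same file to both options); the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: validate the PEM named in -ssl_dist_opt before starting erl.
# Assumption: one PEM file holds the certificate and its private key.

# pem_has KIND FILE: true when FILE has BEGIN and END markers for KIND
pem_has() {
    grep -q -e "-----BEGIN [A-Z ]*$1-----" "$2" &&
    grep -q -e "-----END [A-Z ]*$1-----" "$2"
}

# check_dist_pem FILE
# returns 0 usable, 1 missing or unreadable, 2 no certificate,
#         3 no private key, 4 key material readable by group or others
check_dist_pem() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    pem_has "CERTIFICATE" "$1" || return 2
    pem_has "PRIVATE KEY" "$1" || return 3
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ] || return 4
    return 0
}

# start_ssl_node BOOT NAME PEM: run the check, then exec erl with the
# same options as the startup script in the post
start_ssl_node() {
    check_dist_pem "$3" || {
        rc=$?
        echo "refusing to start: $3 failed check (code $rc)" >&2
        return "$rc"
    }
    exec erl -boot "$1" -proto_dist inet_ssl -name "$2" \
        -ssl_dist_opt server_certfile "$3" \
        -ssl_dist_opt client_certfile "$3" \
        -ssl_dist_opt verify 1 depth 1
}
```

With the paths from the post, the call would be `start_ssl_node /my/dir1/start_ssl a1 /my/certs/host.pem`; a non-zero code names the reason before erl is ever started.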


