[erlang-questions] Setting up Erlang R12B3 ssl-3.9 inet_ssl distribution (Re: Erlang R12B3 inet_ssl_dist does not work with ssl-3.9)
Kenji Rikitake
kenji.rikitake@REDACTED
Wed Sep 3 11:28:01 CEST 2008
In the message <20080824040300.GA78691@REDACTED>
dated Sun, Aug 24, 2008 at 01:02:37PM +0900,
Kenji Rikitake <kenji.rikitake@REDACTED> writes:
> I have been trying many times to start Erlang SSL distribution on R12B3
> with ssl-3.9, which hasn't been successful.
> I'm running Erlang VM on FreeBSD 6.3-RELEASE.

I finally found out that setting the client/server key pairs of
inet_ssl_dist solved the problem, which was written at:
http://www.trapexit.org/forum/viewtopic.php?p=22404#22404

I had to build client/server self-signed keys as written in:
http://sial.org/howto/openssl/self-signed/

So the real problems were:

* ssl-3.9 manual Chapter 5 does not represent the R12B3 implementation
  difference.

In R12B3:

* In creating start_ssl.boot as described in ssl-3.9 manual section
  5.2, two warnings remain:

    1> systools:make_script("start_ssl",[]).
    *WARNING* ssl: Source code not found: ssl_pkix_oid.erl
    *WARNING* ssl: Source code not found: 'OTP-PKIX'.erl
    ok

  To suppress the warning messages, creating symbolic links worked:

    # run in a subshell; stop if the cd fails so no links land elsewhere
    (cd "$ERLANG_TOP/lib/ssl-3.9/src" &&
     ln -s ../pkix/OTP-PKIX.erl &&
     ln -s ../pkix/ssl_pkix_oid.erl)

* Even after the boot script is built, ssl_server is not registered,
  which it is supposed to be, as described in ssl manual Section 5.2.
  This is due to the ssl-3.9 implementation; to invoke ssl_server, do
  ssl:version() so that a version number tuple like the following is
  returned:

    {ok,{"3.9","OpenSSL 0.9.7e-p1 25 Oct 2004",
         "OpenSSL 0.9.7e-p1 25 Oct 2004"}}

* The starting sequence written in Section 5.5 is *mandatory*
  to start up the Erlang Shell with inet_ssl distribution.
  Specifically, the server_certfile and client_certfile options
  of -ssl_dist_opt are *required*; otherwise, the shell will not
  start. A startup script example is:

    erl -boot /my/dir1/start_ssl \
        -proto_dist inet_ssl \
        -name a1 \
        -ssl_dist_opt server_certfile \
        /my/certs/host.pem \
        -ssl_dist_opt client_certfile \
        /my/certs/host.pem \
        -ssl_dist_opt verify 1 depth 1

* Summary: Section 5 of the ssl-3.9 manual has to be brought up to date
  to represent the implementation difference.

(Yes, I tcpdump'ed the packets, and the exchange between two inet_ssl hosts
was actually encrypted :-))

Regards,
Kenji Rikitake
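
Added example, not part of the original message: since the post reports that the shell will not start without server_certfile and client_certfile, this sh preflight checks both PEM files before printing the erl command line from the post. It assumes each PEM holds the certificate and its private key in one file; the function names check_dist_pem and dist_command are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: each PEM passed to
# -ssl_dist_opt holds the certificate and its private key in one file.

# check_dist_pem FILE -> 0 ok, 1 unreadable, 2 no cert, 3 no key, 4 loose mode
check_dist_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "missing or unreadable: $pem" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate block in $pem" >&2; return 2; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "no private key block in $pem" >&2; return 3; }
    # The file carries a private key: group and other must have no access.
    perms=$(ls -lL "$pem" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "$pem is open to group/other ($perms)" >&2; return 4; }
    return 0
}

# dist_command BOOT NAME SERVER_PEM CLIENT_PEM
# Prints the erl command line from the post once both PEM files pass.
dist_command() {
    check_dist_pem "$3" || return $?
    check_dist_pem "$4" || return $?
    printf 'erl -boot %s -proto_dist inet_ssl -name %s' "$1" "$2"
    printf ' -ssl_dist_opt server_certfile %s' "$3"
    printf ' -ssl_dist_opt client_certfile %s' "$4"
    printf ' -ssl_dist_opt verify 1 depth 1\n'
}

# Constructed sample input: placeholder PEM markers, not real key material.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
    '-----END CERTIFICATE-----' '-----BEGIN RSA PRIVATE KEY-----' \
    'constructed' '-----END RSA PRIVATE KEY-----' > "$demo/host.pem"
chmod 600 "$demo/host.pem"
dist_command /my/dir1/start_ssl a1 "$demo/host.pem" "$demo/host.pem"
rm -rf "$demo"
```

The marker check only confirms that the blocks are present; it does not validate the certificate or that the key matches it.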