[erlang-questions] SSL key / password problems

Ingela Andin <>
Thu Aug 9 15:09:51 CEST 2012


Hi!

2012/7/23, Matthew Harrell <>:
>
> I searched but all the information I found was very dated and didn't seem
> to help any.  Most of these examples are just a few modifications on what
> is found here
>
>   http://www.erlang.org/doc/apps/ssl/using_ssl.html
>
> First, only TLS v1 is supported at the moment in R15B01, right?  Not 1.1 or
> 1.2?

Correct, but support for TLS 1.1 and TLS 1.2 will be released in a near future.

>
> I have a key pair with protected with the password "password" called
> client.crt and client.key.  When I try to start up a client connection
> using that pair I get
>
>   ssl:start().
>   {ok, Socket} = ssl:connect("localhost",
>                              9950,
>                              [{certfile, "client.crt"},
>                               {keyfile, "client.key"}],
>                              infinity).
>   ** exception error: no match of right hand side value {error,ekeyfile}
>
> which is fine because it can't open the private key.  But when I try
>
>   {ok, Socket} = ssl:connect("localhost",
>                              9950,
>                              [{certfile, "example/client.crt"},
>                               {keyfile, "example/client.key"},
>                               {password, "password"}],
>                              infinity).
>   ** exception error: no match of right hand side value {error,ekeyfile}
>
> I get the same error.  What am I doing wrong?  Isn't that the point of the
> password option?  When I try things with openssl like the following it
> works fine
>
>   openssl s_client -cert example/client.crt -key example/client.key \
>    -CAfile example/ca.pem -pass pass:password -state -connect
> 127.0.0.1:9950

The password option should be working fine. You have different paths
in your examples
could that be it?  (I will look further into this to make sure that
nothing is broken, seems we
only have proper tests for this on public key level and not on ssl level)

> Also if I try to load the CA files I get messages about them not being
> decoded properly
>
>   {ok, Socket} = ssl:connect("localhost",
>                              9950,
>                              [{cacertfile,
> "/etc/ssl/certs/ca-certificates.crt"},
>                               {certfile, "example/client.crt"},
>                               {keyfile, "example/client.key"},
>                               {password, "password"}],
>                              infinity).
>
>   =INFO REPORT==== 23-Jul-2012::15:36:56 ===
>   SSL WARNING: Ignoring a CA cert as it could not be correctly decoded.
>
> I get the same message on my own ca.crt file with it's one key but thought
> I
> would try the system one to see whether it differed
>
>
> Finally, on the server side if I do the following using server keys
> (without
> passwords) and the openssl client line above
>
>   ssl:start().
>   {ok, ListenSocket} = ssl:listen ( 9950, [{active, true},
>                                            {reuseaddr, true},
>                                            {keyfile, "example/server.key"},
>                                            {certfile,
> "example/server.crt"},
>                                            {backlog, 30}] ).
>   {ok, Socket} = ssl:transport_accept ( ListenSocket ).
>   ssl:ssl_accept ( Socket ).
>   ssl:setopts ( Socket, [{active, true}] ).
>
> then an SSL connection seems to start up fine according to the messages on
> the openssl side.  If I change this to
>
>   ssl:start().
>   {ok, ListenSocket} = ssl:listen ( 9950, [{active, true},
>                                            {reuseaddr, true},
>                                            {verify, verify_peer},
>                                            {depth, 2},
>                                            {cacertfile, "example/ca.pem"},
>                                            {keyfile, "example/server.key"},
>                                            {certfile,
> "example/server.crt"},
>                                            {backlog, 30}] ).
>   {ok, Socket} = ssl:transport_accept ( ListenSocket ).
>   ssl:ssl_accept ( Socket ).
>   ssl:setopts ( Socket, [{active, true}] ).
>
> where example/ca.pem is the one CA certificate I get
>
>   =INFO REPORT==== 23-Jul-2012::16:12:59 ===
>   SSL WARNING: Ignoring a CA cert as it could not be correctly decoded.
>
>   ** exception exit: {{{badmatch,
>                       {error,
>                        {asn1,
>                         {'Type not compatible with table constraint',
>                          {{component,'Type'},
>                           {value,{5,<<>>}},
>                           {unique_name_and_value,id,{1,3,14,3,2,29}}}}}}},
>                      [{public_key,pkix_decode_cert,2,
>                        [{file,"public_key.erl"},{line,215}]},
>                       {ssl_certificate,trusted_cert_and_path,3,
>                        [{file,"ssl_certificate.erl"},{line,58}]},
>                       {ssl_handshake,certify,7,
>                        [{file,"ssl_handshake.erl"},{line,216}]},
>                       {ssl_connection,certify,2,
>                        [{file,"ssl_connection.erl"},{line,514}]},
>                       {ssl_connection,next_state,4,
>                        [{file,"ssl_connection.erl"},{line,1929}]},
>
> {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,494}]},
>                       {proc_lib,init_p_do_apply,3,
>                        [{file,"proc_lib.erl"},{line,227}]}]},
>                     {gen_fsm,sync_send_all_state_event,
>                      [<0.50.0>,start,infinity]}}
>      in function  gen_fsm:sync_send_all_state_event/3 (gen_fsm.erl, line
> 240)
>      in call from ssl_connection:sync_send_all_state_event/3
> (ssl_connection.erl, line 1195)
>      in call from ssl_connection:handshake/2 (ssl_connection.erl, line 167)
>
> What does that mean?

A few old certificates that are part of atleast some
linux-distributions breaks the ASN-1 specs
for x509-certificates,  which means that the erlang asn-1 application
can not decode them and hence the erlang ssl-application can not use
them, but if the CA-file has many certs all correctly encoded certs
will be understood.

Regards Ingela Erlang/OTP team Ericsson AB



More information about the erlang-questions mailing list