[erlang-questions] SSL distribution issues

Paul Guyot <>
Sat Jan 14 11:04:04 CET 2012


Hello,

Is anyone successfully using SSL distribution on production servers?
http://www.erlang.org/documentation/doc-5.9/lib/ssl-5.0/doc/html/ssl_distribution.html

While running a couple of nodes works properly on a development machine, we have serious issues on a real production cluster.
Our nodes ping other nodes very early, before our applications are started.

We observed two serious issues:
- pinging another node randomly blocks indefinitely, whether the other node is pingable or not (e.g. not over SSL or with a different cookie);
- after a while (after pings timeout), ssl_tls_dist_proxy just crashes.

=ERROR REPORT==== 2012-01-13 16:48:58 ===
** Generic server ssl_tls_dist_proxy terminating 
** Last message in was {connect,IP,25669}				<-- this is another SSL node with the same cookie
** When Server state == {state,{#Port<0.284>,#Port<0.285>},
                               {<0.24.0>,<0.25.0>}}
** Reason for termination == 
** {{badmatch,{error,badarg}},
    [{ssl_tls_dist_proxy,handle_call,3,
                         [{file,"ssl_tls_dist_proxy.erl"},{line,90}]},
     {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,227}]}]}

The relevant code is the following:

handle_call({connect, Ip, Port}, {From, _}, State) ->
    Me = self(),
    Pid = spawn_link(fun() -> setup_proxy(Ip, Port, Me) end),
    receive 
	{Pid, go_ahead, LPort} -> 
	    Res = {ok, Socket} = try_connect(LPort),
	    ok = gen_tcp:controlling_process(Socket, From),		<---- line 90
	    flush_old_controller(From, Socket),
	    {reply, Res, State};
	{Pid, Error} ->
	    {reply, Error, State}
    end;

The crash happens because From is no longer alive.

For the record, this is master branch and the SSL parameters are the following:

	-proto_dist inet_tls
	-ssl_dist_opt
		server_certfile /otp_root/ssl/${NODE_NAME}.pem
		client_certfile /otp_root/ssl/${NODE_NAME}.pem
		server_secure_renegotiate true
		client_secure_renegotiate true
		server_verify verify_peer
		client_verify verify_peer
		server_fail_if_no_peer_cert true
		server_cacertfile /otp_root/ssl/ca.pem
		client_cacertfile /otp_root/ssl/ca.pem
		server_depth 2
		client_depth 2

Did we miss something obvious?

Paul
-- 
Semiocast            http://semiocast.com/
+33.183627948 - 20 rue Lacaze, 75014 Paris
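The failure described above is the `ok = gen_tcp:controlling_process(Socket, From)` match at line 90: when the caller `From` has already exited, `controlling_process` returns `{error, badarg}` and the badmatch takes the whole proxy server down. The module below is an added example (not OTP code and not from the original post) showing what that step looks like when the dead-caller case is handled, and reproducing it against a local loopback socket; `reply_with_socket/3`, `demo/0` and `wait_until_dead/1` are names chosen here, and the original `flush_old_controller/2` call would stay in the `ok` branch.

```erlang
-module(dist_proxy_handover).
-export([reply_with_socket/3, demo/0]).

%% What line 90 onward of handle_call/3 becomes: hand the connected
%% socket to the caller, but turn a caller that is no longer alive into
%% an error reply instead of a badmatch crash of the proxy gen_server.
reply_with_socket(Socket, From, State) ->
    case gen_tcp:controlling_process(Socket, From) of
        ok ->
            {reply, {ok, Socket}, State};
        {error, Reason} ->
            %% From exited before the hand-over (e.g. it gave up waiting
            %% for the connect): controlling_process reports badarg, as in
            %% the error report above. Close the orphaned socket so the
            %% proxy does not leak a connection per failed attempt.
            gen_tcp:close(Socket),
            {reply, {error, Reason}, State}
    end.

%% Reproduce the dead-caller case on loopback: open a real TCP socket,
%% spawn a process that exits immediately, and try to make it the owner.
demo() ->
    {ok, Listen} = gen_tcp:listen(0, [{active, false}, {ip, {127,0,0,1}}]),
    {ok, Port} = inet:port(Listen),
    {ok, Socket} = gen_tcp:connect({127,0,0,1}, Port, [{active, false}]),
    Dead = spawn(fun() -> ok end),
    wait_until_dead(Dead),
    Reply = reply_with_socket(Socket, Dead, state),
    gen_tcp:close(Listen),
    Reply.

%% A monitor on an already-exited pid delivers 'DOWN' at once, so this
%% is a race-free way to wait for the spawned process to be gone.
wait_until_dead(Pid) ->
    Ref = monitor(process, Pid),
    receive
        {'DOWN', Ref, process, Pid, _} -> ok
    end.
```

Compile and call `dist_proxy_handover:demo()` in a shell; the reply tuple carries the `{error, badarg}` from the hand-over rather than raising it.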