[erlang-questions] SSL key / password problems

Matthew Harrell <>
Mon Jul 23 22:26:37 CEST 2012


I searched but all the information I found was very dated and didn't seem
to help any.  Most of these examples are just a few modifications on what
is found here

  http://www.erlang.org/doc/apps/ssl/using_ssl.html

First, only TLS v1 is supported at the moment in R15B01, right?  Not 1.1 or
1.2?  


I have a key pair protected with the password "password" called
client.crt and client.key.  When I try to start up a client connection
using that pair I get

  ssl:start().
  {ok, Socket} = ssl:connect("localhost",
                             9950,
                             [{certfile, "client.crt"},
                              {keyfile, "client.key"}],
                             infinity).
  ** exception error: no match of right hand side value {error,ekeyfile}

which is fine because it can't open the private key.  But when I try 

  {ok, Socket} = ssl:connect("localhost",
                             9950,
                             [{certfile, "example/client.crt"},
                              {keyfile, "example/client.key"},
                              {password, "password"}],
                             infinity).
  ** exception error: no match of right hand side value {error,ekeyfile}

I get the same error.  What am I doing wrong?  Isn't that the point of the
password option?  When I try things with openssl, like the following, it
works fine

  openssl s_client -cert example/client.crt -key example/client.key \
   -CAfile example/ca.pem -pass pass:password -state -connect 127.0.0.1:9950


Also if I try to load the CA files I get messages about them not being 
decoded properly

  {ok, Socket} = ssl:connect("localhost",
                             9950,
                             [{cacertfile, "/etc/ssl/certs/ca-certificates.crt"},
                              {certfile, "example/client.crt"},
                              {keyfile, "example/client.key"},
                              {password, "password"}],
                             infinity).

  =INFO REPORT==== 23-Jul-2012::15:36:56 ===
  SSL WARNING: Ignoring a CA cert as it could not be correctly decoded.

I get the same message on my own ca.crt file with its one key but thought I
would try the system one to see whether it differed


Finally, on the server side if I do the following using server keys (without
passwords) and the openssl client line above

  ssl:start().
  {ok, ListenSocket} = ssl:listen ( 9950, [{active, true},
                                           {reuseaddr, true},
                                           {keyfile, "example/server.key"},
                                           {certfile, "example/server.crt"},
                                           {backlog, 30}] ).
  {ok, Socket} = ssl:transport_accept ( ListenSocket ).
  ssl:ssl_accept ( Socket ).
  ssl:setopts ( Socket, [{active, true}] ).

then an SSL connection seems to start up fine according to the messages on
the openssl side.  If I change this to 

  ssl:start().
  {ok, ListenSocket} = ssl:listen ( 9950, [{active, true},
                                           {reuseaddr, true},
                                           {verify, verify_peer},
                                           {depth, 2},
                                           {cacertfile, "example/ca.pem"},
                                           {keyfile, "example/server.key"},
                                           {certfile, "example/server.crt"},
                                           {backlog, 30}] ).
  {ok, Socket} = ssl:transport_accept ( ListenSocket ).
  ssl:ssl_accept ( Socket ).
  ssl:setopts ( Socket, [{active, true}] ).

where example/ca.pem is the one CA certificate I get

  =INFO REPORT==== 23-Jul-2012::16:12:59 ===
  SSL WARNING: Ignoring a CA cert as it could not be correctly decoded.

  ** exception exit: {{{badmatch,
                      {error,
                       {asn1,
                        {'Type not compatible with table constraint',
                         {{component,'Type'},
                          {value,{5,<<>>}},
                          {unique_name_and_value,id,{1,3,14,3,2,29}}}}}}},
                     [{public_key,pkix_decode_cert,2,
                       [{file,"public_key.erl"},{line,215}]},
                      {ssl_certificate,trusted_cert_and_path,3,
                       [{file,"ssl_certificate.erl"},{line,58}]},
                      {ssl_handshake,certify,7,
                       [{file,"ssl_handshake.erl"},{line,216}]},
                      {ssl_connection,certify,2,
                       [{file,"ssl_connection.erl"},{line,514}]},
                      {ssl_connection,next_state,4,
                       [{file,"ssl_connection.erl"},{line,1929}]},
                      {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,494}]},
                      {proc_lib,init_p_do_apply,3,
                       [{file,"proc_lib.erl"},{line,227}]}]},
                    {gen_fsm,sync_send_all_state_event,
                     [<0.50.0>,start,infinity]}}
     in function  gen_fsm:sync_send_all_state_event/3 (gen_fsm.erl, line 240)
     in call from ssl_connection:sync_send_all_state_event/3 (ssl_connection.erl, line 1195)
     in call from ssl_connection:handshake/2 (ssl_connection.erl, line 167)

What does that mean?

Thanks for any help


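Added diagnostic, not part of the original post and not Erlang/OTP code: before changing any ssl options it helps to know exactly what is in the PEM files being handed to ssl:connect/3 and ssl:listen/2. The Python script below (standard library only) classifies each PEM block in a file. For private keys it reports whether the block is a PKCS#8 "ENCRYPTED PRIVATE KEY" or a traditional "RSA PRIVATE KEY" with Proc-Type/DEK-Info headers, and which DEK cipher the header names. For certificates it walks the DER just far enough to read the signatureAlgorithm OID and flags 1.3.14.3.2.29, which is the OIW sha-1WithRSAEncryption identifier, the same OID named in the asn1 'Type not compatible with table constraint' error quoted above. It decrypts nothing and makes no claim about which encodings a given OTP release's password option accepts; that has to be checked against that release's public_key documentation. The sample PEM blocks at the bottom are constructed (placeholder base64 bodies, and a certificate-shaped DER whose only real part is the AlgorithmIdentifier), not real keys or certificates, and names such as inspect_pem are this example's own.

```python
import base64
import re

# Added diagnostic (not OTP code): classify the PEM objects that ssl:connect/3
# and ssl:listen/2 are handed, without decrypting anything.
# 1.3.14.3.2.29 is the OIW sha-1WithRSAEncryption OID, the one named in the
# asn1 'Type not compatible with table constraint' error quoted above.
OIW_SHA1_RSA = "1.3.14.3.2.29"
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Yield (label, rfc1421_headers, der_bytes) for each PEM block in text."""
    for m in PEM_RE.finditer(text):
        headers, b64 = [], []
        for line in (l.strip() for l in m.group(2).splitlines() if l.strip()):
            # Proc-Type:/DEK-Info: headers precede the body; base64 never has ':'
            (headers if ":" in line and not b64 else b64).append(line)
        yield m.group(1), headers, base64.b64decode("".join(b64))

def classify_key(label, headers):
    """Which private-key encoding the block uses: PKCS#8 vs traditional PEM."""
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    if label == "PRIVATE KEY":
        return "pkcs8-plain"
    if label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"):
        if any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers):
            dek = [h.split(":", 1)[1].strip() for h in headers if h.startswith("DEK-Info:")]
            return "traditional-encrypted:" + (dek[0].split(",")[0] if dek else "?")
        return "traditional-plain"
    return "not-a-key"

def der_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """DER OID content octets -> dotted string (first arc 0, 1 or 2)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def cert_signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, cert, _ = der_tlv(der, 0)
    _, _, pos = der_tlv(cert, 0)           # skip tbsCertificate
    _, alg, _ = der_tlv(cert, pos)         # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = der_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid)

def inspect_pem(text):
    """One (kind, detail, is_oiw_sha1_rsa) tuple per PEM block."""
    out = []
    for label, headers, der in pem_blocks(text):
        if label == "CERTIFICATE":
            oid = cert_signature_oid(der)
            out.append(("certificate", oid, oid == OIW_SHA1_RSA))
        else:
            out.append(("key", classify_key(label, headers), False))
    return out

# --- constructed sample inputs; none of this is a real key or certificate ---
def tlv(tag, body):                        # short-form DER, enough for the samples
    return bytes([tag, len(body)]) + body

def fake_cert(sig_oid_der):
    """Certificate-shaped DER: placeholder tbs, real AlgorithmIdentifier."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))
    alg = tlv(0x30, tlv(0x06, sig_oid_der) + tlv(0x05, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

SAMPLE_OIW_CERT = to_pem("CERTIFICATE", fake_cert(bytes.fromhex("2b0e03021d")))
SAMPLE_PKCS1_CERT = to_pem("CERTIFICATE", fake_cert(bytes.fromhex("2a864886f70d010105")))
SAMPLE_TRAD_ENC_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PKCS8_ENC_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":                 # e.g. python inspect_pem.py example/ca.pem
    import sys
    print(inspect_pem(open(sys.argv[1]).read()))
```

Run it against example/ca.pem, example/client.key and /etc/ssl/certs/ca-certificates.crt (the script name inspect_pem.py is this example's own). A certificate whose third field is True carries the same signature-algorithm OID the handshake above failed on; a key reported as pkcs8-encrypted is a different encoding from traditional-encrypted:DES-EDE3-CBC, and that distinction is what to take to the public_key documentation for the release in use.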
