[erlang-questions] Troubleshooting TLS distribution

Mark Steele mark@REDACTED
Sun Jan 10 04:59:43 CET 2016


Hi all,

I've been having a stubborn problem with getting TLS distribution working
and could use a hand.

I'm running a test CA and have a cert that works fine when using it for
erlang cowboy serving TLS traffic, however using the same cert for TLS
distribution is not working.

I've tried several different certs that I've generated (some generated with
the dogtag CA, others with a testca using openssl), and none seem to be
working.

I'm following the steps in the documentation, and have tried with versions
17/18 with identical results.

For v17, my .rel file:

{release,{"start_clean",[]},
         {erts,"6.4"},
         [{kernel,"3.2"},
          {stdlib,"2.4"},
          {sasl,"2.4.1"},
          {crypto,"3.5"},
          {asn1,"3.0.4"},
          {public_key,"0.23"},
          {ssl,"6.0"}
          ]}.

Here's what my session looks like.

erl -boot start_clean -proto_dist inet_tls -ssl_dist_op server_certfile /tmp/server.pem server_keyfile /tmp/server.key client_certfile /tmp/server.pem client_keyfile /tmp/server.key -name test1@REDACTED
Erlang/OTP 17 [erts-6.4] [source-2e19e2f] [64-bit] [smp:4:4] [async-threads:10] [hipe] [kernel-poll:false]


=PROGRESS REPORT==== 9-Jan-2016::21:58:24 ===
          supervisor: {local,sasl_safe_sup}
             started: [{pid,<0.48.0>},
                       {name,alarm_handler},
                       {mfargs,{alarm_handler,start_link,[]}},
                       {restart_type,permanent},
                       {shutdown,2000},
                       {child_type,worker}]

=PROGRESS REPORT==== 9-Jan-2016::21:58:24 ===
          supervisor: {local,sasl_safe_sup}
             started: [{pid,<0.49.0>},
                       {name,overload},
                       {mfargs,{overload,start_link,[]}},
                       {restart_type,permanent},
                       {shutdown,2000},
                       {child_type,worker}]

=PROGRESS REPORT==== 9-Jan-2016::21:58:24 ===
          supervisor: {local,sasl_sup}
             started: [{pid,<0.47.0>},
                       {name,sasl_safe_sup},
                       {mfargs,
                           {supervisor,start_link,
                               [{local,sasl_safe_sup},sasl,safe]}},
                       {restart_type,permanent},
                       {shutdown,infinity},
                       {child_type,supervisor}]

=PROGRESS REPORT==== 9-Jan-2016::21:58:24 ===
          supervisor: {local,sasl_sup}
             started: [{pid,<0.50.0>},
                       {name,release_handler},
                       {mfargs,{release_handler,start_link,[]}},
                       {restart_type,permanent},
                       {shutdown,2000},
                       {child_type,worker}]

=PROGRESS REPORT==== 9-Jan-2016::21:58:24 ===
         application: sasl
          started_at: 'test1@REDACTED'

=PROGRESS REPORT==== 9-Jan-2016::21:58:24 ===
         application: crypto
          started_at: 'test1@REDACTED'

=PROGRESS REPORT==== 9-Jan-2016::21:58:24 ===
         application: asn1
          started_at: 'test1@REDACTED'

=PROGRESS REPORT==== 9-Jan-2016::21:58:24 ===
         application: public_key
          started_at: 'test1@REDACTED'

=PROGRESS REPORT==== 9-Jan-2016::21:58:24 ===
          supervisor: {local,ssl_sup}
             started: [{pid,<0.59.0>},
                       {name,ssl_manager},
                       {mfargs,{ssl_manager,start_link,[[]]}},
                       {restart_type,permanent},
                       {shutdown,4000},
                       {child_type,worker}]

=PROGRESS REPORT==== 9-Jan-2016::21:58:24 ===
          supervisor: {local,ssl_sup}
             started: [{pid,<0.60.0>},
                       {name,tls_connection},
                       {mfargs,{tls_connection_sup,start_link,[]}},
                       {restart_type,permanent},
                       {shutdown,4000},
                       {child_type,supervisor}]

=PROGRESS REPORT==== 9-Jan-2016::21:58:24 ===
          supervisor: {local,ssl_sup}
             started: [{pid,<0.61.0>},
                       {name,ssl_socket},
                       {mfargs,{ssl_listen_tracker_sup,start_link,[]}},
                       {restart_type,permanent},
                       {shutdown,4000},
                       {child_type,supervisor}]

=PROGRESS REPORT==== 9-Jan-2016::21:58:24 ===
         application: ssl
          started_at: 'test1@REDACTED'
Eshell V6.4  (abort with ^G)
(test1@REDACTED)1> net_adm:ping('test2@REDACTED').

=PROGRESS REPORT==== 9-Jan-2016::21:58:37 ===
          supervisor: {local,inet_gethost_native_sup}
             started: [{pid,<0.68.0>},{mfa,{inet_gethost_native,init,[[]]}}]

=PROGRESS REPORT==== 9-Jan-2016::21:58:37 ===
          supervisor: {local,kernel_safe_sup}
             started: [{pid,<0.67.0>},
                       {name,inet_gethost_native_sup},
                       {mfargs,{inet_gethost_native,start_link,[]}},
                       {restart_type,temporary},
                       {shutdown,1000},
                       {child_type,worker}]

=ERROR REPORT==== 9-Jan-2016::21:58:37 ===
SSL: certify: ssl_alert.erl:92:Fatal error: internal error
pang
(test1@REDACTED)2>

From the other shell:

erl -boot start_clean -proto_dist inet_tls -ssl_dist_op server_certfile /tmp/server.pem server_keyfile /tmp/server.key client_certfile /tmp/server.pem client_keyfile /tmp/server.key -name test2@REDACTED
Erlang/OTP 17 [erts-6.4] [source-2e19e2f] [64-bit] [smp:4:4] [async-threads:10] [hipe] [kernel-poll:false]


=PROGRESS REPORT==== 9-Jan-2016::21:58:12 ===
          supervisor: {local,sasl_safe_sup}
             started: [{pid,<0.48.0>},
                       {name,alarm_handler},
                       {mfargs,{alarm_handler,start_link,[]}},
                       {restart_type,permanent},
                       {shutdown,2000},
                       {child_type,worker}]

=PROGRESS REPORT==== 9-Jan-2016::21:58:12 ===
          supervisor: {local,sasl_safe_sup}
             started: [{pid,<0.49.0>},
                       {name,overload},
                       {mfargs,{overload,start_link,[]}},
                       {restart_type,permanent},
                       {shutdown,2000},
                       {child_type,worker}]

=PROGRESS REPORT==== 9-Jan-2016::21:58:12 ===
          supervisor: {local,sasl_sup}
             started: [{pid,<0.47.0>},
                       {name,sasl_safe_sup},
                       {mfargs,
                           {supervisor,start_link,
                               [{local,sasl_safe_sup},sasl,safe]}},
                       {restart_type,permanent},
                       {shutdown,infinity},
                       {child_type,supervisor}]

=PROGRESS REPORT==== 9-Jan-2016::21:58:12 ===
          supervisor: {local,sasl_sup}
             started: [{pid,<0.50.0>},
                       {name,release_handler},
                       {mfargs,{release_handler,start_link,[]}},
                       {restart_type,permanent},
                       {shutdown,2000},
                       {child_type,worker}]

=PROGRESS REPORT==== 9-Jan-2016::21:58:12 ===
         application: sasl
          started_at: 'test2@REDACTED'

=PROGRESS REPORT==== 9-Jan-2016::21:58:12 ===
         application: crypto
          started_at: 'test2@REDACTED'

=PROGRESS REPORT==== 9-Jan-2016::21:58:12 ===
         application: asn1
          started_at: 'test2@REDACTED'

=PROGRESS REPORT==== 9-Jan-2016::21:58:12 ===
         application: public_key
          started_at: 'test2@REDACTED'

=PROGRESS REPORT==== 9-Jan-2016::21:58:12 ===
          supervisor: {local,ssl_sup}
             started: [{pid,<0.59.0>},
                       {name,ssl_manager},
                       {mfargs,{ssl_manager,start_link,[[]]}},
                       {restart_type,permanent},
                       {shutdown,4000},
                       {child_type,worker}]

=PROGRESS REPORT==== 9-Jan-2016::21:58:12 ===
          supervisor: {local,ssl_sup}
             started: [{pid,<0.60.0>},
                       {name,tls_connection},
                       {mfargs,{tls_connection_sup,start_link,[]}},
                       {restart_type,permanent},
                       {shutdown,4000},
                       {child_type,supervisor}]

=PROGRESS REPORT==== 9-Jan-2016::21:58:12 ===
          supervisor: {local,ssl_sup}
             started: [{pid,<0.61.0>},
                       {name,ssl_socket},
                       {mfargs,{ssl_listen_tracker_sup,start_link,[]}},
                       {restart_type,permanent},
                       {shutdown,4000},
                       {child_type,supervisor}]

=PROGRESS REPORT==== 9-Jan-2016::21:58:12 ===
         application: ssl
          started_at: 'test2@REDACTED'
Eshell V6.4  (abort with ^G)
(test2@REDACTED)1>
=ERROR REPORT==== 9-Jan-2016::21:58:37 ===
SSL: hello: ssl_handshake.erl:167:Fatal error: internal error

The errors are the same between v17 and v18 (same error message).

The cert:

Key (just using for internal testing no security concern in sharing this):



CA cert:

Testing with the openssl command line appears to work just fine:

openssl s_server -cert cert.pem -key key_clear.pem -CAfile cacert.pem -Verify 1 -www
verify depth is 1, must return a certificate
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
depth=1 O = control-alt-del.org Security Domain, CN = CA Signing Certificate
verify return:1
depth=0 C = CA, ST = Ontario, L = Toronto, O = Control-alt-del.org, OU = Security, CN = dev1.control-alt-del.org
verify return:1
ACCEPT


openssl s_client -cert cert.pem -key key_clear.pem -CAfile cacert.pem -connect localhost:4433
CONNECTED(00000003)
depth=1 O = control-alt-del.org Security Domain, CN = CA Signing Certificate
verify return:1
depth=0 C = CA, ST = Ontario, L = Toronto, O = Control-alt-del.org, OU = Security, CN = dev1.control-alt-del.org
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Toronto/O=Control-alt-del.org/OU=Security/CN=dev1.control-alt-del.org
   i:/O=control-alt-del.org Security Domain/CN=CA Signing Certificate
 1 s:/O=control-alt-del.org Security Domain/CN=CA Signing Certificate
   i:/O=control-alt-del.org Security Domain/CN=CA Signing Certificate
---
Server certificate
subject=/C=CA/ST=Ontario/L=Toronto/O=Control-alt-del.org/OU=Security/CN=dev1.control-alt-del.org
issuer=/O=control-alt-del.org Security Domain/CN=CA Signing Certificate
---
Acceptable client certificate CA names
/O=control-alt-del.org Security Domain/CN=CA Signing Certificate
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4547 bytes and written 3156 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: AAF2D6ACAF687FD0079806B7F19BDC1F9FFF1A6AE4F5FFEAE39184A33160923B
    Session-ID-ctx:
    Master-Key: 155BE3B00A85F909004AB1F8F7F8FC337DE87BF296CBF90EC68F0517D25AC075EA52DCC5EACCCD2D0706B6982210ADE8
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1452397215
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

So my guess at this point is that either TLS distribution is broken, or
there's something that it doesn't like about my certificate.

Is it doing some weird hostname checking against the CN (or is there some
rule for CN naming that needs to be followed?).

I've tried a slew of permutations of -inet_dist_op (concatenating cert/key,
session renegotiate, verify, etc...) to no avail.

Someone please let me know what I've missed or if there is better
documentation somewhere that will highlight what I've been doing wrong.

Regards,

Mark Steele
CISSP, GPEN, GCIA, CSM
mark@REDACTED

LinkedIn: https://ca.linkedin.com/in/markrsteele
Github: https://github.com/marksteele
Personal: http://www.control-alt-del.org
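
A small triage helper for the two error reports in the post above, as an added example that is not part of the original message: it pulls the `SSL: <state>: <file>:<line>:<level>: <alert>` lines out of SASL output and pairs reports from the two nodes by timestamp, which shows which handshake state each side was in when the alert was raised. The function names, dictionary keys and the two-second window are assumptions made for the illustration; the sample lines are copied from the post.

```python
import re
from datetime import datetime

# Report lines copied from the two shells in the post above.
SAMPLE = {
    "test1": """=ERROR REPORT==== 9-Jan-2016::21:58:37 ===
SSL: certify: ssl_alert.erl:92:Fatal error: internal error
""",
    "test2": """=PROGRESS REPORT==== 9-Jan-2016::21:58:12 ===
         application: ssl
          started_at: 'test2@REDACTED'
=ERROR REPORT==== 9-Jan-2016::21:58:37 ===
SSL: hello: ssl_handshake.erl:167:Fatal error: internal error
""",
}

# "=ERROR REPORT==== 9-Jan-2016::21:58:37 ===" style report header.
HEADER = re.compile(r"^=(\w+) REPORT==== (\d{1,2}-\w{3}-\d{4}::\d\d:\d\d:\d\d) ===\s*$")
# "SSL: <state>: <file>:<line>:<level>: <alert description>"
ALERT = re.compile(r"^SSL: (\w+): ([\w.]+):(\d+):(Fatal error|Warning): (.+?)\s*$")


def ssl_alerts(node, text):
    """Yield one dict per SSL alert line found under an ERROR REPORT header."""
    kind = stamp = None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            kind = h.group(1)
            stamp = datetime.strptime(h.group(2), "%d-%b-%Y::%H:%M:%S")
            continue
        a = ALERT.match(line)
        if a and kind == "ERROR":
            yield {"node": node, "time": stamp, "state": a.group(1),
                   "source": f"{a.group(2)}:{a.group(3)}",
                   "level": a.group(4), "alert": a.group(5)}


def correlate(logs, window_s=2):
    """Pair alerts from different nodes whose timestamps are within window_s."""
    alerts = [a for node, text in logs.items() for a in ssl_alerts(node, text)]
    pairs = []
    for i, a in enumerate(alerts):
        for b in alerts[i + 1:]:
            close = abs((a["time"] - b["time"]).total_seconds()) <= window_s
            if a["node"] != b["node"] and close:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    for a, b in correlate(SAMPLE):
        print(f'{a["time"]}: {a["node"]} in {a["state"]} ({a["source"]}) <-> '
              f'{b["node"]} in {b["state"]} ({b["source"]}): {a["alert"]}')
```
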