[erlang-questions] Erlang TLS distribution... again...

Mark Steele mark@REDACTED
Fri Jan 22 18:51:04 CET 2016


The server start-up command:

 /root/cinched/rel/cinched/bin/erl +P 256000 -env ERL_MAX_ETS_TABLES 256000
-env ERL_CRASH_DUMP /dev/null -env ERL_FULLSWEEP_AFTER 0 -env ERL_MAX_PORTS
65536 +A 64 +K true +W w -smp auto +Mlpm all -proto_dist inet_tls
-ssl_dist_opt client_cacertfile /var/lib/cinched/cacert.pem client_keyfile
/var/lib/cinched/key.pem client_certfile /var/lib/cinched/client.pem
server_cacertfile /var/lib/cinched/cacert.pem server_keyfile
/var/lib/cinched/key.pem server_certfile /var/lib/cinched/cert.pem
server_fail_if_no_peer_cert true server_depth 1 client_depth 1
server_verify verify_peer -name cinched@REDACTED -config
/var/lib/cinched/sys.config -setup verify_directories false

The client start-up command:

/root/cinched/rel/cinched/bin/erl -env ERL_CRASH_DUMP /dev/null +K true +W
w -smp disable +Mlpm all -proto_dist inet_tls -ssl_dist_opt
client_cacertfile /var/lib/cinched/cacert.pem client_keyfile
/var/lib/cinched/k.pem client_certfile /var/lib/cinched/client.pem
server_cacertfile /var/lib/cinched/cacert.pem server_keyfile
/var/lib/cinched/key.pem server_certfile /var/lib/cinched/cert.pem -name
rpc@REDACTED -boot /root/cinched/rel/cinched/bin/start_clean  -extra
--target cinched@REDACTED --module cinched_console --function status -u
root

The default boot file and start_clean both start the same apps
(crypto,asn1,public_key,ssl).

Cheers,

Mark

On Fri, Jan 22, 2016 at 12:28 PM, Magnus Henoch <magnus@REDACTED> wrote:

> If I read the source code correctly, this error occurs when the server
> expects the client to present a certificate, but the client doesn't present
> one. What options do you use when starting the client?
>
> Regards,
> Magnus
>
>
> On Fri, Jan 22, 2016 at 4:43 PM, Mark Steele <mark@REDACTED> wrote:
>
>> Hello list,
>>
>> Once again I'm banging my head against TLS distribution in Erlang.
>>
>> This time around, everything is almost working.
>>
>> My problem is now getting the certificate validation to work.
>>
>> As soon as I add ' server_verify verify_peer ' to my ssl options on the
>> server-side, the connection is failing.
>>
>> Server:
>>
>> SSL: certify: ssl_connection.erl:398:Fatal error: handshake failure
>>
>> Client:
>>
>> SSL: cipher: ssl_alert.erl:92:Fatal error: handshake failure
>>
>>
>> The client and server certs are the same.
>>
>> I can use the same certs with Cowboy/Ranch or plain ssl sockets (with the
>> verify_peer option) and it works flawlessly, so it would appear that it's
>> something specific to TLS distribution that's wonky.
>>
>> Running on Erlang/OTP 17 [erts-6.4]
>>
>> Any help would be appreciated.
>>
>>
>
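As an added example (not from the thread or the cinched project), a small Python linter for the `-ssl_dist_opt` pairs on an `erl` command line: it checks that every cacertfile/certfile/keyfile path exists, that each role sets certfile and keyfile together, and that when the accepting node sets `server_verify verify_peer` with `server_fail_if_no_peer_cert true` the connecting node has a client certfile/keyfile pair to present. The two command lines from the thread are embedded as constructed input (trimmed, host names are placeholders) and the filesystem is simulated by a set of paths, so it runs offline.

```python
import os
import shlex
# inet_tls option suffixes whose value is a path on disk.
FILE_OPTS = ("cacertfile", "certfile", "keyfile")
def parse_ssl_dist_opts(cmdline):
    """Collect {name: value} from every '-ssl_dist_opt name value ...' group,
    consuming pairs until the next token that looks like another erl flag."""
    args, opts, i = shlex.split(cmdline), {}, 0
    while i < len(args):
        i += 1
        if args[i - 1] != "-ssl_dist_opt":
            continue
        while i + 1 < len(args) and not args[i].startswith(("-", "+")):
            opts[args[i]] = args[i + 1]
            i += 2
    return opts
def lint_node(opts, exists=os.path.isfile):
    """Per-node checks; 'exists' is injectable so constructed input runs offline."""
    problems = [f"{n}: no such file {v}" for n, v in opts.items()
                if n.partition("_")[2] in FILE_OPTS and not exists(v)]
    for role in ("client", "server"):
        if (f"{role}_certfile" in opts) != (f"{role}_keyfile" in opts):
            problems.append(f"{role}_certfile and {role}_keyfile must be set together")
    return problems
def lint_handshake(accepting, connecting):
    """Accepting node demands a peer cert -> connecting node needs a client pair."""
    demands = (accepting.get("server_verify") == "verify_peer"
               and accepting.get("server_fail_if_no_peer_cert") == "true")
    if demands and not {"client_certfile", "client_keyfile"}.issubset(connecting):
        return ["accepting node requires a client cert but the connecting node "
                "does not set both client_certfile and client_keyfile"]
    return []
# Constructed sample input: the thread's two command lines, trimmed to the TLS options.
SERVER_CMD = ("erl -proto_dist inet_tls -ssl_dist_opt client_cacertfile /var/lib/cinched/cacert.pem "
              "client_keyfile /var/lib/cinched/key.pem client_certfile /var/lib/cinched/client.pem "
              "server_cacertfile /var/lib/cinched/cacert.pem server_keyfile /var/lib/cinched/key.pem "
              "server_certfile /var/lib/cinched/cert.pem server_fail_if_no_peer_cert true "
              "server_verify verify_peer -name cinched@host")
CLIENT_CMD = ("erl -proto_dist inet_tls -ssl_dist_opt client_cacertfile /var/lib/cinched/cacert.pem "
              "client_keyfile /var/lib/cinched/k.pem client_certfile /var/lib/cinched/client.pem "
              "-name rpc@host")
# Simulated filesystem: the four files the server command line refers to.
PRESENT = {"/var/lib/cinched/cacert.pem", "/var/lib/cinched/key.pem",
           "/var/lib/cinched/client.pem", "/var/lib/cinched/cert.pem"}
def lint_thread_example():
    server, client = parse_ssl_dist_opts(SERVER_CMD), parse_ssl_dist_opts(CLIENT_CMD)
    return (lint_node(server, PRESENT.__contains__) + lint_node(client, PRESENT.__contains__)
            + lint_handshake(server, client))
```

For a live check, call `lint_node(parse_ssl_dist_opts(cmd))` on each node's real command line without the `exists` argument.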