[erlang-questions] Erlang TLS distribution... again...

Paul Guyot pguyot@REDACTED
Sat Jan 23 17:28:08 CET 2016


> Date: Fri, 22 Jan 2016 12:51:04 -0500
> From: Mark Steele <mark@REDACTED>
> Subject: Re: [erlang-questions] Erlang TLS distribution... again...
> 
> The server start-up command:
> 
> /root/cinched/rel/cinched/bin/erl +P 256000 -env ERL_MAX_ETS_TABLES 256000
> -env ERL_CRASH_DUMP /dev/null -env ERL_FULLSWEEP_AFTER 0 -env ERL_MAX_PORTS
> 65536 +A 64 +K true +W w -smp auto +Mlpm all -proto_dist inet_tls
> -ssl_dist_opt client_cacertfile /var/lib/cinched/cacert.pem client_keyfile
> /var/lib/cinched/key.pem client_certfile /var/lib/cinched/client.pem
> server_cacertfile /var/lib/cinched/cacert.pem server_keyfile
> /var/lib/cinched/key.pem server_certfile /var/lib/cinched/cert.pem
> server_fail_if_no_peer_cert true server_depth 1 client_depth 1
> server_verify verify_peer -name cinched@REDACTED -config
> /var/lib/cinched/sys.config -setup verify_directories false
> 
> The client start-up command:
> 
> /root/cinched/rel/cinched/bin/erl -env ERL_CRASH_DUMP /dev/null +K true +W
> w -smp disable +Mlpm all -proto_dist inet_tls -ssl_dist_opt
> client_cacertfile /var/lib/cinched/cacert.pem client_keyfile
> /var/lib/cinched/k.pem client_certfile /var/lib/cinched/client.pem
> server_cacertfile /var/lib/cinched/cacert.pem server_keyfile
> /var/lib/cinched/key.pem server_certfile /var/lib/cinched/cert.pem -name
> rpc@REDACTED -boot /root/cinched/rel/cinched/bin/start_clean  -extra
> --target cinched@REDACTED --module cinched_console --function status -u
> root
> 
> The default boot file and start_clean both start the same apps
> (crypto,asn1,public_key,ssl).

If it works without verify_peer, then the boot files are correct.
You could have exactly the same ssl_dist_opt options for both the client and the server, as the client will consider the client_ settings and the server will consider the server_ settings.

Is the following a typo?

server:
> client_keyfile /var/lib/cinched/key.pem

client:
> client_keyfile /var/lib/cinched/k.pem

Also, you might need to set server_depth and client_depth to 2. You currently set it to 1 for the server (and therefore client_depth is just not used, but this is the default anyway).
You can also add "client_verify verify_peer" for the client to make sure that the server's certificate is indeed signed by the CA certificate.

Paul
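A small lint for the kind of start-up lines quoted above, added here as an example; it is not part of the thread or of OTP. It assumes only the "-ssl_dist_opt key value key value ..." syntax used by inet_tls in that era and that the option list ends at the next token starting with "-". It extracts the pairs, diffs the client's and server's settings (the key.pem/k.pem difference shows up immediately), checks that every referenced cert/key file exists on the host, and flags the verification settings that are absent or weaker than verify_peer. The two command strings are the ones quoted in the post, with the REDACTED host names kept as posted.

```shell
#!/bin/sh
# Lint the -ssl_dist_opt pairs of an "erl -proto_dist inet_tls" command line.
# Example written for this thread, not OTP code. Assumes the option syntax
# "-ssl_dist_opt key value key value ..." terminated by the next "-flag".

# ssl_dist_opts CMD : print one "key value" line per -ssl_dist_opt pair in CMD.
ssl_dist_opts() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | awk '
        NF == 0               { next }                       # empty token (double space)
        $0 == "-ssl_dist_opt" { inopt = 1; key = ""; next }  # (re)start collecting pairs
        /^-/                  { inopt = 0 }                  # any other flag ends the list
        inopt { if (key == "") key = $0; else { print key, $0; key = "" } }'
}

# ssl_dist_opt_diff SERVER_CMD CLIENT_CMD : print "key server=<v> client=<v>"
# for every key whose value differs (or is set on one side only). Both nodes may
# carry the full client_*/server_* set, so every difference deserves a look.
ssl_dist_opt_diff() {
    {
        ssl_dist_opts "$1" | sed 's/^/S /'
        ssl_dist_opts "$2" | sed 's/^/C /'
    } | awk '
        $1 == "S" { s[$2] = $3; keys[$2] = 1 }
        $1 == "C" { c[$2] = $3; keys[$2] = 1 }
        END {
            for (k in keys) {
                sv = (k in s) ? s[k] : "(unset)"
                cv = (k in c) ? c[k] : "(unset)"
                if (sv != cv) printf "%s server=%s client=%s\n", k, sv, cv
            }
        }' | sort
}

# ssl_dist_missing_files CMD : print "key path" for each *_cacertfile, *_certfile
# or *_keyfile that is not a readable file here. A dangling path (the k.pem typo)
# fails the handshake with an opaque error, so rule it out before blaming the CA.
ssl_dist_missing_files() {
    ssl_dist_opts "$1" | while read -r key val; do
        case "$key" in
            *_cacertfile|*_certfile|*_keyfile)
                [ -r "$val" ] || printf '%s %s\n' "$key" "$val" ;;
        esac
    done
}

# ssl_dist_weak_settings CMD : one line per verification setting that is unset or
# weaker than verify_peer. Without client_verify the client accepts any server
# certificate; without server_fail_if_no_peer_cert a client sending none gets in.
ssl_dist_weak_settings() {
    ssl_dist_opts "$1" | awk '
        function val(k) { return (k in v) ? v[k] : "unset" }
        { v[$1] = $2 }
        END {
            if (val("server_verify") != "verify_peer")
                print "server_verify is not verify_peer (got " val("server_verify") ")"
            if (val("client_verify") != "verify_peer")
                print "client_verify is not verify_peer (got " val("client_verify") ")"
            if (val("server_fail_if_no_peer_cert") != "true")
                print "server_fail_if_no_peer_cert is not true (got " val("server_fail_if_no_peer_cert") ")"
        }'
}

# The two start-up lines quoted in the thread, as posted (host names redacted there).
SERVER_CMD='/root/cinched/rel/cinched/bin/erl +P 256000 -env ERL_MAX_ETS_TABLES 256000 -env ERL_CRASH_DUMP /dev/null -env ERL_FULLSWEEP_AFTER 0 -env ERL_MAX_PORTS 65536 +A 64 +K true +W w -smp auto +Mlpm all -proto_dist inet_tls -ssl_dist_opt client_cacertfile /var/lib/cinched/cacert.pem client_keyfile /var/lib/cinched/key.pem client_certfile /var/lib/cinched/client.pem server_cacertfile /var/lib/cinched/cacert.pem server_keyfile /var/lib/cinched/key.pem server_certfile /var/lib/cinched/cert.pem server_fail_if_no_peer_cert true server_depth 1 client_depth 1 server_verify verify_peer -name cinched@REDACTED -config /var/lib/cinched/sys.config -setup verify_directories false'
CLIENT_CMD='/root/cinched/rel/cinched/bin/erl -env ERL_CRASH_DUMP /dev/null +K true +W w -smp disable +Mlpm all -proto_dist inet_tls -ssl_dist_opt client_cacertfile /var/lib/cinched/cacert.pem client_keyfile /var/lib/cinched/k.pem client_certfile /var/lib/cinched/client.pem server_cacertfile /var/lib/cinched/cacert.pem server_keyfile /var/lib/cinched/key.pem server_certfile /var/lib/cinched/cert.pem -name rpc@REDACTED -boot /root/cinched/rel/cinched/bin/start_clean  -extra --target cinched@REDACTED --module cinched_console --function status -u root'

echo "== ssl_dist_opt values that differ between server and client =="
ssl_dist_opt_diff "$SERVER_CMD" "$CLIENT_CMD"
echo "== files named by the client command that are missing on this host =="
ssl_dist_missing_files "$CLIENT_CMD"
echo "== weak verification settings on the client =="
ssl_dist_weak_settings "$CLIENT_CMD"
```

Run it on a node host with both command lines pasted in; the diff section lists client_keyfile with key.pem on one side and k.pem on the other, plus the four server-only settings, and the weak-settings section reports the missing client_verify on the client.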




More information about the erlang-questions mailing list