[erlang-questions] Enabling TLS-PSK issue, Erlang is missing Ciphers? How would I add new ones?

asdf asdf <>
Fri Jul 7 16:39:03 CEST 2017


Hello everyone,

I am currently working on adding PSK functionality to EMQTT and/or RabbitMQ, and my first goal is to get it working in standard Erlang. I have a client that will connect with public-keys, and I am attempting to modify it to suit my needs.

A problem I have just encountered, though, is that Erlang does not seem to have any PSK ciphers. When I run rp(ssl:cipher_suites(erlang)). in the Erlang terminal, I get a long list of ciphers, but none of them are PSK ciphers. For example, a cipher I am looking for is {psk, aes_256, sha512}, but none are psk:

[{ecdhe_ecdsa,aes_256_gcm,null},
 {ecdhe_rsa,aes_256_gcm,null},
 {ecdhe_ecdsa,aes_256_cbc,sha384},
 {ecdhe_rsa,aes_256_cbc,sha384},
...
... etc


When I run rp(ssl:cipher_suites(openssl)). in the terminal, similarly, there are no PSK ciphers.

However, the Erlang documentation for ssl (http://erlang.org/doc/man/ssl.html) clearly states that PSK is possible. And my openssl does contain PSK ciphers, for that matter. When I run openssl ciphers, two PSK ciphers are available:
PSK-AES256-CBC-SHA and PSK-RC4-SHA

So, when I run my program, the server doesn't recognize the suite:

Here is the output when I try to connect:
Eshell V7.2  (abort with ^G)
1> c(s).
{ok,s}
2> s:start().
<0.52.0>
3> s:client("hello").

=ERROR REPORT==== 7-Jul-2017::10:20:34 ===
Error in process <0.52.0> with exit value:
{{badmatch,{error,closed}},[{s,accept,1,[{file,"s.erl"},{line,13}]}]}
** exception exit: {badmatch,{error,{options,{ciphers,[{psk,aes_256_cbc,
                                                            sha512}]}}}}
     in function  s:client/1 (s.erl, line 36)



Is there any way to add any ciphers to Erlang?


- I know/think that I also need to use a lookup_fun on my server in ssl:listen to go and match the psk_identity presented by the client to a profile. I received this link: https://github.com/erlang/otp/blob/32a1dca92c0f949ef6ce2c751b23aff82f9d998f/lib/ssl/test/ssl_test_lib.erl#L404
from another thread, pointing me to an example implementation of the lookup_fun (sort of, not really). If anyone can shed more light on this, I would greatly appreciate it. This is the next step once my server begins to recognize the cipher suite.


Here is my Erlang code I am working on to enable PSKs:

  1     -module(s).
  2     -export([start/0, client/1, accept/1]).
  3 
  4     start() ->
  5        ssl:start(),
  6        server(4000).
  7 
  8     server(Port) ->
  9             {ok, LSocket} = ssl:listen(Port, [{psk_identity, "abcde"}, {reuseaddr, true}]),
 10             spawn(fun() -> accept(LSocket) end).
 11 
 12     accept(LSocket) ->
 13        {ok, Socket} = ssl:transport_accept(LSocket),
 14        ok = ssl:ssl_accept(Socket),
 15         Pid = spawn(fun() ->
 16             io:format("Connection accepted ~p~n", [Socket]),
 17             loop(Socket)
 18        end),
 19        ssl:controlling_process(Socket, Pid),
 20        accept(LSocket).
 21 
 22     loop(Socket) ->
 23        ssl:setopts(Socket, [{active, once}]),
 24        receive
 25        {ssl,Sock, Data} ->
 26             io:format("Got packet: ~p~n", [Data]),
 27             ssl:send(Sock, Data),
 28             loop(Socket);
 29        {ssl_closed, Sock} ->
 30             io:format("Closing socket: ~p~n", [Sock]);
 31        Error ->
 32             io:format("Error on socket: ~p~n", [Error])
 33        end.
 34 
 35     client(N) ->
 36         {ok, Socket} = ssl:connect("localhost", 4000,  [{ciphers, [{psk, aes_256_cbc, sha512}]}, {psk_identity,"abcde"}]),
 37         io:format("Client opened socket: ~p~n",[Socket]),
 38         ok = ssl:send(Socket, N),
 39         Value = receive
 40                 {ssl,{sslsocket,new_ssl,_}, Data} ->
 41                     io:format("Client received: ~p~n",[Data])
 42                 after 2000 ->
 43                     0
 44                 end,
 45         ssl:close(Socket),
 46         Value.
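
Added example, not part of the original post and not OTP's own code: a minimal PSK echo pair for the OTP 18-era ssl API used in the session above (ssl:cipher_suites(all), ssl:ssl_accept/1), showing where user_lookup_fun goes on each side and how to select suites the runtime actually offers. The module name psk_demo, the key-list format, port 4000 and the sample identity and secret are assumptions made for illustration.

```erlang
-module(psk_demo).
-export([psk_suites/0, lookup/3, demo/0]).

%% Constructed sample data: identity -> shared secret.
-define(KEYS, [{<<"abcde">>, <<1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16>>}]).

%% Plain-PSK suites are absent from cipher_suites(erlang); take them from
%% the full list instead of guessing a tuple the runtime does not implement.
psk_suites() ->
    [S || S <- ssl:cipher_suites(all), element(1, S) =:= psk].

%% Server-side user_lookup_fun: Identity is what the client presented.
%% Returning error for an unknown identity makes the handshake fail.
lookup(psk, Identity, Keys) ->
    case lists:keyfind(iolist_to_binary(Identity), 1, Keys) of
        {_, Secret} -> {ok, Secret};
        false       -> error
    end.

server(Port) ->
    {ok, L} = ssl:listen(Port, [{ciphers, psk_suites()},
                                {user_lookup_fun, {fun lookup/3, ?KEYS}},
                                {reuseaddr, true}, {active, false}]),
    spawn(fun() ->
        {ok, S} = ssl:transport_accept(L),
        ok = ssl:ssl_accept(S),
        {ok, Data} = ssl:recv(S, 0),
        ok = ssl:send(S, Data),
        ssl:close(S)
    end).

%% Client side: the fun receives the server's hint (or undefined), so the
%% secret is carried in UserState instead of being looked up by identity.
client(Port, Identity, Secret) ->
    Fun = fun(psk, _Hint, S) -> {ok, S} end,
    {ok, Sock} = ssl:connect("localhost", Port,
                             [{ciphers, psk_suites()},
                              {psk_identity, Identity},
                              {user_lookup_fun, {Fun, Secret}},
                              {active, false}]),
    ok = ssl:send(Sock, "hello"),
    Reply = ssl:recv(Sock, 0, 2000),
    ssl:close(Sock),
    Reply.

demo() ->
    {ok, _} = application:ensure_all_started(ssl),
    [{Id, Secret}] = ?KEYS,
    server(4000),
    client(4000, binary_to_list(Id), Secret).
```

Calling psk_demo:psk_suites() on its own lists the exact PSK tuples a given release accepts in the ciphers option.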









