SSL in Erlang/OTP
Peter Högfeldt
peter@REDACTED
Wed Nov 19 20:37:35 CET 2003
Hi,
On Mon, 17 Nov 2003, Alexey Shchepin wrote:
> Hi!
>
> Can anyone help with the following issues with the SSL application?
>
> * ssl:accept locks when one TCP connection is established, but the SSL
> handshake is not finished. E.g. if Yaws is listening for SSL connections on
> port 443 and someone runs "telnet this.server 443" (note that this is not
> SSL-enabled telnet), then no one will be able to retrieve web pages via this
> port until this connection is closed. As a temporary solution I use
> ssl:accept with a small timeout value, but this is just a workaround. IMHO
> ssl:accept should not have such behaviour.
In Erlang/OTP SSL you can have several processes, each waiting for an
ssl:accept/N on one and the same port. That is needed to obtain
acceptable (no pun intended) parallelism.
That is not practically possible with gen_tcp:accept/N (if you try it you
will get an error return). I think gen_tcp should accept multiple accepts
as well.
>
> * ssl:send locks if another process runs ssl:recv on the same port. And I
> can't use "{active, true}" option, because I need flow control. Again, as a
> temporary solution I use a timeout value in ssl:recv/3, so ssl:send can work
> several times per second. But this causes a notable increase in CPU load:
> e.g. with ejabberd on jabber.ru (~440 connected users, ~100 using SSL) with
> 20ms timeout -- CPU load is ~40%, with 200ms -- 9-12%, with SSL switched
> off -- 3-4%.
When an SSL-connection has been established all data flow through gen_tcp
to/from the SSL port program, which is then just a multiplexer of data
(slow connections will not impair fast connections).
Seems as if your problem is really a gen_tcp problem?
> * (Feature Request) Many protocols have some kinds of STARTTLS command
> (e.g. IMAP, POP3 (RFC2595), Jabber/XMPP). So it would be great to have
> the ability to convert gen_tcp sockets to ssl ones.
Ok, I am not familiar with STARTTLS or similar, but I will investigate it.
/Peter
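
The stalled-accept problem raised in the first question, handled with the current OTP ssl API (ssl:transport_accept/1 and ssl:handshake/2, which postdate this thread). This is an added example, not code from either poster or from OTP; the module name, certificate file names, pool size and timeouts are assumptions.

```erlang
-module(tls_acceptor).
-export([start/2]).

%% Assumed values (not from the thread): file names, pool size, timeouts.
-define(HANDSHAKE_TIMEOUT, 5000).   % ms allowed for the TLS handshake
-define(RECV_TIMEOUT, 30000).       % ms of idle time before a client is dropped

%% The calling process owns the listen socket and must stay alive.
start(Port, NumAcceptors) ->
    {ok, _} = application:ensure_all_started(ssl),
    {ok, Listen} = ssl:listen(Port, [{certfile, "server.pem"},
                                     {keyfile, "server.key"},
                                     {mode, binary},
                                     {active, false},
                                     {reuseaddr, true}]),
    [spawn(fun() -> acceptor(Listen) end) || _ <- lists:seq(1, NumAcceptors)],
    {ok, Listen}.

acceptor(Listen) ->
    %% transport_accept/1 completes only the TCP accept; no TLS bytes are read.
    case ssl:transport_accept(Listen) of
        {ok, Transport} ->
            %% Replace this acceptor before handshaking, so a peer that never
            %% sends a ClientHello ties up this process only.
            spawn(fun() -> acceptor(Listen) end),
            handshake(Transport);
        {error, closed} -> ok;
        {error, _Reason} ->
            timer:sleep(100),        % back off on transient accept errors
            acceptor(Listen)
    end.

handshake(Transport) ->
    case ssl:handshake(Transport, ?HANDSHAKE_TIMEOUT) of
        {ok, Socket} -> echo(Socket);
        %% Includes timeout: a silent or non-TLS peer is dropped here.
        {error, _Reason} -> ssl:close(Transport)
    end.

%% Placeholder protocol: echo until the peer closes or goes idle.
echo(Socket) ->
    case ssl:recv(Socket, 0, ?RECV_TIMEOUT) of
        {ok, Data} ->
            case ssl:send(Socket, Data) of
                ok -> echo(Socket);
                {error, _} -> ssl:close(Socket)
            end;
        {error, _} ->
            ssl:close(Socket)
    end.
```

With this layout a plain `telnet` connection to the port occupies one process until the handshake timeout expires, while the other acceptors keep serving TLS clients.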