[erlang-questions] How: SSL for distribution in R11B-5?
Michael Regen
michael.regen@REDACTED
Tue Nov 6 22:19:59 CET 2007
Got lots of problems when trying to use SSL as distribution protocol
for Erlang R11B-5. At the end I either get a crash dump or a pang. I
am not very experienced with SSL and I'd really appreciate if someone
here can help!
Currently I am stuck at this point: Everything starts fine but as soon
as I want to ping the second node I get a pang.
If I issue a openssl s_client -connect localhost:56047 -showcerts
I get the following output (... means lines omitted):
CONNECTED(00000003)
...
verify error:num=18:self signed certificate
...
No client certificate CA names sent
---
SSL handshake has read 950 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
...
Key-Arg : None
Start Time: 1194383094
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
Does that mean I made something wrong with the certificates? Just for
now I don't need anything else than self signed certificates.
What I did so far
Unfortunately the Erlang user guide for SSL distribution is not easy
to understand and seems to miss some points. The explanation how a
certificate should be created does not really work. Whatever
certificate I try in the SSL examples folder ends with a crash dump.
Same for certificates built with the make_certs.erl program.
The tutorial 'Distributed erlang using ssl through firewalls' on
trapexit also leaves out this point.
This posting here is the only reference I could find which told me how
the certificate should look like:
http://www.trapexit.org/forum/viewtopic.php?p=22483&sid=c1b22ed8f4db4feb8e4997dcaa3122e0
Ah, certificate and key need to be in one file. At the end I followed
this guide to create my certificate:
http://sial.org/howto/openssl/self-signed/
I also patched ssl_prim.erl following
http://www.erlang.org/pipermail/erlang-questions/2007-July/027879.html.
If I don't patch it, openssl s_client stops after the line
'CONNECTED(00000003)'.
Nevertheless netstat --tcp -n still shows me some bytes hanging in the
Recv-Q of the Erlang server.
Bruce is also right when saying that setting ERL_SSL_DEBUG stops erts
from starting up:
http://www.erlang.org/pipermail/erlang-questions/2007-July/027879.html
So for now I am stuck since I don't know what options I have left.
Anyone here who can help? Thanks in advance!
Cheers,
Michael
More information about the erlang-questions
mailing list