[erlang-questions] How: SSL for distribution in R11B-5?

Michael Regen michael.regen@REDACTED
Tue Nov 6 22:19:59 CET 2007


I got lots of problems when trying to use SSL as the distribution protocol
for Erlang R11B-5. In the end I either get a crash dump or a pang. I
am not very experienced with SSL and I'd really appreciate it if someone
here could help!

Currently I am stuck at this point: everything starts fine, but as soon
as I want to ping the second node I get a pang.
If I issue an openssl s_client -connect localhost:56047 -showcerts
I get the following output (... means lines omitted):

CONNECTED(00000003)
...
verify error:num=18:self signed certificate
...
No client certificate CA names sent
---
SSL handshake has read 950 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
...
    Key-Arg   : None
    Start Time: 1194383094
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

Does that mean I did something wrong with the certificates? Just for
now I don't need anything other than self-signed certificates.

What I did so far
Unfortunately the Erlang user guide for SSL distribution is not easy
to understand and seems to miss some points. The explanation of how a
certificate should be created does not really work. Whatever
certificate I try from the SSL examples folder ends with a crash dump.
Same for certificates built with the make_certs.erl program.
The tutorial 'Distributed erlang using ssl through firewalls' on
trapexit also leaves out this point.

This posting here is the only reference I could find which told me how
the certificate should look:
http://www.trapexit.org/forum/viewtopic.php?p=22483&sid=c1b22ed8f4db4feb8e4997dcaa3122e0

Ah, the certificate and key need to be in one file. In the end I followed
this guide to create my certificate:
http://sial.org/howto/openssl/self-signed/

I also patched ssl_prim.erl following
http://www.erlang.org/pipermail/erlang-questions/2007-July/027879.html.
If I don't patch it, openssl s_client stops after the line
'CONNECTED(00000003)'.

Nevertheless, netstat --tcp -n still shows me some bytes hanging in the
Recv-Q of the Erlang server.

Bruce is also right when saying that setting ERL_SSL_DEBUG stops erts
from starting up:
http://www.erlang.org/pipermail/erlang-questions/2007-July/027879.html

So for now I am stuck since I don't know what options I have left.
Anyone here who can help? Thanks in advance!


Cheers,
Michael
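The one concrete finding in the post is that Erlang's SSL distribution wants the certificate and its private key in a single PEM file, and a bundle missing either half fails late and opaquely (crash dump, pang). The script below is an added example, not code from the original post or from Erlang/OTP: it parses the PEM blocks in a file and reports whether a certificate and a private key are both present before the node is ever started. The sample bundle it ships with is constructed; its base64 bodies are placeholder bytes, not real cryptographic material, and the label set and helper names are my own.

```python
"""Sanity-check a PEM bundle intended for Erlang SSL distribution.

Added example (not from the original post or the Erlang/OTP sources): it
parses the PEM blocks in a file and reports whether both a certificate and a
private key are present, since both must live in one file. The sample bundle
below is constructed; its bodies are placeholder bytes, not real keys.
"""
import base64
import binascii
import re
import sys

# PEM labels that OpenSSL and Erlang's ssl app use for private keys.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.S)


def _pem_block(label, payload):
    """Wrap raw bytes in a PEM block (used only to build the constructed sample)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines)
            + f"\n-----END {label}-----\n")


# Constructed sample: certificate first, then its key, as one file.
SAMPLE_BUNDLE = (
    _pem_block("CERTIFICATE", b"constructed placeholder, not a real certificate")
    + _pem_block("RSA PRIVATE KEY", b"constructed placeholder, not a real key")
)


def parse_pem(text):
    """Return a list of (label, headers, der_bytes) for every PEM block in text.

    Raises ValueError when BEGIN/END labels disagree or a body is not base64.
    """
    blocks = []
    for begin, body, end in _BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        lines = body.splitlines()
        headers = {}
        i = 0
        # Legacy encrypted keys carry "Proc-Type:" / "DEK-Info:" header lines
        # followed by a blank line; base64 text never contains ':'.
        while i < len(lines) and ":" in lines[i]:
            name, value = lines[i].split(":", 1)
            headers[name.strip()] = value.strip()
            i += 1
        if headers and i < len(lines) and lines[i].strip() == "":
            i += 1
        b64 = "".join(line.strip() for line in lines[i:])
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{begin} block is not valid base64: {exc}") from exc
        blocks.append((begin, headers, der))
    return blocks


def check_distribution_bundle(text):
    """Report whether the bundle holds what one-file SSL distribution needs."""
    blocks = parse_pem(text)
    labels = [label for label, _, _ in blocks]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(label in KEY_LABELS for label in labels):
        problems.append("no private key block")
    # A passphrase-protected key is reported separately: it is not wrong,
    # but an unattended node cannot type the passphrase at startup.
    encrypted = any(
        label == "ENCRYPTED PRIVATE KEY" or headers.get("Proc-Type") == "4,ENCRYPTED"
        for label, headers, _ in blocks)
    return {"labels": labels, "problems": problems,
            "encrypted_key": encrypted, "ok": not problems}


if __name__ == "__main__":
    # Usage: python check_bundle.py [bundle.pem]; without a path it checks the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    report = check_distribution_bundle(text)
    print("blocks:", ", ".join(report["labels"]) or "none")
    for problem in report["problems"]:
        print("problem:", problem)
    if report["encrypted_key"]:
        print("note: private key needs a passphrase")
    print("OK" if report["ok"] else "NOT usable as a one-file distribution bundle")
```

Run it against the PEM file named in the node's ssl_dist options; a report of "no private key block" (the state the trapexit thread describes) or "no CERTIFICATE block" is far easier to act on than the crash dump the node produces when handed a half-complete bundle.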


