[erlang-questions] YAWS with SSL Connections Problem

Valentin Micic v@REDACTED
Tue Oct 20 12:26:57 CEST 2009


I really don't see how we know more now than we did at the beginning of this
thread. Surely there has to be an explanation as to what really causes the
problem. Instead, I've learned stuff that I really didn't want to know, such
as how insecure Erlang SSL support is.

Considering that most of the fraud comes from within, e.g. people who may
have access to the machine, how do I:

1) prevent someone from "snooping" the local loopback connection?
2) prevent someone from tracing the ssl_esock process and seeing clear text sent
and received via read and write system calls?

I've always assumed that SSL support is tightly coupled with the linked-in
driver, hence not exposing anything via clear text (well, other than the
user-level function call). I agree that such an implementation might have
been more difficult to accomplish; however, one can at least avoid using
clear-text communication on a loopback connection by providing some form of
pre-arranged symmetric-key encryption.

Am I the only one seeing a *big* problem here?

V/

-----Original Message-----
From: erlang-questions@REDACTED [mailto:erlang-questions@REDACTED] On
Behalf Of Chih - Wei Yu [ MTN - Innovation Centre ]
Sent: 20 October 2009 11:51 AM
To: Tomas Abrahamsson
Cc: erlang-questions@REDACTED
Subject: RE: [erlang-questions] YAWS with SSL Connections Problem

Hi Tomas,

Thank you for your response once again.

Regards,
Chih-Wei Yu

-----Original Message-----
From: Tomas Abrahamsson [mailto:tomas.abrahamsson@REDACTED]
Sent: Tuesday, October 20, 2009 11:12 AM
To: Chih - Wei Yu [ MTN - Innovation Centre ]
Cc: erlang-questions@REDACTED
Subject: Re: [erlang-questions] YAWS with SSL Connections Problem


> Hi Tomas,

> Thank you for your response. But with the enoproxysocket error, will
> it cause a buildup of these IDLE 'connections' that we're seeing on
> the box?

It could be. Does the number of connections in IDLE match
the number of enoproxysocket errors (approximately)?

In a server situation, such as for Yaws, for each incoming
SSL-connection to ssl_esock, the Erlang-side will open
another (plaintext) connection to the ssl_esock (over the
loopback interface).

So shortly after an incoming SSL-connect, the ssl_esock will
use up two file descriptors, one for the SSL-connection and
one for the plaintext connection from the Erlang side. Then
if there's an enoproxysocket error, I guess that after a
while, the client will grow tired of waiting and disconnect,
so then there'll be only the plaintext connection left.


> Is there any other solution perhaps that we can try?

I guess your main options are to either try to make yaws use
the new ssl (and check whether the new ssl works well for
you -- the documentation for new_ssl mentions "alpha
version"), or to move away from Solaris 10 (I guess the same
goes for Solaris 11, but I haven't tested, so I don't know).

BRs
Tomas
