[erlang-questions] SSL distribution fixes (was: Re: SSL distribution issues)

Paul Guyot pguyot@REDACTED
Mon Jan 16 14:06:43 CET 2012

Le 16 janv. 2012 à 10:15, Ingela Andin a écrit :

> There is one blocking problem that I know of that can happen when

> a none ssl node tries to contact an ssl node. If the nodename is
> fairly short the first message can be seen as the begining of a
> correct "ssl/tls"-packet and then it will wait for more data that
> never comes and the other end is waiting for the response for its
> first message. This can be fairly easily fixed by adding a check
> for the value of the first byte for handshake messages.  We will
> be adding this for the next release. This has however not
> interfered with the legitimate nodes in our tests.

This probably is what happens. The other bug I saw is that the client can timeout (using dist_utils:timer) while the proxy doesn't handle this.

What is the rationale behind the use of the proxy? Isn't it related to the old implementation of SSL?

Eventually, we are running a cluster with currently a dozen nodes using the new implementation and the following fixes:
- the proxy is made more robust to a death of the caller (the crash I reported, typically after a timeout);
- inet_tls_dist:setup/5 now links the process just like what inet_tcp_dist:setup/5 does (I also set the priority to maximum like inet_tcp_dist does);
- #hs_data.f_address function was updated to handle the case where the node disappeared, just like inet_tcp_dist does as well. This was done by exporting get_tcp_address from ssl_tls_dist_proxy and changing its return type.

Besides, the proxy is now running on the loopback interface only (the sockets listen on {127,0,0,1}) as it is not meant to be connected from another node, from what I understand...

The patch can be found here:
git fetch git://github.com/pguyot/otp.git ssl_dist-fixes

Semiocast            http://semiocast.com/
+33.183627948 - 20 rue Lacaze, 75014 Paris

More information about the erlang-questions mailing list