[erlang-questions] SSL key / password problems
Matthew Harrell
mharrell-keyword-erlang.a034fe@REDACTED
Mon Jul 23 22:26:37 CEST 2012
I searched but all the information I found was very dated and didn't seem
to help any. Most of these examples are just a few modifications on what
is found here
http://www.erlang.org/doc/apps/ssl/using_ssl.html
First, only TLS v1 is supported at the moment in R15B01, right? Not 1.1 or
1.2?
I have a key pair protected with the password "password" called
client.crt and client.key. When I try to start up a client connection
using that pair I get
ssl:start().
{ok, Socket} = ssl:connect("localhost",
9950,
[{certfile, "client.crt"},
{keyfile, "client.key"}],
infinity).
** exception error: no match of right hand side value {error,ekeyfile}
which is fine because it can't open the private key. But when I try
{ok, Socket} = ssl:connect("localhost",
9950,
[{certfile, "example/client.crt"},
{keyfile, "example/client.key"},
{password, "password"}],
infinity).
** exception error: no match of right hand side value {error,ekeyfile}
I get the same error. What am I doing wrong? Isn't that the point of the
password option? When I try things with openssl like the following it
works fine
openssl s_client -cert example/client.crt -key example/client.key \
-CAfile example/ca.pem -pass pass:password -state -connect 127.0.0.1:9950
Also if I try to load the CA files I get messages about them not being
decoded properly
{ok, Socket} = ssl:connect("localhost",
9950,
[{cacertfile, "/etc/ssl/certs/ca-certificates.crt"},
{certfile, "example/client.crt"},
{keyfile, "example/client.key"},
{password, "password"}],
infinity).
=INFO REPORT==== 23-Jul-2012::15:36:56 ===
SSL WARNING: Ignoring a CA cert as it could not be correctly decoded.
I get the same message on my own ca.crt file with its own key but thought I
would try the system one to see whether it differed
Finally, on the server side if I do the following using server keys (without
passwords) and the openssl client line above
ssl:start().
{ok, ListenSocket} = ssl:listen ( 9950, [{active, true},
{reuseaddr, true},
{keyfile, "example/server.key"},
{certfile, "example/server.crt"},
{backlog, 30}] ).
{ok, Socket} = ssl:transport_accept ( ListenSocket ).
ssl:ssl_accept ( Socket ).
ssl:setopts ( Socket, [{active, true}] ).
then an SSL connection seems to start up fine according to the messages on
the openssl side. If I change this to
ssl:start().
{ok, ListenSocket} = ssl:listen ( 9950, [{active, true},
{reuseaddr, true},
{verify, verify_peer},
{depth, 2},
{cacertfile, "example/ca.pem"},
{keyfile, "example/server.key"},
{certfile, "example/server.crt"},
{backlog, 30}] ).
{ok, Socket} = ssl:transport_accept ( ListenSocket ).
ssl:ssl_accept ( Socket ).
ssl:setopts ( Socket, [{active, true}] ).
where example/ca.pem is the one CA certificate I get
=INFO REPORT==== 23-Jul-2012::16:12:59 ===
SSL WARNING: Ignoring a CA cert as it could not be correctly decoded.
** exception exit: {{{badmatch,
{error,
{asn1,
{'Type not compatible with table constraint',
{{component,'Type'},
{value,{5,<<>>}},
{unique_name_and_value,id,{1,3,14,3,2,29}}}}}}},
[{public_key,pkix_decode_cert,2,
[{file,"public_key.erl"},{line,215}]},
{ssl_certificate,trusted_cert_and_path,3,
[{file,"ssl_certificate.erl"},{line,58}]},
{ssl_handshake,certify,7,
[{file,"ssl_handshake.erl"},{line,216}]},
{ssl_connection,certify,2,
[{file,"ssl_connection.erl"},{line,514}]},
{ssl_connection,next_state,4,
[{file,"ssl_connection.erl"},{line,1929}]},
{gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,494}]},
{proc_lib,init_p_do_apply,3,
[{file,"proc_lib.erl"},{line,227}]}]},
{gen_fsm,sync_send_all_state_event,
[<0.50.0>,start,infinity]}}
in function gen_fsm:sync_send_all_state_event/3 (gen_fsm.erl, line 240)
in call from ssl_connection:sync_send_all_state_event/3 (ssl_connection.erl, line 1195)
in call from ssl_connection:handshake/2 (ssl_connection.erl, line 167)
What does that mean?
Thanks for any help
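The two failures above ({error,ekeyfile} on the password-protected key, and "Ignoring a CA cert as it could not be correctly decoded" followed by an asn1 'Type not compatible with table constraint' error that names the OID {1,3,14,3,2,29}) both come from the public_key decoding that ssl performs on the PEM files before any handshake. The following module is an added diagnostic, not code from the original post or from OTP: it runs the same public_key calls on the key file (with the PEM password) and on each entry of a CA bundle, so the entry that ssl cannot decode is identified by index and error rather than silently skipped. The file names are the post's own paths and are placeholders here; the set of encrypted key formats that pem_entry_decode/2 can decrypt varies by OTP release, so the entry type is reported alongside the result.

```erlang
%% tls_check.erl: added diagnostic example, not part of the original post.
%% Decodes a client key (with its PEM password) and every certificate in a
%% CA bundle using the public_key functions that ssl itself relies on, so a
%% key that ssl reports as {error,ekeyfile} or a CA entry that it "ignores"
%% can be pinpointed before ssl:connect/4 is attempted.
-module(tls_check).
-export([check_key/2, check_ca_bundle/1, main/0]).

%% Decode the first private-key entry in KeyFile using Password.
%% Returns {ok, {EntryType, CipherInfo}} or {error, Reason}.
check_key(KeyFile, Password) ->
    case file:read_file(KeyFile) of
        {ok, Pem} ->
            Entries = [E || {T, _, _} = E <- public_key:pem_decode(Pem),
                            is_key_type(T)],
            case Entries of
                [] ->
                    {error, no_private_key_entry};
                [{Type, _Der, CipherInfo} = Entry | _] ->
                    %% CipherInfo is not_encrypted or {Cipher, Salt}; the
                    %% latter is what the "password" option has to unlock.
                    try public_key:pem_entry_decode(Entry, Password) of
                        _Key -> {ok, {Type, CipherInfo}}
                    catch
                        Class:Reason -> {error, {Class, Reason}}
                    end
            end;
        {error, Reason} ->
            {error, {read_file, Reason}}
    end.

%% Both traditional PEM key types and PKCS#8 types are listed so that the
%% report shows which format the file actually uses.
is_key_type('RSAPrivateKey') -> true;
is_key_type('DSAPrivateKey') -> true;
is_key_type('PrivateKeyInfo') -> true;
is_key_type('EncryptedPrivateKeyInfo') -> true;
is_key_type(_) -> false.

%% Decode every 'Certificate' entry in CAFile the same way ssl does
%% (public_key:pkix_decode_cert/2 in otp mode). Returns a list of
%% {Index, ok} | {Index, {error, Reason}} so the offending entry and the
%% asn1 reason (for example an unknown algorithm OID) are visible.
check_ca_bundle(CAFile) ->
    {ok, Pem} = file:read_file(CAFile),
    Certs = [Der || {'Certificate', Der, not_encrypted}
                        <- public_key:pem_decode(Pem)],
    lists:zipwith(fun(Index, Der) ->
                          try public_key:pkix_decode_cert(Der, otp) of
                              _ -> {Index, ok}
                          catch
                              Class:Reason ->
                                  {Index, {error, {Class, Reason}}}
                          end
                  end,
                  lists:seq(1, length(Certs)), Certs).

%% Placeholder paths taken from the post; replace with the files under test.
main() ->
    io:format("key: ~p~n", [check_key("example/client.key", "password")]),
    [io:format("CA entry ~p: ~p~n", [I, R])
     || {I, R} <- check_ca_bundle("example/ca.pem")],
    ok.
```

Compile and run it with `erlc tls_check.erl && erl -noshell -s tls_check main -s init stop`. A key entry whose CipherInfo is a {Cipher, Salt} tuple and whose decode succeeds confirms that the password is right and the format is one this OTP release can decrypt; a CA entry reported as {error, {error, {asn1, ...}}} is the one ssl drops with the "Ignoring a CA cert" warning, and the asn1 reason shows which field (here an algorithm identifier OID) the decoder rejected.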