[erlang-questions] How to use ecdh self-signed cert files in R19.2 ssl app

赵 汉 botanyzh@REDACTED
Mon Feb 27 14:13:39 CET 2017

Hi!
After many searches in vain, I can’t find an actual example through Google, and I have failed again and again with many procedures.

Only a self-signed set of cert files generated with something like “…. -nodes rsa:1024….” can be used in OTP’s ssl node-to-node communication.

Below are the failed ones.

Procedure 1 succeeded, but the result failed to work in OTP’s ssl

With aes256 encrypted generation

First, generate the key, CSR and certificate for the root CA, something like below:

openssl genrsa -aes256 -out private/cakey.pem 1024
openssl req -new -key private/cakey.pem -out private/ca.csr -subj \

openssl req -x509 -days 365 -sha1 -extensions v3_ca -signkey \
    private/cakey.pem -in private/ca.csr -out certs/ca.cer

Sign the server side:

openssl genrsa -aes256 -out private/server-key.pem 1024
openssl req -new -key private/server-key.pem -out private/server.csr -subj \

openssl req -x509 -days 365 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem \
    -CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer

Procedure 2 succeeded, but the result failed to work in OTP’s ssl

The OpenSSL config file is something like this (may not actually be this):


[ ca ]
default_ca = CA_own

[ CA_own ]
certs = .
new_certs_dir = ./db/certs
database = ./db/index
serial = ./db/serial
RANDFILE = ./db/rand
certificate = ./ca.cert.pem
private_key = ./ca.key.pem
default_days = 7300
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
extensions = v3_ca

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (eg, city)
localityName_default = New York0
organizationName = Organization Name (eg, company)
organizationName_default = Microsoft Corp.
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
unstructuredName_default = Microsoft"

[ v3_ca ]

authorityKeyIdentifier=keyid:always, issuer
basicConstraints = CA:true

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

DNS.1 = rpslc_1@REDACTED
DNS.2 = rpslc_2@REDACTED

First, generate the key, CSR and certificate for the root CA, something like below:

openssl genrsa -out ca.key.pem 2048
openssl req -x509 -new -nodes -key ca.key.pem -days 365 -out ca.cert.pem
openssl genpkey -genparam -algorithm EC -out ecdh.pem \
    -pkeyopt ec_paramgen_curve:brainpoolP512r1
openssl req -nodes -new -newkey ec:ecdh.pem -keyout 1ecdh.key.pem -out 1ecdh.csr.pem

openssl ca -in 1ecdh.csr.pem -out 1ecdh.crt.pem -config $CONF_FILE

And finally I get 8 files for the 2 nodes to connect to each other.

Base options from the gen_rpc app:

-define(SSL_DEFAULT_COMMON_OPTS, [binary,

        {nodelay,true}, % Send our requests immediately
        {send_timeout_close,true}, % When the socket times out, close the connection
        {delay_send,false}, % Scheduler should favor timely delivery
        {linger,{true,2}}, % Allow the socket to flush outgoing data for 2" before closing it - useful for casts
        {reuseaddr,true}, % Reuse local port numbers
        {keepalive,true}, % Keep our channel open
        {tos,72}, % Deliver immediately

        %% SSL options

-define(SSL_DEFAULT_SERVER_OPTS, [{fail_if_no_peer_cert,true},

-define(SSL_DEFAULT_CLIENT_OPTS, [{server_name_indication,disable},


And the extra options:

        ssl_client_options: [
            certfile: certfile,
            keyfile: keyfile,
            cacertfile: './priv/ssl/ca.cert.pem',
            eccs: [:brainpoolP512r1]
        ],
        ssl_server_options: [
            certfile: certfile,
            keyfile: keyfile,
            cacertfile: './priv/ssl/ca.cert.pem',
            eccs: [:brainpoolP512r1]
        ]


The two nodes are both on one CentOS system.
And when I try ssl:connect/4, I get the error below:

“ tls_connection.erl:704:Fatal error: handshake failure - malformed_handshake_data”;

{tls_alert,"handshake failure"};

And when I try openssl s_client, I get the error below:

openssl s_client -connect  -cert 2.crt.pem -key 2.key.pem   -CAfile ca.cert.pem -cipher ECDH-RSA-AES256-GCM-SHA384  -debug


depth=1 C = CN, ST = cq, L = cq, O = s, OU = p, CN = botanyzh, emailAddress = botanyzh@REDACTED

verify return:1

depth=0 C = US, ST = Uniden, L = 00abcdef1234, O = sprt, OU = potato, CN = rpslc_1@REDACTED, emailAddress = botanyzh@REDACTED

verify return:1

140467656820416:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40

140467656820416:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

With the extra “-debug”:

write to 0x159aa30 [0x15acb00] (6 bytes => -1 (0xFFFFFFFFFFFFFFFF))


Please help me.

About the ssl source:
the ECDH cert seems not to be usable for OTP's ssl.
When I debugged, I found that the call from ssl_connection:handle_peer_cert_key/5 to public_key:generate_key/1 can never match.

The public_key interface is:

generate_key(#'DHParameter'{prime = P, base = G}) ->
    crypto:generate_key(dh, [P, G]);
generate_key({namedCurve, _} = Params) ->

generate_key(#'ECParameters'{} = Params) ->

But the argument it is called with is {ecParameters, 'ECParameters'{} = Params}

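The `{namedCurve, _}` and `{ecParameters, _}` shapes mentioned in the post mirror the X.509 EC parameters CHOICE: a curve OID, an explicit parameter SEQUENCE, or NULL. The Python check below is an added example, not part of the original post or of OTP; it reports which encoding an `EC PARAMETERS` file (such as `ecdh.pem`) or a `PUBLIC KEY` block carries. The function names and both sample inputs are constructed for illustration.

```python
import base64
import re

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def oid_to_str(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def ec_param_encoding(pem):
    """Classify EC parameters: OID = named curve, SEQUENCE = explicit, NULL = implicitlyCA."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, der = m.group(1), base64.b64decode(m.group(2))
    if label == "PUBLIC KEY":  # SubjectPublicKeyInfo: SEQ { SEQ { alg OID, params }, BIT STRING }
        alg_id = read_tlv(read_tlv(der)[1])[1]
        _, alg_oid, nxt = read_tlv(alg_id)
        if oid_to_str(alg_oid) != "1.2.840.10045.2.1":  # id-ecPublicKey
            raise ValueError("not an EC public key")
        der = alg_id[nxt:]
    elif label != "EC PARAMETERS":
        raise ValueError("unsupported PEM label: " + label)
    tag, body, _ = read_tlv(der)
    kind = {0x06: "named_curve", 0x30: "explicit", 0x05: "implicit_ca"}.get(tag)
    if kind is None:
        raise ValueError("unexpected tag 0x%02x" % tag)
    return kind, oid_to_str(body) if tag == 0x06 else None

def pem_wrap(label, der):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der).decode(), label)

# Constructed samples, not from the post: brainpoolP512r1 by OID, and a toy explicit curve over F_23.
NAMED_PEM = pem_wrap("EC PARAMETERS", bytes.fromhex("06092b240303020801010d"))
EXPLICIT_PEM = pem_wrap("EC PARAMETERS", bytes.fromhex("3021020101300c06072a8648ce3d01010201173006040101040101040304050102011d"))
```

OpenSSL's `genpkey` accepts `-pkeyopt ec_param_enc:named_curve` or `ec_param_enc:explicit` to choose the encoding when the parameters are generated.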