From e74ae61325c4bc6f3a4503b2e628361784214274 Mon Sep 17 00:00:00 2001 From: Raimo Niskanen Date: Wed, 29 Nov 2017 09:58:22 +0100 Subject: Read in -ssl_dist_optfile to ETS --- lib/ssl/doc/src/ssl_distribution.xml | 128 +++++++++++++++++++++++++++++------ 1 file changed, 106 insertions(+), 22 deletions(-) (limited to 'lib/ssl/doc/src') diff --git a/lib/ssl/doc/src/ssl_distribution.xml b/lib/ssl/doc/src/ssl_distribution.xml index 61f88e3860..7f8a08f704 100644 --- a/lib/ssl/doc/src/ssl_distribution.xml +++ b/lib/ssl/doc/src/ssl_distribution.xml @@ -4,7 +4,7 @@
- 20002016 + 20002017 Ericsson AB. All Rights Reserved. @@ -180,10 +180,96 @@ Eshell V5.0 (abort with ^G)
Specifying SSL Options -

For SSL to work, at least - a public key and a certificate must be specified for the server - side. In the following example, the PEM-files consist of two - entries, the server certificate and its private key.

+ +

+ The SSL distribution options can be written into a file + that is consulted when the node is started. This file name + is then specified with the command line argument + -ssl_dist_optfile. +

+

+ Any available SSL option can be specified in an options file, + but note that options that take a fun() has to use + the syntax fun Mod:Func/Arity since a function + body can not be compiled when consulting a file. +

+

+ Do not tamper with the socket options + list, binary, active, packet, + nodelay and deliver since they are used + by the distribution protocol handler itself. + Other raw socket options such as packet_size may + interfere severely, so beware! +

+

+ For SSL to work, at least a public key and a certificate + must be specified for the server side. + In the following example, the PEM file + "/home/me/ssl/erlserver.pem" contains both + the server certificate and its private key. +

+

+ Create a file named for example + "/home/me/ssl/ssl_test@myhost.conf": +

+ + +

+ And then start the node like this + (line breaks in the command are for readability, + and shall not be there when typed): +

+ + +

+ The options in the {server, Opts} tuple are used + when calling ssl:ssl_accept/3, and the options in the + {client, Opts} tuple are used when calling + ssl:connect/4. +

+

+ For the client, the option + {server_name_indication, atom_to_list(TargetNode)} + is added when connecting. + This makes it possible to use the client option + {verify, verify_peer}, + and the client will verify that the certificate matches + the node name you are connecting to. + This only works if the the server certificate is issued + to the name atom_to_list(TargetNode). +

+

+ For the server it is also possible to use the option + {verify, verify_peer} and the server will only accept + client connections with certificates that are trusted by + a root certificate that the server knows. + A client that presents an untrusted certificate will be rejected. + This option is preferably combined with + {fail_if_no_peer_cert, true} or a client will + still be accepted if it does not present any certificate. +

+

+ A node started in this way is fully functional, using SSL + as the distribution protocol. +

+
+ +
+ Specifying SSL Options (Legacy) + +

+ As in the previous section the PEM file + "/home/me/ssl/erlserver.pem" contains both + the server certificate and its private key. +

On the erl command line you can specify options that the SSL distribution adds when creating a socket.

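Review bot: the client-side {verify, verify_peer} paragraph (the one ending "issued to the name atom_to_list(TargetNode)") says the client will check that the certificate matches the node name, but that check only happens after the chain validates, which requires the client to have a trust anchor configured (a cacertfile entry in the {client, Opts} list); with verify_peer and no trust anchor the client rejects every server, so state that prerequisite explicitly instead of leaving the reader to discover it from the connection failure. The server paragraph has the same gap: "a root certificate that the server knows" should say where that root is configured. Also fix the doubled "the" in "if the the server certificate", change "options that take a fun() has to use" to "have to use", and "can not" to "cannot".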
@@ -226,24 +312,26 @@ Eshell V5.0 (abort with ^G) SSL options and their values. Argument -ssl_dist_opt can be repeated any number of times.

-

An example command line can now look as follows +

+ An example command line doing the same as the example + in the previous section can now look as follows (line breaks in the command are for readability, - and are not be there when typed):

- + and shall not be there when typed): +

+ -

A node started in this way is fully functional, using SSL - as the distribution protocol.

+(ssl_test@myhost)1>]]> +
- Setting up Environment to Always Use SSL + Setting up Environment to Always Use SSL (Legacy)

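Review bot: the heading is renamed to "Specifying SSL Options (Legacy)" but nothing in the section tells the reader what "Legacy" means here: whether -ssl_dist_opt is still supported, merely discouraged in favour of -ssl_dist_optfile, or scheduled for removal. Add one sentence stating its status and pointing to the options-file section, otherwise the label is unexplained; the same applies to the "Setting up Environment to Always Use SSL (Legacy)" heading at the end of this hunk.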
A convenient way to specify arguments to Erlang is to use environment variable ERL_FLAGS. All the flags needed to use the SSL distribution can be specified in that variable and are @@ -285,15 +373,11 @@ Eshell V5.0 (abort with ^G) variable.

An example command line with this option would look like this:

- + + -ssl_dist_optfile "/home/me/ssl/ssl_test@myhost.conf" + -sname ssl_test]]> +

A node started in this way will only be able to communicate with other nodes using SSL distribution over IPv6.

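Review bot: the sentence after the example says a node started this way only communicates using SSL distribution over IPv6, but the arguments shown in the hunk (-ssl_dist_optfile "/home/me/ssl/ssl_test@myhost.conf" and -sname ssl_test) do not by themselves select IPv6, and the options file they reference is the one created in an earlier section. Say in the text which argument selects the IPv6 transport and that the same options file is being reused, so the example reads correctly on its own.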
-- cgit v1.2.3