This chapter describes how the Erlang distribution can use SSL to get additional verification and security.
The Erlang distribution can in theory use almost any connection
based protocol as bearer. A module that implements the protocol
specific parts of the connection setup is however needed. The
default distribution module is
In the SSL application there is an additional distribution
module,
The security level depends on the parameters provided to the SSL connection setup. Erlang node cookies are however always used, as they can be used to differentiate between two different Erlang networks.
Setting up Erlang distribution over SSL involves some simple but necessary steps:
The rest of this chapter describes the above mentioned steps in more detail.
Boot scripts are built using the
The simplest boot script possible includes only the Kernel
and STDLIB applications. Such a script is located in the
Erlang distributions bin directory. The source for the script
can be found under the Erlang installation top directory under
An example .rel file with SSL added may look like this:
{release, {"OTP APN 181 01","R15A"}, {erts, "5.9"},
[{kernel,"2.15"},
{stdlib,"1.18"},
{crypto, "2.0.3"},
{public_key, "0.12"},
{ssl, "5.0"}
]}.
Note that the version numbers surely will differ in your system. Whenever one of the applications included in the script is upgraded, the script has to be changed.
Assuming the above .rel file is stored in a file
1> systools:make_script("start_ssl",[]).
There will now be a file
whereis(ssl_manager).
<0.41.0> ]]>
The
As an alternative to building a bootscript, one can explicitly
add the path to the SSL
Note that the clone of the SSL application is necessary to enable the use of the SSL code in such an early bootstage as needed to setup the distribution, however this will make it impossible to soft upgrade the SSL application.
The distribution module for SSL is named
Extending the command line from above gives us the following:
$ erl -boot /home/me/ssl/start_ssl -proto_dist inet_tls
For the distribution to actually be started, we need to give the emulator a name as well:
$ erl -boot /home/me/ssl/start_ssl -proto_dist inet_tls -sname ssl_test
Erlang (BEAM) emulator version 5.0 [source]
Eshell V5.0 (abort with ^G)
(ssl_test@myhost)1>
Note however that a node started in this way will refuse to talk to other nodes, as no ssl parameters are supplied (see below).
For SSL to work, at least a public key and certificate needs to be specified for the server side. In the following example the PEM-files consists of two entries the servers certificate and its private key.
On the
One can specify the simpler SSL options certfile, keyfile,
password, cacertfile, verify, reuse_sessions,
secure_renegotiation, depth, hibernate_after and ciphers (use old
string format) by adding the prefix server_ or client_ to the
option name. The server can also take the options dhfile and
fail_if_no_peer_cert (also prefixed).
More complex options such as verify_fun are not available at the moment but a mechanism to handle such options may be added in a future release.
Raw socket options such as packet and size must not be specified on the command line
.The command line argument for specifying the SSL options is named
An example command line would now look something like this (line breaks in the command are for readability, they should not be there when typed):
$ erl -boot /home/me/ssl/start_ssl -proto_dist inet_tls
-ssl_dist_opt server_certfile "/home/me/ssl/erlserver.pem"
-ssl_dist_opt server_secure_renegotiation true client_secure_renegotiate true
-sname ssl_test
Erlang (BEAM) emulator version 5.0 [source]
Eshell V5.0 (abort with ^G)
(ssl_test@myhost)1>
A node started in this way will be fully functional, using SSL as the distribution protocol.
A convenient way to specify arguments to Erlang is to use the
In a Unix (Bourne) shell it could look like this (line breaks for readability, they should not be there when typed):
$ ERL_FLAGS="-boot /home/me/ssl/start_ssl -proto_dist inet_tls
-ssl_dist_opt server_certfile /home/me/ssl/erlserver.pem
-ssl_dist_opt server_secure_renegotiation true client_secure_renegotiate true"
$ export ERL_FLAGS
$ erl -sname ssl_test
Erlang (BEAM) emulator version 5.0 [source]
Eshell V5.0 (abort with ^G)
(ssl_test@myhost)1> init:get_arguments().
[{root,["/usr/local/erlang"]},
{progname,["erl "]},
{sname,["ssl_test"]},
{boot,["/home/me/ssl/start_ssl"]},
{proto_dist,["inet_tls"]},
{ssl_dist_opt,["server_certfile","/home/me/ssl/erlserver.pem"]},
{ssl_dist_opt,["server_secure_renegotiation","true",
"client_secure_renegotiate","true"]
{home,["/home/me"]}]
The