To see relevant version information for ssl, call
To see all supported cipher suites, call
This section shows a small example of how to set up client/server connections
using the Erlang shell. The returned value of the
The minimal setup is not the most secure setup of SSL/TLS/DTLS.
To set up client/server connections:
Step 1: Start the server side:
1 server> ssl:start().
ok
Step 2: Create a TLS listen socket: (To run DTLS add the option {protocol, dtls})
2 server> {ok, ListenSocket} =
ssl:listen(9999, [{certfile, "cert.pem"}, {keyfile, "key.pem"},{reuseaddr, true}]).
{ok,{sslsocket, [...]}}
Step 3: Do a transport accept on the TLS listen socket:
3 server> {ok, Socket} = ssl:transport_accept(ListenSocket).
{ok,{sslsocket, [...]}}
Step 4: Start the client side:
1 client> ssl:start().
ok
To run DTLS add the option {protocol, dtls} to the third argument.
2 client> {ok, Socket} = ssl:connect("localhost", 9999, [], infinity).
{ok,{sslsocket, [...]}}
Step 5: Do the TLS handshake:
4 server> ok = ssl:ssl_accept(Socket).
ok
Step 6: Send a message over TLS:
5 server> ssl:send(Socket, "foo").
ok
Step 7: Flush the shell message queue to see that the message was sent on the server side:
3 client> flush().
Shell got {ssl,{sslsocket,[...]},"foo"}
ok
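The shell session above, as an added example module that is not part of the OTP ssl documentation: it performs the same listen/transport_accept/ssl_accept/connect/send sequence, but turns on the checks the minimal setup leaves off (server and client verify each other against a CA, the client checks the server name, TLS 1.0/1.1 are not offered, and sockets are passive so handshake data never lands in a process mailbox). The files cacerts.pem, cert.pem, key.pem, client_cert.pem and client_key.pem are assumed to exist and to chain to the CA in cacerts.pem; the module and function names are this example's own. It uses ssl_accept/1 as the page does; OTP 21 introduced ssl:handshake/1 for the same step and later releases removed ssl_accept.

```erlang
%% Added example (not from the OTP ssl documentation): the minimal
%% shell session above as a module, with peer verification switched on.
%% Assumed files (not on this page): cacerts.pem (issuing CA),
%% cert.pem/key.pem for the server, client_cert.pem/client_key.pem for
%% the client, all issued by that CA.
-module(tls_minimal_hardened).
-export([server/1, client/1, demo/1]).

%% Server side: listen, accept one connection, require a client
%% certificate that chains to cacerts.pem, echo the first message back.
server(Port) ->
    ok = ssl:start(),
    {ok, ListenSocket} = ssl:listen(Port, [
        binary,
        {reuseaddr, true},
        {active, false},               % read with ssl:recv/3; nothing is delivered to the mailbox
        {certfile, "cert.pem"},
        {keyfile, "key.pem"},
        {cacertfile, "cacerts.pem"},
        {verify, verify_peer},         % default is verify_none: any client would be accepted
        {fail_if_no_peer_cert, true},  % a client without a certificate fails the handshake
        {versions, ['tlsv1.2']}        % no TLS 1.0/1.1; add 'tlsv1.3' on OTP 22 or later
    ]),
    {ok, Socket} = ssl:transport_accept(ListenSocket),
    ok = ssl:ssl_accept(Socket),       % as on this page; OTP 21+ also offers ssl:handshake/1
    {ok, Data} = ssl:recv(Socket, 0, 5000),
    ok = ssl:send(Socket, Data),
    ok = ssl:close(Socket),
    ok = ssl:close(ListenSocket),
    {ok, Data}.

%% Client side: connect, verify the server certificate and the name it
%% was issued for, present our own certificate, send "foo", read the echo.
client(Port) ->
    ok = ssl:start(),
    {ok, Socket} = ssl:connect("localhost", Port, [
        binary,
        {active, false},
        {cacertfile, "cacerts.pem"},
        {verify, verify_peer},                  % reject servers not signed by our CA
        {server_name_indication, "localhost"},  % sent as SNI; OTP 20+ also checks it against the certificate
        {certfile, "client_cert.pem"},
        {keyfile, "client_key.pem"},
        {versions, ['tlsv1.2']}
    ], 5000),
    ok = ssl:send(Socket, <<"foo">>),
    {ok, Echo} = ssl:recv(Socket, 0, 5000),
    ok = ssl:close(Socket),
    {ok, Echo}.

%% Run both ends in one node: tls_minimal_hardened:demo(9999).
%% Returns {ok, <<"foo">>, <<"foo">>} when handshake and echo succeed;
%% a certificate that does not chain to cacerts.pem makes the handshake fail.
demo(Port) ->
    Parent = self(),
    spawn_link(fun() -> Parent ! {server_done, server(Port)} end),
    timer:sleep(200),   % give the listener time to bind before connecting (demo only)
    {ok, Echo} = client(Port),
    receive
        {server_done, {ok, Got}} -> {ok, Got, Echo}
    after 5000 -> error(server_timeout)
    end.
```

Compile with c(tls_minimal_hardened) in the shell and call demo/1, or run server/1 and client/1 in two shells as the session above does. The two option lists are where the security difference to the shell session lives: without {verify, verify_peer} and {cacertfile, ...} on the client, any certificate the server presents is accepted, and without {fail_if_no_peer_cert, true} on the server a client that sends no certificate still completes the handshake.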
To upgrade a TCP/IP connection to an SSL connection, the client and server must agree to do so. The agreement can be accomplished by using a protocol, for example, the one used by HTTP specified in RFC 2817.
To upgrade to an SSL connection:
Step 1: Start the server side:
1 server> ssl:start().
ok
Step 2: Create a normal TCP listen socket:
2 server> {ok, ListenSocket} = gen_tcp:listen(9999, [{reuseaddr, true}]).
{ok, #Port<0.475>}
Step 3: Accept client connection:
3 server> {ok, Socket} = gen_tcp:accept(ListenSocket).
{ok, #Port<0.476>}
Step 4: Start the client side:
1 client> ssl:start().
ok
2 client> {ok, Socket} = gen_tcp:connect("localhost", 9999, [], infinity).
Step 5: Ensure active is set to false before trying to upgrade the connection:
4 server> inet:setopts(Socket, [{active, false}]).
ok
Step 6: Do the TLS handshake:
5 server> {ok, TLSSocket} = ssl:ssl_accept(Socket, [{cacertfile, "cacerts.pem"},
{certfile, "cert.pem"}, {keyfile, "key.pem"}]).
{ok,{sslsocket,[...]}}
Step 7: Upgrade to a TLS connection. The client and server
must agree upon the upgrade. The server must call
3 client> {ok, TLSSocket} = ssl:connect(Socket, [{cacertfile, "cacerts.pem"},
{certfile, "cert.pem"}, {keyfile, "key.pem"}], infinity).
{ok,{sslsocket,[...]}}
Step 8: Send a message over TLS:
4 client> ssl:send(TLSSocket, "foo").
ok
Step 9: Set active to true on the TLS socket:
4 server> ssl:setopts(TLSSocket, [{active, true}]).
ok
Step 10: Flush the shell message queue to see that the message was sent on the client side:
5 server> flush().
Shell got {ssl,{sslsocket,[...]},"foo"}
ok
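The upgrade session above as an added example module (not code from the OTP ssl documentation). The plaintext "STARTTLS" / "OK" exchange is a constructed stand-in for the agreement the text mentions, in the spirit of the RFC 2817 upgrade, not that protocol itself. It shows why Step 5 matters: the TCP socket is put in passive mode before the upgrade so that the client's first handshake record is read by ssl:ssl_accept/2 rather than delivered to the owning process as a {tcp, ...} message. The certificate and key files are assumed as in the session; module and function names are this example's own.

```erlang
%% Added example (not from the OTP ssl documentation): upgrading a
%% gen_tcp connection to TLS after a plaintext agreement. The
%% "STARTTLS"/"OK" lines are a constructed protocol for this example.
%% Assumed files: cacerts.pem, cert.pem, key.pem, client_cert.pem,
%% client_key.pem, all chaining to the CA in cacerts.pem.
-module(tls_upgrade_demo).
-export([server/1, client/1]).

%% Options used by both ends; verification is on, unlike the shell session.
-define(COMMON_TLS_OPTS, [
    {cacertfile, "cacerts.pem"},
    {verify, verify_peer},
    {versions, ['tlsv1.2']}
]).

%% Server side: plain TCP accept, plaintext agreement, then TLS.
server(Port) ->
    ok = ssl:start(),
    {ok, ListenSocket} = gen_tcp:listen(Port, [binary, {packet, line},
                                               {reuseaddr, true}, {active, false}]),
    {ok, Socket} = gen_tcp:accept(ListenSocket),
    %% Agreement in plaintext: the client asks, the server confirms.
    {ok, <<"STARTTLS\r\n">>} = gen_tcp:recv(Socket, 0, 5000),
    ok = gen_tcp:send(Socket, <<"OK\r\n">>),
    %% Step 5 of the session: the socket must be passive (and raw) before
    %% the handshake. In active mode the ClientHello would arrive here as a
    %% {tcp, Socket, Bytes} message and the handshake would never see it.
    ok = inet:setopts(Socket, [{active, false}, {packet, 0}]),
    {ok, TLSSocket} = ssl:ssl_accept(Socket, [{certfile, "cert.pem"}, {keyfile, "key.pem"},
                                              {fail_if_no_peer_cert, true} | ?COMMON_TLS_OPTS]),
    {ok, Msg} = ssl:recv(TLSSocket, 3, 5000),   % exactly the 3 bytes of "foo"
    ok = ssl:send(TLSSocket, Msg),              % echo it back over TLS
    ok = ssl:close(TLSSocket),
    ok = gen_tcp:close(ListenSocket),
    {ok, Msg}.

%% Client side: plain TCP connect, ask for the upgrade, then TLS.
client(Port) ->
    ok = ssl:start(),
    {ok, Socket} = gen_tcp:connect("localhost", Port,
                                   [binary, {packet, line}, {active, false}], 5000),
    ok = gen_tcp:send(Socket, <<"STARTTLS\r\n">>),
    {ok, <<"OK\r\n">>} = gen_tcp:recv(Socket, 0, 5000),
    ok = inet:setopts(Socket, [{packet, 0}]),
    %% TLS starts only now. The server is either already in ssl_accept or,
    %% because its socket is passive, finds the ClientHello in the socket
    %% buffer when it gets there.
    {ok, TLSSocket} = ssl:connect(Socket, [{server_name_indication, "localhost"},
                                           {certfile, "client_cert.pem"},
                                           {keyfile, "client_key.pem"}
                                           | ?COMMON_TLS_OPTS], 5000),
    ok = ssl:send(TLSSocket, <<"foo">>),
    {ok, Echo} = ssl:recv(TLSSocket, 3, 5000),
    ok = ssl:close(TLSSocket),
    {ok, Echo}.
```

Run tls_upgrade_demo:server(9999) in one shell and tls_upgrade_demo:client(9999) in another, as the session above does; both return {ok, <<"foo">>} on success. The packet option is reset to 0 before the upgrade because ssl takes the inet options of the socket it inherits, and ssl:recv/3 with a non-zero length is only valid in raw mode.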