1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
<?xml version="1.0" encoding="latin1" ?>
<!DOCTYPE appref SYSTEM "appref.dtd">
<appref>
<header>
<copyright>
<year>1999</year><year>2009</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
The contents of this file are subject to the Erlang Public License,
Version 1.1, (the "License"); you may not use this file except in
compliance with the License. You should have received a copy of the
Erlang Public License along with this software. If not, it can be
retrieved online at http://www.erlang.org/.
Software distributed under the License is distributed on an "AS IS"
basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
the License for the specific language governing rights and limitations
under the License.
</legalnotice>
<title>ssl</title>
<prepared>Peter Högfeldt</prepared>
<responsible>Peter Högfeldt</responsible>
<docno></docno>
<approved>Peter Högfeldt</approved>
<checked>Peter Högfeldt</checked>
<date>2005-03-10</date>
<rev>E</rev>
<file>ssl_app.sgml</file>
</header>
<app>ssl</app>
<appsummary>The SSL Application</appsummary>
<description>
<p>The Secure Socket Layer (SSL) application provides secure
socket communication over TCP/IP.
</p>
</description>
<section>
<title>Warning</title>
<p>In previous versions of Erlang/OTP SSL it was advised, as a
work-around, to set the operating system environment variable
<c>SSL_CERT_FILE</c> to point at a file containing CA
certificates. That variable is no longer needed, and is not
recognised by Erlang/OTP SSL any more.
</p>
<p>However, the OpenSSL package does interpret that environment
variable. Hence a setting of that variable might have
unpredictable effects on the Erlang/OTP SSL application. It is
therefore adviced to not used that environment variable at all.</p>
</section>
<section>
<title>Environment</title>
<p>The following application environment configuration parameters
are defined for the SSL application. Refer to application(3) for
more information about configuration parameters.
</p>
<p>Note that the environment parameters can be set on the command line,
for instance,</p>
<p><c>erl ... -ssl protocol_version '[sslv2,sslv3]' ...</c>.
</p>
<taglist>
<tag><c><![CDATA[ephemeral_rsa = true | false <optional>]]></c></tag>
<item>
<p>Enables all SSL servers (those that listen and accept)
to use ephemeral RSA key generation when a clients connect with
weak handshake cipher specifications, that need equally weak
ciphers from the server (i.e. obsolete restrictions on export
ciphers). Default is <c>false</c>.
</p>
</item>
<tag><c><![CDATA[debug = true | false <optional>]]></c></tag>
<item>
<p>Causes debug information to be written to standard
output. Default is <c>false</c>.
</p>
</item>
<tag><c><![CDATA[debugdir = path() | false <optional>]]></c></tag>
<item>
<p>Causes debug information output controlled by <c>debug</c>
and <c>msgdebug</c> to be printed to a file named
<c><![CDATA[ssl_esock.<pid>.log]]></c> in the directory specified by
<c>debugdir</c>, where <c><![CDATA[<pid>]]></c> is the operating system
specific textual representation of the process identifier
of the external port program of the SSL application. Default
is <c>false</c>, i.e. no log file is produced.
</p>
</item>
<tag><c><![CDATA[msgdebug = true | false <optional>]]></c></tag>
<item>
<p>Sets <c>debug = true</c> and causes also the contents
of low level messages to be printed to standard output.
Default is <c>false</c>.
</p>
</item>
<tag><c><![CDATA[port_program = string() | false <optional>]]></c></tag>
<item>
<p>Name of port program. The default is <c>ssl_esock</c>.
</p>
</item>
<tag><c><![CDATA[protocol_version = [sslv2|sslv3|tlsv1] <optional>]]></c>.</tag>
<item>
<p>Name of protocols to use. If this option is not set,
all protocols are assumed, i.e. the default value is
<c>[sslv2, sslv3, tlsv1]</c>.
</p>
</item>
<tag><c><![CDATA[proxylsport = integer() | false <optional>]]></c></tag>
<item>
<p>Define the port number of the listen port of the
SSL port program. Almost never is this option needed.
</p>
</item>
<tag><c><![CDATA[proxylsbacklog = integer() | false <optional>]]></c></tag>
<item>
<p>Set the listen queue size of the listen port of the
SSL port program. The default is 128.
</p>
</item>
</taglist>
</section>
<section>
<title>OpenSSL libraries</title>
<p>The current implementation of the Erlang SSL application is
based on the <em>OpenSSL</em> package version 0.9.7 or higher.
There are source and binary releases on the web.
</p>
<p>Source releases of OpenSSL can be downloaded from the <url href="http://www.openssl.org">OpenSSL</url> project home page,
or mirror sites listed there.
</p>
<p>The same URL also contains links to some compiled binaries and
libraries of OpenSSL (see the <c>Related/Binaries</c> menu) of
which the <url href="http://www.shininglightpro.com/search.php?searchname=Win32+OpenSSL">Shining Light Productions Win32 and OpenSSL</url> pages are of
interest for the Win32 user.
</p>
<p>For some Unix flavours there are binary packages available
on the net.
</p>
<p>If you cannot find a suitable binary OpenSSL package, you
have to fetch an OpenSSL source release and compile it.
</p>
<p>You then have to compile and install the libraries
<c>libcrypto.so</c> and <c>libssl.so</c> (Unix), or the
libraries <c>libeay32.dll</c> and <c>ssleay32.dll</c> (Win32).
</p>
<p>For Unix The <c>ssl_esock</c> port program is delivered linked
to OpenSSL libraries in <c>/usr/local/lib</c>, but the default
dynamic linking will also accept libraries in <c>/lib</c> and
<c>/usr/lib</c>.
</p>
<p>If that is not applicable to the particular Unix operating
system used, the example <c>Makefile</c> in the SSL
<c>priv/obj</c> directory, should be used as a guide to
relinking the final version of the port program.
</p>
<p>For <c>Win32</c> it is only required that the libraries can be
found from the <c>PATH</c> environment variable, or that they
reside in the appropriate <c>SYSTEM32</c> directory; hence no
particular relinking is need. Hence no example <c>Makefile</c>
for Win32 is provided.</p>
</section>
<section>
<title>Restrictions</title>
<p>Users must be aware of export restrictions and patent rights
concerning cryptographic software.
</p>
</section>
<section>
<title>SEE ALSO</title>
<p>application(3)</p>
</section>
</appref>
|
