1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
<?xml version="1.0" encoding="latin1" ?>
<!DOCTYPE chapter SYSTEM "chapter.dtd">
<chapter>
<header>
<copyright>
<year>2003</year><year>2009</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
The contents of this file are subject to the Erlang Public License,
Version 1.1, (the "License"); you may not use this file except in
compliance with the License. You should have received a copy of the
Erlang Public License along with this software. If not, it can be
retrieved online at http://www.erlang.org/.
Software distributed under the License is distributed on an "AS IS"
basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
the License for the specific language governing rights and limitations
under the License.
</legalnotice>
<title>Using the SSL application</title>
<prepared>Peter Högfeldt</prepared>
<docno></docno>
<date>2003-04-23</date>
<rev>PA2</rev>
<file>using_ssl.xml</file>
</header>
<p>Here we provide an introduction to using the Erlang/OTP SSL
application, which is accessed through the <c>ssl</c> interface
module.
</p>
<p>We also present example code in the Erlang module
<c>client_server</c>, also provided in the directory
<c>ssl-X.Y.Z/examples</c>, with source code in <c>src</c> and the
compiled module in <c>ebin</c> of that directory.
</p>
<section>
<title>The ssl Module</title>
<p>The <c>ssl</c> module provides the user interface to the Erlang/OTP
SSL application. The interface functions provided are very similar
to those provided by the <c>gen_tcp</c> and <c>inet</c> modules.
</p>
<p>Servers use the interface functions <c>listen</c> and
<c>accept</c>. The <c>listen</c> function specifies a TCP port
to to listen to, and each call to the <c>accept</c> function
establishes an incoming connection.
</p>
<p>Clients use the <c>connect</c> function which specifies the address
and port of a server to connect to, and a successful call establishes
such a connection.
</p>
<p>The <c>listen</c> and <c>connect</c> functions have almost all
the options that the corresponding functions in <c>gen_tcp/</c> have,
but there are also additional options specific to the SSL protocol.
</p>
<p>The most important SSL specific option is the <c>cacertfile</c>
option which specifies a local file containing trusted CA
certificates which are and used for peer authentication. This
option is used by clients and servers in case they want to
authenticate their peers.
</p>
<p>The <c>certfile</c> option specifies a local path to a file
containing the certificate of the holder of the connection
endpoint. In case of a server endpoint this option is mandatory
since the contents of the sever certificate is needed in the
the handshake preceding the establishment of a connection.
</p>
<p>Similarly, the <c>keyfile</c> option points to a local file
containing the private key of the holder of the endpoint. If the
<c>certfile</c> option is present, this option has to be
specified as well, unless the private key is provided in the
same file as specified by the <c>certfile</c> option (a
certificate and a private key can thus coexist in the same file).
</p>
<p>The <c>verify</c> option specifies how the peer should be verified:
</p>
<taglist>
<tag>0</tag>
<item>Do not verify the peer,</item>
<tag>1</tag>
<item>Verify peer,</item>
<tag>2</tag>
<item>Verify peer, fail the verification if the peer has no
certificate. </item>
</taglist>
<p>The <c>depth</c> option specifies the maximum length of the
verification certificate chain. Depth = 0 means the peer
certificate, depth = 1 the CA certificate, depth = 2 the next CA
certificate etc. If the verification process does not find a
trusted CA certificate within the maximum length, the verification
fails.
</p>
<p>The <c>ciphers</c> option specifies which ciphers to use (a
string of colon separated cipher names). To obtain a list of
available ciphers, evaluate the <c>ssl:ciphers/0</c> function
(the SSL application has to be running).
</p>
</section>
<section>
<title>A Client-Server Example</title>
<p>Here is a simple client server example.
</p>
<codeinclude file="../../examples/src/client_server.erl" tag="" type="erl"></codeinclude>
</section>
</chapter>
|
