File: using_ssl.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- This document was generated using DocBuilder-0.9.8.4 -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Using the SSL application</title>
  <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
  <script type="text/javascript" src="../../../../doc/erlresolvelinks.js"></script>
  <style type="text/css">
<!--
    body          { font-family: Verdana, Arial, Helvetica, sans-serif }
    span.bold_code        { font-family: courier;font-weight: bold}
    span.code        { font-family: courier;font-weight: normal}

.note, .warning {
  border: solid black 1px;
  margin: 1em 3em;
}

.note .label {
  background: #30d42a;
  color: white;
  font-weight: bold;
  padding: 5px 10px;
}
.note .content {
  background: #eafeea;
  color: black;
  line-height: 120%;
  font-size: 90%;
  padding: 5px 10px;
}
.warning .label {
  background: #C00;
  color: white;
  font-weight: bold;
  padding: 5px 10px;
}
.warning .content {
  background: #FFF0F0;
  color: black;
  line-height: 120%;
  font-size: 90%;
  padding: 5px 10px;
}

    .example     { background-color:#eeeeff } 
    pre          { font-family: courier; font-weight: normal }
    .REFBODY     { margin-left: 13mm }
    .REFTYPES    { margin-left: 8mm }
-->
  </style>
</head>
<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#FF00FF" alink="#FF0000">
<center>
<a href="http://www.ericsson.com/technology/opensource/erlang"><img border="0" alt="[Ericsson AB]" src="min_head.gif"/></a>
</center><a name="2"><!-- Empty --></a>
<h2>2 Using the SSL application</h2>

<p>Here we provide an introduction to using the Erlang/OTP SSL
application, which is accessed through the <span class="code">ssl</span> interface
module. 

</p>
<p>We also present example code in the Erlang module
<span class="code">client_server</span>, also provided in the directory
<span class="code">ssl-X.Y.Z/examples</span>, with source code in <span class="code">src</span> and the
compiled module in <span class="code">ebin</span> of that directory.

</p><a name="2.1"><!-- Empty --></a>
<h3>2.1 The ssl Module</h3>

<p>The <span class="code">ssl</span> module provides the user interface to the Erlang/OTP
SSL application. The interface functions provided are very similar
to those provided by the <span class="code">gen_tcp</span> and <span class="code">inet</span> modules. 

</p>
<p>Servers use the interface functions <span class="code">listen</span> and
<span class="code">accept</span>. The <span class="code">listen</span> function specifies a TCP port
to listen on, and each call to the <span class="code">accept</span> function
establishes an incoming connection.

</p>
<p>Clients use the <span class="code">connect</span> function which specifies the address 
and port of a server to connect to, and a successful call establishes
such a connection. 

</p>
<p>The <span class="code">listen</span> and <span class="code">connect</span> functions accept almost all
the options that the corresponding functions in <span class="code">gen_tcp</span> accept, 
but there are also additional options specific to the SSL protocol. 

</p>
<p>The most important SSL specific option is the <span class="code">cacertfile</span>
option, which specifies a local file containing the trusted CA
certificates used for peer authentication. This
option is used by clients and servers that want to
authenticate their peers.

</p>
<p>The <span class="code">certfile</span> option specifies a local path to a file
containing the certificate of the holder of the connection
endpoint. For a server endpoint this option is mandatory,
since the contents of the server certificate are needed in the
handshake preceding the establishment of a connection. 

</p>
<p>Similarly, the <span class="code">keyfile</span> option points to a local file
containing the private key of the holder of the endpoint. If the
<span class="code">certfile</span> option is present, this option has to be
specified as well, unless the private key is provided in the
same file as specified by the <span class="code">certfile</span> option (a
certificate and a private key can thus coexist in the same file).

</p>
<p>The <span class="code">verify</span> option specifies how the peer should be verified:

</p>
<dl>

<dt>
0
</dt>

<dd>
Do not verify the peer.
</dd>

<dt>
1
</dt>

<dd>
Verify the peer.
</dd>

<dt>
2
</dt>

<dd>
Verify the peer, and fail the verification if the peer has no 
certificate. 
</dd>

</dl>

<p>The <span class="code">depth</span> option specifies the maximum length of the
certificate chain that is walked during verification. A depth of 0
allows only the peer certificate, a depth of 1 also the CA certificate
that issued it, a depth of 2 the next CA certificate above that, and so
on. If the verification process does not find a trusted CA certificate
within the maximum length, the verification fails.

</p>
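<p>The following module is an added example written for this page; it is not part of the OTP SSL application or its <span class="code">examples</span> directory. It applies the rules above (server needs a <span class="code">certfile</span>, <span class="code">verify</span> must be 2 for real peer authentication, <span class="code">cacertfile</span> must be present, <span class="code">depth</span> must be a non-negative integer, <span class="code">keyfile</span> may be omitted only when the key is in the certificate file) to an option list before it reaches <span class="code">ssl:listen/2</span> or <span class="code">ssl:connect/3</span>. The module name and the assumption that a combined PEM file marks its key with a <span class="code">PRIVATE KEY</span> block are my own.</p>

```erlang
%%% Added example, not from the OTP ssl documentation: pre-flight check of an
%%% ssl option list against the rules for verify, depth, cacertfile,
%%% certfile and keyfile described in this section.
-module(ssl_opts_check).
-export([check/2]).

%% check(Role, Opts) -> ok | {error, Reason}
%% Role is server or client; Opts is the list for ssl:listen/2 or ssl:connect/3.
check(Role, Opts) when Role =:= server; Role =:= client ->
    case {Role, proplists:get_value(certfile, Opts)} of
        {server, undefined} -> {error, server_certfile_required}; % mandatory for servers
        _ -> check_verify(Opts)
    end.

%% Only verify 2 both checks the peer and refuses a peer without a certificate.
check_verify(Opts) ->
    case proplists:get_value(verify, Opts) of
        undefined -> {error, verify_not_set};
        0 -> {error, peer_not_verified};          % verify 0 authenticates nobody
        1 -> {error, peer_may_omit_certificate};  % verify 1 lets a cert-less peer through
        2 -> check_chain(Opts);
        V -> {error, {bad_verify, V}}
    end.

%% With verification on, a trusted CA file is required and depth, if given,
%% must be a non-negative integer, otherwise no chain can ever validate.
check_chain(Opts) ->
    Depth = proplists:get_value(depth, Opts),
    case proplists:get_value(cacertfile, Opts) of
        undefined -> {error, no_cacertfile};
        _ when Depth =/= undefined, not is_integer(Depth) -> {error, {bad_depth, Depth}};
        _ when is_integer(Depth), Depth < 0 -> {error, {bad_depth, Depth}};
        _ -> check_key(Opts)
    end.

%% certfile without keyfile is valid only if the PEM file also holds the
%% private key (assumed here to be marked by a "PRIVATE KEY" block).
check_key(Opts) ->
    case {proplists:get_value(certfile, Opts), proplists:get_value(keyfile, Opts)} of
        {undefined, _} -> ok;                     % client presenting no certificate
        {_, Key} when Key =/= undefined -> ok;
        {CertFile, undefined} -> key_in_certfile(CertFile)
    end.

key_in_certfile(CertFile) ->
    case file:read_file(CertFile) of
        {ok, Bin} ->
            case string:str(binary_to_list(Bin), "PRIVATE KEY") of
                0 -> {error, {keyfile_missing, CertFile}};
                _ -> ok
            end;
        {error, Reason} -> {error, {cannot_read_certfile, CertFile, Reason}}
    end.
```

<p>Running <span class="code">ssl_opts_check:check(server, Opts)</span> on the list that <span class="code">mk_opts(listen)</span> in the example below builds returns <span class="code">ok</span>; dropping <span class="code">{verify, 2}</span> from that list makes it return <span class="code">{error, verify_not_set}</span> before any socket is opened.</p>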
<p>The <span class="code">ciphers</span> option specifies which ciphers to use (a
string of colon separated cipher names). To obtain a list of
available ciphers, evaluate the <span class="code">ssl:ciphers/0</span> function
(the SSL application has to be running). 

</p><a name="2.2"><!-- Empty --></a>
<h3>2.2 A Client-Server Example</h3>

<p>Here is a simple client-server example. 

</p>
<div class="example"><pre>
%%% Purpose: Example of SSL client and server using example certificates.

-module(client_server).

-export([start/0, start/1, init_connect/1]).

start() -&#62;
    start([ssl, subject]).

start(CertOpts) -&#62;
    %% Start ssl application
    application:start(ssl),

    %% Always seed 
    ssl:seed(&#34;ellynatefttidppohjeh&#34;),

    %% Let the current process be the server that listens and accepts
    %% Listen
    {ok, LSock} = ssl:listen(0, mk_opts(listen)),
    {ok, LPort} = ssl:port(LSock),
    io:fwrite(&#34;Listen: port = ~w.~n&#34;, [LPort]),

    %% Spawn the client process that connects to the server
    spawn(?MODULE, init_connect, [{LPort, CertOpts}]),

    %% Accept
    {ok, ASock} = ssl:accept(LSock),
    io:fwrite(&#34;Accept: accepted.~n&#34;),
    {ok, Cert} = ssl:peercert(ASock, CertOpts),
    io:fwrite(&#34;Accept: peer cert:~n~p~n&#34;, [Cert]),
    io:fwrite(&#34;Accept: sending \&#34;hello\&#34;.~n&#34;),
    ssl:send(ASock, &#34;hello&#34;),
    {error, closed} = ssl:recv(ASock, 0),
    io:fwrite(&#34;Accept: detected closed.~n&#34;),
    ssl:close(ASock),
    io:fwrite(&#34;Listen: closing and terminating.~n&#34;),
    ssl:close(LSock),
    application:stop(ssl).


%% Client connect
init_connect({LPort, CertOpts}) -&#62;
    {ok, Host} = inet:gethostname(), 
    {ok, CSock} = ssl:connect(Host, LPort, mk_opts(connect)),
    io:fwrite(&#34;Connect: connected.~n&#34;),
    {ok, Cert} = ssl:peercert(CSock, CertOpts),
    io:fwrite(&#34;Connect: peer cert:~n~p~n&#34;, [Cert]),
    {ok, Data} = ssl:recv(CSock, 0),
    io:fwrite(&#34;Connect: got data: ~p~n&#34;, [Data]),
    io:fwrite(&#34;Connect: closing and terminating.~n&#34;),
    ssl:close(CSock).

mk_opts(listen) -&#62;
    mk_opts(&#34;server&#34;);
mk_opts(connect) -&#62;
    mk_opts(&#34;client&#34;);
mk_opts(Role) -&#62;
    Dir = filename:join([code:lib_dir(ssl), &#34;examples&#34;, &#34;certs&#34;, &#34;etc&#34;]),
    [{active, false}, 
     {verify, 2},
     {depth, 2},
     {cacertfile, filename:join([Dir, Role, &#34;cacerts.pem&#34;])}, 
     {certfile, filename:join([Dir, Role, &#34;cert.pem&#34;])}, 
     {keyfile, filename:join([Dir, Role, &#34;key.pem&#34;])}].


</pre></div>
<center>
<hr/>
<small>ssl 3.9<br/>
  Copyright &copy; 1991-2008
  <a href="http://www.ericsson.com/technology/opensource/erlang">Ericsson AB</a><br/>
</small>
</center></body>
</html>