How to use ecdh self-signed cert files in R19.2 ssl app


赵 汉

Hi!
After many searches in vain, I can't find an actual example through Google, and I have failed again and again with many procedures.

Only a self-signed set of cert files generated with something like “…. -nodes rsa:1024….” can be used in OTP's ssl node-to-node communication.

Below are the ones that failed.

Procedure 1 succeeded, but the result failed to work in OTP's ssl

With aes256-encrypted key generation

First, generate the key, CSR and cert for the root CA, something like below:


openssl genrsa -aes256 -out private/cakey.pem 1024

openssl req -new -key private/cakey.pem -out private/ca.csr -subj \

openssl x509 -req -days 365 -sha1 -extensions v3_ca -signkey \
private/cakey.pem -in private/ca.csr -out certs/ca.cer

Sign the server side:

openssl genrsa -aes256 -out private/server-key.pem 1024

openssl req -new -key private/server-key.pem -out private/server.csr -subj \

openssl x509 -req -days 365 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem \
-CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer


Procedure 2 succeeded, but the result failed to work in OTP's ssl

The OpenSSL config file is something like this (it may not be exactly this):


[ ca ]
default_ca = CA_own

[ CA_own ]
certs = .
new_certs_dir = ./db/certs
database = ./db/index
serial = ./db/serial
RANDFILE = ./db/rand
certificate = ./ca.cert.pem
private_key = ./ca.key.pem
default_days = 7300
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
extensions = v3_ca

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (eg, city)
localityName_default = New York0
organizationName = Organization Name (eg, company)
organizationName_default = Microsoft Corp.
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
unstructuredName_default = Microsoft

[ v3_ca ]
authorityKeyIdentifier=keyid:always, issuer
basicConstraints = CA:true

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = rpslc_1@
DNS.2 = rpslc_2@


First, generate the key, CSR and cert for the root CA, something like below:

openssl genrsa -out ca.key.pem 2048
openssl req -x509 -new -nodes -key ca.key.pem -days 365 -out ca.cert.pem
openssl genpkey -genparam -algorithm EC -out ecdh.pem \
        -pkeyopt ec_paramgen_curve:brainpoolP512r1
openssl req -nodes -new -newkey ec:ecdh.pem -keyout 1ecdh.key.pem -out 1ecdh.csr.pem

openssl ca -in 1ecdh.csr.pem -out 1ecdh.crt.pem -config $CONF_FILE

And finally I get 8 files for 2 nodes to connect to each other.

Base options from the gen_rpc app:

-define(SSL_DEFAULT_COMMON_OPTS, [binary,
        {nodelay,true}, % Send our requests immediately
        {send_timeout_close,true}, % When the socket times out, close the connection
        {delay_send,false}, % Scheduler should favor timely delivery
        {linger,{true,2}}, % Allow the socket to flush outgoing data for 2" before closing it - useful for casts
        {reuseaddr,true}, % Reuse local port numbers
        {keepalive,true}, % Keep our channel open
        {tos,72}, % Deliver immediately
        %% SSL options
-define(SSL_DEFAULT_SERVER_OPTS, [{fail_if_no_peer_cert,true},
-define(SSL_DEFAULT_CLIENT_OPTS, [{server_name_indication,disable},

And extra options:

ssl_client_options: [
            certfile: certfile,
            keyfile: keyfile,
            cacertfile: './priv/ssl/ca.cert.pem',
            eccs: [:brainpoolP512r1]
        ],
ssl_server_options: [
            certfile: certfile,
            keyfile: keyfile,
            cacertfile: './priv/ssl/ca.cert.pem',
            eccs: [:brainpoolP512r1]
        ]

The two nodes are both on one CentOS system.
And when I try ssl:connect/4, I get the error below:

tls_connection.erl:704:Fatal error: handshake failure - malformed_handshake_data;
{tls_alert,"handshake failure"};

And when I try openssl s_client, I get the error below:

openssl s_client -connect  -cert 2.crt.pem -key 2.key.pem   -CAfile ca.cert.pem -cipher ECDH-RSA-AES256-GCM-SHA384  -debug
depth=1 C = CN, ST = cq, L = cq, O = s, OU = p, CN = botanyzh, emailAddress = [hidden email]
verify return:1
depth=0 C = US, ST = Uniden, L = 00abcdef1234, O = sprt, OU = potato, CN = rpslc_1@, emailAddress = [hidden email]
verify return:1
140467656820416:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
140467656820416:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
With the extra -debug:
write to 0x159aa30 [0x15acb00] (6 bytes => -1 (0xFFFFFFFFFFFFFFFF))

Please help me

About the ssl source:
The ECDH cert seems not to be usable with OTP's ssl.
When I debugged, I found that the call from ssl_connection:handle_peer_cert_key/5 to public_key:generate_key/1 can never match.

The public_key interface is:

generate_key(#'DHParameter'{prime = P, base = G}) ->
crypto:generate_key(dh, [P, G]);
generate_key({namedCurve, _} = Params) ->
generate_key(#'ECParameters'{} = Params) ->

But the argument it is called with is {ecParameters, 'ECParameters'{} = Params}




Sent from Mail for Windows 10


erlang-questions mailing list
[hidden email]
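
Added example, not part of the original post or of OTP: a Python check that reads the AlgorithmIdentifier of a DER SubjectPublicKeyInfo and names which parameters alternative an EC key carries, the namedCurve OID form that `generate_key({namedCurve, _})` matches or the explicit ecParameters form the post reports. The sample keys are constructed (all-zero dummy point, stub explicit parameters), and the helper names `der` and `sample_spki` are assumptions of this example.

```python
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")      # OID 1.2.840.10045.2.1
BRAINPOOL_P512R1 = bytes.fromhex("2b240303020801010d")  # OID 1.3.36.3.3.2.8.1.1.13
KINDS = {0x06: "namedCurve", 0x30: "ecParameters", 0x05: "implicitlyCA"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def ec_param_encoding(spki):
    """Name the EC parameters alternative used by a DER SubjectPublicKeyInfo."""
    tag, body, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    tag, alg, _ = read_tlv(body, 0)        # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, pos = read_tlv(alg, 0)
    if tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey key")
    tag, _, _ = read_tlv(alg, pos)         # the parameters CHOICE
    if tag not in KINDS:
        raise ValueError("unexpected parameters tag 0x%02x" % tag)
    return KINDS[tag]

def der(tag, value):
    """Encode one DER element; used only to build the constructed samples."""
    raw = len(value).to_bytes((len(value).bit_length() + 7) // 8 or 1, "big")
    head = raw if len(value) < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + value

def sample_spki(params):
    """Constructed SPKI: the given parameters plus an all-zero dummy point."""
    point = der(0x03, b"\x00\x04" + bytes(128))
    return der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + params) + point)

NAMED = sample_spki(der(0x06, BRAINPOOL_P512R1))
EXPLICIT = sample_spki(der(0x30, der(0x02, b"\x01")))  # stub: version field only

if __name__ == "__main__":
    for name, spki in (("named", NAMED), ("explicit", EXPLICIT)):
        print(name, "->", ec_param_encoding(spki))
```

To run it on a real certificate, feed it the output of `openssl x509 -in 1ecdh.crt.pem -noout -pubkey | openssl pkey -pubin -outform DER`. When parameters are generated with `openssl genpkey`, `-pkeyopt ec_param_enc:named_curve` requests the named form.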