<?xml version="1.0" encoding="latin1" ?>
<!DOCTYPE chapter SYSTEM "chapter.dtd">
<year>2003</year><year>2009</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
The contents of this file are subject to the Erlang Public License,
Version 1.1, (the "License"); you may not use this file except in
compliance with the License. You should have received a copy of the
Erlang Public License along with this software. If not, it can be
retrieved online at http://www.erlang.org/.
Software distributed under the License is distributed on an "AS IS"
basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
the License for the specific language governing rights and limitations
<title>Using the SSL application</title>
<prepared>Peter Högfeldt</prepared>
<date>2003-04-23</date>
<file>using_ssl.sgml</file>
<p>Here we provide an introduction to using the Erlang/OTP SSL
application, which is accessed through the <c>ssl</c> interface
<p>We also present example code in the Erlang module
<c>client_server</c>, also provided in the directory
<c>ssl-X.Y.Z/examples</c>, with source code in <c>src</c> and the
compiled module in <c>ebin</c> of that directory.
<title>The ssl Module</title>
<p>The <c>ssl</c> module provides the user interface to the Erlang/OTP
SSL application. The interface functions provided are very similar
to those provided by the <c>gen_tcp</c> and <c>inet</c> modules.
<p>Servers use the interface functions <c>listen</c> and
<c>accept</c>. The <c>listen</c> function specifies a TCP port
to listen to, and each call to the <c>accept</c> function
establishes an incoming connection.
<p>Clients use the <c>connect</c> function which specifies the address
and port of a server to connect to, and a successful call establishes
<p>The <c>listen</c> and <c>connect</c> functions have almost all
the options that the corresponding functions in <c>gen_tcp</c> have,
but there are also additional options specific to the SSL protocol.
<p>The most important SSL specific option is the <c>cacertfile</c>
option which specifies a local file containing trusted CA
certificates which are used for peer authentication. This
option is used by clients and servers in case they want to
authenticate their peers.
<p>The <c>certfile</c> option specifies a local path to a file
containing the certificate of the holder of the connection
endpoint. In case of a server endpoint this option is mandatory
since the contents of the server certificate are needed in the
handshake preceding the establishment of a connection.
<p>Similarly, the <c>keyfile</c> option points to a local file
containing the private key of the holder of the endpoint. If the
<c>certfile</c> option is present, this option has to be
specified as well, unless the private key is provided in the
same file as specified by the <c>certfile</c> option (a
certificate and a private key can thus coexist in the same file).
<p>The <c>verify</c> option specifies how the peer should be verified:
<item>Do not verify the peer,</item>
<item>Verify peer,</item>
<item>Verify peer, fail the verification if the peer has no
<p>The <c>depth</c> option specifies the maximum length of the
verification certificate chain. Depth = 0 means the peer
certificate, depth = 1 the CA certificate, depth = 2 the next CA
certificate etc. If the verification process does not find a
trusted CA certificate within the maximum length, the verification
<p>The <c>ciphers</c> option specifies which ciphers to use (a
string of colon-separated cipher names). To obtain a list of
available ciphers, evaluate the <c>ssl:ciphers/0</c> function
(the SSL application has to be running).
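The options described above combined in one module, as an added example that is not the chapter's <c>client_server</c> code: the server requires and verifies a client certificate, the client verifies the server, and both use the <c>listen</c>, <c>accept</c> and <c>connect</c> functions of the interface this chapter describes, with the <c>verify</c> levels numbered 0 to 2 in the order listed above. Certificate file paths, the port number and the depth value are assumptions.

```erlang
%% Added example (not the chapter's code); paths, port, depth are assumptions.
-module(mutual_auth).
-export([start_server/0, client/0]).
-define(PORT, 9999).
-define(CA_FILE, "/path/to/cacert.pem").   % assumed trusted CA certificates

ensure_started() ->
    case application:start(ssl) of
        ok -> ok;
        {error, {already_started, ssl}} -> ok
    end.

start_server() ->
    ok = ensure_started(),
    %% verify 2: verify the client certificate and fail the handshake if
    %% none is presented.  depth 1: the chain may be at most peer -> CA.
    {ok, LSock} = ssl:listen(?PORT, [{active, false}, {reuseaddr, true},
                                     {certfile, "/path/to/server-cert.pem"},
                                     {keyfile, "/path/to/server-key.pem"},
                                     {cacertfile, ?CA_FILE},
                                     {verify, 2}, {depth, 1}]),
    spawn(fun() -> accept_loop(LSock) end),
    {ok, LSock}.

accept_loop(LSock) ->
    case ssl:accept(LSock) of
        {ok, Sock} ->
            %% Only a client whose certificate chains to ?CA_FILE gets here.
            {ok, Data} = ssl:recv(Sock, 0),
            ok = ssl:send(Sock, ["echo: ", Data]),
            ssl:close(Sock),
            accept_loop(LSock);
        {error, closed} ->
            ok;
        {error, Reason} ->
            %% Rejected handshake (e.g. no client certificate): no data exchanged.
            io:format("handshake rejected: ~p~n", [Reason]),
            accept_loop(LSock)
    end.

client() ->
    ok = ensure_started(),
    %% verify 1: check the server certificate against the same CA file.
    {ok, Sock} = ssl:connect("localhost", ?PORT, [{active, false},
                              {certfile, "/path/to/client-cert.pem"},
                              {keyfile, "/path/to/client-key.pem"},
                              {cacertfile, ?CA_FILE},
                              {verify, 1}, {depth, 1}]),
    ok = ssl:send(Sock, "hello"),
    {ok, Reply} = ssl:recv(Sock, 0),
    ssl:close(Sock),
    Reply.
```

A client that connects without a certificate chaining to the CA file is turned away in <c>ssl:accept/1</c>, so it never reaches the <c>recv</c>/<c>send</c> exchange.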
<title>A Client-Server Example</title>
<p>Here is a simple client-server example.
<codeinclude file="../../examples/src/client_server.erl" tag="" type="erl"></codeinclude>