[rabbitmq-discuss] CRL support

Balachandher Srinivasan sbchand at gmail.com
Tue Oct 8 01:23:09 BST 2013


Hello all,

Please find below my further observations,

1. Erlang adopted a more elegant way to express higher-order functions 
(funs), based on http://www.erlang.org/eeps/eep-0023.html.  So, {Module, 
Function} would typically be represented as Module:Function/Arity.

2. Based on the EEP mentioned above and the SSL documentation, I was able 
to write a test program and validate CRL successfully by referring to a 
function either internally within the same module or from an external 
module. For an internal module's function, I used the form {verify_fun, 
{fun validate/3, []}}; for an external module's function, I used the form 
{verify_fun, {fun cert_util:validate/3, []}}.

3. After successfully writing a test program, I tried to apply the same in 
rabbitmq; however, rabbitmq was unable to start and I witnessed the 
following in the logs,

*/var/log/rabbitmq/startup_log*
{"could not start kernel pid",application_controller,"error in config file 
\"/etc/rabbitmq/rabbitmq.config\" (1): bad term"}

*/var/log/rabbitmq/startup_err*
Crash dump was written to: erl_crash.dump
could not start kernel pid (application_controller) (error in config file 
"/etc/rabbitmq/rabbitmq.config" (1): bad term)


4. It was clear from the above that rabbitmq was unable to take the EEP-23 
form for verify_fun, so I tried reverting the funs back to the old form, 
{Module, Function}.  When I tried restarting, it gave no errors and 
started successfully, but my CRL validation function was never called.

5. The RabbitMQ site suggests using R14B (erts 4.0.1) as the minimum 
version in order to use SSL reliably.  I tried using R16B (erts-5.10.1) on 
64-bit CentOS, which internally uses ssl-5.2.1.  I also tried R16B01 
(erts-5.10.2) on 64-bit Windows 7, which internally uses ssl-5.3.1.  
Between these versions, a lot of bugs were fixed and enhancements applied 
in the SSL application: http://www.erlang.org/doc/apps/ssl/notes.html.  

To summarize, though RabbitMQ states R14B as the minimum version for 
reliable SSL, I wonder whether it is compatible with the latest SSL 
available in the recent Erlang distributions.

Regards
Bala
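
Added example, not part of the original post and not the author's test program or RabbitMQ code: a 3-arity verify_fun of the kind described in point 2, passed straight to the ssl application in the EEP-23 form. The module name crl_verify_example and the use of UserState as a list of revoked serial numbers are assumptions; it matches serials against that in-memory list instead of fetching and parsing a CRL.

```erlang
-module(crl_verify_example).
-export([validate/3, ssl_opts/1]).

%% Record definitions for #'OTPCertificate'{} and #'OTPTBSCertificate'{}.
-include_lib("public_key/include/public_key.hrl").

%% verify_fun callback: validate(OtpCert, Event, UserState).
%% UserState here is a list of revoked serial numbers (an assumption of
%% this example). Serial numbers are only unique per issuer, so a
%% production check must match issuer and serial against the real CRL.

%% Path validation already failed for another reason: keep failing,
%% never turn a bad_cert into an accept.
validate(_Cert, {bad_cert, _} = Reason, _Revoked) ->
    {fail, Reason};

%% Extensions this function does not understand are left to ssl.
validate(_Cert, {extension, _}, Revoked) ->
    {unknown, Revoked};

%% 'valid' is reported for each certificate in the chain that passed
%% path validation, 'valid_peer' for the peer certificate itself.
%% Check every one of them, so a revoked intermediate is caught too.
validate(Cert, Event, Revoked) when Event =:= valid; Event =:= valid_peer ->
    TBS = Cert#'OTPCertificate'.tbsCertificate,
    Serial = TBS#'OTPTBSCertificate'.serialNumber,
    case lists:member(Serial, Revoked) of
        true  -> {fail, {bad_cert, cert_revoked}};
        false -> {valid, Revoked}
    end.

%% Options for ssl:listen/2 or ssl:connect/3, built in code so the fun
%% is a real fun value. RevokedSerials becomes the initial UserState.
ssl_opts(RevokedSerials) ->
    [{verify, verify_peer},
     {fail_if_no_peer_cert, true},
     {verify_fun, {fun ?MODULE:validate/3, RevokedSerials}}].
```

Without {verify, verify_peer} and {fail_if_no_peer_cert, true} on the server side, a client that presents no certificate never reaches the callback, so the revocation check is silently skipped.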

