<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Bala,<div><br></div><div>A few things....</div><div><br></div><div>1. the verify_fun is an option that Erlang's SSL application takes, not a rabbit specific item</div><div><br></div><div><br><div><div>On 8 Oct 2013, at 01:23, Balachandher Srinivasan wrote:</div><blockquote type="cite"><div dir="ltr"><div>1. <span style="line-height: 17px;">Erlang adopted a more elegant way to express higher order functions (funs), based on </span><a href="http://www.erlang.org/eeps/eep-0023.html" style="line-height: 17px;">http://www.erlang.org/eeps/eep-0023.html</a><span style="line-height: 17px;">. So, {Module, Function} would be typically represented as Module:Function/Arity</span></div><div><span style="line-height: 17px;"><br></span></div></div></blockquote><div><br></div><div>You can't always do that in a config file - it depends on whether you have literals or are trying to use bound variables (where no binding exists). See <a href="http://www.erlang.org/doc/man/config.html">http://www.erlang.org/doc/man/config.html</a> for details, but basically the file needs to conform to the same specification that file:consult/1 uses - see <a href="http://www.erlang.org/doc/man/file.html#consult-1">http://www.erlang.org/doc/man/file.html#consult-1</a> for more details. If you can't execute `file:consult("/path/to/your/rabbit/config")' then the config file isn't valid.</div><br><blockquote type="cite"><div dir="ltr"><div><span style="line-height: 17px;">2. Based on the EEP mentioned above and the SSL documentation, I was able to write a test program and validate CRL successfully by referring a function either internally within the same module or from an external module. For internal module's function, I used the form, {verify_fun, {fun validate/3, []}}; for external module's function, I used the form {verify_fun, {fun cert_util:validate/3, []}}.</span></div><div><span style="line-height: 17px;"><br></span></div></div></blockquote><div><br></div><div>That won't work in a config file. To test this for yourself, create a text file containing just that term:</div><div><br></div><div>$ echo '[{verify_fun, {fun lists:foldl/3, []}}].' >> foo.config</div><div><br></div><div>And try to parse it in the shell:</div><div><br></div><div>Eshell V5.10.2 (abort with ^G)</div><div>1> file:consult("foo.config").</div><div>{error,{1,erl_parse,"bad term"}} </div><br><blockquote type="cite"><div dir="ltr"><div><span style="line-height: 17px;">3. After successfully writing a test program, I tried to apply the same in rabbitmq; however, rabbitmq was unable to start and I witnessed the following in the logs,</span></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><div><b style="line-height: 17px;">/var/log/rabbitmq/startup_log</b></div><div><div><span style="line-height: 17px;">{"could not start kernel pid",application_controller,"error in config file \"/etc/rabbitmq/rabbitmq.config\" (1): bad term"}</span></div></div><div><div><span style="line-height: 17px;"><br></span></div></div><div><div><span style="line-height: 17px;"><b>/var/log/rabbitmq/startup_err</b></span></div></div><div><div><span style="line-height: 17px;"><div>Crash dump was written to: erl_crash.dump</div></span></div></div><div><div><span style="line-height: 17px;"><div>could not start kernel pid (application_controller) (error in config file "/etc/rabbitmq/rabbitmq.config" (1): bad term)</div></span></div></div></blockquote><div><br></div></div></blockquote><div><br></div><div>This indicates that the config file contains invalid syntax. As I said, the `fun Mod:Func/Arity' syntax isn't valid in a system configuration file. </div><br><blockquote type="cite"><div dir="ltr"><div>4. It was clear from the above that rabbitmq was unable to take the EEP-23 form for verify_fun; so I tried reverting back the funs to old type of the form {Module, Function}. When I tried restarting, while it gave no errors and started successfully, my CRL validation function was never called.</div><div><div><div style="line-height: 17px;"><br></div></div></div></div></blockquote><div><br></div><div>Looking at <a href="https://github.com/erlang/otp/blob/master/lib/ssl/src/ssl_handshake.erl#L359">https://github.com/erlang/otp/blob/master/lib/ssl/src/ssl_handshake.erl#L359</a>, it seems likely that the user fun isn't called since as the documentation states:</div><div><br></div><div>"The verify fun will be called during the X509-path validation when an error or an extension unknown to the ssl application is encountered. Additionally it will be called when a certificate is considered valid by the path validation to allow access to each certificate in the path to the user application."</div><div><br></div><blockquote type="cite"><div dir="ltr"><div><span style="line-height: 17px;">5. RabbitMQ site suggests that in order to use SSL reliably use R14B(erts 4.0.1) as the minimum version. I tried using R16B (erts-5.10.1) on 64-bit Cent OS, which internally uses ssl-5.2.1. Also, I tried R16B01(erts-5.10.2) on 64-bit Windows 7, which internally uses ssl-5.3.1. Between these versions, there are lot of bugs fixed and enhancements applied in SSL application </span><a href="http://www.erlang.org/doc/apps/ssl/notes.html" style="line-height: 17px;">http://www.erlang.org/doc/apps/ssl/notes.html</a>. </div><div><br></div><div>To summarize, though RabbitMQ states R14B as the minimum version for reliable SSL, I wonder whether it is compatible with the latest SSL available in the recent Erlang distributions.</div><div><br></div></div></blockquote><div><br></div><div>I don't see any incompatibility - Rabbit does little more than forward the options you've provided to the SSL application. It looks to me like this problem has more to do with how the SSL application handles the validate_fun. I'd suggest asking on the erlang-questions mailing list to see if you can get some more guidance there - unless someone else on rabbit-discuss has come across this before and can say more about it.</div><div><br></div><div>If/when you find out the cause, please share the outcome with us!</div><div><br></div><div>Thanks,</div><div>Tim</div></div></div></body></html>