Using the SSL API
ssl:versions/0 shows the version information of ssl.
ssl:cipher_suites/0 lists the supported cipher suites. Not every suite is usable on every SSL connection, since the usable suites also depend on the certificate. The default is the strongest setting.
2.2 Setting up connections
Here follow some small examples of how to set up client/server connections using the erlang shell. The returned value of the sslsocket has been abbreviated with [...] as it can be fairly large and is opaque.
Minimal example
The minimal setup is not the most secure setup of ssl.
Start server side
1 server> ssl:start().
ok
Create an ssl listen socket
2 server> {ok, ListenSocket} = ssl:listen(9999, [{certfile, "cert.pem"}, {keyfile, "key.pem"}, {reuseaddr, true}]).
{ok,{sslsocket, [...]}}
Do a transport accept on the ssl listen socket
3 server> {ok, Socket} = ssl:transport_accept(ListenSocket).
{ok,{sslsocket, [...]}}
Start client side
1 client> ssl:start().
ok
2 client> {ok, Socket} = ssl:connect("localhost", 9999, [], infinity).
{ok,{sslsocket, [...]}}
Do the ssl handshake
4 server> ok = ssl:ssl_accept(Socket).
ok
Send a message over ssl
5 server> ssl:send(Socket, "foo").
ok
Flush the shell message queue to see that the client got the message sent from the server side
3 client> flush().
Shell got {ssl,{sslsocket,[...]},"foo"}
ok
Upgrade example
To upgrade a TCP/IP connection to an ssl connection the client and server have to agree to do so. Agreement may be accomplished by using a protocol such as the one used by HTTP specified in RFC 2817.
Start server side
1 server> ssl:start().
ok
Create a normal TCP listen socket
2 server> {ok, ListenSocket} = gen_tcp:listen(9999, [{reuseaddr, true}]).
{ok, #Port<0.475>}
Accept the client connection
3 server> {ok, Socket} = gen_tcp:accept(ListenSocket).
{ok, #Port<0.476>}
Start client side
1 client> ssl:start().
ok
2 client> {ok, Socket} = gen_tcp:connect("localhost", 9999, [], infinity).
Make sure the socket has active set to false before upgrading it, otherwise the ssl handshake messages may be delivered to the wrong process.
4 server> inet:setopts(Socket, [{active, false}]).
ok
Do the ssl handshake
5 server> {ok, SSLSocket} = ssl:ssl_accept(Socket, [{cacertfile, "cacerts.pem"}, {certfile, "cert.pem"}, {keyfile, "key.pem"}]).
{ok,{sslsocket,[...]}}
Upgrade to an ssl connection. Before upgrading, make sure the server calls ssl:ssl_accept/2 before the client calls ssl:connect/3.
3 client> {ok, SSLSocket} = ssl:connect(Socket, [{cacertfile, "cacerts.pem"}, {certfile, "cert.pem"}, {keyfile, "key.pem"}], infinity).
{ok,{sslsocket,[...]}}
Send a message over ssl
4 client> ssl:send(SSLSocket, "foo").
ok
Set active true on the ssl socket
4 server> ssl:setopts(SSLSocket, [{active, true}]).
ok
Flush the shell message queue to see that the server got the message sent from the client side
5 server> flush().
Shell got {ssl,{sslsocket,[...]},"foo"}
ok
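The upgrade procedure above as one complete module, an added example that is not code from the original page or from OTP's documentation: it runs the server and client in a single node and, unlike the minimal example, makes the client verify the server certificate. It assumes OTP 21 or later, where ssl:handshake/2 replaced ssl:ssl_accept/2, and assumes cacerts.pem is the CA bundle that issued cert.pem/key.pem for the name "localhost".

```erlang
%% Added example (not from the original page): the TCP-to-SSL upgrade above as
%% one module run inside a single node, with the client verifying the server
%% certificate. Certificate file names and contents are assumptions.
-module(ssl_upgrade_demo).
-export([run/0, server/2, client/1]).
-define(PORT, 9999).
-define(CACERTS, "cacerts.pem").  %% assumed: CA bundle that issued cert.pem
-define(CERT, "cert.pem").        %% assumed: server cert valid for "localhost"
-define(KEY, "key.pem").

%% Returns {ok, <<"foo">>} on success, {error, Reason} when the upgrade fails.
run() ->
    ok = ssl:start(),
    Parent = self(),
    {ok, Listen} = gen_tcp:listen(?PORT, [binary, {reuseaddr, true}, {active, false}]),
    spawn(fun() -> server(Listen, Parent) end),
    spawn(fun() -> client(Parent) end),
    Result = receive
                 {server_got, Msg}      -> {ok, Msg};
                 {client_error, Reason} -> {error, Reason}
             after 5000 -> {error, timeout}
             end,
    gen_tcp:close(Listen),
    Result.

server(Listen, Parent) ->
    {ok, Tcp} = gen_tcp:accept(Listen),
    %% active must be false before the upgrade, or handshake bytes arrive here as {tcp, ...} messages
    ok = inet:setopts(Tcp, [{active, false}]),
    %% ssl:handshake/2 is the OTP 21+ successor of ssl:ssl_accept/2 used above
    case ssl:handshake(Tcp, [{cacertfile, ?CACERTS}, {certfile, ?CERT}, {keyfile, ?KEY}]) of
        {ok, Ssl} ->
            {ok, Data} = ssl:recv(Ssl, 0, 5000),
            ssl:close(Ssl),
            Parent ! {server_got, iolist_to_binary(Data)};
        {error, _} ->
            gen_tcp:close(Tcp)
    end.

client(Parent) ->
    {ok, Tcp} = gen_tcp:connect("localhost", ?PORT, [binary, {active, false}]),
    %% verify_peer with a CA bundle and SNI name: the server cert must chain to cacerts.pem and match "localhost"
    Opts = [{verify, verify_peer}, {cacertfile, ?CACERTS}, {server_name_indication, "localhost"}],
    case ssl:connect(Tcp, Opts, 5000) of
        {ok, Ssl} ->
            ok = ssl:send(Ssl, "foo"),
            ssl:close(Ssl);
        {error, Reason} ->  %% e.g. {tls_alert, {unknown_ca, _}} when cert.pem is not signed by cacerts.pem
            gen_tcp:close(Tcp),
            Parent ! {client_error, Reason}
    end.
```

Compile with c(ssl_upgrade_demo) in the shell and call ssl_upgrade_demo:run(); swapping cacerts.pem for a bundle that did not issue cert.pem turns the {ok, <<"foo">>} result into a verification error instead of a silently unauthenticated connection.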