priestjim / gen_rpc

A scalable RPC library for Erlang-VM based languages
Apache License 2.0
221 stars 81 forks

ask help for dhfile #70

Closed zhaohansprt closed 5 years ago

zhaohansprt commented 7 years ago

Hi, the gen_rpc CT test passed, and the certs without dhp that I generated following this page https://help.github.com/enterprise/11.10.340/admin/articles/using-self-signed-ssl-certificates/ passed too; but when both nodes' cert files were generated following this page https://appsec-labs.com/portal/openssl-diffie-hellman-and-elliptic-curve-cryptography-with-digital-certificates/ then they can't be used by gen_rpc. Please help me check the point where I went wrong.

zhaohansprt commented 7 years ago

If I just put the dhfile in the configured path, will it just take effect? Don't I need to follow the cert generation procedure on a page such as the one below? https://appsec-labs.com/portal/openssl-diffie-hellman-and-elliptic-curve-cryptography-with-digital-certificates/ How do I verify that the configuration takes effect in the successful communication?

priestjim commented 7 years ago

First of all, to use EC certificates, make sure you're running the latest Erlang available (19.2 as of now) since they only recently introduced support for them. Secondly, you can "copy" the dhparam file to your release directory or generate your own using

openssl dhparam -out dhparam.pem 4096

In order to force SSL communication, set

{gen_rpc, [{default_client_driver, ssl}]}

in your sys.config file

zhaohansprt commented 7 years ago

The ECDH cert seems not to be usable with OTP's ssl.
When I debugged, I found that the ssl_connection:handle_peer_cert_key/5 call to public_key:generate_key/1 can never match.

The public_key interface is:

generate_key(#'DHParameter'{prime = P, base = G}) -> crypto:generate_key(dh, [P, G]);
generate_key({namedCurve, _} = Params) -> ec_generate_key(Params);
generate_key(#'ECParameters'{} = Params) -> ec_generate_key(Params).

but the argument passed is {ecParameters, 'ECParameters'{} = Params}

priestjim commented 7 years ago

@zhaohansprt what Erlang version are you running? I implemented an EC certificate CT test that works with the latest Erlang versions in the feature/monitor_nodes branch.

zhaohansprt commented 7 years ago

By that time the Erlang version should be R19.2; the key point of the problem may be how to generate the certs, so can you provide a procedure or a script to generate the needed EC certs?

priestjim commented 7 years ago

The only difference in procedure with EC cryptography is generating the private key, so you can follow any SSL certificate creation tutorial and substitute the private key command with:

openssl ecparam -name sect283k1 -genkey -out server.key.pem
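The procedure from the last two comments carried through end to end, as an added example that is not code from gen_rpc or from this thread: an EC CA and an EC node certificate built with the key command substituted as described, a separate dhparam step, and the checks a practitioner should run on the files before pointing the ssl driver at them. File names, subject names and the `example.test` host are assumptions; the curve defaults to sect283k1, the one named above.

```shell
#!/bin/sh
# Added example (not from gen_rpc or this thread). Assumed: file names,
# subjects and the example.test host; curve defaults to sect283k1.
set -eu

make_ec_certs() {
  dir="$1"; curve="${2:-sect283k1}"
  mkdir -p "$dir"
  # CA: the only EC-specific step is "ecparam -genkey" in place of genrsa,
  # then a self-signed CA certificate (default config adds CA:TRUE)
  openssl ecparam -name "$curve" -genkey -out "$dir/ca.key.pem"
  openssl req -new -x509 -sha256 -days 365 -key "$dir/ca.key.pem" \
    -subj "/CN=gen_rpc example CA" -out "$dir/ca.cert.pem"
  # Node certificate: same substitution for the key, CSR signed by the CA
  openssl ecparam -name "$curve" -genkey -out "$dir/server.key.pem"
  openssl req -new -key "$dir/server.key.pem" -subj "/CN=node1.example.test" \
    -out "$dir/server.csr.pem"
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr.pem" \
    -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" -CAcreateserial \
    -out "$dir/server.cert.pem"
}

# DH parameters are consulted only by DHE cipher suites; ECDHE suites, which
# EC certificates normally negotiate, never read the dhfile. Kept separate
# because generating 4096-bit parameters can take minutes.
make_dhparam() {
  openssl dhparam -out "$1/dhparam.pem" "${2:-4096}"
}

# Checks before configuring the ssl driver: the chain verifies, the node cert
# really carries an EC key on the expected curve, and the private key matches
# the certificate's public key. Returns non-zero on the first failed check.
verify_ec_certs() {
  dir="$1"; curve="${2:-sect283k1}"
  openssl verify -CAfile "$dir/ca.cert.pem" "$dir/server.cert.pem" >/dev/null || return 1
  info=$(openssl x509 -in "$dir/server.cert.pem" -noout -text)
  echo "$info" | grep -q 'Public Key Algorithm: id-ecPublicKey' || return 1
  echo "$info" | grep -q "$curve" || return 1
  cert_pub=$(openssl x509 -in "$dir/server.cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/server.key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
}
```

Run `make_ec_certs ./certs` and then `verify_ec_certs ./certs` for each node; the same two calls with a second curve name as the second argument build and check certificates on another curve.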