There are a lot of issues with SSL support in OTP. I've been struggling with it recently:
http://www.erlang.org/cgi-bin/ezmlm-cgi?2:mss:2005:201009:nkpigljldefpimkjppbn

I've been working on this code:

http://github.com/fdmanana/desktopcouch/commit/d5d3adccb4a602699c494f4499684ac545c11320

But not yet ready to go to trunk until I get some more answers.

And yes, unknown_ca is not perfect since it might mean a CA not in the list of known CAs or a self-signed certificate (I guess).

I was using this in OTP R13:

    %% Old SSL implementation: the fun receives the list of verification errors.
    %% unknown_ca and cert_expired are dropped; any other error fails verification.
    VerifyFun13 = fun(ErrorList) ->
        Filtered = lists:foldl(
            fun({bad_cert, unknown_ca}, Acc) -> Acc;
               ({bad_cert, cert_expired}, Acc) -> Acc;
               (Other, Acc) -> [Other | Acc]
            end, [], ErrorList),
        length(Filtered) =:= 0
    end,

and this on R14:

To make things worse, there are different option values in the new SSL implementation that is the default for R14, like the verify_fun itself:

    %% New SSL implementation: {Fun, InitialUserState}, called once per event.
    %% unknown_ca and cert_expired are accepted; other bad_cert reasons fail.
    VerifyFun = {
        fun(_, {bad_cert, unknown_ca}, UserState) -> {valid, UserState};
           (_, {bad_cert, cert_expired}, UserState) -> {valid, UserState};
           (_, {bad_cert, _} = Reason, _) -> {fail, Reason};
           (_, {extension, _}, UserState) -> {unknown, UserState};
           (_, valid, UserState) -> {valid, UserState}
        end, []},

With the default SSL implementation on R13 (basically a wrapper around OpenSSL library) I often get strange errors like:

    {{'EXIT',<0.336.0>, {error, {badinfo, {tcp,#Port<0.2316>,
    <<",\n{\"seq\":16,\"id\":\"11548683-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-08c70a0b26001af33fa899d3ef314602\"}]}\r\n80\r\n,\n{\"seq\":17,\"id\":\"11551303-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-c47fce9036725d71bcb2ff663720455b\"}]}\r\n80\r\n,\n{\"seq\":18,\"id\":\"13049320-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-6cc1f285720bc29571fec2ecc315b001\"}]}\r\n80\r\n,\n{\"seq\":19,\"id\":\"13050209-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-740341796485458015a17f052425fa3a\"}]}\r\n80\r\n,\n{\"seq\":20,\"id\":\"13062601-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-76f97e535654cb2ddedb6e66c05b08b0\"}]}\r\n80\r\n,\n{\"seq\":21,\"id\":\"16406358-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-6ee4dad15da6e10b45d70352d957c77e\"}]}\r\n80\r\n,\n{\"seq\":22,\"id\":\"16510937-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-7bba444efa1d17c6a7d671301168f132\"}]}\r\n80\r\n,\n{\"seq\":23,\"id\":\"17906615-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-c5e149a0ecb271fc83d67b99f07968ad\"}]}\r\n80\r\n,\n{\"seq\":24,\"id\":\"17915955-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-6d4927f7f819d9154a16ffeddbef92e9\"}]}\r\n">>}}}},

On the other hand, with the new SSL implementation (default on R14) these occasional errors seem to be gone.

On the other hand with the new implementation I can no longer open the certificates file in Ubuntu (/etc/ssl/certs/ca-certificates.crt) - it throws an exception when invoking ssl:connect/3.

I'll keep you informed as I make more progress.

cheers

On Sat, Sep 18, 2010 at 7:15 PM, Robert Newson <[email protected]> wrote:
>
> Replicator DB is awesome and the killer feature of 1.1 for sure
> (though range support is pretty awesome too...)
>
> We need to resolve the SSL issues first (the unknown_ca problem, at
> least).
> Also there's speculation that the mochiweb upgrade broke
> pipelining (as we can't find the code that used to do it with
> unrecv()).
>
> B.
>
> On Sat, Sep 18, 2010 at 7:08 PM, Chris Anderson <[email protected]> wrote:
> > On Sat, Sep 18, 2010 at 10:57 AM, Jan Lehnardt <[email protected]> wrote:
> >>
> >> On 15 Sep 2010, at 23:40, David Kendal wrote:
> >>
> >>> What about full-text indexing and searching (built-in, without
> >>> Lucene)? There was a project to do that a while back, did it ever get
> >>> anywhere? Or was it integrated into trunk and released and I just
> >>> never noticed?
> >>
> >> FTI is a good feature, but we don't have anything there yet.
> >>
> >> I think the reason for a 1.1 release would be releasing new features
> >> we already have (SSL) or are currently working on (maybe new Futon)
> >> but not ones we still have a whole lot of work to do on.
> >>
> >
> > The replicator db is the big one. I think we should get a UI for that
> > before we release. Once we have that I think we are good for 1.1. (SSL
> > is rad too).
> >
> > I think we should hold the new Futon for 1.2 so it can go into trunk
> > right after a release and get some baking time.
> >
> > Chris
> >
> >> Anyone, correct me if I'm wrong :)
> >>
> >> Cheers
> >> Jan
> >> --
> >>
> >>
> >
> >
> >
> > --
> > Chris Anderson
> > http://jchrisa.net
> > http://couch.io
> >

--
Filipe David Manana,
[email protected], [email protected]

"Reasonable men adapt themselves to the world.
 Unreasonable men adapt the world to themselves.
 That's why all progress depends on unreasonable men."
