Hi,
 
I raised the same problem in an earlier thread last year and just wanted to find out whether anyone has started using the new SSL implementation in Erlang, or has come across what we were experiencing.  
 
Thanks for the patch. I assume this will be in the next release of YAWS.
 
Regards,
Chih-Wei Yu


 
On Mon, Feb 1, 2010 at 10:19 AM, Claes Wikstrom <klacke@tail-f.com> wrote:
Chih-Wei Yu wrote:
Thank you for your assistance; I'll have to dig quite a bit before I get to the other side. =)
 

Good news - I did some digging here, and commit:

http://github.com/klacke/yaws/commit/d4fec792ddc73f475514fbf41974a05d65a801aa

Seems to make the new ssl implementation work.
It probably needs some more testing with things like
error codes on bad certs, client certs, etc. - but the basics work.

You should be able to patch the above into slightly older yaws
releases as well. I have attached a regular diff as well.


Good luck

/klacke

diff --git a/man/yaws.conf.5 b/man/yaws.conf.5
index efc45b7..2382960 100644
--- a/man/yaws.conf.5
+++ b/man/yaws.conf.5
@@ -92,7 +92,11 @@ to the yaws start script, this value is automatically set to 0.
 This enables traffic or http tracing. Tracing is also possible to enable with
 a command line flag to yaws. Default is false.

-
+.TP
+\fBuse_old_ssl = true | false\fR
+This re-enables the old OTP ssl implementation. By default we use the
+new ssl implementation.
+
 .TP
 \fB auth_log  = true | false\fR
 Enable or disable the auth log. Default is true.
diff --git a/scripts/yaws.conf.template b/scripts/yaws.conf.template
index c526a4c..b97cc96 100644
--- a/scripts/yaws.conf.template
+++ b/scripts/yaws.conf.template
@@ -37,8 +37,9 @@ max_connections = nolimit

 trace = false

-
-
+# Enable this if we want to use the old OTP ssl implementation
+# OTP R13B03 is known to work with this flag set         to false (default)
+use_old_ssl = false


 # it is possible to have yaws start additional
@@ -85,7 +86,10 @@ auth_log = true
 # name. Yaws will write a number of runtime files under
 # ${HOME}/.yaws/yaws/${id}
 # The default value is "default"
-
+# If we're not planning to run multiple webservers on the
+# same host it's mych better to leave this value unset since
+# then all the ctl function (--stop et.el) work without having
+# to supply the id.

 # id = myname

@@ -95,6 +99,7 @@ auth_log = true
 # header doesn't match any name on any Host
 # This is often nice in testing environments but not
 # acceptable in real live hosting scenarios
+# think http://suckmydick.bigcompany.com

 pick_first_virthost_on_nomatch = true

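Review bot: The example hostname in the new comment line (`# think http://...bigcompany.com`) is vulgar and names a made-up company, and as part of the config template it will ship with every installation. Use a reserved example domain instead, e.g. `# think http://www.example.com` — RFC 2606 reserves example.com for exactly this purpose.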
@@ -106,7 +111,9 @@ pick_first_virthost_on_nomatch = true
 # a privileged port.
 # If we use this feature, it requires fdsrv to be properly installed.
 # Doesn't yet work with SSL.
-# Read http://yaws.hyber.org/privbind.yaws for more info
+# Read http://yaws.hyber.org/privbind.yaws for more info and a better
+# solution than fd_srv
+
 use_fdsrv = false


@@ -149,6 +156,7 @@ use_fdsrv = false
        <ssl>
                keyfile = %certdir%/yaws-key.pem
                certfile = %certdir%/yaws-cert.pem
+                depth = 0
        </ssl>
 </server>

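Review bot: `depth = 0` is added to the template's `<ssl>` block with no comment saying what it controls, while the sibling keys (keyfile, certfile) are self-explanatory. In the OTP ssl option of the same name, depth bounds the number of intermediate CA certificates accepted in a peer's chain, so it only takes effect once peer-certificate verification is enabled, which this block does not do; someone copying the template would otherwise assume 0 tightens something by itself. A comment such as `# max. number of intermediate CA certs accepted in a peer's chain; only used when client cert verification is on` would make the default meaningful.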
diff --git a/src/yaws.erl b/src/yaws.erl
index 79e47bb..323803f 100644
--- a/src/yaws.erl
+++ b/src/yaws.erl
@@ -12,8 +12,6 @@
 -include("../include/yaws_api.hrl").
 -include("yaws_debug.hrl").

-
-
 -include_lib("kernel/include/file.hrl").
 -export([start/0, stop/0, hup/1, restart/0, modules/0, load/0]).
 -export([start_embedded/1, start_embedded/2, start_embedded/3,
@@ -1774,7 +1772,6 @@ do_recv(Sock, Num, nossl) ->
 do_recv(Sock, Num, ssl) ->
    ssl:recv(Sock, Num, ?READ_TIMEOUT).

-
 cli_recv(S, Num, SslBool) ->
    Res = do_recv(S, Num, SslBool),
    cli_recv_trace((get(gc))#gconf.trace, Res),
@@ -1883,7 +1880,6 @@ setopts(Sock, Opts, ssl) ->
    ok = ssl:setopts(Sock, Opts).

 do_http_get_headers(CliSock, SSL) ->
-    setopts(CliSock, [{packet, http}], SSL),
    case http_recv_request(CliSock,SSL) of
        bad_request ->
            {#http_request{method=bad_request, version={0,9}},
@@ -1897,6 +1893,7 @@ do_http_get_headers(CliSock, SSL) ->


 http_recv_request(CliSock, SSL) ->
+    setopts(CliSock, [{packet, http}], SSL),
    case do_recv(CliSock, 0,  SSL) of
        {ok, R} when is_record(R, http_request) ->
            R;
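Review bot: setopts is now issued immediately before every do_recv rather than once per request: here in http_recv_request, and in the http_collect_headers hunk below, where `{packet, httph}` is re-set for every header line. If the new ssl implementation needs the packet mode re-armed before each recv, a comment at the call site saying so would stop a later cleanup from moving it back; if it does not, the per-header call is redundant work on the request path. I would add `%% packet mode is set before each recv on purpose — TODO: confirm the new ssl impl requires this` rather than leaving the motive implicit, since the diff itself does not show why the call moved. Both http_recv_request and http_collect_headers continue outside their hunks.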
@@ -1912,13 +1909,12 @@ http_recv_request(CliSock, SSL) ->
            closed;
        {error, timeout} -> closed;
        _Other ->
-            ?Debug("Got ~p~n", [_Other]),
+            error_logger:format("Unhandled reply fr. do_recv() ~p~n", [_Other]),
            exit(normal)
    end.

-
-
 http_collect_headers(CliSock, Req, H, SSL, Count) when Count < 1000 ->
+    setopts(CliSock, [{packet, httph}], SSL),
    Recv = do_recv(CliSock, 0, SSL),
    case Recv of
        {ok, {http_header,  _Num, 'Host', _, Host}} ->
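Review bot: `_Other` keeps its underscore prefix yet is now passed to error_logger:format; the prefix signals to readers and the compiler that the binding is unused, so rename it `Other` in both the pattern and the call. Separately, this clause now emits an error-level report for every do_recv reply that none of the earlier clauses match; the arms between the visible `closed` cases lie outside the hunk, and if any of the remaining shapes can be produced by a malformed request from a remote client, a peer can fill the log at will. Consider keeping it at `?Debug`, or logging only the tag of the term rather than the whole value.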
diff --git a/src/yaws_config.erl b/src/yaws_config.erl
index ea492ef..dab1817 100644
--- a/src/yaws_config.erl
+++ b/src/yaws_config.erl
@@ -1103,7 +1103,7 @@ fload(FD, ssl, GC, C, Cs, Lno, Chars) ->
            end;
        ["depth", '=', Val0] ->
            Val = (catch list_to_integer(Val0)),
-            case lists:member(Val, [1,2,3,4,5,6,7]) of
+            case lists:member(Val, [0, 1,2,3,4,5,6,7]) of
                true when  is_record(C#sconf.ssl, ssl) ->
                    C2 = C#sconf{ssl = (C#sconf.ssl)#ssl{depth = Val}},
                    fload(FD, ssl, GC, C2, Cs, Lno+1, Next);
@@ -1111,7 +1111,7 @@ fload(FD, ssl, GC, C, Cs, Lno, Chars) ->
                    {error, ?F("Need to set option ssl to true before line ~w",
                               [Lno])};
                _ ->
-                    {error, ?F("Expect reasonable integer at line ~w", [Lno])}
+                    {error, ?F("Expect integer 0..7 at line ~w", [Lno])}
            end;
        ["password", '=', Val] ->
            if
diff --git a/src/yaws_server.erl b/src/yaws_server.erl
index e99d36e..c97c1ff 100644
--- a/src/yaws_server.erl
+++ b/src/yaws_server.erl
@@ -860,11 +860,15 @@ ssl_listen_opts(GC, SSL) ->
            true ->
                 false
         end,
+         if SSL#ssl.depth /= undefined ->
+                 {depth, SSL#ssl.depth};
+            true ->
+                 false
+         end,
         if ?gc_use_old_ssl(GC) ->
                 false;
            true ->
-                 %%{ssl_imp, new} - still doesn't work (R13B)
-                 false
+                 {ssl_imp, new}
         end
        ],
    filter_false(L).
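Review bot: The new `SSL#ssl.depth /= undefined` test uses the coercing `/=`; for an atom-or-integer comparison the exact `=/=` is the idiomatic form, i.e. `if SSL#ssl.depth =/= undefined ->`. With `{ssl_imp, new}` now emitted by default, the option list this function builds is consumed by a different implementation than before, so the `verify`/`cacertfile` branches earlier in ssl_listen_opts (the function starts outside this hunk) are worth checking against the new implementation's accepted option shapes — later OTP releases take `verify_none | verify_peer` rather than the old integer levels, but I cannot confirm from the diff which forms this OTP version accepts. Note also that `depth` only constrains a chain once peer verification is active, so a deployment that never verifies client certificates will see no behavioural change from setting it.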


Hi K