I used my browser to check which root certificate AWS uses (Verisign/RSA Secure Server CA), and picked the certificate from http://curl.haxx.se/ca/cacert.pem. That's a modified version of the CA root certificate bundle that ships with Mozilla-based browsers. It contains the certificates in PEM form, which Erlang understands. The PEM portions in the file look like this:
-----BEGIN CERTIFICATE-----
MIICNDCCAaECEAKtZn5ORf5eV288mBle3cAwDQYJKoZIhvc
A1UEBhM......
..............CYCPgmc4RKz
1g39NTUJWdrTJXwT4OPjr0l91X817/OWOgHz8UA==
-----END CERTIFICATE-----

The correct certificate needs to be copy-pasted into its own file. I named my copy verisign.pem. An alternative way to obtain the certificate is described here.
A root certificate is useless unless you can be certain that it hasn't been tampered with. I ran

openssl x509 -noout -text \
-in verisign.pem -inform pem

and checked that the output matched my browser's information on that certificate. That's probably nowhere near paranoid enough.
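As an added example (not code from the original post), here is a small Python script that does the copy-paste step mechanically: it splits a cacert.pem-style bundle, computes each certificate's SHA-256 fingerprint in the same layout `openssl x509 -noout -fingerprint -sha256` prints, and returns only the certificate whose fingerprint equals the value you read off the browser's certificate viewer. The bundle and fingerprints below are constructed placeholders, not Verisign's real data.

```python
import base64
import hashlib
import re

# One regex pass over the bundle; re.S lets the base64 body span many lines.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_bundle(bundle_text):
    """Yield (pem_block, der_bytes) for every certificate in a PEM bundle."""
    for m in PEM_RE.finditer(bundle_text):
        b64 = "".join(m.group(1).split())           # drop the line breaks inside the body
        der = base64.b64decode(b64, validate=True)  # reject anything that is not clean base64
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        yield "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n", der


def sha256_fingerprint(der):
    """Colon-separated uppercase hex, the layout `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def extract_pinned(bundle_text, expected_fp):
    """Return the one PEM block whose fingerprint equals expected_fp; fail on zero or several."""
    wanted = expected_fp.upper().replace(" ", "")
    matches = [pem for pem, der in split_bundle(bundle_text) if sha256_fingerprint(der) == wanted]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one certificate with fingerprint {wanted}, found {len(matches)}")
    return matches[0]


# Constructed stand-in for cacert.pem: the bodies are arbitrary bytes, not real certificates,
# so their fingerprints mean nothing outside this demo.
FAKE_DER_1 = b"constructed-root-certificate-number-one"
FAKE_DER_2 = b"constructed-root-certificate-number-two"


def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = "# bundle header\n" + _pem(FAKE_DER_1) + "\n# another CA\n" + _pem(FAKE_DER_2)

if __name__ == "__main__":
    # In real use the expected fingerprint is the value read off the browser's certificate viewer.
    print(extract_pinned(SAMPLE_BUNDLE, sha256_fingerprint(FAKE_DER_2)), end="")
```

Redirect the output to verisign.pem and the file holds exactly the one pinned root; a bundle that no longer contains that fingerprint fails loudly instead of silently handing you a different CA.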
Using the certificate with ibrowse is easy. The last parameter of ibrowse:send_req/5 accepts the necessary SSL options. A query using SSL with peer verification looks something like this:

ibrowse:send_req(
    "https://somehost/path",
    [], get, [],
    [{is_ssl, true},
     {ssl_options,
      [{verify, 2},
       {cacertfile, "verisign.pem"}]}]).

Here, {verify, 2} turns peer verification on and cacertfile provides the path to the root certificate. See the ssl module documentation to learn more about the options.

I'm interested in learning whether Erlang's strength in distributed programming, fault tolerance and management would be a good fit with Amazon EC2. What do you think?