TLS connections: problems with a distributed app, in particular gen_server:multi_call(..) and gen_server:abcast(..)

3 nodes: 1 server node s, 2 client nodes c1 and c2. All 3 are configured for TLS communication, each with its own crt and key, using long names.

%% node s (server)
[
 {server, [
           {certfile, "/home/xxx/tls-conf/s.pem"},
           {cacertfile, "/home/xxx/tls-conf/ca.crt" },
           {verify, verify_peer},
           {fail_if_no_peer_cert, true},
           {versions, ['tlsv1.3', 'tlsv1.2']},
           %           {log_level, debug},
           {log_alert, true},
           {sni_hosts, [{"s.xxx.de", []}]},
           {secure_renegotiate, true}
          ]}
].

%% node c1 (client)
[
 {client, [
           {cacertfile, "/home/xxx/tls-conf/ca.crt" },
           {certfile, "/home/xxx/tls-conf/c1.pem"},
           {versions, ['tlsv1.3', 'tlsv1.2']},
           {secure_renegotiate, true}
          ]}
].

%% node c2 (client)
[
 {client, [
           {cacertfile, "/home/xxx/tls-conf/ca.crt" },
           {certfile, "/home/xxx/tls-conf/c2.pem"},
           {versions, ['tlsv1.3', 'tlsv1.2']},
           {secure_renegotiate, true}
          ]}
].

All 3 start without any issue.

Started s, followed by c1 and c2.

  • The nodes list (nodes(). on c1 and c2) is empty, and gen_server:multi_call(nodes(), …) does not reach the server s from either node.

  • On c1 executed net_adm:ping(s@fqdn), and the multi_call works as expected from c1.

  • On c2 executed net_adm:ping(s@fqdn), and the multi_call works as expected from c2.

But then the nodes list on c1 is empty and the multi_call has no effect when executed on c1.

After several net_adm:ping(s@fqdn) calls on c1, the node list contains s again on c1 but is empty on c2.

When I reconfigure the 3 nodes to use unencrypted communication, everything works as expected.

Questions:

  • Did I miss anything?

  • What can I do to get this surprising behaviour fixed?

Thanks for any hints.

Addendum: forgot to mention, OTP 27.2.3 on all nodes.

It seems to be necessary to configure all nodes as clients and as servers.

I feel the client/server concept is different from the one I am used to, at least when the nodes are communicating by means of TLS.
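As an added example (not the poster's configuration), this is what a per-node TLS distribution option file looks like when every node carries both a server and a client section, which is what the addendum concludes is needed: Erlang distribution is symmetric, so each node both accepts connections from and dials out to its peers. Certificate paths and the CA follow the post; the node host name in the usage note is a placeholder.

```erlang
%% ssl_dist.conf for node c1. Added example, not the original poster's file.
%% Every node needs BOTH sections: the server section is used when a peer
%% connects to this node, the client section when this node connects to a peer.
%% Paths and file names are taken from the post and stand in for your own.
[
 {server, [
           %% this node's own certificate + key, and the shared CA
           {certfile, "/home/xxx/tls-conf/c1.pem"},
           {cacertfile, "/home/xxx/tls-conf/ca.crt"},
           %% require and validate a client certificate on inbound connections
           {verify, verify_peer},
           {fail_if_no_peer_cert, true},
           {versions, ['tlsv1.3', 'tlsv1.2']},
           {log_alert, true},
           {secure_renegotiate, true}
          ]},
 {client, [
           %% the same certificate is presented when this node dials out
           {certfile, "/home/xxx/tls-conf/c1.pem"},
           {cacertfile, "/home/xxx/tls-conf/ca.crt"},
           %% validate the remote node's certificate explicitly rather than
           %% relying on defaults; the peer cert must chain to ca.crt and name
           %% the remote node's host, because verify_peer also checks the host name
           {verify, verify_peer},
           {versions, ['tlsv1.3', 'tlsv1.2']},
           {secure_renegotiate, true}
          ]}
].
```

Node s gets the same file with s.pem in both sections, and c2 with c2.pem. Each node is then started with `erl -proto_dist inet_tls -ssl_dist_optfile /home/xxx/tls-conf/ssl_dist.conf -name c1@c1.xxx.de` (the host part is a placeholder for the node's real FQDN). With both sections present, a connection initiated from either side can be accepted, so a `net_adm:ping/1` from any node should leave it in `nodes()` on both ends rather than only on the node that dialled.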
