Distribution over TLS
It's possible to use TLS for communication between MongooseIM cluster nodes.
To enable it, open `etc/vm.dist.args` under your release directory and find the section about the distribution protocol:
```
## Use TLS for connections between Erlang cluster members.
## Don't forget to override the paths to point to your certificate(s) and key(s)!
## Once a connection is established, Erlang doesn't differentiate between
## a client and a server - the same certs/keys can be used on both sides.
#-proto_dist inet_tls
#-ssl_dist_opt server_certfile /Users/erszcz/work/esl/mongooseim/_build/mim1/rel/mongooseim/priv/ssl/fake_cert.pem client_certfile /Users/erszcz/work/esl/mongooseim/_build/mim1/rel/mongooseim/priv/ssl/fake_cert.pem
#              server_keyfile /Users/erszcz/work/esl/mongooseim/_build/mim1/rel/mongooseim/priv/ssl/fake_key.pem client_keyfile /Users/erszcz/work/esl/mongooseim/_build/mim1/rel/mongooseim/priv/ssl/fake_key.pem
#              server_cacertfile /Users/erszcz/work/esl/mongooseim/_build/mim1/rel/mongooseim/priv/ssl/cacert.pem client_cacertfile /Users/erszcz/work/esl/mongooseim/_build/mim1/rel/mongooseim/priv/ssl/cacert.pem
#              client_verify verify_peer
#              server_verify verify_peer
#              server_fail_if_no_peer_cert true
```
By default, `-proto_dist` and the `-ssl_dist_opt` options that follow it are commented out. Enable them and provide the correct paths to your CA certificate, server certificate and server key.
There are a number of caveats to remember when running Erlang distribution over TLS:

- TLS-enabled and non-TLS Erlang nodes can't communicate with one another. Keep this in mind when starting `erl -[s]name ...` to talk to the server.
- Establishing a TLS connection fails if a certificate isn't found in the specified location. You might see a log message like this when nodes try to connect:

  ```
  2017-03-10 16:16:03.844 [warning] <0.4218.2> global: mongooseim@localhost failed to connect to fed1@localhost
  ```

- A missing certificate, key or CA certificate file is not reported until nodes try to connect. Grep for the log message on all cluster nodes: when a connection fails, the message does not necessarily appear on every node.
- You can switch a cluster from non-TLS distribution to TLS distribution by shutting down one node, enabling TLS on it, starting it up again, and repeating these steps for each remaining node. Again, nodes with and without TLS enabled won't be able to communicate with one another.
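As an added example (not part of MongooseIM or this page), a POSIX shell pre-flight check to run on each node before restarting it with TLS distribution: it confirms that `-proto_dist inet_tls` is uncommented in `vm.dist.args` and that every certificate, key and CA file named on the active `-ssl_dist_opt` lines is readable, so the missing-file case above is caught before the first connection attempt. The function name and exit codes are my own.

```shell
#!/bin/sh
# Pre-flight check for Erlang distribution over TLS (hypothetical helper, not
# part of MongooseIM). Run it on each node before (re)starting it:
#   check_dist_tls_files /path/to/release/etc/vm.dist.args
# Exit status: 0 = inet_tls enabled and every referenced file is readable
#              1 = some cert/key/CA file is missing (paths printed, one per line)
#              2 = -proto_dist inet_tls is still commented out
check_dist_tls_files() {
    args_file="$1"

    # Drop comment lines ('#' at the start of a line), keeping active flags only.
    active=$(grep -v '^[[:space:]]*#' "$args_file" || true)

    if ! printf '%s\n' "$active" | grep -q '^[[:space:]]*-proto_dist[[:space:]][[:space:]]*inet_tls'; then
        echo "TLS distribution is not enabled: -proto_dist inet_tls is commented out" >&2
        return 2
    fi

    # Extract the value after each *_certfile / *_keyfile / *_cacertfile option.
    # A line not starting with '-' continues the previous flag, so stay inside
    # -ssl_dist_opt until the next flag begins; then test each distinct path.
    missing=$(printf '%s\n' "$active" \
        | awk '/^[ \t]*-/ { in_ssl = ($1 == "-ssl_dist_opt") }
               in_ssl { for (i = 1; i < NF; i++)
                            if ($i ~ /_(cert|key|cacert)file$/) print $(i + 1) }' \
        | sort -u \
        | while read -r path; do
              [ -r "$path" ] || printf '%s\n' "$path"
          done)

    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}
```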
It's possible to fortify an Erlang cluster further than MongooseIM's preconfigured `vm.dist.args` does. This includes checking certificate revocation status against a CA's Certificate Revocation List, securing or disabling EPMD (Erlang Port Mapper Daemon), and using custom certificate verification functions. For details on these steps please refer to Erlang Distribution over TLS and Erlang (and Elixir) distribution without epmd.