Erlang Distribution Over TLS Starts without required or wrong password for encrypted private key

[amusarra]

When configuring Erlang Distribution over TLS, if the private key used for TLS encryption requires a password but no password is explicitly provided in the configuration, the Erlang runtime does not fail at startup. Instead, it starts the TLS listener without properly loading the certificate, leading to an unusable TLS setup.

This issue affects applications like RabbitMQ, which rely on EDTLS for secure communication. The expected behavior is that the system should fail fast on startup if the required password is missing.

This issue was originally reported in the RabbitMQ repository: RabbitMQ Issue.

Steps to Reproduce

Configure Erlang Distribution over TLS with an encrypted private key that requires a password.

Do not provide the password explicitly in the configuration.

Start the Erlang application.

Expected Behavior

The system should fail immediately at startup with a clear error message stating that the private key requires a password.

Actual Behavior

The Erlang runtime starts without raising an error.

The TLS listener is put in a listening state but without a valid certificate.

Any TLS connections fail due to the missing certificate setup.

Suggested Fix

Introduce a validation step, that checks whether the private key requires a password or wrong before proceeding.

If the password is required and not provided or wrong, the system should fail on startup and log a clear error message.

This issue can lead to security misconfigurations and unexpected failures. Implementing a fail-fast approach would help prevent misconfigured deployments and improve reliability.

Environment

Erlang version: 27.2.4 [jit]
OS (Host): macOS 15.3.2 (24D81)

[IngelaAndin]

Thanks for the report we will look into enhancing the error handling.

[amusarra]

Thanks so much.