SSL on Zotonic 1.x

Hello,

I have some questions regarding SSL.

I’ve generated a CA and signed a certificate, renamed everything, and put the files in ~/.config/zotonic/security/mysite/ca.

The problem is that it keeps generating a self-signed certificate. Is this the expected behaviour?

Also, I guess I’m using a faulty openssl version, because the command

openssl rsa -in sitename.key -out sitename.pem

doesn’t generate a -----BEGIN RSA PRIVATE KEY----- file.

This causes a Zotonic startup error because the .pem file is not in PKCS1 format.

The OpenSSL version I have on my machine is 3.0.2. Is anyone using this version?

Thanks!

2 Likes

The command changed to:

openssl pkcs8 -in mysite.key -traditional -nocrypt -out mysite.pem

2 Likes

Interesting, so they completely changed the commands.

Is there a command that would work with all openssl versions?

We use the library zotonic_ssl (on Hex) for the SSL and certificate tasks.

3 Likes

I also see at some places:

openssl rsa -in sitename.key -out sitename.pem -outform PEM

Does that work with openssl 3?

3 Likes

It didn’t work, the result was -----BEGIN PRIVATE KEY-----

2 Likes

Then we have to check if that openssl pkcs8 works in openssl 1.something

3 Likes

This command works on OpenSSL 1.1.1f.

2 Likes
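As an added example (not code from this thread, from Zotonic or from zotonic_ssl), a small POSIX shell helper that tells the two PEM headers apart and converts a PKCS#8 key (the -----BEGIN PRIVATE KEY----- output that OpenSSL 3 now produces) into the PKCS#1 -----BEGIN RSA PRIVATE KEY----- form Zotonic expects, using the openssl pkcs8 -traditional -nocrypt invocation confirmed above on both OpenSSL 1.1.1f and 3.0. File names and the script name are assumptions.

```shell
#!/bin/sh
# Added example: classify a PEM private key by its header line and convert
# PKCS#8 to PKCS#1 with the version-portable "openssl pkcs8 -traditional"
# command. Assumes the PEM header is on the first line, as openssl writes it.

# Print the container format of the key file $1: pkcs1, pkcs8,
# pkcs8-encrypted or unknown.
pem_key_format() {
    header=$(head -n 1 "$1")
    case "$header" in
        '-----BEGIN RSA PRIVATE KEY-----') echo pkcs1 ;;
        '-----BEGIN PRIVATE KEY-----') echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *) echo unknown ;;
    esac
}

# Convert key $1 to an unencrypted PKCS#1 PEM at $2. A key that is already
# PKCS#1 is copied as is; encrypted or unknown input is rejected so a bad
# file is noticed here rather than as a Zotonic startup error.
# Returns non-zero unless the output carries the PKCS#1 header.
to_pkcs1() {
    src=$1; dst=$2
    case $(pem_key_format "$src") in
        pkcs1) cp "$src" "$dst" ;;
        pkcs8) openssl pkcs8 -in "$src" -traditional -nocrypt -out "$dst" || return 1 ;;
        *) echo "unsupported or encrypted key: $src" >&2; return 1 ;;
    esac
    [ "$(pem_key_format "$dst")" = pkcs1 ]
}

# Usage (assumed script name): sh keyfix.sh mysite.key mysite.pem
if [ "$#" -eq 2 ]; then
    to_pkcs1 "$1" "$2"
fi
```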

We have just released zotonic_ssl v1.2.0, which incorporates your fix.

Will use that to update Zotonic master as well.

Update: zotonic master has been updated with zotonic_ssl 1.2.0

3 Likes

Thanks :heart: @mworrell !!

I saw you try to enable ubuntu 22 with OpenSSL 3.0 and erlang 25 in the build system.
I compiled erlang 25 with OpenSSL 3.0 and crypto kept warning that OpenSSL 3.0 is not production-ready, Zotonic didn’t boot because some ciphers weren’t available. I had even opened an issue with mochiweb, but it seems the OpenSSL 3.0 from ubuntu is strangely compiled, couldn’t find the problem…

So the only way to get zotonic working was to build OpenSSL 1.1.1o and link it at build time to erlang 25.
Anyway, for new installations ubuntu server 22.04 LTS will be a problem for Zotonic until this is fixed.


Instructions to build OpenSSL 1.1.1o + erlang 25 with kerl
Download the OpenSSL 1.1.1o source code, uncompress it, and execute this command:

./config --prefix=$HOME/devel/local/ssl --openssldir=$HOME/devel/local/ssl shared
make && make install

Using kerl to build, the command line is:

KERL_CONFIGURE_OPTIONS="--with-ssl=$HOME/devel/local/ssl --disable-dynamic-ssl-lib" ./kerl build 25.0 b25
./kerl install b25 $HOME/devel/erl/25

4 Likes

I found a problem in OTP25 which makes us wait for the first updates anyway.

So hopefully, by then, we have some working Ubuntu/openssl/erlang combo. We have to wait and see.

3 Likes

Have you tried to build OpenSSL 3.0 yourself and used it with OTP-25.0? That’s how we test it here.

Do you know which ciphers weren’t available? All from 1.1.1 that Erlang/OTP supports should be available also when using 3.0.

2 Likes

Hello @hansn, I didn’t try to compile openssl 3.0, but I’ll give it a try!

The error was occurring in the function:

Crypt = crypto:crypto_one_time(aes_128_cfb128, Key, IV, Data, true),

In this Issue you can see the ciphers that were available at that build.

2 Likes