SSL on Zotonic 1.x

alvaropag · May 11, 2022, 5:18pm

Hello,

I have some questions regarding SSL.

I’ve generated a CA and signed a certificate, renamed everything, and put the files on ~/.config/zotonic/security/mysite/ca.

The problem is it keeps generating a self signed certificate, is this the expected behaviour?

Also, I guess I’m using a faulty openssl version, because the command

openssl rsa -in sitename.key -out sitename.pem

don’t generate a -----BEGIN RSA PRIVATE KEY----- file.

This causes a Zotonic startup error because .pem file is not in PKCS1 format.

The OpenSSL version I have on my machine is 3.0.2. Is Anyone using this version?

Thanks!

alvaropag · May 11, 2022, 5:39pm

The command changed to:

openssl pkcs8 -in mysite.key -traditional -nocrypt -out mysite.pem

mworrell · May 12, 2022, 7:43am

Interesting, so they completely changed the commands.

Is there a command that would work with all openssl versions?

We use the library zotonic_ssl | Hex for the SSL and certificate tasks.

mworrell · May 12, 2022, 7:51am

I also see at some places:

openssl rsa -in sitename.key -out sitename.pem -outform PEM

Does that work with openssl 3?

alvaropag · May 12, 2022, 1:39pm

It didn’t work, the result was -----BEGIN PRIVATE KEY-----

mworrell · May 12, 2022, 2:52pm

Then we have to check if that openssl pkcs8 works in openssl 1.something

alvaropag · May 12, 2022, 7:51pm

This command works on OpenSSL 1.1.1f.

mworrell · May 24, 2022, 7:50am

We have just released zotonic_ssl v1.2.0, which incorporates your fix.

Will use that to update Zotonic master as well.

Update: zotonic master has been updated with zotonic_ssl 1.2.0

alvaropag · May 24, 2022, 12:00pm

Thanks @mworrell !!

I saw you try to enable ubuntu 22 with OpenSSL 3.0 and erlang 25 in the build system.
I compiled erlang 25 with OpenSSL 3.0 and crypto kept warning that OpenSSL 3.0 is not production-ready, Zotonic didn’t boot because some ciphers weren’t available. I had even opened an issue with mochiweb, but it seems the OpenSSL 3.0 from ubuntu is strangely compiled, couldn’t find the problem…

So the only way to get zotonic working was to build OpenSSL 1.1.1o and link it at build time to erlang 25.
Anyway, for new installations ubuntu server 22.04 LTS will be a problem for Zotonic until this is fixed.

Instructions to build OpenSSL 1.1.1o + erlang 25 with kerl
Download OpenSSL 1.1.10 source code, uncompress and execute this command

./config --prefix=~/devel/local/ssl --openssldir=~/devel/local/ssl shared
make && make install

Using kerl to build, the command line is

KERL_CONFIGURE_OPTIONS="--with-ssl=~/devel/local/ssl --disable-dynamic-ssl-lib" ./kerl build 25.0 b25
./kerl install b25 ~/devel/erl/25

mworrell · May 24, 2022, 12:38pm

I found a problem in OTP25 which makes us wait for the first updates anyway.

So hopefully, by then, we have some working Ubuntu/openssl/erlang combo. We have to wait and see.

hansn · May 24, 2022, 3:20pm

Have you tried to build OpenSSL 3.0 yourself and used it with OTP-25.0? That’s how we test it here.

Do you know which ciphers weren’t available? All from 1.1.1 that Erlang/OTP supports should be available also when using 3.0.

alvaropag · May 24, 2022, 4:56pm

Hello @hansn, I didn’t try to compile openssl 3.0, but I’ll give it a try!

The error was occurring in the function:

Crypt = crypto:crypto_one_time(aes_128_cfb128, Key, IV, Data, true),

In this Issue you can see the ciphers that were available at that build.