SSL doesn't like my private key with password

SSL doesn't like my private key with password

Attila Rajmund Nohl
Hello!

I'm trying to start an SSL server with a key I got (i.e. I don't know
exactly how it was configured) that has a password. The password is OK
because I can start a server using these keys, certificates and
password using openssl. This is how I'm trying (it's OTP 19):

2> {ok, LS} = ssl:listen(12345, [{password, "password"}, {keyfile,
"node.key.pem"}, {certfile, "node.cert.pem"}, {cacertfile,
"ca-chain.cert.pem"}]).
{ok,{sslsocket,nil,...
3> {ok, TS} = ssl:transport_accept(LS).
{ok,{sslsocket,...

Then I connect to the socket using openssl s_client, then want to
accept the connection on the Erlang side:

4> ssl:ssl_accept(TS).
{error,{keyfile,function_clause}}

I guess it shouldn't happen. I found a question at stackoverflow with
similar contents:
https://stackoverflow.com/questions/50813212/erlang-ssl-password-option-for-private-key
and also a similar problem with RabbitMQ:
https://groups.google.com/forum/#!topic/rabbitmq-users/dW3Lz6omyfw

Is there a solution (other than using a different SSL private key or
upgrading to a newer OTP)?
_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
Re: SSL doesn't like my private key with password

Attila Rajmund Nohl
Attila Rajmund Nohl <[hidden email]> wrote (on Wed, 25 Jul 2018,
17:49):
[...]
> 4> ssl:ssl_accept(TS).
> {error,{keyfile,function_clause}}
>
> I guess it shouldn't happen. I found a question at stackoverflow with
> similar contents:
> https://stackoverflow.com/questions/50813212/erlang-ssl-password-option-for-private-key
> and also a similar problem with RabbitMQ:
> https://groups.google.com/forum/#!topic/rabbitmq-users/dW3Lz6omyfw

After some debugging it turned out the error comes from the public key decoding:

** exception error: no function clause matching
   pubkey_pbe:decode(..., "password","AES-256-CBC", ...)
   (pubkey_pbe.erl, line 59)

Erlang doesn't seem to support the AES-256-CBC cipher for passwords. I
see this(?) cipher in ssl, so I guess there's no legal reason not to
include it for keys.
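A way to check this without going through an SSL handshake, as an added example that is not part of the original posts: the module below lists the cipher recorded for each entry of a PEM file and tries to decrypt each entry with the installed public_key application. The module name pem_cipher_check and its function names are hypothetical; it uses only file:read_file/1, public_key:pem_decode/1 and public_key:pem_entry_decode/2.

```erlang
-module(pem_cipher_check).
-export([ciphers/1, try_decode/2]).

%% Hypothetical helper module (not OTP code).
%% Usage from the shell, with the key file from the thread:
%%   pem_cipher_check:ciphers("node.key.pem").
%%   pem_cipher_check:try_decode("node.key.pem", "password").

%% Return [{EntryType, Cipher | not_encrypted}] for every PEM entry.
%% pem_decode/1 only parses the PEM framing and encryption header,
%% so it does not need the password.
ciphers(File) ->
    {ok, Pem} = file:read_file(File),
    [{Type, cipher(Info)}
     || {Type, _Der, Info} <- public_key:pem_decode(Pem)].

%% The third element of a PEM entry is not_encrypted or
%% {CipherName, SaltOrParams}; only the name is of interest here.
cipher(not_encrypted) -> not_encrypted;
cipher({Cipher, _SaltOrParams}) -> Cipher.

%% Try to decrypt and decode every entry with Password (a string).
%% Returns [{EntryType, ok | {Class, Reason}}]. A cipher that this
%% OTP release cannot handle shows up here as {error, function_clause},
%% the same failure that ssl reports as {keyfile, function_clause}.
try_decode(File, Password) ->
    {ok, Pem} = file:read_file(File),
    [decode_entry(Entry, Password)
     || Entry <- public_key:pem_decode(Pem)].

decode_entry({Type, _Der, _Info} = Entry, Password) ->
    try public_key:pem_entry_decode(Entry, Password) of
        _Key -> {Type, ok}
    catch
        Class:Reason -> {Type, {Class, Reason}}
    end.
```

A key that reports a cipher name in ciphers/1 and an error in try_decode/2 is one the running OTP release cannot decrypt, whatever the password.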