Bug 1025057
| Summary: | SSLProxyMachineCertificateFile doesn't support PKCS#8 key format | | |
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Web Server 2 | Reporter: | Chris Dolphy <cdolphy> |
| Component: | httpd | Assignee: | Weinan Li <weli> |
| Status: | CLOSED WONTFIX | QA Contact: | Michal Karm Babacek <mbabacek> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 2.0.1 | CC: | bperkins, jclere, jdoyle, jorton, jpallich, lcosti, mbabacek, myarboro, pslavice, pyaduvan, rmarwaha, rsvoboda, smumford |
| Target Milestone: | --- | | |
| Target Release: | 2.1.1 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Known Issue |
Doc Text:
In JBoss Web Server, when a PKCS#8 key generated by OpenSSL is used, JBoss Web Server displays the following error and then terminates:
----
incomplete client cert configured for SSL proxy (missing or encrypted private key?)
----
The PKCS#8 format is not supported by mod_ssl, as mod_ssl uses different functions when loading the proxy key pair.
This is a known issue in JBoss Web Server 3.0. As a workaround, convert the key from PKCS#8 to the raw PEM encoding of the RSA key using "openssl pkcs8".
| Story Points: | --- | | |
|---|---|---|---|
| Clone Of: | | Environment: | |
| Last Closed: | 2017-10-10 15:53:13 UTC | Type: | Bug |
Description
Chris Dolphy
2013-10-30 21:26:08 UTC
Created attachment 817648
mod_cluster.conf, script to gen certs, certs
Yes, that is not supported by mod_ssl. When loading the proxy key pair mod_ssl uses different functions, which don't handle the PKCS#8 format. It is simple enough to convert from PKCS#8 to the raw PEM encoding of the RSA key; use "openssl pkcs8".

We still have the same kind of issue with:
Fedora 20 OpenSSL/1.0.1e-fips
RHEL 7 OpenSSL/1.0.1e-fips
RHEL 6 OpenSSL/1.0.1e-fips
Windows 2012 R2 OpenSSL/1.0.1e
> [ssl:debug] [pid 5167] ssl_engine_pphrase.c(239): AH02202: Init: Read server certificate from '/home/mbabacek/JWS/jws-3.0/httpd/certs/apache_cert.pem'
> [ssl:debug] [pid 5167] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
> [ssl:info] [pid 5167] AH01887: Init: Initializing (virtual) servers for SSL
> [ssl:debug] [pid 5167] ssl_engine_init.c(1524): AH02209: CA certificate: CN=jboss
> AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
> [ssl:emerg] [pid 5167] AH02312: Fatal error initialising mod_ssl, exiting.
So it should stay a known issue and be documented for JWS3.

Is it resolved by updating OpenSSL to 1.0.2h or is it a mod_ssl code limitation?

It is the mod_ssl limitation; it won't be fixed in ews-2.1.x.
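
A preflight check for the key format problem discussed in this bug, as an added example that is not part of the bug report or of mod_ssl: it classifies the PEM blocks in a file intended for SSLProxyMachineCertificateFile by their BEGIN labels, so a PKCS#8 or encrypted key is caught before httpd start-up fails. The names `check_proxy_pem`, `pem` and `SAMPLES`, and the sample file contents, are assumptions constructed for illustration.

```python
import re

# One PEM block: BEGIN line, body (may start with RFC 1421 headers), END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def check_proxy_pem(text):
    """Classify the PEM blocks in a file meant for SSLProxyMachineCertificateFile.

    Returns a list of problem strings; an empty list means the file holds a
    certificate plus an unencrypted traditional RSA key, the form the
    comments above describe as the workaround target."""
    problems, has_cert, has_key = [], False, False
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            has_cert = True
        elif label == "RSA PRIVATE KEY":
            has_key = True
            # Traditional encrypted keys carry a Proc-Type header in the body.
            if re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.M):
                problems.append("encrypted RSA key: remove the pass phrase")
        elif label == "PRIVATE KEY":
            has_key = True
            problems.append("PKCS#8 key: convert with 'openssl pkcs8'")
        elif label == "ENCRYPTED PRIVATE KEY":
            has_key = True
            problems.append("encrypted PKCS#8 key: decrypt and convert")
    if not has_cert:
        problems.append("no certificate block")
    if not has_key:
        problems.append("no private key block")
    return problems

def pem(label, body="QUJDRA==\n"):
    # Constructed placeholder block; the base64 body is not real key material.
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed sample files (assumptions, not taken from the bug's attachment).
SAMPLES = {
    "pkcs8": pem("CERTIFICATE") + pem("PRIVATE KEY"),
    "traditional": pem("CERTIFICATE") + pem("RSA PRIVATE KEY"),
    "encrypted": pem("CERTIFICATE") + pem(
        "RSA PRIVATE KEY",
        "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQUJDRA==\n"),
    "cert_only": pem("CERTIFICATE"),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, check_proxy_pem(text) or "ok")
```

The check reads only the PEM labels and headers, so it never needs the pass phrase or the decoded key.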