Bug 1025057

Summary: SSLProxyMachineCertificateFile doesn't support PKCS#8 key format
Product: [JBoss] JBoss Enterprise Web Server 2
Reporter: Chris Dolphy <cdolphy>
Component: httpd
Assignee: Weinan Li <weli>
Status: CLOSED WONTFIX
QA Contact: Michal Karm Babacek <mbabacek>
Severity: unspecified
Priority: unspecified
Version: 2.0.1
CC: bperkins, jclere, jdoyle, jorton, jpallich, lcosti, mbabacek, myarboro, pslavice, pyaduvan, rmarwaha, rsvoboda, smumford
Target Milestone: ---
Target Release: 2.1.1
Hardware: Unspecified
OS: Unspecified
Doc Type: Known Issue
Doc Text:
In JBoss Web Server, when a PKCS#8 private key generated by OpenSSL is used for the SSL proxy client certificate (SSLProxyMachineCertificateFile), JBoss Web Server logs the following error and then terminates: ---- incomplete client cert configured for SSL proxy (missing or encrypted private key?) ---- The PKCS#8 format is not supported here because mod_ssl loads the proxy key pair with different functions from those used for SSLCertificateKeyFile, and those functions do not handle PKCS#8. This is a known issue in JBoss Web Server 3.0. As a workaround, convert the key from PKCS#8 to the traditional PEM encoding of the RSA key ("RSA PRIVATE KEY") with "openssl pkcs8".
Last Closed: 2017-10-10 15:53:13 UTC
Type: Bug
Attachments: mod_cluster.conf, script to gen certs, certs (flags: none)

Description Chris Dolphy 2013-10-30 21:26:08 UTC
Description of problem:
When using a PKCS#8 key generated by OpenSSL, EWS gives the following error and then terminates:
incomplete client cert configured for SSL proxy (missing or encrypted private key?)

Version-Release number of selected component (if applicable):
EWS 2.0.1 on RHEL 6.  
OpenSSL 1.0.0-fips 29 Mar 2010

How reproducible:
readily

Steps to Reproduce:
1. Generate certificates
2. Configure mod_cluster configuration with the certificate
3. Start EWS (apachectl -k start)

Actual results:
Apache attempts to start, but terminates after logging:
[Wed Oct 30 16:16:56 2013] [info] Init: Initialized OpenSSL library
[Wed Oct 30 16:16:56 2013] [info] Init: Seeding PRNG with 0 bytes of entropy
[Wed Oct 30 16:16:56 2013] [notice] SSL FIPS mode disabled
[Wed Oct 30 16:16:56 2013] [info] Loading certificate & private key of SSL-aware server
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Wed Oct 30 16:16:56 2013] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Oct 30 16:16:56 2013] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Oct 30 16:16:56 2013] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Oct 30 16:16:56 2013] [info] Init: Initializing (virtual) servers for SSL
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv3, TLSv1)
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_init.c(601): Configuring client authentication
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_init.c(1199): CA certificate: /CN=jboss
incomplete client cert configured for SSL proxy (missing or encrypted private key?)

Expected results:
Startup and work with PKCS#8 certificates.

Additional info:

OpenSSL changed the default key format to PKCS#8 (from PKCS#1) in version 1.0.0.  So supporting PKCS#8 certificates is more important on RHEL 6.

Also, SSLCertificateKeyFile having a PKCS#8 certificate works fine.

Comment 1 Chris Dolphy 2013-10-30 21:30:45 UTC
Created attachment 817648 [details]
mod_cluster.conf, script to gen certs, certs

Comment 2 Joe Orton 2013-10-31 12:22:36 UTC
Yes, that is not supported by mod_ssl.  When loading the proxy key pair mod_ssl uses different functions, which don't handle the PKCS#8 format.  It is simple enough to convert from PKCS#8 to the raw PEM encoding of the RSA key; use "openssl pkcs8".
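
The conversion Comment 2 (and the Doc Text above) describe, shown as an added example that is not part of httpd, mod_ssl or JBoss EWS and was not posted by anyone on this bug. An unencrypted PKCS#8 PEM block carries the label "PRIVATE KEY" and wraps the key in a PrivateKeyInfo structure (version, AlgorithmIdentifier, OCTET STRING); the traditional block carries the label "RSA PRIVATE KEY" and holds the bare PKCS#1 RSAPrivateKey. Unwrapping that OCTET STRING is the whole conversion, so the script below does it with a minimal DER decoder, first checking which format the key block of a cert+key file is in (the same question mod_ssl's "missing or encrypted private key?" message asks). The sample key is constructed and structurally valid only; it is not a usable RSA key, and the cert+key file layout and all function names are this example's own assumptions.

```python
"""Check, and fix, the private key block of an SSLProxyMachineCertificateFile.

Added example, not project code. Constructed sample input; see bottom of file.
"""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----\n?", re.S)


def _der(tag: int, value: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths up to 65535 bytes)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value


def _der_int(v: int) -> bytes:
    """Non-negative INTEGER; the size formula keeps a leading 0x00 when the high bit is set."""
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _der_tlv(buf: bytes, off: int):
    """Decode the TLV at buf[off]; returns (tag, value_start, value_end)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def pem_to_der(block: str) -> bytes:
    body = "".join(l for l in block.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der: bytes, label: str) -> str:
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


def private_key_block(text: str):
    """Return (label, block) for the private key in a cert+key PEM file, or None."""
    for m in _BLOCK.finditer(text):
        if m.group(1).endswith("PRIVATE KEY"):
            return m.group(1), m.group(0)
    return None


def key_format(text: str) -> str:
    """'pkcs1' is the only result the proxy key loader in this bug accepts."""
    found = private_key_block(text)
    if found is None:
        return "missing"
    label, block = found
    if label == "RSA PRIVATE KEY":          # traditional; may still be passphrase-protected
        return "pkcs1-encrypted" if "Proc-Type: 4,ENCRYPTED" in block else "pkcs1"
    if label == "PRIVATE KEY":
        return "pkcs8"
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    return "other"


def pkcs8_to_pkcs1(block: str) -> str:
    """Unwrap an unencrypted PKCS#8 RSA PrivateKeyInfo into a PKCS#1 PEM block."""
    der = pem_to_der(block)
    tag, start, end = _der_tlv(der, 0)          # PrivateKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    tag, vs, ve = _der_tlv(der, start)          # version INTEGER, must be 0
    if tag != 0x02 or der[vs:ve] != b"\x00":
        raise ValueError("unsupported PrivateKeyInfo version")
    tag, as_, ae = _der_tlv(der, ve)            # privateKeyAlgorithm AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, os_, oe = _der_tlv(der, as_)           # its OID must be rsaEncryption
    if tag != 0x06 or der[os_:oe] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, ks, ke = _der_tlv(der, ae)             # privateKey OCTET STRING holds the PKCS#1 DER
    if tag != 0x04 or ke > end:
        raise ValueError("missing privateKey OCTET STRING")
    inner = der[ks:ke]
    if _der_tlv(inner, 0)[0] != 0x30:
        raise ValueError("privateKey does not contain an RSAPrivateKey SEQUENCE")
    return der_to_pem(inner, "RSA PRIVATE KEY")


def fix_proxy_file(text: str) -> str:
    """Rewrite a cert+key file so its key block is PKCS#1; every other block is untouched."""
    fmt = key_format(text)
    if fmt == "pkcs1":
        return text
    if fmt != "pkcs8":
        raise ValueError(f"cannot fix automatically: key format is {fmt}")
    _, block = private_key_block(text)
    return text.replace(block, pkcs8_to_pkcs1(block))


def wrap_pkcs8(rsa_der: bytes) -> bytes:
    """Reverse direction, used here only to build the constructed sample."""
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    return _der(0x30, _der_int(0) + alg + _der(0x04, rsa_der))


# Constructed sample: a 9-INTEGER RSAPrivateKey skeleton with placeholder values (not a real key).
SAMPLE_RSA_DER = _der(0x30, b"".join(
    _der_int(v) for v in (0, 0xC0FFEE, 65537, 0xBEEF, 0xD00D, 0xF00D, 0xABCD, 0xEF01, 0x2345)))
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"  # placeholder body
SAMPLE_PROXY_FILE = SAMPLE_CERT + der_to_pem(wrap_pkcs8(SAMPLE_RSA_DER), "PRIVATE KEY")

if __name__ == "__main__":
    print("before:", key_format(SAMPLE_PROXY_FILE))   # pkcs8  (what triggers AH02252)
    fixed = fix_proxy_file(SAMPLE_PROXY_FILE)
    print("after: ", key_format(fixed))               # pkcs1
    print(fixed, end="")
```

On a real key the command-line route Comment 2 points to does the same unwrapping: `openssl pkcs8 -in key_pkcs8.pem -nocrypt -out key_rsa.pem` reads an unencrypted PKCS#8 key and writes the traditional "RSA PRIVATE KEY" PEM, which is then concatenated after the certificate in the SSLProxyMachineCertificateFile. Note that a passphrase-protected key of either form ("ENCRYPTED PRIVATE KEY", or "RSA PRIVATE KEY" with a Proc-Type: 4,ENCRYPTED header) also triggers the error in the log above, which is why the check distinguishes those cases rather than only looking at the label.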

Comment 4 Michal Karm Babacek 2015-04-27 06:38:16 UTC
We still have the same kind of issue with:

Fedora 20        OpenSSL/1.0.1e-fips
RHEL 7           OpenSSL/1.0.1e-fips
RHEL 6           OpenSSL/1.0.1e-fips
Windows 2012 R2  OpenSSL/1.0.1e

> [ssl:debug] [pid 5167] ssl_engine_pphrase.c(239): AH02202: Init: Read server certificate from '/home/mbabacek/JWS/jws-3.0/httpd/certs/apache_cert.pem'
> [ssl:debug] [pid 5167] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
> [ssl:info] [pid 5167] AH01887: Init: Initializing (virtual) servers for SSL
> [ssl:debug] [pid 5167] ssl_engine_init.c(1524): AH02209: CA certificate: CN=jboss
> AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
> [ssl:emerg] [pid 5167] AH02312: Fatal error initialising mod_ssl, exiting.

Comment 5 Jean-frederic Clere 2015-04-27 07:28:12 UTC
So it should stay a known issue and be documented for JWS3.

Comment 6 Michal Karm Babacek 2016-05-26 09:41:52 UTC
Is it resolved by updating OpenSSL to 1.0.2h or is it a mod_ssl code limitation?

Comment 7 Jean-frederic Clere 2016-07-27 09:16:18 UTC
It is a mod_ssl limitation; it won't be fixed in ews-2.1.x.