Bug 240502

Summary: FC6 PKCS12 erroneously reporting "Private key and certificate do not match"
Product: Fedora
Component: perl-Crypt-SSLeay
Version: 6
Hardware: i686
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: medium
Reporter: Dan Hanks <danhanks>
Assignee: Robin Norwood <robin.norwood>
CC: perl-devel, tmraz
Fixed In Version: 0.56-1.fc7
Doc Type: Bug Fix
Last Closed: 2007-08-29 17:29:54 UTC
Bug Depends On: 217138

Attachments:
  154959: Sample p12 file in which FC6 thinks the key doesn't match the cert (flags: none)
  155020: p12 file for anonvpn.com (flags: none)

Description Dan Hanks 2007-05-17 22:37:02 UTC
Description of problem:

openssl appears to be having problems matching private keys with certificates 
in .p12 (PKCS12) files on FC6


Version-Release number of selected component (if applicable):
openssl-0.9.8b-8.3.fc6


How reproducible:
Always

Steps to Reproduce:
This works on an FC3 machine: (openssl-0.9.7a-40, perl-libwww-perl-5.79-5)

[user@fc3_host ~]$ export HTTPS_PKCS12_PASSWORD=foo
[user@fc3_host ~]$ export HTTPS_PKCS12_FILE=./test.p12 
[user@fc3_host ~]$ GET https://api.bluetiestage.com/bluetiesp.asp
<?xml version="1.0" ?><response><code>20001005</code><descr>Invalid request format: customer_id is invalid or omitted.</descr></response>

However, on FC6, we see: (openssl-0.9.8b-8.3.fc6, perl-libwww-perl-5.805-1.1.1)

[user@fc6_host ~]$ export HTTPS_PKCS12_PASSWORD=foo
[user@fc6_host ~]$ export HTTPS_PKCS12_FILE=./test.p12 
[user@fc6_host ~]$ GET https://api.bluetiestage.com/bluetiesp.asp
500 configure certs failed: Private key and certificate do not match

I see similar results with wget, which points me to openssl, as opposed to 
libwww-perl
  
Actual results:
On FC6, you can see openssl thinks the private key in the .p12 file doesn't 
match the cert in the same .p12 file (even though this .p12 file was created on 
FC6)

Expected results:
On FC3, you can see we can talk to the remote host and get some XML back. 
Although we get back an error code, the important thing is we were able to 
establish the connection in the first place.

Comment 1 Dan Hanks 2007-05-17 22:37:02 UTC
Created attachment 154959 [details]
Sample p12 file in which FC6 thinks the key doesn't match the cert

Comment 2 Tomas Mraz 2007-05-18 09:13:31 UTC
https://api.bluetiestage.com/bluetiesp.asp is not working currently. (Connection
refused.)

Also how did you test with wget?


Comment 3 Dan Hanks 2007-05-18 15:59:45 UTC
Grr. I'll see if the vendor (Bluetie) is limiting access by IP. With wget:

First I make a pem file from the .p12 file:
  
  openssl pkcs12 -in test.p12 -out test.pem

Then try to use it with wget:

[user@fc6_host ~]$ wget --certificate=test.pem https://api.bluetiestage.com/bluetiesp.asp
--09:55:32--  https://api.bluetiestage.com/bluetiesp.asp
Resolving api.bluetiestage.com... 24.39.102.211
Connecting to api.bluetiestage.com|24.39.102.211|:443... connected.
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Unable to establish SSL connection.

I'll follow up on the connection issues with the server. Is there an IP you'd 
be coming from I can have them open up for you?

Comment 4 Dan Hanks 2007-05-18 17:51:44 UTC
Created attachment 155020 [details]
p12 file for anonvpn.com

Use this .p12 file to replicate the tests trying to connect to anonvpn.com

Comment 5 Dan Hanks 2007-05-18 17:57:28 UTC
Let's try a server that's a bit more open for testing. Using the anonvpn_ca.p12 
file I attached above, try this:


On FC3 (same versions as the original post):

[user@fc3_host ~]$ export HTTPS_PKCS12_PASSWORD=
[user@fc3_host ~]$ export HTTPS_PKCS12_FILE=./anonvpn_ca.p12 
[user@fc3_host ~]$ GET https://anonvpn.com
.<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>AnonVPN</title>
...



Now on FC6 (same versions as the original post):

[user@fc6_host ~]$ export HTTPS_PKCS12_PASSWORD=
[user@fc6_host ~]$ export HTTPS_PKCS12_FILE=./anonvpn_ca.p12 
[user@fc6_host ~]$ GET https://anonvpn.com
500 configure certs failed: Private key and certificate do not match

Hopefully you can reproduce this easier with the anonvpn server.

Thanks for your help.

Comment 6 Dan Hanks 2007-05-29 18:30:12 UTC
Any updates on this? 

Thanks.

Comment 7 Tomas Mraz 2007-05-30 07:47:52 UTC
This time I can't connect to the anonvpn.com
mraz@perun:~/download$ GET https://anonvpn.com
500 Can't connect to anonvpn.com:443 (connect: No route to host)

I'll retry later today.


Comment 8 Dan Hanks 2007-06-18 16:24:50 UTC
Hmmm. From what I can see you don't even need to be able to connect to a host 
for the key/cert problem to surface as it happens even before a connection is 
made. The problem can be reproduced by specifying any https url in the test.  
Try this on an FC6 machine:

[user@fc6_host ~]$ export HTTPS_PKCS12_PASSWORD=
[user@fc6_host ~]$ export HTTPS_PKCS12_FILE=./anonvpn_ca.p12 
[user@fc6_host ~]$ GET https://gmail.com

When I do this I get "500 configure certs failed: Private key and certificate 
do not match"

The above test on FC3 is able to successfully open the connection and make the 
request. On FC6 we're not even able to get to the part where a connection is 
made.

I.e., the problem isn't happening when trying to talk with the remote host, the 
problem is happening when openssl tries to use the .p12 file prior to 
initiating the connection.


Comment 9 Tomas Mraz 2007-06-18 18:58:33 UTC
The problem is caused by the PKCS12 part of the openssl library not being initialized in
the latest perl-Crypt-SSLeay package in FC6.
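
The check a practitioner wants at this point is the one Comment 8 implies and Comment 9 confirms: decide, without any TLS client library in the loop, whether the key and certificate inside the .p12 really belong together. The script below is an added example for this thread; it is not code from the bug report, from perl-Crypt-SSLeay or from Fedora. It assumes only an openssl binary on PATH (0.9.8 through 3.x command syntax) and a bundle password given on the command line. It splits the extraction that Comment 3's `openssl pkcs12 -in test.p12 -out test.pem` lumps into one file (that form also encrypts the exported key and prompts for a PEM pass phrase unless -nodes is given), fingerprints the SubjectPublicKeyInfo on both sides, and compares. The fixture bundles it builds for its self-demo are constructed on the fly; good.p12 stands in for the reporter's test.p12 with password "foo".

```shell
#!/bin/sh
# Added example for this bug thread; not code from the report or from
# perl-Crypt-SSLeay. Checks, with the openssl CLI alone, whether the private
# key and the client certificate inside a PKCS#12 bundle share a public key.
# Assumes an `openssl` binary on PATH and the bundle password on the command line.
set -e

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM public key ($1).
# The DER goes to a temp file first because a pipeline's status is only that
# of its last command, and the SHA-256 of *empty* input is a valid-looking
# digest: two failed extractions would otherwise "match" each other.
spki_fingerprint() {
    spki_der=$(mktemp)
    printf '%s\n' "$1" | openssl pkey -pubin -outform DER -out "$spki_der" 2>/dev/null || true
    if [ ! -s "$spki_der" ]; then
        rm -f "$spki_der"
        return 1
    fi
    openssl dgst -sha256 "$spki_der" | awk '{print $NF}'
    rm -f "$spki_der"
}

# Public-key fingerprint of the private key in bundle $1, password $2.
# `-nocerts -nodes` yields only the key, unencrypted, so nothing prompts;
# an empty bundle password (the anonvpn_ca.p12 case) is "pass:" with nothing after it.
p12_key_fingerprint() {
    key_pub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
              | openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$key_pub" ] || return 1
    spki_fingerprint "$key_pub"
}

# Public-key fingerprint of the client (leaf) certificate in bundle $1, password $2.
# `-clcerts -nokeys` excludes CA certificates and the key.
p12_cert_fingerprint() {
    cert_pub=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null \
               | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    [ -n "$cert_pub" ] || return 1
    spki_fingerprint "$cert_pub"
}

# Exit 0 only when both parts decode and carry the same public key.
# A wrong password fails the PKCS#12 MAC check, so both extractions fail and
# this returns 1 instead of comparing two empty strings.
p12_key_matches_cert() {
    k=$(p12_key_fingerprint "$1" "$2") || return 1
    c=$(p12_cert_fingerprint "$1" "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed fixture: a fresh self-signed cert + key, bundled like test.p12.
# $1 = output .p12, $2 = bundle password, $3 = CN for the certificate.
make_fixture_p12() {
    fx=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$fx/key.pem" -out "$fx/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$fx/key.pem" -in "$fx/cert.pem" \
        -passout "pass:$2" -out "$1"
    rm -rf "$fx"
}

# Usage: sh p12check.sh bundle.p12 'password'   (check your own bundle)
#        sh p12check.sh                         (self-demo on constructed bundles)
if [ "$#" -ge 1 ]; then
    if p12_key_matches_cert "$1" "${2:-}"; then
        echo "$1: private key and certificate match"
    else
        echo "$1: key/cert MISMATCH, or the bundle could not be decoded"
        exit 1
    fi
elif command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_fixture_p12 "$demo/good.p12" foo good.example
    make_fixture_p12 "$demo/other.p12" bar other.example
    if p12_key_matches_cert "$demo/good.p12" foo; then
        echo "good.p12: key and cert match; a library still failing on it is at fault"
    fi
    if [ "$(p12_key_fingerprint "$demo/good.p12" foo)" != \
         "$(p12_cert_fingerprint "$demo/other.p12" bar)" ]; then
        echo "key from good.p12 vs cert from other.p12: genuine mismatch"
    fi
    rm -rf "$demo"
else
    echo "openssl not found; skipping demo" >&2
fi
```

If this script reports a match for the bundle that the application rejects, the bundle is fine and the fault is in how the application drives OpenSSL. In the 0.9.x API the PBE algorithms that shroud the PKCS#12 key bag are registered by PKCS12_PBE_add(), which OpenSSL_add_all_algorithms() calls; a client that only initializes the SSL side can open the PFX envelope but not decrypt the key bag, and the later SSL_CTX_check_private_key() then reports a key/cert mismatch rather than a decryption failure. That is the class of initialization problem Comment 9 refers to.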


Comment 10 Fedora Update System 2007-08-24 05:29:55 UTC
perl-Crypt-SSLeay-0.56-1.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Robin Norwood 2007-08-24 14:53:26 UTC
Can someone test the above version and let me know how it works for you? 

x86_64 version:
http://download.fedora.redhat.com/pub/fedora/linux/updates/testing/7/x86_64/perl-Crypt-SSLeay-0.56-1.fc7.x86_64.rpm

x86 version:
http://download.fedora.redhat.com/pub/fedora/linux/updates/testing/7/i386/perl-Crypt-SSLeay-0.56-1.fc7.i386.rpm

(or just enable your updates testing repo and use yum)

Comment 12 Tomas Mraz 2007-08-29 07:47:37 UTC
The perl-Crypt-SSLeay-0.56-2.fc8.x86_64 on rawhide works for me.

Comment 13 Fedora Update System 2007-08-29 17:29:51 UTC
perl-Crypt-SSLeay-0.56-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.