Bug 1025057 - SSLProxyMachineCertificateFile doesn't support PKCS#8 key format
Status: CLOSED WONTFIX
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: httpd
Version: 2.0.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 2.1.1
Assigned To: Weinan Li
QA Contact: Michal Karm Babacek
Depends On:
Blocks:
Reported: 2013-10-30 17:26 EDT by Chris Dolphy
Modified: 2017-10-10 11:53 EDT (History)
CC: 13 users

See Also:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
In JBoss Web Server, when a PKCS#8 key generated by OpenSSL is used in SSLProxyMachineCertificateFile, JBoss Web Server displays the following error and then terminates: ---- incomplete client cert configured for SSL proxy (missing or encrypted private key?) ---- The PKCS#8 format ("BEGIN PRIVATE KEY") is not supported by mod_ssl for the proxy client key pair, as mod_ssl uses different functions when loading the proxy key pair than when loading SSLCertificateKeyFile (where the same key works). This is a known issue in JBoss Web Server 3.0. As a workaround, convert the key from PKCS#8 to the traditional PEM encoding of the RSA key ("BEGIN RSA PRIVATE KEY") using "openssl pkcs8".
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-10-10 11:53:13 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
mod_cluster.conf, script to gen certs, certs (7.38 KB, application/gzip)
2013-10-30 17:30 EDT, Chris Dolphy

Description Chris Dolphy 2013-10-30 17:26:08 EDT
Description of problem:
When using a PKCS#8 key generated by OpenSSL, EWS gives the following error and then terminates:
incomplete client cert configured for SSL proxy (missing or encrypted private key?)

Version-Release number of selected component (if applicable):
EWS 2.0.1 on RHEL 6.  
OpenSSL 1.0.0-fips 29 Mar 2010

How reproducible:
readily

Steps to Reproduce:
1. Generate certificates
2. Configure mod_cluster configuration with the certificate
3. Start EWS (apachectl -k start)

Actual results:
Apache attempts to start, but terminates after logging:
[Wed Oct 30 16:16:56 2013] [info] Init: Initialized OpenSSL library
[Wed Oct 30 16:16:56 2013] [info] Init: Seeding PRNG with 0 bytes of entropy
[Wed Oct 30 16:16:56 2013] [notice] SSL FIPS mode disabled
[Wed Oct 30 16:16:56 2013] [info] Loading certificate & private key of SSL-aware server
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Wed Oct 30 16:16:56 2013] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Oct 30 16:16:56 2013] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Oct 30 16:16:56 2013] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Oct 30 16:16:56 2013] [info] Init: Initializing (virtual) servers for SSL
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv3, TLSv1)
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_init.c(601): Configuring client authentication
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_init.c(1199): CA certificate: /CN=jboss
incomplete client cert configured for SSL proxy (missing or encrypted private key?)

Expected results:
Startup and work with PKCS#8 certificates.

Additional info:

OpenSSL changed the default key format to PKCS#8 (from PKCS#1) in version 1.0.0.  So supporting PKCS#8 certificates is more important on RHEL 6.

Also, SSLCertificateKeyFile having a PKCS#8 certificate works fine.
Comment 1 Chris Dolphy 2013-10-30 17:30:45 EDT
Created attachment 817648 [details]
mod_cluster.conf, script to gen certs, certs
Comment 2 Joe Orton 2013-10-31 08:22:36 EDT
Yes, that is not supported by mod_ssl. When loading the proxy key pair mod_ssl uses different functions, which don't handle the PKCS#8 format. It is simple enough to convert from PKCS#8 to the raw PEM encoding of the RSA key; use "openssl pkcs8".
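The workaround from the Doc Text and from Comment 2, as an added example that is not part of the bug report or of the JBoss EWS/httpd code: a POSIX shell helper that reports which PEM private-key encoding a file holds, converts a PKCS#8 RSA key to the traditional "RSA PRIVATE KEY" encoding that mod_ssl's proxy key loader accepts, and pre-checks a candidate SSLProxyMachineCertificateFile for the conditions behind the "incomplete client cert configured for SSL proxy" error. It assumes an openssl binary on PATH; the file names and the throwaway self-signed certificate in the demo are constructed for illustration. It converts with `openssl rsa` rather than the `openssl pkcs8` invocation suggested in the bug, because which encoding either command writes by default has varied across OpenSSL releases (OpenSSL 3 writes PKCS#8 unless -traditional is given), so the script verifies the header of what it wrote instead of trusting the tool.

```shell
#!/bin/sh
# Added example, not from the bug or from EWS/httpd. Assumes 'openssl' on PATH.
# File names are illustrative; the demo certificate is throwaway test material.

# pem_key_format FILE -> prints pkcs8 | pkcs8-encrypted | traditional | none
# based on the PEM label of the first private-key block found in FILE.
pem_key_format() {
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    elif grep -Eq '^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----' "$1"; then
        echo traditional
    else
        echo none
    fi
}

# to_traditional_rsa IN OUT -> rewrites the unencrypted RSA key IN as a
# traditional "RSA PRIVATE KEY" PEM in OUT and verifies the result by header.
to_traditional_rsa() {
    # OpenSSL 3 writes PKCS#8 from 'openssl rsa' unless -traditional is given;
    # OpenSSL 1.x rejects that flag but already writes the traditional form.
    if ! openssl rsa -in "$1" -out "$2" -traditional >/dev/null 2>&1; then
        openssl rsa -in "$1" -out "$2" >/dev/null 2>&1 || return 1
    fi
    [ "$(pem_key_format "$2")" = traditional ]
}

# check_proxy_bundle FILE -> prints "ok" and returns 0 when FILE looks like a
# bundle mod_ssl will load for SSLProxyMachineCertificateFile (a certificate
# plus an unencrypted traditional-format key); otherwise prints the reason
# mod_ssl would report "incomplete client cert configured for SSL proxy
# (missing or encrypted private key?)" and returns 1.
check_proxy_bundle() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" || { echo "no certificate"; return 1; }
    case "$(pem_key_format "$1")" in
        traditional)     echo ok; return 0 ;;
        pkcs8)           echo "PKCS#8 key (BEGIN PRIVATE KEY): mod_ssl's proxy loader rejects it"; return 1 ;;
        pkcs8-encrypted) echo "encrypted key: proxy client keys must be unencrypted"; return 1 ;;
        *)               echo "no private key in the bundle"; return 1 ;;
    esac
}

# Demo: generate a throwaway self-signed client certificate (constructed test
# material, not the certs attached to the bug), show the failing bundle, fix it.
main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    work=$(mktemp -d)
    # 'openssl req' has written PKCS#8 ("BEGIN PRIVATE KEY") keys since OpenSSL 1.0.0
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=proxy-client \
        -keyout "$work/key.pem" -out "$work/cert.pem" >/dev/null 2>&1
    echo "generated key: $(pem_key_format "$work/key.pem")"
    cat "$work/cert.pem" "$work/key.pem" > "$work/proxy-pkcs8.pem"
    echo "before: $(check_proxy_bundle "$work/proxy-pkcs8.pem")"
    to_traditional_rsa "$work/key.pem" "$work/key-rsa.pem"
    cat "$work/cert.pem" "$work/key-rsa.pem" > "$work/proxy.pem"
    echo "after:  $(check_proxy_bundle "$work/proxy.pem")"
    rm -rf "$work"
}
main
```

Run it as `sh proxykey.sh`; the "before" line shows the PKCS#8 bundle being rejected and the "after" line shows the converted bundle passing. Whichever tool you convert with, the check that matters is the one the script does at the end: the key block in the bundle must read "-----BEGIN RSA PRIVATE KEY-----", not "-----BEGIN PRIVATE KEY-----", and must not be encrypted.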
Comment 4 Michal Karm Babacek 2015-04-27 02:38:16 EDT
We still have the same kind of issue with:

Fedora 20        OpenSSL/1.0.1e-fips
RHEL 7           OpenSSL/1.0.1e-fips
RHEL 6           OpenSSL/1.0.1e-fips
Windows 2012 R2  OpenSSL/1.0.1e

> [ssl:debug] [pid 5167] ssl_engine_pphrase.c(239): AH02202: Init: Read server certificate from '/home/mbabacek/JWS/jws-3.0/httpd/certs/apache_cert.pem'
> [ssl:debug] [pid 5167] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
> [ssl:info] [pid 5167] AH01887: Init: Initializing (virtual) servers for SSL
> [ssl:debug] [pid 5167] ssl_engine_init.c(1524): AH02209: CA certificate: CN=jboss
> AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
> [ssl:emerg] [pid 5167] AH02312: Fatal error initialising mod_ssl, exiting.
Comment 5 Jean-frederic Clere 2015-04-27 03:28:12 EDT
So it should stay a known issue and be documented for JWS3.
Comment 6 Michal Karm Babacek 2016-05-26 05:41:52 EDT
Is it resolved by updating OpenSSL to 1.0.2h or is it a mod_ssl code limitation?
Comment 7 Jean-frederic Clere 2016-07-27 05:16:18 EDT
It is a mod_ssl limitation; it won't be fixed in ews-2.1.x.
