Description of problem:
openssl appears to be having problems matching private keys with certificates in .p12 (PKCS12) files on FC6

Version-Release number of selected component (if applicable):
openssl-0.9.8b-8.3.fc6

How reproducible:
Always

Steps to Reproduce:
This works on an FC3 machine (openssl-0.9.7a-40, perl-libwww-perl-5.79-5):

[user@fc3_host ~]$ export HTTPS_PKCS12_PASSWORD=foo
[user@fc3_host ~]$ export HTTPS_PKCS12_FILE=./test.p12
[user@fc3_host ~]$ GET https://api.bluetiestage.com/bluetiesp.asp
<?xml version="1.0" ?><response><code>20001005</code><descr>Invalid request format: customer_id is invalid or omitted.</descr></response>

However, on FC6 (openssl-0.9.8b-8.3.fc6, perl-libwww-perl-5.805-1.1.1), we see:

[user@fc6_host ~]$ export HTTPS_PKCS12_PASSWORD=foo
[user@fc6_host ~]$ export HTTPS_PKCS12_FILE=./test.p12
[user@fc6_host ~]$ GET https://api.bluetiestage.com/bluetiesp.asp
500 configure certs failed: Private key and certificate do not match

I see similar results with wget, which points me to openssl, as opposed to libwww-perl.

Actual results:
On FC6, you can see openssl thinks the private key in the .p12 file doesn't match the cert in the same .p12 file (even though this .p12 file was created on FC6).

Expected results:
On FC3, you can see we can talk to the remote host and get some XML back. Although we get back an error code, the important thing is we were able to establish the connection in the first place.
Created attachment 154959
Sample p12 file in which FC6 thinks the key doesn't match the cert
https://api.bluetiestage.com/bluetiesp.asp is not working currently. (Connection refused.) Also how did you test with wget?
Grr. I'll see if the vendor (Bluetie) is limiting access by IP.

With wget: first I make a pem file from the .p12 file:

openssl pkcs12 -in test.p12 -out test.pem

Then try to use it with wget:

[user@fc6_host ~]$ wget --certificate=test.pem https://api.bluetiestage.com/bluetiesp.asp
--09:55:32-- https://api.bluetiestage.com/bluetiesp.asp
Resolving api.bluetiestage.com... 24.39.102.211
Connecting to api.bluetiestage.com|24.39.102.211|:443... connected.
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Unable to establish SSL connection.

I'll follow up on the connection issues with the server. Is there an IP you'd be coming from that I can have them open up for you?
Created attachment 155020
p12 file for anonvpn.com

Use this .p12 file to replicate the tests trying to connect to anonvpn.com.
Let's try a server that's a bit more open for testing. Using the anonvpn_ca.p12 file I attached above, try this:

On FC3 (same versions as the original post):

[user@fc3_host ~]$ export HTTPS_PKCS12_PASSWORD=
[user@fc3_host ~]$ export HTTPS_PKCS12_FILE=./anonvpn_ca.p12
[user@fc3_host ~]$ GET https://anonvpn.com
.<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>AnonVPN</title>
...

Now on FC6 (same versions as the original post):

[user@fc6_host ~]$ export HTTPS_PKCS12_PASSWORD=
[user@fc6_host ~]$ export HTTPS_PKCS12_FILE=./anonvpn_ca.p12
[user@fc6_host ~]$ GET https://anonvpn.com
500 configure certs failed: Private key and certificate do not match

Hopefully you can reproduce this more easily with the anonvpn server. Thanks for your help.
Any updates on this? Thanks.
This time I can't connect to anonvpn.com:

mraz@perun:~/download$ GET https://anonvpn.com
500 Can't connect to anonvpn.com:443 (connect: No route to host)

I'll retry later today.
Hmmm. From what I can see you don't even need to be able to connect to a host for the key/cert problem to surface, as it happens even before a connection is made. The problem can be reproduced by specifying any https url in the test. Try this on an FC6 machine:

[user@fc6_host ~]$ export HTTPS_PKCS12_PASSWORD=
[user@fc6_host ~]$ export HTTPS_PKCS12_FILE=./anonvpn_ca.p12
[user@fc6_host ~]$ GET https://gmail.com

When I do this I get "500 configure certs failed: Private key and certificate do not match".

The above test on FC3 is able to successfully open the connection and make the request. On FC6 we're not even able to get to the part where a connection is made. I.e., the problem isn't happening when trying to talk with the remote host; the problem is happening when openssl tries to use the .p12 file prior to initiating the connection.
The problem is caused by non-initialization of the PKCS12 part of the openssl library in the latest perl-Crypt-SSLeay package in FC6.
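As an added example (not part of this bug report or of perl-Crypt-SSLeay), the following script uses only the openssl command line, which the reporter already relies on for the wget test, to check whether the private key and client certificate inside a PKCS12 bundle share a public key. The function names and the throwaway self-signed test material are my own; when this check passes on the CLI while an application still reports "Private key and certificate do not match", the fault lies in the application's use of the library rather than in the file, which is exactly the situation diagnosed above.

```shell
# Added example: verify key/certificate agreement in a PKCS12 bundle
# with the openssl CLI alone (assumes the openssl binary is on PATH).

# Public key (PEM SubjectPublicKeyInfo) of a PEM certificate on stdin
cert_pubkey() { openssl x509 -noout -pubkey; }

# Public key derived from a PEM private key on stdin
key_pubkey() { openssl pkey -pubout; }

# p12_key_matches_cert FILE PASSWORD
# Returns 0 only if the client certificate and the private key stored in
# FILE yield the same public key; any read/password failure returns 1.
p12_key_matches_cert() {
    cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | cert_pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | key_pubkey 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# pem_key_matches_cert CERT.pem KEY.pem: same check on loose PEM files,
# e.g. after "openssl pkcs12 -in test.p12 -out test.pem" has split a bundle
pem_key_matches_cert() {
    cert_pub=$(cert_pubkey < "$1" 2>/dev/null)
    key_pub=$(key_pubkey < "$2" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_test_material DIR PASSWORD: constructed sample data, not from the
# bug: a throwaway self-signed cert + key, bundled as DIR/good.p12, and an
# unrelated key DIR/other.pem that should fail the PEM-level check.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=constructed-test" \
        -days 1 -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/good.p12" -passout "pass:$2"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.pem" >/dev/null 2>&1
}

# Stand-alone use:  sh check_p12.sh FILE.p12 PASSWORD
if [ "$#" -eq 2 ]; then
    if p12_key_matches_cert "$1" "$2"; then
        echo "key and certificate in $1 match"
    else
        echo "key and certificate in $1 do NOT match (or file/password unreadable)"
    fi
fi
```

Bundles written by OpenSSL 0.9.x of the kind attached to this bug use RC2-40 for the certificate bag, so on OpenSSL 3 the two `openssl pkcs12 -in` commands additionally need `-legacy` (with the legacy provider installed) to read them.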
perl-Crypt-SSLeay-0.56-1.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.
Can someone test the above version and let me know how it works for you?

x86_64 version:
http://download.fedora.redhat.com/pub/fedora/linux/updates/testing/7/x86_64/perl-Crypt-SSLeay-0.56-1.fc7.x86_64.rpm

x86 version:
http://download.fedora.redhat.com/pub/fedora/linux/updates/testing/7/i386/perl-Crypt-SSLeay-0.56-1.fc7.i386.rpm

(or just enable your updates-testing repo and use yum)
The perl-Crypt-SSLeay-0.56-2.fc8.x86_64 on rawhide works for me.
perl-Crypt-SSLeay-0.56-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.