Bug 240502 - FC6 PKCS12 erroneously reporting "Private key and certificate do not match"
Summary: FC6 PKCS12 erroneously reporting "Private key and certificate do not match"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-Crypt-SSLeay
Version: 6
Hardware: i686
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Robin Norwood
QA Contact:
URL:
Whiteboard:
Depends On: 217138
Blocks:
Reported: 2007-05-17 22:37 UTC by Dan Hanks
Modified: 2007-11-30 22:12 UTC (History)
CC List: 2 users

Fixed In Version: 0.56-1.fc7
Clone Of:
Environment:
Last Closed: 2007-08-29 17:29:54 UTC
Type: ---
Embargoed:


Attachments
Sample p12 file in which FC6 thinks the key doesn't match the cert (1.70 KB, application/x-pkcs12), 2007-05-17 22:37 UTC, Dan Hanks
p12 file for anonvpn.com (6.69 KB, application/x-pkcs12), 2007-05-18 17:51 UTC, Dan Hanks

Description Dan Hanks 2007-05-17 22:37:02 UTC
Description of problem:

openssl appears to be having problems matching private keys with certificates 
in .p12 (PKCS12) files on FC6


Version-Release number of selected component (if applicable):
openssl-0.9.8b-8.3.fc6


How reproducible:
Always

Steps to Reproduce:
This works on an FC3 machine: (openssl-0.9.7a-40, perl-libwww-perl-5.79-5)

[user@fc3_host ~]$ export HTTPS_PKCS12_PASSWORD=foo
[user@fc3_host ~]$ export HTTPS_PKCS12_FILE=./test.p12 
[user@fc3_host ~]$ GET https://api.bluetiestage.com/bluetiesp.asp
<?xml version="1.0" ?><response><code>20001005</code><descr>Invalid request format: customer_id is invalid or omitted.</descr></response>

However, on FC6, we see: (openssl-0.9.8b-8.3.fc6, perl-libwww-perl-5.805-1.1.1)

[user@fc6_host ~]$ export HTTPS_PKCS12_PASSWORD=foo
[user@fc6_host ~]$ export HTTPS_PKCS12_FILE=./test.p12 
[user@fc6_host ~]$ GET https://api.bluetiestage.com/bluetiesp.asp
500 configure certs failed: Private key and certificate do not match

I see similar results with wget, which points me to openssl, as opposed to 
libwww-perl
  
Actual results:
On FC6, you can see openssl thinks the private key in the .p12 file doesn't 
match the cert in the same .p12 file (even though this .p12 file was created on 
FC6)

Expected results:
On FC3, you can see we can talk to the remote host and get some XML back. 
Although we get back an error code, the important thing is we were able to 
establish the connection in the first place.

Comment 1 Dan Hanks 2007-05-17 22:37:02 UTC
Created attachment 154959
Sample p12 file in which FC6 thinks the key doesn't match the cert

Comment 2 Tomas Mraz 2007-05-18 09:13:31 UTC
https://api.bluetiestage.com/bluetiesp.asp is not working currently. (Connection
refused.)

Also how did you test with wget?


Comment 3 Dan Hanks 2007-05-18 15:59:45 UTC
Grr. I'll see if the vendor (Bluetie) is limiting access by IP. With wget:

First I make a pem file from the .p12 file:
  
  openssl pkcs12 -in test.p12 -out test.pem

Then try to use it with wget:

[user@fc6_host ~]$ wget --certificate=test.pem https://api.bluetiestage.com/bluetiesp.asp
--09:55:32--  https://api.bluetiestage.com/bluetiesp.asp
Resolving api.bluetiestage.com... 24.39.102.211
Connecting to api.bluetiestage.com|24.39.102.211|:443... connected.
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Unable to establish SSL connection.

I'll follow up on the connection issues with the server. Is there an IP you'd 
be coming from I can have them open up for you?

Comment 4 Dan Hanks 2007-05-18 17:51:44 UTC
Created attachment 155020
p12 file for anonvpn.com

Use this .p12 file to replicate the tests trying to connect to anonvpn.com

Comment 5 Dan Hanks 2007-05-18 17:57:28 UTC
Let's try a server that's a bit more open for testing. Using the anonvpn_ca.p12 
file I attached above, try this:


On FC3 (same versions as the original post):

[user@fc3_host ~]$ export HTTPS_PKCS12_PASSWORD=
[user@fc3_host ~]$ export HTTPS_PKCS12_FILE=./anonvpn_ca.p12 
[user@fc3_host ~]$ GET https://anonvpn.com
.<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>AnonVPN</title>
...



Now on FC6 (same versions as the original post):

[user@fc6_host ~]$ export HTTPS_PKCS12_PASSWORD=
[user@fc6_host ~]$ export HTTPS_PKCS12_FILE=./anonvpn_ca.p12 
[user@fc6_host ~]$ GET https://anonvpn.com
500 configure certs failed: Private key and certificate do not match

Hopefully you can reproduce this easier with the anonvpn server.

Thanks for your help.

Comment 6 Dan Hanks 2007-05-29 18:30:12 UTC
Any updates on this? 

Thanks.

Comment 7 Tomas Mraz 2007-05-30 07:47:52 UTC
This time I can't connect to the anonvpn.com
mraz@perun:~/download$ GET https://anonvpn.com
500 Can't connect to anonvpn.com:443 (connect: No route to host)

I'll retry later today.


Comment 8 Dan Hanks 2007-06-18 16:24:50 UTC
Hmmm. From what I can see you don't even need to be able to connect to a host 
for the key/cert problem to surface as it happens even before a connection is 
made. The problem can be reproduced by specifying any https url in the test.  
Try this on an FC6 machine:

[user@fc6_host ~]$ export HTTPS_PKCS12_PASSWORD=
[user@fc6_host ~]$ export HTTPS_PKCS12_FILE=./anonvpn_ca.p12 
[user@fc6_host ~]$ GET https://gmail.com

When I do this I get "500 configure certs failed: Private key and certificate 
do not match"

The above test on FC3 is able to successfully open the connection and make the 
request. On FC6 we're not even able to get to the part where a connection is 
made.

I.e., the problem isn't happening when trying to talk with the remote host, the 
problem is happening when openssl tries to use the .p12 file prior to 
initiating the connection.


Comment 9 Tomas Mraz 2007-06-18 18:58:33 UTC
The problem is caused by the PKCS12 part of the openssl library not being initialized in the
latest perl-Crypt-SSLeay package in FC6.

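The diagnosis above means the "Private key and certificate do not match" message was masking a decode failure, not a real mismatch. The following added check (not part of this bug report or of the perl-Crypt-SSLeay package) verifies the key/cert pairing in a .p12 with the openssl CLI alone, and deliberately separates "file could not be decoded" (return 2) from "key and certificate really differ" (return 1); the function name and return codes are my own convention.

```sh
#!/bin/sh
# Added diagnostic: verify that the private key and certificate stored in a
# PKCS#12 file belong together, using only the openssl CLI (no Crypt::SSLeay).
# Return codes (my own convention):
#   0 = match, 1 = key and cert differ,
#   2 = the file could not be decoded at all (wrong password, unsupported PBE
#       cipher, uninitialized library ...), which is a different failure and
#       should not be reported as a mismatch.
p12_key_cert_match() {
  p12="$1"
  pass="${2-}"   # empty password is allowed, as with HTTPS_PKCS12_PASSWORD=

  # Public key derived from the private key inside the PKCS#12 file.
  key_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
              | openssl pkey -pubout 2>/dev/null) || return 2
  # Public key embedded in the client certificate from the same file.
  cert_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
              | openssl x509 -pubkey -noout 2>/dev/null) || return 2

  if [ -z "$key_pub" ] || [ -z "$cert_pub" ]; then
    echo "could not extract key or certificate from $p12" >&2
    return 2
  fi
  # Both sides are SubjectPublicKeyInfo PEM, so a byte-for-byte compare suffices.
  if [ "$key_pub" = "$cert_pub" ]; then
    echo "key and certificate in $p12 match"
    return 0
  fi
  echo "key and certificate in $p12 do NOT match" >&2
  return 1
}
```

On OpenSSL 3.x a .p12 written with the old RC2/3DES PBE ciphers (as 2007-era files were) needs `-legacy` on the `openssl pkcs12` commands before it will decode; without it this check returns 2 rather than claiming a mismatch.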

Comment 10 Fedora Update System 2007-08-24 05:29:55 UTC
perl-Crypt-SSLeay-0.56-1.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Robin Norwood 2007-08-24 14:53:26 UTC
Can someone test the above version and let me know how it works for you? 

x86_64 version:
http://download.fedora.redhat.com/pub/fedora/linux/updates/testing/7/x86_64/perl-Crypt-SSLeay-0.56-1.fc7.x86_64.rpm

x86 version:
http://download.fedora.redhat.com/pub/fedora/linux/updates/testing/7/i386/perl-Crypt-SSLeay-0.56-1.fc7.i386.rpm

(or just enable your updates testing repo and use yum)

Comment 12 Tomas Mraz 2007-08-29 07:47:37 UTC
The perl-Crypt-SSLeay-0.56-2.fc8.x86_64 on rawhide works for me.

Comment 13 Fedora Update System 2007-08-29 17:29:51 UTC
perl-Crypt-SSLeay-0.56-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

