On Fri, Mar 1, 2024 at 1:42 PM Yann Ylavic <ylavic....@gmail.com> wrote:
>
> On Fri, Mar 1, 2024 at 1:24 PM Joe Orton <jor...@redhat.com> wrote:
> >
> > Also - I guess the note about *not* accepting PKCS#8 format keys in
> > https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxymachinecertificatefile
> > is now wrong then?
>
> OpenSSL >= 3 can surely load keys in pkcs#8 format since it's the
> default for genrsa now, hopefully it can still load the pkcs#1 ones
> (I didn't try that) or it would be a mess for mod_proxy (and the
> docs).
> Let me try that first and if it's ok I think we can simply say that
> the note applies to openssl < 3 only.

The perl framework seems to pass all the tests here if I use openssl
>= 3 for both the system and httpd and then force pkcs#1 keys (i.e.
genrsa -traditional), so it seems fine to say that
SSLProxyMachineCertificateFile works with pkcs#1 and pkcs#8 keys when
httpd's openssl >= 3 but only pkcs#1 ones when openssl < 3.
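
The rule stated in the message above, applied to a PEM bundle by reading its key headers. This is an added example, not part of the original email or of httpd. The function names, exit codes and sample bundles are assumptions made for illustration, and the caller supplies the major version of the OpenSSL that httpd is linked against.

```shell
#!/bin/sh
# Print the encoding of every private key in a PEM bundle, one per line.
key_formats() {
    awk '
        /^-----BEGIN RSA PRIVATE KEY-----/ { print "pkcs1"; next }  # genrsa -traditional
        /^-----BEGIN PRIVATE KEY-----/     { print "pkcs8"; next }  # genrsa default, OpenSSL 3
        /^-----BEGIN .*PRIVATE KEY-----/   { print "unknown" }      # not covered by the thread
    ' "$1"
}

# check_proxy_bundle FILE OPENSSL_MAJOR
# Exit 0: every key is pkcs1, or pkcs8 with OpenSSL >= 3.
# Exit 1: a pkcs8 key is present and OpenSSL < 3.
# Exit 2: no key found, or only formats the thread does not cover.
check_proxy_bundle() {
    bundle=$1; ossl_major=$2; verdict=0; seen=0
    for fmt in $(key_formats "$bundle"); do
        seen=1
        case $fmt in
            pkcs1) ;;
            pkcs8) [ "$ossl_major" -ge 3 ] || verdict=1 ;;
            *)     [ "$verdict" -eq 1 ] || verdict=2 ;;
        esac
    done
    [ "$seen" -eq 1 ] || verdict=2
    return "$verdict"
}

# Write a constructed bundle: one PEM block per label, placeholder bodies
# (not real keys or certificates).
write_sample() {
    out=$1; shift
    : > "$out"
    for label in "$@"; do
        printf '%s\n' "-----BEGIN $label-----" "Q09OU1RSVUNURUQ=" \
            "-----END $label-----" >> "$out"
    done
}

# Demo on constructed input: certificate, PKCS#1 key and PKCS#8 key together.
tmp=$(mktemp)
write_sample "$tmp" "CERTIFICATE" "RSA PRIVATE KEY" "PRIVATE KEY"
for v in 1 3; do
    if check_proxy_bundle "$tmp" "$v"; then r="ok"; else r="rejected"; fi
    echo "OpenSSL major $v: $r"
done
rm -f "$tmp"
```
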
