On 31.01.2014 19:23, Falco Schwarz wrote:
> I tested the patch altering the SSLCertificate* directives with httpd-2.4.x
> and OpenSSL-1.0.2-dev:
> https://people.apache.org/~kbrand/mod_ssl-2.4.x-certkeyfile.diff
Thank you for testing and for the report.
> When putting certificate, CA and encrypted private key all in one file and
> using only the directive SSLCertificateFile, I encountered the following:
> there was no prompt for the passphrase and the errorlog showed this:
>
> [ssl|debug] AH01893: Configuring TLS extension handling
> [ssl|emerg] AH02573: Init: No private key specified for foo.bar:443:0
> [ssl:emerg] [pid 28533] AH02312: Fatal error initialising mod_ssl, exiting.
> [ssl|emerg] AH02564: Failed to configure encrypted (?) private key
> foo.bar:443:0, check /opt/apache/conf/ssl/foo.bar.enc
> [ssl|emerg] SSL Library Error: error:0906A068:PEM routines:PEM_do_header:bad
> password read -- You entered an incorrect pass phrase!?
> [ssl|emerg] SSL Library Error: error:140B0009:SSL
> routines:SSL_CTX_use_PrivateKey_file:PEM lib
> AH00016: Configuration Failed
>
> It worked perfectly fine if the private key is not encrypted.
> Specifying the private key using SSLCertificateKeyFile also worked and
> prompted for the passphrase.
>
> According to updated docs it should be possible to also put an encrypted
> private key alongside its certificate in one file using SSLCertificateFile.
> Am I missing something here?
This is indeed a bug I introduced with r1553824 (in trunk). It only
manifests itself when using encrypted private keys and putting them into
the SSLCertificateFile (i.e., not specifying a separate
SSLCertificateKeyFile), as confirmed by your tests.
The attached patch, to be applied on top of
mod_ssl-2.4.x-certkeyfile.diff, should take care of this problem. Note
that the "SSL Library Error" messages you saw in your log were pretty
misleading/inaccurate - they are the consequence of a leftover error
stack (when attempting to read the private key first without supplying a
passphrase). I have added another ERR_clear_error() call to take care of
this as well.
Can you check if this fix is solving your problem? I would then propose
an updated backport
(https://people.apache.org/~kbrand/mod_ssl-2.4.x-certkeyfile-v2.diff)
for 2.4.x.
Kaspar
diff -u modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_init.c
--- modules/ssl/ssl_engine_init.c (working copy)
+++ modules/ssl/ssl_engine_init.c (working copy)
@@ -920,8 +920,10 @@
EVP_PKEY *pkey;
const unsigned char *ptr;
+ ERR_clear_error();
+
/* perhaps it's an encrypted private key, so try again */
- ssl_load_encrypted_pkey(s, ptemp, i, &pphrases);
+ ssl_load_encrypted_pkey(s, ptemp, i, keyfile, &pphrases);
if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, key_id)) ||
!(ptr = asn1->cpData) ||
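Review bot: the fix depends on `keyfile` already holding the SSLCertificateFile path when no separate SSLCertificateKeyFile is configured, but that assignment is outside the visible context of this hunk; please confirm that fallback is in place, since it is what the retry in ssl_load_encrypted_pkey now relies on. The added ERR_clear_error() is placed correctly (after the failed unencrypted read, before the retry); extending the existing comment to say that it discards the stale PEM errors from the first attempt, which were otherwise reported as "bad password read", would make the intent clear to the next reader.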
diff -u modules/ssl/ssl_engine_pphrase.c modules/ssl/ssl_engine_pphrase.c
--- modules/ssl/ssl_engine_pphrase.c (working copy)
+++ modules/ssl/ssl_engine_pphrase.c (working copy)
@@ -129,6 +129,7 @@
}
apr_status_t ssl_load_encrypted_pkey(server_rec *s, apr_pool_t *p, int idx,
+ const char *pkey_file,
apr_array_header_t **pphrases)
{
SSLModConfigRec *mc = myModConfig(s);
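Review bot: this signature change is mirrored in ssl_private.h, but the patch updates only the one call site in ssl_engine_init.c; confirm there are no other callers of ssl_load_encrypted_pkey in the tree, since any that remain would fail to compile against the new prototype.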
@@ -145,19 +146,15 @@
apr_status_t rv;
pphrase_cb_arg_t ppcb_arg;
- ppcb_arg.pkey_file = APR_ARRAY_IDX(sc->server->pks->key_files, idx,
- const char *);
-
- if (!ppcb_arg.pkey_file) {
+ if (!pkey_file) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02573)
"Init: No private key specified for %s", key_id);
return ssl_die(s);
}
- else if ((rv = exists_and_readable(ppcb_arg.pkey_file, p,
- &pkey_mtime)) != APR_SUCCESS ) {
+ else if ((rv = exists_and_readable(pkey_file, p, &pkey_mtime))
+ != APR_SUCCESS ) {
ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02574)
- "Init: Can't open server private key file %s",
- ppcb_arg.pkey_file);
+ "Init: Can't open server private key file %s",
pkey_file);
return ssl_die(s);
}
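Review bot: the line `"Init: Can't open server private key file %s",` is removed and re-added unchanged (whitespace only), which adds noise to the diff; keep the original line and change only the argument that follows it. Dropping the APR_ARRAY_IDX lookup of `key_files` is the substantive fix: that array has no entry for the index when the key is kept inside SSLCertificateFile, so the old `if (!ppcb_arg.pkey_file)` check is exactly what produced AH02573 "No private key specified" in the reported log.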
@@ -170,6 +167,7 @@
ppcb_arg.nPassPhraseDialogCur = 0;
ppcb_arg.bPassPhraseDialogOnce = TRUE;
ppcb_arg.key_id = key_id;
+ ppcb_arg.pkey_file = pkey_file;
/*
* if the private key is encrypted and SSLPassPhraseDialog
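Review bot: `ppcb_arg.pkey_file` is now assigned only here, after the exists_and_readable check rather than at the top of the function; that is fine as long as nothing between the start of the function and this point reads it, which holds for the visible lines since the log message now uses `pkey_file` directly.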
diff -u modules/ssl/ssl_private.h modules/ssl/ssl_private.h
--- modules/ssl/ssl_private.h (working copy)
+++ modules/ssl/ssl_private.h (working copy)
@@ -833,7 +833,7 @@
/** Pass Phrase Support */
apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int,
- apr_array_header_t **);
+ const char *, apr_array_header_t **);
/** Diffie-Hellman Parameter Support */
DH *ssl_dh_GetParamFromFile(const char *);
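Review bot: the `/** Pass Phrase Support */` comment says nothing about the new parameter; a short note that it is the path of the file holding the encrypted key, which may be the SSLCertificateFile itself when no SSLCertificateKeyFile is set, would document the semantics this fix introduces. Naming the parameter in the prototype (`const char *pkey_file`) would serve the same purpose without changing the ABI, though the surrounding prototypes keep parameters unnamed.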