https://bz.apache.org/bugzilla/show_bug.cgi?id=67609
Bug ID: 67609
Summary: Incomplete OpenSSL error handling/reporting
Product: Tomcat Native
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Library
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Verified with
* Apache Tomcat Native library [1.2.40-dev] using APR version [1.7.4]
* [OpenSSL 1.1.1t 7 Feb 2023]
* Tomcat Apache Tomcat/9.0.81-dev
But also verified on Windows and FreeBSD; this is purely a client-code issue of
ours.
Consider the following:
> osipovmi@deblndw024v:~/apache-tomcat-9.0.81-dev
> $ ll conf/certs-localhost/key.crt
> ---------- 1 osipovmi cad 3434 2023-09-29 23:05 conf/certs-localhost/key.crt
Note: the permissions have been removed for demonstration purposes; this is not
about the permissions but about incomplete error reporting.
Now launch:
> $ openssl s_server -accept 0.0.0.0:20000 -key conf/certs-localhost/key.crt -cert conf/certs-localhost/cert.crt -pass file:conf/certs-localhost/key-password
> Can't open conf/certs-localhost/key.crt for reading, Permission denied
> 1:error:0200100D:system library:fopen:Permission denied:crypto/bio/bss_file.c:69:fopen('conf/certs-localhost/key.crt','r')
> 1:error:2006D002:BIO routines:BIO_new_file:system lib:crypto/bio/bss_file.c:78:
> unable to load server certificate private key file
We can now see two OpenSSL errors: 0200100D and 2006D002:
> $ openssl errstr 2006D002
> error:2006D002:BIO routines:BIO_new_file:system lib
> $ openssl errstr 0200100D
> error:0200100D:system library:fopen:Permission denied
Now let's do this with Tomcat:
> <Connector port="30001" protocol="org.apache.coyote.http11.Http11AprProtocol"
> maxThreads="150" SSLEnabled="true"
> maxParameterCount="1000">
> <SSLHostConfig>
> <Certificate certificateKeyFile="conf/certs-localhost/key.crt"
> certificateFile="conf/certs-localhost/cert.crt"
> certificateChainFile="conf/cacerts.crt"
> type="RSA" />
> </SSLHostConfig>
> </Connector>
Output:
> 05-Oct-2023 09:16:13.086 INFORMATION [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-apr-30001"]
> 05-Oct-2023 09:16:13.098 INFORMATION [main] org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers The certificate [conf/certs-localhost/cert.crt] or its private key [conf/certs-localhost/key.crt] could not be processed using a JSSE key manager and will be given directly to OpenSSL
> 05-Oct-2023 09:16:13.099 WARNUNG [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
> java.lang.Exception: Unable to load certificate key /net/home/osipovmi/apache-tomcat-9.0.81-dev/conf/certs-localhost/key.crt (error:0200100D:system library:fopen:Berechtigung verweigert)
>     at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
>     at org.apache.tomcat.util.net.openssl.OpenSSLContext.addCertificate(OpenSSLContext.java:467)
>     at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:336)
>     at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
>     at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:467)
>     at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
>     at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1326)
>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1339)
>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
>     ...
According to my humble OpenSSL doc understanding
(https://www.openssl.org/docs/man3.0/man3/ERR_get_error.html), OpenSSL maintains
a per-thread error queue, which we never consume in a while loop, nor do we
clear the queue when it is not fully consumed.
From a user's PoV this is unfortunate because he/she might miss important error
information here.
It might be worth looking at mod_ssl's ssl_log_ssl_error() to get all errors
from the queue.
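Added example (not Tomcat Native, Tomcat or mod_ssl code): the script below reproduces the report's scenario against the real libcrypto through ctypes, failing BIO_new_file() on a key path that does not exist, and contrasts the one-shot report (first entry only, which is what the Tomcat log above shows) with a loop that drains the per-thread error queue until ERR_get_error_line_data() returns 0, the same loop shape as mod_ssl's ssl_log_ssl_error(). It assumes a libcrypto from OpenSSL 1.1.1 or 3.x is loadable (the fallback library names are assumptions) and relies on ERR_get_error_line_data(), which is deprecated in 3.0 but still exported. A missing file is used instead of the chmod 000 file from the report so the failure also reproduces as root; either way OpenSSL queues two entries (the fopen failure and the BIO_new_file wrapper).

```python
"""
Added example (not Tomcat Native or mod_ssl code): reproduce the report's
scenario against the real libcrypto via ctypes and compare the one-shot
error report with a loop that drains the per-thread OpenSSL error queue.
"""
import ctypes
import ctypes.util
import os
import tempfile

ERR_TXT_STRING = 0x02  # ERR_get_error_line_data flag: 'data' is a C string


def load_libcrypto():
    """Locate libcrypto (OpenSSL 1.1.1 or 3.x). The fallback names are assumptions."""
    names = [ctypes.util.find_library("crypto"), "libcrypto.so.3",
             "libcrypto.so.1.1", "libcrypto.so", "libcrypto.dylib"]
    for name in names:
        if name:
            try:
                return ctypes.CDLL(name)
            except OSError:
                pass
    raise OSError("libcrypto not found")


crypto = load_libcrypto()
crypto.BIO_new_file.restype = ctypes.c_void_p
crypto.BIO_new_file.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
crypto.BIO_free.argtypes = [ctypes.c_void_p]
crypto.ERR_clear_error.restype = None
crypto.ERR_peek_error.restype = ctypes.c_ulong
crypto.ERR_get_error_line_data.restype = ctypes.c_ulong
crypto.ERR_get_error_line_data.argtypes = [
    ctypes.POINTER(ctypes.c_char_p), ctypes.POINTER(ctypes.c_int),
    ctypes.POINTER(ctypes.c_char_p), ctypes.POINTER(ctypes.c_int)]
crypto.ERR_error_string_n.restype = None
crypto.ERR_error_string_n.argtypes = [ctypes.c_ulong, ctypes.c_char_p, ctypes.c_size_t]


def pop_error():
    """Pop the oldest queue entry, formatted like s_server prints it; None if empty."""
    src, line = ctypes.c_char_p(), ctypes.c_int()
    data, flags = ctypes.c_char_p(), ctypes.c_int()
    code = crypto.ERR_get_error_line_data(ctypes.byref(src), ctypes.byref(line),
                                          ctypes.byref(data), ctypes.byref(flags))
    if code == 0:
        return None
    buf = ctypes.create_string_buffer(256)
    crypto.ERR_error_string_n(code, buf, len(buf))
    text = buf.value.decode(errors="replace")
    if src.value:  # source file:line, empty on builds without file names
        text += ":%s:%d" % (src.value.decode(errors="replace"), line.value)
    if flags.value & ERR_TXT_STRING and data.value:  # e.g. fopen('<path>','r')
        text += ":" + data.value.decode(errors="replace")
    return text


def drain_error_queue():
    """Consume every entry, oldest first, until the queue reports 0."""
    messages = []
    while (msg := pop_error()) is not None:
        messages.append(msg)
    return messages


def load_key_report_first(path):
    """The incomplete pattern: report only the first error.
    Returns (reported, dropped); 'dropped' is what stays queued and would
    bleed into the next unrelated error report on this thread."""
    crypto.ERR_clear_error()
    bio = crypto.BIO_new_file(path.encode(), b"r")
    if bio:
        crypto.BIO_free(bio)
        return None, []
    return pop_error(), drain_error_queue()


def load_key_report_all(path):
    """The complete pattern: drain the whole queue after the failing call."""
    crypto.ERR_clear_error()
    bio = crypto.BIO_new_file(path.encode(), b"r")
    if bio:
        crypto.BIO_free(bio)
        return []
    return drain_error_queue()


def missing_key_path():
    """Constructed input: a path that certainly does not exist, so fopen()
    fails with ENOENT even as root (unlike the chmod 000 file in the report)."""
    return os.path.join(tempfile.mkdtemp(), "key.crt")


if __name__ == "__main__":
    path = missing_key_path()
    first, dropped = load_key_report_first(path)
    print("one-shot report:  ", first)
    print("silently dropped: ", dropped)
    print("drained queue:")
    for msg in load_key_report_all(path):
        print("   ", msg)
```

The first entry is the "system library" one with the fopen data (the path and mode), the second is the "BIO routines" wrapper; a reporter that takes only ERR_get_error() once prints the first and leaves the second queued, which is exactly why the Tomcat exception above shows the fopen error but not the BIO_new_file error that s_server prints. Whichever pattern is chosen, ending with an empty queue (ERR_peek_error() == 0) matters as much as the message, otherwise a later, unrelated failure on the same thread reports stale entries first.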