https://bz.apache.org/bugzilla/show_bug.cgi?id=67675

--- Comment #19 from Michael Osipov <micha...@apache.org> ---
(In reply to ggar from comment #18)
> Is it expected for PEM cert/key created with OpenSSL 1.0.2zh (or any 1.0.2)
> to stop working after this change? It seems to work fine with items
> generated through OpenSSL 1.1.1. Here's an example of the command we use:
> openssl req -new -sha256 -x509 -out servercert.pem -keyout serverkey.pem -subj /"/CN=localhost" -days 90 -passout pass:test
> 
> 
> I'm seeing the following error after upgrading to 9.0.83:
> 13-Dec-2023 02:04:34.337 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector["https-openssl-apr-443"]]
>       org.apache.catalina.LifecycleException: Protocol handler initialization failed
>               at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
>               at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
>               at org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
>               at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
>               at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039)
>               at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
>               at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
>               at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
>               at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>               at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>               at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>               at java.base/java.lang.reflect.Method.invoke(Unknown Source)
>               at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
>               at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
>       Caused by: java.lang.IllegalArgumentException: The pseudo random function with DER encoded OID of [2a864886f70d0307] was not recognised
>               at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:467)
>               at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
>               at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
>               at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1345)
>               at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
>               at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
>               at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
>               ... 13 more
>       Caused by: java.security.NoSuchAlgorithmException: The pseudo random function with DER encoded OID of [2a864886f70d0307] was not recognised
>               at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:411)
>               at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:213)
>               at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:141)
>               at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
>               at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:108)
>               at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
>               at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:465)
>               ... 19 more
> 13-Dec-2023 02:04:34.352 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [2478] milliseconds
> 
> The thrown error seems to have been added with this fix and that's why I'm
> writing here. That's my first post so I'm sorry if I should be opening a new
> report instead (couldn't find anything specific in the guidelines).

Likely a regression, but I wonder whether we should care about keys from
OpenSSL 1.0.2 at all. It has been dead for a long time now. For the sake of
completeness, please file a new issue and upload the faulty material. One
needs to look at the ASN.1 dump compared to 1.1.1.
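An added worked example of the ASN.1 comparison suggested above; it is not part of the bug report and is not Tomcat's or OpenSSL's code. The OID in the error, 2a864886f70d0307, decodes to 1.2.840.113549.3.7, which is des-EDE3-CBC, an encryption scheme rather than a pseudo-random function. RFC 8018 declares the prf field of PBKDF2-params as DEFAULT hmacWithSHA1, so an encoder may leave it out entirely. One reading of the error (an assumption here, not something this page establishes) is that the older key omits that field and a parser that expects it unconditionally picks up the encryptionScheme OID instead. The script below builds two constructed PBES2-encrypted PKCS#8 PEM blobs with dummy ciphertext (their parameter shapes are assumed, chosen to resemble an older 3DES/implicit-SHA1 key and a newer AES-256/explicit-SHA256 key), inspects them with the DEFAULT applied, and models the misread that reproduces the OID from the stack trace. All function names and sample inputs are the example's own.

```python
"""Inspect the PBES2 parameters of an encrypted PKCS#8 key and show how an
omitted DEFAULT prf field can be misread as the encryption-scheme OID."""
import base64

# Dotted OIDs that occur in PBES2-encrypted PKCS#8 keys.
OID_NAMES = {
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.7": "hmacWithSHA1",       # RFC 8018 DEFAULT for prf
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "1.2.840.113549.3.7": "des-EDE3-CBC",       # the OID from the error message
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}
PBKDF2_OID, PBES2_OID, DEFAULT_PRF = "1.2.840.113549.1.5.12", "1.2.840.113549.1.5.13", "1.2.840.113549.2.7"


# --- minimal DER helpers (enough for SEQUENCE / OID / OCTET STRING / INTEGER / NULL) ---
def der_tlv(tag, value):
    """Encode one TLV with short- or long-form length."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return der_tlv(0x06, body)

def der_read(buf, pos):
    """Return (tag, contents, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):
    """Split the contents of a constructed value into [(tag, contents), ...]."""
    out, pos = [], 0
    while pos < len(contents):
        tag, value, pos = der_read(contents, pos)
        out.append((tag, value))
    return out

def oid_decode(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n); n = 0
    return ".".join(map(str, arcs))


# --- constructed sample inputs (not real keys; ciphertext and IV are filler bytes) ---
def pbes2_params(prf_oid, enc_oid, iv_len, salt=b"\x01" * 8, iterations=2048):
    """PBES2-params TLV; prf_oid=None omits the prf field, relying on the DEFAULT."""
    fields = [der_tlv(0x04, salt), der_tlv(0x02, iterations.to_bytes(2, "big"))]
    if prf_oid is not None:
        fields.append(der_tlv(0x30, oid_encode(prf_oid) + der_tlv(0x05, b"")))
    kdf = der_tlv(0x30, oid_encode(PBKDF2_OID) + der_tlv(0x30, b"".join(fields)))
    enc = der_tlv(0x30, oid_encode(enc_oid) + der_tlv(0x04, b"\x02" * iv_len))
    return der_tlv(0x30, kdf + enc)

def encrypted_pkcs8_pem(params_tlv, ciphertext=b"\x00" * 16):
    """Wrap PBES2 params into an EncryptedPrivateKeyInfo and PEM-armour it."""
    der = der_tlv(0x30, der_tlv(0x30, oid_encode(PBES2_OID) + params_tlv) + der_tlv(0x04, ciphertext))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END ENCRYPTED PRIVATE KEY-----\n"

OLD_STYLE = encrypted_pkcs8_pem(pbes2_params(None, "1.2.840.113549.3.7", 8))                      # prf omitted
NEW_STYLE = encrypted_pkcs8_pem(pbes2_params("1.2.840.113549.2.9", "2.16.840.1.101.3.4.1.42", 16))  # prf explicit


# --- the check: honour the DEFAULT, and model the misread that produces the error's OID ---
def inspect_pbes2(params_tlv):
    """Parse PBES2-params; an absent prf means hmacWithSHA1 per RFC 8018."""
    kdf, enc = der_children(der_read(params_tlv, 0)[1])
    kdf_oid, kdf_params = der_children(kdf[1])
    if oid_decode(kdf_oid[1]) != PBKDF2_OID:
        raise ValueError("keyDerivationFunc is not PBKDF2")
    fields = der_children(kdf_params[1])          # salt, iterationCount, [keyLength], [prf]
    salt, iterations = fields[0][1], int.from_bytes(fields[1][1], "big")
    prf, prf_explicit = DEFAULT_PRF, False
    for tag, value in fields[2:]:
        if tag == 0x30:                           # prf AlgorithmIdentifier is the only SEQUENCE here
            prf, prf_explicit = oid_decode(der_children(value)[0][1]), True
    cipher = oid_decode(der_children(enc[1])[0][1])
    return {"prf": OID_NAMES.get(prf, prf), "prf_explicit": prf_explicit,
            "cipher": OID_NAMES.get(cipher, cipher), "iterations": iterations, "salt_len": len(salt)}

def naive_prf_oid_hex(params_tlv):
    """Model (an assumption, not Tomcat's code) of a parser that assumes prf is always
    present and takes the next OID after PBKDF2's: with prf omitted that is the cipher OID."""
    oids = []
    def walk(contents):
        for tag, value in der_children(contents):
            if tag == 0x06:
                oids.append(value)
            elif tag == 0x30:
                walk(value)
    walk(der_read(params_tlv, 0)[1])
    return oids[1].hex()

def inspect_pem(pem_text):
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    alg, _ciphertext = der_children(der_read(base64.b64decode(body), 0)[1])
    alg_oid, params = der_children(alg[1])
    if oid_decode(alg_oid[1]) != PBES2_OID:
        raise ValueError("not a PBES2-encrypted PKCS#8 key")
    return inspect_pbes2(der_tlv(0x30, params[1]))

if __name__ == "__main__":
    for name, pem in (("old-style", OLD_STYLE), ("new-style", NEW_STYLE)):
        print(name, inspect_pem(pem))
```

To use it on real material, paste the PEM text of a 1.0.2-generated and a 1.1.1-generated key into inspect_pem() and compare the prf_explicit flags; `openssl asn1parse -i -in serverkey.pem` prints the same structure for a side-by-side look. If the older key reports hmacWithSHA1 with prf_explicit False, the DEFAULT omission is the difference to raise in the new report.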
