Using OpenSSL 1.0b5, I generated a self-signed CA certificate and then created a key pair using commands like this:

    openssl req -config ssl.cnf -newkey rsa:1024 -passout pass:password \
        -keyout key.pem -keyform PEM -out tmp/req.pem
    openssl ca -config ssl.cnf -batch -in tmp/req.pem -out cert.pem \
        -cert cacert.pem -keyfile cakey.pem

When I try to load this key pair in a program built with OpenSSL 0.9.8m, the call to SSL_CTX_use_PrivateKey_file fails with the following error output:

    6158:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:evp_pbe.c:89:TYPE=PBES2
    6158:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
    6158:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:123:
    6158:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:125:
    6158:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:

This error occurs regardless of whether I enter the correct password. If I generate the key pair without password-protecting the key, the program can load the key successfully.

I understand that OpenSSL 1.0 uses a different format for storing private keys, but shouldn't earlier versions of OpenSSL still be able to use such a key file?

Both OpenSSL 0.9.8m and 1.0b5 were compiled from source on SLES 11 as follows:

    ./config threads shared --prefix=...

Here's the test program:

    #include <stdio.h>
    #include <stdlib.h>   /* exit() */
    #include <openssl/err.h>
    #include <openssl/ssl.h>

    /* Print the reason code and the full OpenSSL error queue, then exit. */
    void handleError(const char* msg)
    {
        int reason = ERR_GET_REASON(ERR_peek_error());
        fprintf(stderr, "%s: reason = %d\n", msg, reason);
        ERR_print_errors_fp(stderr);
        exit(1);
    }

    int main(int argc, char **argv)
    {
        SSL_CTX* ctx;

        if(!SSL_library_init())
        {
            fprintf(stderr, "init failure\n");
            return 1;
        }

        SSL_load_error_strings();

        ctx = SSL_CTX_new(SSLv23_method());
        if(ctx == NULL)
        {
            handleError("error creating context");
        }

        if(SSL_CTX_use_certificate_chain_file(ctx, "cert.pem") != 1)
        {
            handleError("error loading certificate");
        }

        /* This is the call that fails for the password-protected key. */
        if(SSL_CTX_use_PrivateKey_file(ctx, "key.pem", SSL_FILETYPE_PEM) != 1)
        {
            handleError("error loading key");
        }

        printf("Done\n");
        SSL_CTX_free(ctx);
        return 0;
    }
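
The error trace in the post names PBES2 as the PBE type the loader did not recognise. The following is an added example, not part of the original message or of OpenSSL: it reads a PEM key file and reports the container label and the password-based encryption scheme it declares, which shows what a given openssl version actually wrote. The function names and the sample key blob are constructed for illustration.

```python
import base64
import re

# DER-encoded OID content bytes of common PBE schemes (PKCS#5 / PKCS#12).
PBE_OIDS = {
    bytes.fromhex("2a864886f70d01050d"): "PBES2",                 # 1.2.840.113549.1.5.13
    bytes.fromhex("2a864886f70d010503"): "pbeWithMD5AndDES-CBC",  # 1.2.840.113549.1.5.3
    bytes.fromhex("2a864886f70d010c0103"):
        "pbeWithSHAAnd3-KeyTripleDES-CBC",                        # 1.2.840.113549.1.12.1.3
}
# Constructed sample: EncryptedPrivateKeyInfo with the PBES2 OID, empty
# parameters and 8 zero bytes of "ciphertext". It is not a usable key.
SAMPLE_DER = bytes.fromhex("3019300d06092a864886f70d01050d30000408" + "00" * 8)
SAMPLE_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END ENCRYPTED PRIVATE KEY-----\n")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def describe_key(pem_text):
    """Return (PEM label, encryption scheme or None) for the first PEM block."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label != "ENCRYPTED PRIVATE KEY":
        # Traditional format: encryption, if any, is declared in a DEK-Info header.
        dek = re.search(r"^DEK-Info:\s*([^,\s]+)", body, re.M)
        return label, dek.group(1) if dek else None
    der = base64.b64decode("".join(body.split()))
    _, pos, _ = read_tlv(der, 0)          # EncryptedPrivateKeyInfo SEQUENCE
    _, pos, _ = read_tlv(der, pos)        # encryptionAlgorithm SEQUENCE
    tag, start, end = read_tlv(der, pos)  # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = der[start:end]
    return label, PBE_OIDS.get(oid, "oid:" + oid.hex())
```

To check a real file, call `describe_key(open("key.pem").read())`.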