Re: Fuseki https certificate problems

2022-07-07 Thread Andy Seaborne

Hi Nikolaos,

Thanks for the information.

And I've put in a PR to update the Fuseki Jetty HTTPS example using the
one you tested.


Andy

On 07/07/2022 16:38, Nikolaos Beredimas wrote:
> Hi Andy,
>
> TL;DR: Password-less PKCS12 passwords just don't work.
>
> After more testing, I couldn't get a password-less PKCS12 certificate to
> work, no matter what I tried.
> And after reading around I suspect it's not just Jetty that suffers from
> this, so there is nothing to be done.
>
> As for the other issue I had with a specific OpenSSL version, it turns out
> it's a non-issue.
> The culprit was an unrelated certificate generation script that omitted the
> provided password when calling openssl.
>
> In any case the xml provided back in February is good.
>
> NB
>
> On Thu, Jul 7, 2022 at 12:42 PM Andy Seaborne  wrote:
>
> > Hi Nikolaos,
> >
> > On 06/07/2022 11:04, Nikolaos Beredimas wrote:
> > > While trying to get Fuseki running over https I found this thread from
> > > February
> > > https://jena.markmail.org/message/2kqpd2tlinpdzpna?q=ssl+order:date-backward=1
> > >
> > > 1. I can confirm the provided xml works (tested on Fuseki 4.5.0)
> >
> > Thanks for confirming that.
> >
> > > 2. I am having some issues generating the needed pkcs12 certificate file.
> > >
> > > a. When trying to generate a password-less pkcs12 file (openssl ...
> > > -passout pass:) Fuseki doesn't complain when loading it, but I always get
> > > SSL handshake errors and it doesn't work.
> >
> > It is Jetty that is handling the certificate via the JDK.
> >
> > Mentions like
> >
> > https://stackoverflow.com/questions/58345405/how-to-use-non-password-protected-p12-ssl-certificate-in-spring-boot
> >
> > (which is nearly 3 years old)
> >
> > suggest a password was needed at some time in the past. Current jetty
> > documentation does not mention it one way or the other.
> >
> > > b. When trying to generate with a password I get mixed results:
> > > OpenSSL 1.1.1f  31 Mar 2020 running on WSL2 Ubuntu 20.04 works fine. Fuseki
> > > loads the certificate and works like a charm.
> > > However, if I use OpenSSL 1.1.1o  3 May 2022 (running on
> > > docker-linuxserver/docker-swag:latest) I get a strange exception stacktrace:
> > >
> > > java.io.IOException: keystore password was incorrect
> > > at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source) ~[?:?]
> > > at sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source) ~[?:?]
> > > at java.security.KeyStore.load(Unknown Source) ~[?:?]
> > > at
> > > org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49)
> > > ~[fuseki-server.jar:4.5.0]
> > > ...
> > > Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe
> > > contents entry: javax.crypto.BadPaddingException: Given final block not
> > > properly padded. Such issues can arise if a bad key is used during
> > > decryption.
> > > ... 28 more
> >
> > I'm afraid I don't know what that indicates.
> >
> > > I would appreciate any input to pinpoint and solve any or both issues
> > > above.
> >
> > We'd be interested in hearing what you find out.
> >
> > > Regards,
> > > Nikolaos Beredimas
> >

Re: Fuseki https certificate problems

2022-07-07 Thread Nikolaos Beredimas
Hi Andy,

TL;DR: Password-less PKCS12 passwords just don't work.

After more testing, I couldn't get a password-less PKCS12 certificate to
work, no matter what I tried.
And after reading around I suspect it's not just Jetty that suffers from
this, so there is nothing to be done.

As for the other issue I had with a specific OpenSSL version, it turns out
it's a non-issue.
The culprit was an unrelated certificate generation script that omitted the
provided password when calling openssl.

In any case the xml provided back in February is good.

NB

On Thu, Jul 7, 2022 at 12:42 PM Andy Seaborne  wrote:

> Hi Nikolaos,
>
>
> On 06/07/2022 11:04, Nikolaos Beredimas wrote:
> > While trying to get Fuseki running over https I found this thread from
> > February
> >
> https://jena.markmail.org/message/2kqpd2tlinpdzpna?q=ssl+order:date-backward=1
> >
> > 1. I can confirm the provided xml works (tested on Fuseki 4.5.0)
>
> Thanks for confirming that.
>
> >
> > 2. I am having some issues generating the needed pkcs12 certificate file.
> >
> > a. When trying to generate a password-less pkcs12 file (openssl ...
> > -passout pass:) Fuseki doesn't complain when loading it, but I always get
> > SSL handshake errors and it doesn't work.
>
> It is Jetty that is handling the certificate via the JDK.
>
> Mentions like
>
>
> https://stackoverflow.com/questions/58345405/how-to-use-non-password-protected-p12-ssl-certificate-in-spring-boot
>
> (which is nearly 3 years old)
>
> suggest a password was needed at some time in the past. Current jetty
> documentation does not mention it one way or the other.
>
> > b. When trying to generate with a password I get mixed results:
> > OpenSSL 1.1.1f  31 Mar 2020 running on WSL2 Ubuntu 20.04 works fine. Fuseki
> > loads the certificate and works like a charm.
> > However, if I use OpenSSL 1.1.1o  3 May 2022 (running on
> > docker-linuxserver/docker-swag:latest) I get a strange exception stacktrace:
> >
> > java.io.IOException: keystore password was incorrect
> > at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source) ~[?:?]
> > at sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source) ~[?:?]
> > at java.security.KeyStore.load(Unknown Source) ~[?:?]
> > at
> > org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49)
> > ~[fuseki-server.jar:4.5.0]
> > ...
> > Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe
> > contents entry: javax.crypto.BadPaddingException: Given final block not
> > properly padded. Such issues can arise if a bad key is used during
> > decryption.
> > ... 28 more
>
> I'm afraid I don't know what that indicates.
>
> >
> >
> > I would appreciate any input to pinpoint and solve any or both issues
> > above.
>
> We'd be interested in hearing what you find out.
>
> >
> > Regards,
> > Nikolaos Beredimas
> >
>


Re: Fuseki https certificate problems

2022-07-07 Thread Martynas Jusevičius
Can't you just provide a keystore password?

https://stackoverflow.com/questions/12862655/using-an-empty-keystore-password-used-to-be-possible

On Thu, Jul 7, 2022 at 11:42 AM Andy Seaborne  wrote:
>
> Hi Nikolaos,
>
>
> On 06/07/2022 11:04, Nikolaos Beredimas wrote:
> > While trying to get Fuseki running over https I found this thread from
> > February
> > https://jena.markmail.org/message/2kqpd2tlinpdzpna?q=ssl+order:date-backward=1
> >
> > 1. I can confirm the provided xml works (tested on Fuseki 4.5.0)
>
> Thanks for confirming that.
>
> >
> > 2. I am having some issues generating the needed pkcs12 certificate file.
> >
> > a. When trying to generate a password-less pkcs12 file (openssl ...
> > -passout pass:) Fuseki doesn't complain when loading it, but I always get
> > SSL handshake errors and it doesn't work.
>
> It is Jetty that is handling the certificate via the JDK.
>
> Mentions like
>
> https://stackoverflow.com/questions/58345405/how-to-use-non-password-protected-p12-ssl-certificate-in-spring-boot
>
> (which is nearly 3 years old)
>
> suggest a password was needed at some time in the past. Current jetty
> documentation does not mention it one way or the other.
>
> > b. When trying to generate with a password I get mixed results:
> > OpenSSL 1.1.1f  31 Mar 2020 running on WSL2 Ubuntu 20.04 works fine. Fuseki
> > loads the certificate and works like a charm.
> > However, if I use OpenSSL 1.1.1o  3 May 2022 (running on
> > docker-linuxserver/docker-swag:latest) I get a strange exception stacktrace:
> >
> > java.io.IOException: keystore password was incorrect
> > at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source) ~[?:?]
> > at sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source) ~[?:?]
> > at java.security.KeyStore.load(Unknown Source) ~[?:?]
> > at
> > org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49)
> > ~[fuseki-server.jar:4.5.0]
> > ...
> > Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe
> > contents entry: javax.crypto.BadPaddingException: Given final block not
> > properly padded. Such issues can arise if a bad key is used during
> > decryption.
> > ... 28 more
>
> I'm afraid I don't know what that indicates.
>
> >
> >
> > I would appreciate any input to pinpoint and solve any or both issues above.
>
> We'd be interested in hearing what you find out.
>
> >
> > Regards,
> > Nikolaos Beredimas
> >


Re: Fuseki https certificate problems

2022-07-07 Thread Andy Seaborne

Hi Nikolaos,


On 06/07/2022 11:04, Nikolaos Beredimas wrote:
> While trying to get Fuseki running over https I found this thread from
> February
> https://jena.markmail.org/message/2kqpd2tlinpdzpna?q=ssl+order:date-backward=1
>
> 1. I can confirm the provided xml works (tested on Fuseki 4.5.0)

Thanks for confirming that.

> 2. I am having some issues generating the needed pkcs12 certificate file.
>
> a. When trying to generate a password-less pkcs12 file (openssl ...
> -passout pass:) Fuseki doesn't complain when loading it, but I always get
> SSL handshake errors and it doesn't work.

It is Jetty that is handling the certificate via the JDK.

Mentions like

https://stackoverflow.com/questions/58345405/how-to-use-non-password-protected-p12-ssl-certificate-in-spring-boot

(which is nearly 3 years old)

suggest a password was needed at some time in the past. Current jetty
documentation does not mention it one way or the other.

> b. When trying to generate with a password I get mixed results:
> OpenSSL 1.1.1f  31 Mar 2020 running on WSL2 Ubuntu 20.04 works fine. Fuseki
> loads the certificate and works like a charm.
> However, if I use OpenSSL 1.1.1o  3 May 2022 (running on
> docker-linuxserver/docker-swag:latest) I get a strange exception stacktrace:
>
> java.io.IOException: keystore password was incorrect
> at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source) ~[?:?]
> at sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source) ~[?:?]
> at java.security.KeyStore.load(Unknown Source) ~[?:?]
> at
> org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49)
> ~[fuseki-server.jar:4.5.0]
> ...
> Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe
> contents entry: javax.crypto.BadPaddingException: Given final block not
> properly padded. Such issues can arise if a bad key is used during
> decryption.
> ... 28 more

I'm afraid I don't know what that indicates.

> I would appreciate any input to pinpoint and solve any or both issues above.

We'd be interested in hearing what you find out.

> Regards,
> Nikolaos Beredimas


Fuseki https certificate problems

2022-07-06 Thread Nikolaos Beredimas
While trying to get Fuseki running over https I found this thread from
February
https://jena.markmail.org/message/2kqpd2tlinpdzpna?q=ssl+order:date-backward=1

1. I can confirm the provided xml works (tested on Fuseki 4.5.0)

2. I am having some issues generating the needed pkcs12 certificate file.

a. When trying to generate a password-less pkcs12 file (openssl ...
-passout pass:) Fuseki doesn't complain when loading it, but I always get
SSL handshake errors and it doesn't work.

b. When trying to generate with a password I get mixed results:
OpenSSL 1.1.1f  31 Mar 2020 running on WSL2 Ubuntu 20.04 works fine. Fuseki
loads the certificate and works like a charm.
However, if I use OpenSSL 1.1.1o  3 May 2022 (running on
docker-linuxserver/docker-swag:latest) I get a strange exception stacktrace:

java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source) ~[?:?]
at java.security.KeyStore.load(Unknown Source) ~[?:?]
at
org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49)
~[fuseki-server.jar:4.5.0]
...
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe
contents entry: javax.crypto.BadPaddingException: Given final block not
properly padded. Such issues can arise if a bad key is used during
decryption.
... 28 more


I would appreciate any input to pinpoint and solve any or both issues above.

Regards,
Nikolaos Beredimas
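A pre-flight check for the keystore, as an added example that is not code from this thread, Fuseki or Jetty: it opens the PKCS12 file through the same JDK KeyStore.load call that Jetty's CertificateUtils.getKeyStore makes, so a password that does not match the one given to openssl surfaces as the IOException in the trace above before Fuseki is started, and a store that loads but holds no private key entry (a TLS server then has no key to present) is reported as well. The file path and password are command-line arguments, and the check assumes Jetty's key-manager password equals the store password.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

// Added example (not Fuseki/Jetty code): load a PKCS12 store the way Jetty's
// CertificateUtils.getKeyStore does and verify the password unlocks a private key.
public class KeystorePreflight {

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: KeystorePreflight <keystore.p12> [password]");
            System.exit(2);
        }
        // No second argument = empty password, the "-passout pass:" case from the thread.
        char[] password = args.length > 1 ? args[1].toCharArray() : new char[0];
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password); // the call that threw "keystore password was incorrect"
        } catch (IOException e) {
            if (e.getCause() instanceof UnrecoverableKeyException) {
                System.err.println("Store password rejected: " + e.getMessage());
                System.err.println("  -> compare with the -passout value given to openssl pkcs12 -export");
                System.exit(1);
            }
            throw e; // unreadable file, not a PKCS12 file, etc.
        }
        boolean foundKey = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // trusted-cert entries cannot serve TLS
            foundKey = true;
            try {
                // Assumption: Jetty's key-manager password equals the store password.
                ks.getKey(alias, password);
                System.out.println("OK: private key '" + alias + "' unlocks with this password");
            } catch (UnrecoverableKeyException e) {
                System.err.println("Key '" + alias + "' needs a different password than the store");
                System.exit(1);
            }
        }
        if (!foundKey) {
            System.err.println("No private key entry: store loads, but a TLS server has no key to present");
            System.exit(1);
        }
    }
}
```

Run it with the same file and password that the Jetty XML points at; a non-zero exit means Fuseki would hit the same failure at startup or at the first handshake.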