Hi Andy,

TL;DR: Password-less PKCS12 passwords just don't work.

After more testing, I couldn't get a password-less PKCS12 certificate to
work, no matter what I tried.
And after reading around I suspect it's not just Jetty that suffers from
this, so there is nothing to be done.

As for the other issue I had with a specific OpenSSL version, it turns out
it's a non-issue.
The culprit was an unrelated certificate generation script that omitted the
provided password when calling openssl.

In any case the xml provided back in February is good.

NB

On Thu, Jul 7, 2022 at 12:42 PM Andy Seaborne <a...@apache.org> wrote:

> Hi Nikolaos,
>
>
> On 06/07/2022 11:04, Nikolaos Beredimas wrote:
> > While trying to get Fuseki running over https I found this thread from
> > February
> >
> https://jena.markmail.org/message/2kqpd2tlinpdzpna?q=ssl+order:date-backward&page=1
> >
> > 1. I can confirm the provided xml works (tested on Fuseki 4.5.0)
>
> Thanks for confirming that.
>
> >
> > 2. I am having some issues generating the needed pkcs12 certificate file.
> >
> > a. When trying to generate a password-less pkcs12 file (openssl ...
> > -passout pass:) Fuseki doesn't complain when loading it, but I always get
> > SSL handshake errors and it doesn't work.
>
> It is Jetty that is handling the certificate via the JDK.
>
> Mentions like
>
>
> https://stackoverflow.com/questions/58345405/how-to-use-non-password-protected-p12-ssl-certificate-in-spring-boot
>
> (which is nearly 3 years old)
>
> suggest a password was needed at some time in the past. Current jetty
> documentation does not mention it one way or the other.
>
> > b. When trying to generate with a password I get mixed results:
> > OpenSSL 1.1.1f  31 Mar 2020 running on WSL2 Ubuntu 20.04 works fine.
> Fuseki
> > loads the certificate and works like a charm.
> > However, if I use OpenSSL 1.1.1o  3 May 2022 (running on
> > docker-linuxserver/docker-swag:latest) I get a strange exception
> stacktrace:
> >
> > java.io.IOException: keystore password was incorrect
> > at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source) ~[?:?]
> > at sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source) ~[?:?]
> > at java.security.KeyStore.load(Unknown Source) ~[?:?]
> > at
> >
> org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49)
> > ~[fuseki-server.jar:4.5.0]
> > ...
> > Caused by: java.security.UnrecoverableKeyException: failed to decrypt
> safe
> > contents entry: javax.crypto.BadPaddingException: Given final block not
> > properly padded. Such issues can arise if a bad key is used during
> > decryption.
> > ... 28 more
>
> I'm afraid I don't know what that indicates.
>
> >
> >
> > I would appreciate any input to pinpoint and solve any or both issues
> above.
>
> We'd be interested in hearing what you find out.
>
> >
> > Regards,
> > Nikolaos Beredimas
> >
>
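Added example, not part of this thread and not Jena or Jetty project code: a small POSIX shell script that generates throwaway test material, packages it as a PKCS12 keystore with an explicit export password, and then checks which password actually opens the file with openssl itself. This is the check worth running before handing a .p12 to Fuseki, since a generation script that drops the password (the root cause above) produces a keystore that loads with a different password than the one configured, which surfaces only as a "keystore password was incorrect" error at startup. The subject name, file names and the password `changeit` are placeholders chosen for the example; it assumes `openssl` and `mktemp` are on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build a PKCS12 keystore with an explicit
# export password and verify which password opens it, using only openssl.
# Assumptions: openssl and mktemp on PATH; names and passwords are placeholders.

set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # clean up the scratch directory on exit

# 1. Constructed test material: a throwaway self-signed key and certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=fuseki.example.test" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

# 2. Export to PKCS12. The export password must be passed explicitly here; a
#    wrapper script that silently drops "$2" is exactly the failure mode the
#    thread describes, so keep the password on the openssl command line visible.
make_p12() {
  # $1 = output path, $2 = export password
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -name fuseki -out "$1" -passout "pass:$2" 2>/dev/null
}

# 3. Check whether a PKCS12 file decrypts with a given password.
#    Exit status 0 = the MAC/password check passed, 1 = it did not.
p12_opens_with() {
  # $1 = p12 path, $2 = password to try
  openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

make_p12 "$WORK/fuseki.p12" "changeit"

# Expected-password check: this is what Jetty will attempt with the
# KeyStorePassword from the jetty xml, so it must succeed.
if p12_opens_with "$WORK/fuseki.p12" "changeit"; then
  echo "fuseki.p12: opens with the configured password"
fi

# Wrong-password check: a mismatch is what produces
# "keystore password was incorrect" / BadPaddingException on the Java side.
if ! p12_opens_with "$WORK/fuseki.p12" "wrong"; then
  echo "fuseki.p12: rejects a wrong password (expected)"
fi
```

Run it as-is; the only state it leaves behind is nothing, since the scratch directory is removed on exit. If the second check ever reports that a wrong password opens the file, the keystore was exported with a different password than intended and the generation script is the place to look.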
