Mantis - Resin
Viewing Issue Advanced Details
1670 feature always 04-04-07 13:43 04-05-07 09:12
thintz  
ferg  
normal  
closed 3.0.23  
fixed  
none    
none 3.1.1  
0001670: Some SSL certificates not usable
Some certificate encodings prevent SSL certificates from being used. OpenSSL reports:

> dump the error response produced by the OpenSSL libraries:
>
> OpenSSL support compiled for OpenSSL 0.9.7i 14 Oct 2005
> 23439:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:/on10/build-nd/G10U4B0/usr/src/common/openssl/crypto/evp/evp_pbe.c:89:TYPE=pbeWithMD5AndDES-CBC
> 23439:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:/on10/build-nd/G10U4B0/usr/src/common/openssl/crypto/pkcs12/p12_decr.c:83:
> 23439:error:2306A075:PKCS12 routines:PKCS12_decrypt_d2i:pkcs12 pbe crypt error:/on10/build-nd/G10U4B0/usr/src/common/openssl/crypto/pkcs12/p12_decr.c:122:
> 23439:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:/on10/build-nd/G10U4B0/usr/src/common/openssl/crypto/pem/pem_pkey.c:121:
> 23439:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:../../../../common/openssl/ssl/ssl_rsa.c:709:

I modified Resin 3.0.23's ssl.c per the OpenSSL instructions at the following web address and now we can use the certificate supplied. Not sure if the change is appropriate, but it works.

http://www.openssl.org/support/faq.html#PROG8

The specific code change was this:

JNIEXPORT void JNICALL Java_com_caucho_vfs_OpenSSLFactory_nativeInit(JNIEnv *env,
                                              jobject obj,
                                              jlong p_ss,
                                              jlong p_config)
{
  server_socket_t *ss = (server_socket_t *) (PTR) p_ss;
  ssl_config_t *config = (ssl_config_t *) (PTR) p_config;

  if (! ss || ! config) {
    resin_throw_exception(env, "java/lang/IllegalStateException",
                          "server socket and config must have valid values.");
    return;
  }

  ss->ssl_config = config;

  if (! ss->context) {
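    /* Register all ciphers and digests so that PBE-encrypted private keys
       (here pbeWithMD5AndDES-CBC) can be decrypted when they are loaded. */
    OpenSSL_add_all_algorithms(); // <--- added this line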
    ss->context = ssl_create_context(env, config);

    fprintf(stderr, "OpenSSL support compiled for %s\n",
            OPENSSL_VERSION_TEXT);
  }
}
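
For triage of an error queue like the one quoted above, the following added example (not part of the original report and not Resin or OpenSSL code) unpacks each line's 8-digit code and finds the entry that names the unregistered PBE algorithm. It assumes the pre-3.0 OpenSSL code layout (8-bit library, 12-bit function, 12-bit reason); `parse_ossl_error`, `find_unregistered_pbe` and `ossl_err_t` are hypothetical names.

```c
/* Added example; helper names are hypothetical, not Resin or OpenSSL APIs. */
#include <stdlib.h>
#include <string.h>

enum { ERR_LIB_EVP = 6, EVP_R_UNKNOWN_PBE_ALGORITHM = 121 }; /* OpenSSL header values */
typedef struct { unsigned lib, func, reason; char func_name[64], pbe_type[64]; } ossl_err_t;

/* Sample input: first and last entries of the report, mail wrapping undone. */
static const char *const SAMPLE[] = {
    "23439:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:/on10/build-nd/G10U4B0/usr/src/common/openssl/crypto/evp/evp_pbe.c:89:TYPE=pbeWithMD5AndDES-CBC",
    "23439:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:../../../../common/openssl/ssl/ssl_rsa.c:709:",
};

/* Copy the n-th ':'-separated field (0-based) into out; -1 if missing or too long. */
static int field(const char *s, int n, char *out, size_t outsz)
{
    for (; n > 0; n--, s++)
        if ((s = strchr(s, ':')) == NULL) return -1;
    size_t len = strcspn(s, ":\n");
    if (len >= outsz) return -1;
    memcpy(out, s, len);
    out[len] = '\0';
    return 0;
}

/* Parse one "pid:error:CODE:lib:func:reason:file:line:data" line; 0 on success. */
int parse_ossl_error(const char *line, ossl_err_t *e)
{
    char tag[8], hex[16], *end;
    const char *t = strstr(line, "TYPE=");
    memset(e, 0, sizeof *e);
    if (field(line, 1, tag, sizeof tag) || strcmp(tag, "error") != 0) return -1;
    if (field(line, 2, hex, sizeof hex) || field(line, 4, e->func_name, 64)) return -1;
    unsigned long code = strtoul(hex, &end, 16);
    if (end == hex || *end != '\0') return -1;
    e->lib = (code >> 24) & 0xff;          /* same split as ERR_GET_LIB/FUNC/REASON */
    e->func = (code >> 12) & 0xfff;
    e->reason = code & 0xfff;
    if (t != NULL) field(t + 5, 0, e->pbe_type, sizeof e->pbe_type);
    return 0;
}

/* Index of the first entry that is EVP's "unknown pbe algorithm", else -1. */
int find_unregistered_pbe(const char *const *lines, int n, ossl_err_t *out)
{
    for (int i = 0; i < n; i++)
        if (!parse_ossl_error(lines[i], out) && out->lib == ERR_LIB_EVP
            && out->reason == EVP_R_UNKNOWN_PBE_ALGORITHM) return i;
    return -1;
}
```

On the sample, the match is the first entry, with `pbe_type` set to `pbeWithMD5AndDES-CBC`; the later PKCS12, PEM and SSL entries are the same failure propagating up the call chain.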

Notes
(0001812)
ferg   
04-05-07 09:12   
Also fixed in 3.0.24.