Bug 55673 - httpd fails to start with SSLProxyMachineCertificateFile with openssl 1.0 cert
Summary: httpd fails to start with SSLProxyMachineCertificateFile with openssl 1.0 cert
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.6
Hardware: Other Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-18 21:03 UTC by Fred K
Modified: 2014-08-29 12:22 UTC
Description Fred K 2013-10-18 21:03:47 UTC
Hi,

We have configured an Apache instance to proxy to an SSL backend. The related SSL configuration is:

LoadModule ssl_module modules/mod_ssl.so

<VirtualHost 1.2.3.4:443>
   SSLEngine on
</VirtualHost>

<IfModule ssl_module>
   SSLRandomSeed startup builtin
   SSLRandomSeed connect builtin
   SSLProtocol -all +SSLv3 +TLSv1
   SSLCipherSuite AES256-SHA:DES-CBC3-SHA:AES128-SHA
   SSLCertificateFile ssl/servercert.pem
   SSLProxyEngine on
   SSLProxyMachineCertificateFile ssl/servercert.pem
   SSLProxyMachineCertificateChainFile ssl/cacerts.pem
</IfModule>

Apache fails to start when servercert.pem looks like:

-----BEGIN PRIVATE KEY-----
the key
-----END PRIVATE KEY-----

The error logs are:

[Fri Oct 18 17:32:53.837463 2013] [ssl:debug] [pid 463004:tid 139787389822720] ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost foo.com:80, skipping SSL setup
[Fri Oct 18 17:32:53.837502 2013] [ssl:info] [pid 463004:tid 139787389822720] AH02200: Loading certificate & private key of SSL-aware server myhost.com:8443'
[Fri Oct 18 17:32:53.837733 2013] [ssl:debug] [pid 463004:tid 139787389822720] ssl_engine_pphrase.c(239): AH02202: Init: Read server certificate from '/opt/apache/ssl/servercert.pem'
[Fri Oct 18 17:32:53.837938 2013] [ssl:debug] [pid 463004:tid 139787389822720] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Fri Oct 18 17:32:53.976865 2013] [ssl:info] [pid 463004:tid 139787389822720] AH01887: Init: Initializing (virtual) servers for SSL
AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
[Fri Oct 18 17:32:53.977284 2013] [ssl:emerg] [pid 463004:tid 139787389822720] AH02312: Fatal error initialising mod_ssl, exiting.

1/ Oddly, it appears you can work around the problem by changing the line from -----BEGIN PRIVATE KEY----- to -----BEGIN RSA PRIVATE KEY-----

2/ The problem happens only with SSLProxyMachineCertificateFile; the same certificate works fine with SSLCACertificateFile.

The problem stems from our CA generating the certs with openssl 1.0.1e, which changed (compared to 0.9.8) its default private key format to PKCS#8.

Since the SSLCACertificateFile directive appears to support either format, PKCS#1 and PKCS#8, it is strange that SSLProxyMachineCertificateFile does not – is this a bug or am I missing something?

Thank you very much,
Regards - Fred
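The report above hinges on which PEM container the private key in the SSLProxyMachineCertificateFile uses: the PKCS#8 "PRIVATE KEY" label that OpenSSL 1.0 writes by default versus the traditional "RSA PRIVATE KEY" label, plus the "missing or encrypted private key?" hint in AH02252. The following is an added example, not code from the reporter or from httpd: a small pre-flight linter that parses a PEM file, tells the two key containers apart (including the Proc-Type/DEK-Info headers that mark an encrypted traditional key), and reports the conditions that, per this bug, stop httpd 2.4.6 from loading the file as a proxy machine certificate. The function names, the finding strings and the sample PEM files (their base64 payloads are placeholders, not real keys or certificates) are all constructed here.

```python
import re
from dataclasses import dataclass, field

# PEM labels as they appear on the "-----BEGIN <label>-----" line.
TRADITIONAL_KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"}  # PKCS#1 / SEC1 style
PKCS8_KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}  # PKCS#8 PrivateKeyInfo / EncryptedPrivateKeyInfo

PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


@dataclass
class PemBlock:
    label: str
    headers: dict = field(default_factory=dict)  # e.g. Proc-Type / DEK-Info on encrypted traditional keys
    payload: str = ""                            # base64 text with whitespace removed


def parse_pem(text: str) -> list:
    """Split a PEM file into blocks. Header lines ("Name: value") precede a blank line."""
    blocks = []
    for m in PEM_BLOCK_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        headers, payload_lines, in_headers = {}, [], True
        for line in body.splitlines():
            if in_headers and ":" in line:          # base64 never contains ':'
                name, value = line.split(":", 1)
                headers[name.strip()] = value.strip()
                continue
            in_headers = False
            if line.strip():
                payload_lines.append(line.strip())
        blocks.append(PemBlock(label, headers, "".join(payload_lines)))
    return blocks


def classify_key(block: PemBlock):
    """Return the key container kind, or None if the block is not a private key."""
    if block.label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    if block.label == "PRIVATE KEY":
        return "pkcs8"
    if block.label in TRADITIONAL_KEY_LABELS:
        if block.headers.get("Proc-Type", "").endswith("ENCRYPTED"):
            return "traditional-encrypted"
        return "traditional"
    return None


def lint_machine_cert_file(text: str) -> list:
    """Findings that, per bug 55673, stop httpd 2.4.6 loading this file as
    SSLProxyMachineCertificateFile. An empty list means: a certificate plus an
    unencrypted traditional-format key, which is what the directive expects."""
    blocks = parse_pem(text)
    findings = []
    if not any(b.label == "CERTIFICATE" for b in blocks):
        findings.append("no CERTIFICATE block")
    keys = [(b, classify_key(b)) for b in blocks if classify_key(b) is not None]
    if not keys:
        findings.append("no private key block (AH02252: missing private key)")
    for b, kind in keys:
        if kind.endswith("-encrypted"):
            findings.append(f"{b.label}: encrypted key; proxy machine certs need an unencrypted key (AH02252)")
        elif kind == "pkcs8":
            findings.append("PRIVATE KEY: PKCS#8 container; 2.4.6 only accepts the traditional "
                            "'RSA PRIVATE KEY' form here (bug 55673)")
    return findings


# Constructed sample files (placeholder base64, not real key or certificate material).
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nTUlJQ2VydA==\n-----END CERTIFICATE-----\n"
PKCS8_FILE = FAKE_CERT + "-----BEGIN PRIVATE KEY-----\nTUlJRXZR\n-----END PRIVATE KEY-----\n"
PKCS1_FILE = FAKE_CERT + "-----BEGIN RSA PRIVATE KEY-----\nTUlJRW93\n-----END RSA PRIVATE KEY-----\n"
ENC_PKCS1_FILE = FAKE_CERT + (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "TUlJRW93\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, content in [("pkcs8", PKCS8_FILE), ("pkcs1", PKCS1_FILE), ("enc-pkcs1", ENC_PKCS1_FILE)]:
        print(name, lint_machine_cert_file(content) or "ok")
```

Run against a real deployment, the linter reads the file named by SSLProxyMachineCertificateFile and reports before httpd is restarted, so the AH02252 fatal error is caught at change time rather than at startup. The supported way to get a key into the traditional form the directive accepts is to rewrite it with OpenSSL (`openssl rsa -in key.pem -out key-traditional.pem`, adding `-traditional` on OpenSSL 3, where PKCS#8 is again the default output) rather than editing the PEM label by hand.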