Posted to dev@tomcat.apache.org by bu...@apache.org on 2022/05/25 14:35:42 UTC
[Bug 66089] New: Tomcat 9.0.63 won't start when used with a SSL certificate containing a RSA Private Key
https://bz.apache.org/bugzilla/show_bug.cgi?id=66089
Bug ID: 66089
Summary: Tomcat 9.0.63 won't start when used with a SSL
certificate containing a RSA Private Key
Product: Tomcat 9
Version: 9.0.63
Hardware: All
OS: All
Status: NEW
Severity: blocker
Priority: P2
Component: Util
Assignee: dev@tomcat.apache.org
Reporter: djv@mitre.org
Target Milestone: -----
Our tomcat 9 server has an existing SSL certificate (Entrust CA) which contains an RSA Private Key. This SSL certificate worked fine when run with Tomcat 9.0.62 but won't work when Tomcat 9.0.63 is installed. I show the stack trace at the end of this message.
Note that this only happens when starting the service with an SSL certificate that contains an RSA Private Key. We've tested on other tomcat servers that have an SSL certificate that contains a Private Key, and in this case tomcat 9.0.63 starts up fine.
I compared Tomcat source 9.0.62 vs. 9.0.63 and it looks like there is a bug in org/apache/tomcat/util/net/jsse/PEMFile.java:
- in tomcat 9.0.62 in PEMFile.java, on line 132, case Part.RSA_PRIVATE_KEY, the private key is constructed with this statement:
privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1);
- in tomcat 9.0.63 in PEMFile.java, on line 146, case Part.RSA_PRIVATE_KEY, the private key is constructed with this statement:
privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1);
Since our RSA private key doesn't have a password, passing password=null is the
correct option.
The Tomcat 9.0.63 stack trace when started with an SSL certificate containing an RSA Private Key is shown here:
16-May-2022 18:52:30.849 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1049)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: overrun, bytes = 924
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:234)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:603)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
    ... 13 more
Caused by: java.io.IOException: overrun, bytes = 924
    at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95)
    at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:204)
    at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:146)
    at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:98)
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:316)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
    ... 20 more
Tomcat build information is here:
16-May-2022 18:52:30.473 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/9.0.63
16-May-2022 18:52:30.477 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: May 11 2022 07:52:11 UTC
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
--- Comment #1 from Remy Maucherat <re...@apache.org> ---
This change was part of the PR, and I don't see any reason for it ...
--- Comment #2 from jfclere <jf...@gmail.com> ---
I think the logic looks for something like:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,E9F2FB791E9BAAEC7BEE71DA73CA35F3
4LBH2H34b4BW0C2v8VYkp8/MCWPmW7iJnuqvH103DxnFV+PBnXXeEjiUsqVEma1x
but not all the encrypted private keys have it:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIgorSE4d41bECAggA
A quick work-around is to encrypt or re-encrypt the key, something like:
openssl rsa -aes256 -in newkey.pem -out newkey.aes-256.pem
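The three encodings the report and comment #2 turn on (an unencrypted PKCS#1 "RSA PRIVATE KEY" block, a legacy OpenSSL block with Proc-Type/DEK-Info headers, and a PKCS#8 "ENCRYPTED PRIVATE KEY" block) as an added Python example; it is not Tomcat's PEMFile code and not code from anyone in this thread. It derives "encrypted" from the PEM label and headers rather than from whether a password happens to be configured (the decision 9.0.63 got wrong for PKCS#1 keys) and cross-checks the DER body against the label before any decryption is attempted; the DER stubs are constructed and `pem_block`, `parse_pem`, `der_shape` and `classify_key` are hypothetical names.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
EXPECTED = {"RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8", "ENCRYPTED PRIVATE KEY": "encrypted-pkcs8"}
# Constructed DER stubs that carry only the outer structure of each encoding (not real keys).
PKCS1_DER = bytes.fromhex("30080201000203010001")  # SEQUENCE { INTEGER 0, INTEGER 65537 }
PKCS8_DER = bytes.fromhex("301e020100300d06092a864886f70d0101010500040a") + PKCS1_DER
ENC_PKCS8_DER = bytes.fromhex("3015300d06092a864886f70d01050d30000404deadbeef")  # PBES2 id + blob

def pem_block(label, body, headers=()):
    """Build a sample PEM block; `headers` are optional legacy OpenSSL header lines."""
    return "\n".join([f"-----BEGIN {label}-----", *headers, *([""] if headers else []),
                      base64.b64encode(body).decode(), f"-----END {label}-----", ""])

def parse_pem(pem):
    """Return (label, headers, body bytes); headers are the Proc-Type/DEK-Info lines."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    lines = [s.strip() for s in m.group(2).splitlines() if s.strip()]
    headers = dict(map(str.strip, ln.split(":", 1)) for ln in lines if ":" in ln)
    return m.group(1), headers, base64.b64decode("".join(ln for ln in lines if ":" not in ln))

def _tlv(der, off):
    """Read one DER tag and length at der[off]; return (tag, content_start, content_end)."""
    tag, length, n = der[off], der[off + 1], 0
    if length & 0x80:                          # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(der[off + 2:off + 2 + n], "big")
    return tag, off + 2 + n, off + 2 + n + length

def der_shape(der):
    """Classify a DER body by the first two elements of its outer SEQUENCE."""
    tag, start, _ = _tlv(der, 0)
    if tag != 0x30:
        return "not-a-sequence"
    first, _, first_end = _tlv(der, start)
    if first == 0x30:                          # AlgorithmIdentifier first: EncryptedPrivateKeyInfo
        return "encrypted-pkcs8"
    return "pkcs8" if _tlv(der, first_end)[0] == 0x30 else "pkcs1"  # version, then AlgorithmIdentifier (PKCS#8) or modulus (PKCS#1)

def classify_key(pem):
    """Derive 'encrypted' from the PEM itself, never from a configured password; check body vs label."""
    label, headers, body = parse_pem(pem)
    legacy = "DEK-Info" in headers             # OpenSSL traditional (Proc-Type/DEK-Info) encryption
    shape = "ciphertext" if legacy else der_shape(body)
    consistent = (label == "RSA PRIVATE KEY") if legacy else (EXPECTED.get(label) == shape)
    return {"label": label, "encrypted": legacy or label == "ENCRYPTED PRIVATE KEY",
            "body": shape, "consistent": consistent}
```

A loader that only hands a block to EncryptedPrivateKeyInfo-style parsing when `encrypted` is true, and refuses blocks with `consistent` false, fails with a clear message instead of the "overrun, bytes = 924" seen in the report.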
Mark Thomas <ma...@apache.org> changed:
What       | Removed | Added
-----------+---------+---------
Status     | NEW     | RESOLVED
Resolution | ---     | FIXED
--- Comment #4 from Mark Thomas <ma...@apache.org> ---
Thanks for reporting this.
Fixed in:
- 10.1.x for 10.1.0-M16 onwards
- 10.0.x for 10.0.22 onwards
- 9.0.x for 9.0.64 onwards
- 8.5.x for 8.5.80 onwards
--- Comment #3 from jfclere <jf...@gmail.com> ---
https://github.com/apache/tomcat/pull/517 should fix the problem.