
[Bug 66036] New: pkcs#11: parent httpd not issuing C_Login() after graceful reload causing on-going connections to fail SSL/TLS handshake
https://bz.apache.org/bugzilla/show_bug.cgi?id=66036

Bug ID: 66036
Summary: pkcs#11: parent httpd not issuing C_Login() after
graceful reload causing on-going connections to fail
SSL/TLS handshake
Product: Apache httpd-2
Version: 2.4.52
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: alex.ciobotaru@gmail.com
Target Milestone: ---

Given an Apache httpd SSL/TLS configuration with the certificate stored in a
pkcs#11 token, when renewing the certificate on the token, we reload the httpd
(i.e. apachectl -k graceful) in order to avoid killing current connections.

A minimal SSL/TLSv1.2 configuration:

<VirtualHost *:443>
    ServerName www.my-server.example
    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateKeyFile "pkcs11:model=p11ne-token;manufacturer=xyz;token=my-token;id=%01;object=my-key;type=private?pin-value=1234"
    SSLCertificateFile "/run/app/httpd-cert.pem"
</VirtualHost>

Test that the server starts and works (should see Apache Hello message):

$ curl -k --tlsv1.2 https://www.my-server.example

Reload the server and check again:

$ curl -k --tlsv1.2 https://www.my-server.example
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

I've checked with p11-kit's log-calls: yes parameter, and
/var/log/httpd/error_log yields:

C_SignInit
  IN: hSession = S17
  IN: pMechanism = {
    mechanism: CKM_RSA_PKCS
    pParameter: (0) NULL
  }
  IN: hKey = H24
C_SignInit = CKR_USER_NOT_LOGGED_IN

This happens because after a reload (in comparison to a restart), no worker
context shall issue a C_Login() again in order to have access for C_Sign() with
the token private key. The pkcs#11 specification requires a C_Login() for each
application context for accessing the private key for signing requests.

A primitive workaround would be to issue a WINCH signal for gracefully stopping
on-going connections and then restarting the server, but this is still not as
powerful as gracefully reloading the configuration as per documentation.
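The p11-kit log-calls excerpt above is the evidence that matters for this bug: a C_Sign* call on a session that never received a C_Login. The following script is an added example (not code from httpd, mod_ssl or p11-kit) that parses that log layout and reports such sessions, so an operator can check error_log after a graceful reload instead of waiting for curl to fail. The SAMPLE_LOG is constructed around the report's excerpt; the C_Login entry and its argument lines are an assumption about how p11-kit prints that call.

```python
"""Scan p11-kit `log-calls: yes` output for signing calls that return
CKR_USER_NOT_LOGGED_IN on a session with no successful C_Login.

Added illustration, not code from httpd, mod_ssl or p11-kit. SAMPLE_LOG is
constructed around the excerpt in the bug report; the C_Login block is an
assumption about the log layout.
"""

import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A call opens with a bare function name and closes with "name = CKR_...".
CALL_START = re.compile(r"^(C_\w+)$")
CALL_END = re.compile(r"^(C_\w+)\s*=\s*(CKR_\w+)$")
# Argument lines look like "IN: hSession = S17"; nested struct members
# (e.g. "mechanism: CKM_RSA_PKCS") carry no IN:/OUT: tag and are ignored.
ARG_LINE = re.compile(r"^(IN|OUT):\s*(\w+)\s*=\s*(.*)$")


@dataclass
class Call:
    name: str
    rv: Optional[str] = None
    args: Dict[str, str] = field(default_factory=dict)


def parse_calls(text: str) -> List[Call]:
    """Turn log text into an ordered list of Call records."""
    calls: List[Call] = []
    current: Optional[Call] = None
    for raw in text.splitlines():
        line = raw.strip()
        end = CALL_END.match(line)
        if end:
            # Close the open call; tolerate a return line without a header.
            if current is None or current.name != end.group(1):
                current = Call(end.group(1))
            current.rv = end.group(2)
            calls.append(current)
            current = None
            continue
        start = CALL_START.match(line)
        if start:
            current = Call(start.group(1))
            continue
        arg = ARG_LINE.match(line)
        if arg and current is not None:
            current.args[arg.group(2)] = arg.group(3).strip()
    return calls


def failed_sign_calls(text: str) -> List[Tuple[str, str, str]]:
    """(function, session, key) for signing calls rejected for lack of login."""
    return [
        (c.name, c.args.get("hSession", "?"), c.args.get("hKey", "?"))
        for c in parse_calls(text)
        if c.name.startswith("C_Sign") and c.rv == "CKR_USER_NOT_LOGGED_IN"
    ]


def sessions_missing_login(text: str) -> List[str]:
    """Sessions with a failed signing call and no successful C_Login.

    After a graceful reload the new worker's session shows exactly this:
    a C_SignInit on a session that was never logged in."""
    calls = parse_calls(text)
    logged_in = {c.args.get("hSession") for c in calls
                 if c.name == "C_Login" and c.rv == "CKR_OK"}
    failing: List[str] = []
    for c in calls:
        if c.name.startswith("C_Sign") and c.rv == "CKR_USER_NOT_LOGGED_IN":
            session = c.args.get("hSession", "?")
            if session not in logged_in and session not in failing:
                failing.append(session)
    return failing


def return_code_summary(text: str) -> Counter:
    """Count return codes; a quick health check over error_log."""
    return Counter(c.rv for c in parse_calls(text) if c.rv)


# Constructed sample: one logged-in session that signs fine, then the
# report's failing session S17 (the C_Login block is assumed layout).
SAMPLE_LOG = """\
C_Login
  IN: hSession = S5
  IN: userType = CKU_USER
C_Login = CKR_OK
C_SignInit
  IN: hSession = S5
  IN: pMechanism = {
    mechanism: CKM_RSA_PKCS
    pParameter: (0) NULL
  }
  IN: hKey = H24
C_SignInit = CKR_OK
C_SignInit
  IN: hSession = S17
  IN: pMechanism = {
    mechanism: CKM_RSA_PKCS
    pParameter: (0) NULL
  }
  IN: hKey = H24
C_SignInit = CKR_USER_NOT_LOGGED_IN
"""

if __name__ == "__main__":
    for name, session, key in failed_sign_calls(SAMPLE_LOG):
        print(f"{name} on session {session} with key {key}: not logged in")
    print("sessions missing C_Login:", sessions_missing_login(SAMPLE_LOG))
    print(dict(return_code_summary(SAMPLE_LOG)))
```

Run it against the real error_log (with p11-kit's log-calls enabled, as in the report) after `apachectl -k graceful`: a non-empty result from sessions_missing_login is the signature of this bug, and an empty one after a full restart confirms the WINCH/restart workaround took effect.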
