
[PATCH] Apache-Test/lib/Apache/TestSSLCA.pm to always generate PKCS#1 keys with openssl >= 3
Before openssl 3.0 the command `openssl genrsa` used to generate
private keys in PKCS#1 format; since openssl >= 3.0 it now generates
them in PKCS#8 format by default (while passing -traditional at the
command line allows restoring the old behaviour).

This is not an issue as long as httpd and TestSSLCA.pm use the same
openssl version (either < 3 or >= 3), but if e.g. httpd is
compiled/linked/-rpath'ed against an openssl < 3 and TestSSLCA.pm uses
the system's openssl >= 3 then mod_proxy won't be able to load the
PKCS#8 keys. It comes from PEM_X509_INFO_read_bio() which ignores them
with openssl < 3, while (AIUI) it is the easiest/recommended way to
load certificates and keys using the openssl API (without yet more
churn in mod_ssl compat code, probably not worth it).

It seems easier for httpd to document/require running with openssl >=
3 or ProxyMachineCertificateFile to take PKCS#1 keys only, hence
possibly make TestSSLCA.pm always generate "traditional" PKCS#1 keys
too (which can be read by all openssl versions, so far :p).

This patch adds -traditional to the `openssl genrsa` calls when
TestSSLCA.pm is running with openssl >= 3.

Maybe it should be configurable but I'm afraid it's above my
perl/Apache-Test foo..

Index: Apache-Test/lib/Apache/TestSSLCA.pm
===================================================================
--- Apache-Test/lib/Apache/TestSSLCA.pm (revision 1913056)
+++ Apache-Test/lib/Apache/TestSSLCA.pm (working copy)
@@ -332,6 +332,13 @@ sub new_ca {
export_cert('ca'); #useful for importing into IE
}

+#RSA keys are always generated in "traditional" PKCS#1 format
+my $genrsa_traditional = "";
+if (Apache::Test::normalize_vstring($version) >=
+ Apache::Test::normalize_vstring("3.0.0")) {
+ $genrsa_traditional = "-traditional";
+}
+
sub new_key {
my $name = shift;

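Review bot: the new `$genrsa_traditional` is computed at file scope (from `my $genrsa_traditional = "";` through the closing `}`), so `Apache::Test::normalize_vstring($version)` runs when TestSSLCA.pm is loaded, not when `new_key` is called; that only works if `$version` already holds the openssl version at load time. If `$version` is populated later (for instance from the configured `APACHE_TEST_OPENSSL_CMD`), move the comparison into `new_key` or compute it lazily. The comment `#RSA keys are always generated in "traditional" PKCS#1 format` could also say why the flag is only added on openssl >= 3 (older `genrsa` already writes PKCS#1), since that is the point of the change.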
@@ -348,7 +355,7 @@ sub new_key {
openssl gendsa => "$out dsa-param";
}
else {
- openssl genrsa => "$out 2048";
+ openssl genrsa => "$genrsa_traditional $out 2048";
}
}

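Review bot: `"$genrsa_traditional $out 2048"` begins with a space when the flag is empty (openssl < 3), so the `openssl genrsa =>` helper should be checked to confirm it splits the string on whitespace rather than forwarding a leading-space or empty argument to the command; if it does not, build the argument string conditionally instead of interpolating an empty variable. The `openssl gendsa => "$out dsa-param";` branch just above is left untouched, so if openssl >= 3 also emits DSA keys in PKCS#8 form, the mod_proxy loading problem described in the message remains for DSA keys; worth stating in the commit message whether that is intended.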
--


Regards;
Yann.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org
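The format mismatch described in the message can be checked from outside the test framework. The following shell script is an added example, not part of the patch or of Apache-Test: it classifies a PEM private key by its header (PKCS#1 "traditional" versus PKCS#8), mirrors the patch's version test to pick the `-traditional` flag for `openssl genrsa`, and converts an existing PKCS#8 key with `openssl rsa -traditional` so that an httpd linked against openssl < 3 can load it. The sample PEM blocks are constructed (the bodies are not real keys), the function names are my own, and the conversion and demo paths assume an openssl >= 3 binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the patch or from Apache-Test.
# Checks whether PEM private keys are in PKCS#1 ("traditional") or PKCS#8
# form, chooses the `openssl genrsa` flag the way the patch does, and
# converts PKCS#8 keys to PKCS#1 for consumers built against openssl < 3.

# Classify a PEM private key from the text of its BEGIN line.
#   pkcs1            "BEGIN RSA PRIVATE KEY"        readable by every openssl version
#   pkcs8            "BEGIN PRIVATE KEY"            openssl >= 3 default for genrsa;
#                                                   PEM_X509_INFO_read_bio() on < 3 skips it
#   pkcs8-encrypted  "BEGIN ENCRYPTED PRIVATE KEY"
#   unknown          anything else (certificate, parameters, empty input, ...)
# $1 = PEM text (file contents, not a file name)
pem_key_format() {
    case "$1" in
        *"-----BEGIN RSA PRIVATE KEY-----"*)       echo pkcs1 ;;
        *"-----BEGIN ENCRYPTED PRIVATE KEY-----"*) echo pkcs8-encrypted ;;
        *"-----BEGIN PRIVATE KEY-----"*)           echo pkcs8 ;;
        *)                                         echo unknown ;;
    esac
}

# Same decision as the patch's $genrsa_traditional: "-traditional" on
# openssl >= 3, empty otherwise. Accepts the output of `openssl version`
# ("OpenSSL 3.0.2 15 Mar 2022") or a bare "1.1.1k". Anything that is not an
# OpenSSL major.minor.patch string (e.g. a LibreSSL banner) yields no flag.
# $1 = version string
genrsa_traditional_flag() {
    ver=${1#OpenSSL }
    major=${ver%%.*}
    case "$major" in
        ''|*[!0-9]*) echo "" ;;
        *) if [ "$major" -ge 3 ]; then echo "-traditional"; else echo ""; fi ;;
    esac
}

# Rewrite a key file as PKCS#1 if it is PKCS#8. Assumes an openssl >= 3
# binary on PATH, whose `openssl rsa -traditional` writes PKCS#1 output.
# $1 = path to the key file
ensure_pkcs1_key() {
    fmt=$(pem_key_format "$(cat "$1")")
    case "$fmt" in
        pkcs1) return 0 ;;
        pkcs8) openssl rsa -in "$1" -traditional -out "$1.pkcs1" && mv "$1.pkcs1" "$1" ;;
        *)     echo "ensure_pkcs1_key: cannot convert $1 (format: $fmt)" >&2; return 1 ;;
    esac
}

# Constructed sample inputs: only the headers matter, the bodies are not real keys.
SAMPLE_PKCS1="-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...constructed...
-----END RSA PRIVATE KEY-----"
SAMPLE_PKCS8="-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkq...constructed...
-----END PRIVATE KEY-----"

# Demo against a real openssl: `sh this_script.sh --demo`
# Generates a key the way the patched TestSSLCA.pm would and reports its format.
if [ "${1:-}" = "--demo" ] && command -v openssl >/dev/null 2>&1; then
    flag=$(genrsa_traditional_flag "$(openssl version)")
    tmp=$(mktemp -d)
    # $flag is deliberately unquoted: an empty flag must expand to no argument
    openssl genrsa $flag -out "$tmp/key.pem" 2048 2>/dev/null
    echo "openssl version: $(openssl version)"
    echo "genrsa flag:     '${flag}'"
    echo "key format:      $(pem_key_format "$(cat "$tmp/key.pem")")"
    rm -rf "$tmp"
fi
```

Running `sh script.sh --demo` under an openssl >= 3 should report `pkcs1`; without the flag the same openssl would report `pkcs8`, which is exactly the key an httpd built against openssl < 3 fails to load from ProxyMachineCertificateFile. The header check is deliberately independent of openssl so it can run in the same environment httpd runs in.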
Re: [PATCH] Apache-Test/lib/Apache/TestSSLCA.pm to always generate PKCS#1 keys with openssl >= 3
On Wed, Oct 18, 2023 at 3:09 PM Yann Ylavic <ylavic.dev@gmail.com> wrote:
>
> This is not an issue as long as httpd and TestSSLCA.pm use the same
> openssl version (either < 3 or >= 3), but if e.g. httpd is
> compiled/linked/-rpath'ed against an openssl < 3 and TestSSLCA.pm uses
> the system's openssl >= 3 then mod_proxy won't be able to load the
> PKCS#8 keys.

Note that this can be worked around by running the httpd perl framework
with something like:
$ APACHE_TEST_OPENSSL_CMD=/httpd/linked/version/of/openssl/bin/openssl
t/TEST ...
when running the httpd perl test framework.
