Hi, I'm experiencing the following problem with Tomcat 5.5.25 with the tcnative lib running on Sun JDK 1.5.0_12 on Debian.
In case the private key is not secured by a passphrase, the HTTPS connection via the APR connector in conjunction with the OpenSSL-generated self-signed certificate and key combination works without any problems. I used Google, the searchable user mailing list archives, and the Tomcat FAQ and documentation, but couldn't find a solution for the problem described below.

When the private key is secured by a passphrase, however, the following happens:

==========================================================================
[EMAIL PROTECTED]:/usr/local/java/apache-tomcat-5.5.25/bin$ ./startup.sh
Using CATALINA_BASE:   /usr/local/java/apache-tomcat-5.5.25
Using CATALINA_HOME:   /usr/local/java/apache-tomcat-5.5.25
Using CATALINA_TMPDIR: /usr/local/java/apache-tomcat-5.5.25/temp
Using JRE_HOME:        /opt/java/jdk1.5.0_12
[EMAIL PROTECTED]:/usr/local/java/apache-tomcat-5.5.25/bin$ Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Enter password : <password-appears-in-clear-text-while-being-typed>
-bash: <password-appears-in-clear-text>: command not found
===========================================================================

In the Tomcat logs I see the following exception appear:

============================================================================
FATAL: Error initializing endpoint
java.lang.Exception: Unable to load certificate key /usr/local/java/apache-tomcat-5.5.25/conf/vmware.empic.er.heitec.net.key (error:0906A068:PEM routines:PEM_do_header:bad password read)
        at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
        at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:653)
        at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:116)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
11.03.2008 15:55:16 org.apache.catalina.startup.Catalina load
FATAL: Catalina.start
LifecycleException:  Protocol handler initialization failed: java.lang.Exception: Unable to load certificate key /usr/local/java/apache-tomcat-5.5.25/conf/vmware.empic.er.heitec.net.key (error:0906A068:PEM routines:PEM_do_header:bad password read)
============================================================================

Within server.xml, the connector is configured like this:

=============================================================================
<Connector port="8443" address="10.64.80.115"
           protocol="HTTP/1.1" SSLEnabled="true"
           minSpareThreads="5" maxSpareThreads="75"
           clientAuth="false" enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" maxThreads="250"
           scheme="https" secure="true"
           SSLEngine="on"
           SSLProtocol="all -SSLv2"
           SSLCipherSuite="HIGH"
           SSLCertificateFile="${catalina.base}/conf/vmware.empic.er.heitec.net.crt"
           SSLCertificateKeyFile="${catalina.base}/conf/vmware.empic.er.heitec.net.key" />
================================================================================

To me it *seems* that the newline that's needed in order to execute startup.sh is read as the first character of the passphrase. (That's probably the reason why the cursor does not appear after the "Enter password:" prompt, but on the next line.) Furthermore, the actual passphrase that's typed appears in clear text, thus giving me the impression it's not considered a passphrase since the actual passphrase has already been read implicitly.

(I know that a workaround would be to specify the SSLPassword attribute for the connector, but I don't want to do that because of security concerns.)

Is there any other way to pass a passphrase into Tomcat? Will the following two attributes work (taken from Apache2 mod_ssl) in order to get a more reasonable passphrase dialog?

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512

Thanks in advance for any info!

Kind regards,
Holger
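The post above hinges on two facts an operator wants to know before running startup.sh: whether the PEM key named in SSLCertificateKeyFile is passphrase-protected (tcnative will then prompt on the console, as shown in the session), and whether an SSLPassword attribute is sitting in server.xml in clear text. The following pre-start audit, an added example that is not part of the original post and not Tomcat project code, parses a server.xml, resolves `${catalina.base}`, and inspects each SSLEnabled connector's key for the OpenSSL encryption markers (`Proc-Type: 4,ENCRYPTED` plus `DEK-Info` for traditional PEM, or a `BEGIN ENCRYPTED PRIVATE KEY` block for PKCS#8). The server.xml, the catalina.base path `/usr/local/tomcat`, the port numbers and the PEM blobs are all constructed for the demo; the key bodies are dummy base64, not real keys.

```python
"""Pre-start audit for Tomcat APR/tcnative HTTPS connectors (added example).

For every SSLEnabled <Connector> in server.xml, report whether its PEM key
is passphrase protected (tcnative will prompt on the console) and whether
SSLPassword is stored in clear text in the config. Sample data below is
constructed for the demo; the PEM bodies are dummy base64, not real keys.
"""
import re
import xml.etree.ElementTree as ET

# Traditional OpenSSL PEM encryption is signalled by these two headers.
_PROC_TYPE_ENCRYPTED = re.compile(r"^Proc-Type:\s*4,\s*ENCRYPTED\s*$", re.M)
_DEK_INFO = re.compile(r"^DEK-Info:\s*(\S+)", re.M)
# PKCS#8 encrypted keys use a distinct BEGIN line instead of headers.
_PKCS8_ENCRYPTED = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
_KEY_BEGIN = re.compile(r"^-----BEGIN (.*PRIVATE KEY)-----$", re.M)


def pem_key_is_encrypted(pem_text: str) -> bool:
    """True when loading this PEM private key requires a passphrase."""
    if _PKCS8_ENCRYPTED in pem_text:
        return True
    return bool(_PROC_TYPE_ENCRYPTED.search(pem_text) and _DEK_INFO.search(pem_text))


def describe_pem_key(pem_text: str) -> dict:
    """Summarise a PEM key: block type, encryption flag and DEK-Info cipher."""
    m = _KEY_BEGIN.search(pem_text)
    if m is None:
        raise ValueError("no PRIVATE KEY block found")
    dek = _DEK_INFO.search(pem_text)
    return {"type": m.group(1),
            "encrypted": pem_key_is_encrypted(pem_text),
            "cipher": dek.group(1) if dek else None}


def audit_connectors(server_xml: str, catalina_base: str, read_file) -> list:
    """Return one finding dict per SSLEnabled connector in server_xml.

    read_file(path) -> str is injected so the audit can run against in-memory
    samples here and against the real filesystem in production.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        key_path = conn.get("SSLCertificateKeyFile", "").replace(
            "${catalina.base}", catalina_base)
        finding = {"port": conn.get("port"), "key_file": key_path,
                   "password_in_config": conn.get("SSLPassword") is not None,
                   "key_encrypted": None, "will_prompt_on_console": False}
        try:
            info = describe_pem_key(read_file(key_path))
            finding["key_encrypted"] = info["encrypted"]
            # tcnative asks on the console only for an encrypted key with no
            # SSLPassword attribute supplying the passphrase.
            finding["will_prompt_on_console"] = (
                info["encrypted"] and not finding["password_in_config"])
        except (OSError, ValueError) as exc:
            finding["error"] = str(exc)
        findings.append(finding)
    return findings


# --- constructed sample data (hypothetical paths; dummy key bodies) ---
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" SSLEngine="on"
             SSLCertificateFile="${catalina.base}/conf/example.crt"
             SSLCertificateKeyFile="${catalina.base}/conf/example.key"/>
  <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" SSLEngine="on"
             SSLPassword="demo-passphrase"
             SSLCertificateFile="${catalina.base}/conf/plain.crt"
             SSLCertificateKeyFile="${catalina.base}/conf/plain.key"/>
</Service></Server>"""

ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""
PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_FILES = {"/usr/local/tomcat/conf/example.key": ENCRYPTED_KEY,
                "/usr/local/tomcat/conf/plain.key": PLAIN_KEY}


def _read_sample(path: str) -> str:
    """In-memory stand-in for open(path).read(); missing file -> OSError."""
    try:
        return SAMPLE_FILES[path]
    except KeyError:
        raise FileNotFoundError(path)


def run_demo() -> list:
    """Audit the constructed server.xml against the in-memory key files."""
    return audit_connectors(SAMPLE_SERVER_XML, "/usr/local/tomcat", _read_sample)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Against a real installation, pass `lambda p: open(p).read()` as the reader and the real CATALINA_BASE; a connector whose finding shows `will_prompt_on_console` set is the one that will stop startup.sh at the tcnative passphrase prompt, and one with `password_in_config` set has its passphrase readable by anyone who can read server.xml.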