SSLPassPhraseDialog issue

Hi Everyone,

From what I can tell, Apache 2.4.x supports using both an ECC and an RSA key for SSL communications. I've configured my vhost:

<code>
Listen                              0.0.0.0:10943
<VirtualHost _default_:10943>
    SSLEngine                       on

    SSLCertificateFile              ssl.d/chain/full-ecc.crt
    SSLCertificateKeyFile           ssl.d/keys/esolutions.caspersbox.com-ecc.key

    SSLCertificateFile              ssl.d/chain/full-rsa.crt
    SSLCertificateKeyFile           ssl.d/keys/esolutions.caspersbox.com-rsa.key

    RewriteEngine                   on
    RewriteOptions                  Inherit

    Include                         conf.d/esolutions/security.conf
    Include                         conf.d/esolutions/redirects.conf

    LogLevel                        info
    ErrorLog                        "logs/esolutions/error-secure.log"
    CustomLog                       "logs/esolutions/access-secure.log" vhost_combined
</VirtualHost>
</code>

I have the following setup in mod_ssl.conf:

<code>
<snip>
LoadModule                          ssl_module modules/mod_ssl.so
LoadModule                          socache_shmcb_module modules/mod_socache_shmcb.so

<IfModule ssl_module>
    SSLPassPhraseDialog             exec:/home/websrv/bin/passphrase
</snip>
</code>

I'm getting the following message:

[Mon Apr 24 17:36:14.242037 2023] [ssl:info] [pid 2930:tid 139830742484864] AH01914: Configuring server esolutions.caspersbox.com:10943 for SSL protocol
[Mon Apr 24 17:36:14.245939 2023] [ssl:info] [pid 2930:tid 139830742484864] AH02576: Attempting to load encrypted (?) private key esolutions.caspersbox.com:10943:0
[Mon Apr 24 17:36:14.245985 2023] [ssl:info] [pid 2930:tid 139830742484864] AH01968: Init: Requesting pass phrase via builtin terminal dialog
[Mon Apr 24 17:36:14.246249 2023] [ssl:error] [pid 2930:tid 139830742484864] AH02578: Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
[Mon Apr 24 17:36:14.246280 2023] [ssl:error] [pid 2930:tid 139830742484864] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Mon Apr 24 17:36:14.246304 2023] [ssl:error] [pid 2930:tid 139830742484864] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[Mon Apr 24 17:36:14.246401 2023] [ssl:error] [pid 2930:tid 139830742484864] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Mon Apr 24 17:36:14.246440 2023] [ssl:error] [pid 2930:tid 139830742484864] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSAPrivateKey)
[Mon Apr 24 17:36:14.246464 2023] [ssl:error] [pid 2930:tid 139830742484864] SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
[Mon Apr 24 17:36:14.246484 2023] [ssl:error] [pid 2930:tid 139830742484864] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Mon Apr 24 17:36:14.246507 2023] [ssl:error] [pid 2930:tid 139830742484864] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Mon Apr 24 17:36:14.246549 2023] [ssl:emerg] [pid 2930:tid 139830742484864] AH02564: Failed to configure encrypted (?) private key esolutions.caspersbox.com:10943:0, check /opt/Apache/httpd/current/ssl.d/keys/esolutions.caspersbox.com-ecc.key

It looks like it isn't getting a handle on the private key. I created my chain file:

cat leaf.crt inter.crt root.crt > chain.pem

I did this for both the ECC and RSA certificates. The keyfiles and related certificates are readable by the webserver user, and the SSLPassPhraseDialog command works as a standalone resource. Not sure what I'm doing wrong...
________________________________________________

Kevin Huntly
Email: kmhuntly@xxxxxxxxx
Cell: 716/424-3311
________________________________________________

-----BEGIN GEEK CODE BLOCK-----
Version: 1.0
GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
PGP++(+++) t+ 5-- X-- R+ tv+ b++  DI++ D++
G++ e(+) h--- r+++ y+++*
------END GEEK CODE BLOCK------
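The log lines in the post show OpenSSL trying the RSAPrivateKey and then the PKCS8_PRIV_KEY_INFO decoder and failing both with "asn1_check_tlen:wrong tag", which is what it reports when the DER inside a PEM block does not have the shape its label promises; the "(?)" in AH02576 is mod_ssl saying it could not load the key in the clear and is only guessing that it is encrypted. A quick way to see what a key file really holds, independent of the server, is to read each PEM label and the first few ASN.1 tags of its contents. The checker below is an added example for this thread, not code from the post, from Apache or from OpenSSL, and uses only the Python standard library. It recognises PKCS#1 RSA, SEC1 EC, PKCS#8 (clear and encrypted), legacy Proc-Type encrypted PEM, a leading EC PARAMETERS block and certificates, and flags label/structure mismatches and files with no private key at all. The sample files at the bottom are constructed blobs with the right outer shape and zeroed key material, not real keys or certificates; the file name pemsniff.py in the usage comment is an assumption.

```python
# Added example: classify what a PEM key file actually contains (stdlib only, no OpenSSL).
import base64, sys

SEQUENCE, INTEGER, OCTET_STRING, OID, CTX0 = 0x30, 0x02, 0x04, 0x06, 0xA0
EXPECTED = {  # the ASN.1 structure each RFC 7468 label is supposed to carry
    "RSA PRIVATE KEY": "RSAPrivateKey (PKCS#1)",
    "EC PRIVATE KEY": "ECPrivateKey (SEC1)",
    "PRIVATE KEY": "PrivateKeyInfo (PKCS#8, unencrypted)",
    "ENCRYPTED PRIVATE KEY": "EncryptedPrivateKeyInfo (PKCS#8, encrypted)",
    "CERTIFICATE": "X.509 Certificate",
    "EC PARAMETERS": "EC parameters (OID)",
}

def der_tlv(buf, off=0):  # one DER tag-length-value at off -> (tag, value, next_offset)
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + length], off + length

def classify_der(der):  # name the structure from its first tags, as OpenSSL's d2i_* would see it
    try:
        tag, body, _ = der_tlv(der)
        if tag == OID:
            return EXPECTED["EC PARAMETERS"]
        if tag != SEQUENCE:
            return f"not a SEQUENCE (outer tag 0x{tag:02x})"
        t1, v1, nxt = der_tlv(body)
        if t1 == SEQUENCE:
            t2 = der_tlv(v1)[0]
            if t2 == CTX0:  # tbsCertificate opens with [0] EXPLICIT version
                return EXPECTED["CERTIFICATE"]
            if t2 == OID and der_tlv(body, nxt)[0] == OCTET_STRING:  # AlgorithmIdentifier, then ciphertext
                return EXPECTED["ENCRYPTED PRIVATE KEY"]
        elif t1 == INTEGER:  # a version INTEGER opens PKCS#1, PKCS#8 and SEC1 keys
            version, t2 = int.from_bytes(v1, "big"), der_tlv(body, nxt)[0]
            kind = {(0, SEQUENCE): "PRIVATE KEY", (0, INTEGER): "RSA PRIVATE KEY",
                    (1, OCTET_STRING): "EC PRIVATE KEY"}.get((version, t2))
            if kind:
                return EXPECTED[kind]
        return "unrecognised ASN.1 SEQUENCE"
    except (IndexError, ValueError):
        return "undecodable DER"

def pem_blocks(data):  # yield (label, headers, der) per block; legacy Proc-Type/DEK-Info headers kept
    text = data.decode("ascii", "replace") if isinstance(data, bytes) else data
    label, headers, b64 = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            label, headers, b64 = line[len("-----BEGIN "):-5], [], []
        elif label is not None and line.startswith("-----END "):
            yield label, headers, base64.b64decode("".join(b64))
            label = None
        elif label is not None:
            (headers if ":" in line else b64).append(line)

def diagnose(data):  # report each block, the first private key found, and label/structure mismatches
    report = {"blocks": [], "private_key": None, "encrypted": False, "problems": []}
    for label, headers, der in pem_blocks(data):
        if any(h.upper().startswith("PROC-TYPE: 4,ENCRYPTED") for h in headers):
            structure, encrypted = "legacy PEM-encrypted " + label, True  # DER is ciphertext here
            ok = label.endswith("PRIVATE KEY")
        else:
            structure = classify_der(der)
            encrypted = structure == EXPECTED["ENCRYPTED PRIVATE KEY"]
            ok = EXPECTED.get(label, structure) == structure  # labels we do not know are not judged
        report["blocks"].append((label, structure, ok))
        if not ok:
            report["problems"].append(f"label '{label}' but contents look like {structure}")
        if label.endswith("PRIVATE KEY") and report["private_key"] is None:
            report["private_key"], report["encrypted"] = structure, encrypted
    if report["private_key"] is None:
        report["problems"].append("no PRIVATE KEY block found")
    return report

def _tlv(tag, body):  # minimal DER encoder, only for the constructed samples below
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def pem_wrap(label, der):  # PEM-encode with 64-column base64 lines
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"

P256_OID = bytes.fromhex("2A8648CE3D030107")     # 1.2.840.10045.3.1.7 (prime256v1)
PBES2_OID = bytes.fromhex("2A864886F70D01050D")  # 1.2.840.113549.1.5.13 (PBES2)
# Constructed sample blobs: correct outer shape, zeros where real key material would be.
SEC1_EC_KEY = _tlv(SEQUENCE, _tlv(INTEGER, b"\x01") + _tlv(OCTET_STRING, bytes(32)) + _tlv(CTX0, _tlv(OID, P256_OID)))
ENC_PKCS8 = _tlv(SEQUENCE, _tlv(SEQUENCE, _tlv(OID, PBES2_OID) + _tlv(SEQUENCE, b"")) + _tlv(OCTET_STRING, bytes(48)))
CERT = _tlv(SEQUENCE, _tlv(SEQUENCE, _tlv(CTX0, _tlv(INTEGER, b"\x02")) + _tlv(INTEGER, b"\x01")))
SAMPLES = {  # constructed PEM files exercising the healthy case and two classic mistakes
    "good_ecc": pem_wrap("EC PARAMETERS", _tlv(OID, P256_OID)) + pem_wrap("EC PRIVATE KEY", SEC1_EC_KEY),
    "mislabelled": pem_wrap("PRIVATE KEY", ENC_PKCS8),  # encrypted PKCS#8 under the unencrypted label
    "cert_in_key_slot": pem_wrap("CERTIFICATE", CERT),  # a certificate where a key should be
}

if __name__ == "__main__":  # usage: python3 pemsniff.py ssl.d/keys/*.key   (no arguments: check the samples)
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or list(SAMPLES.items())
    for name, data in targets:
        print(name, diagnose(data)["problems"] or "OK", "encrypted" if diagnose(data)["encrypted"] else "")
```

Run it against the two SSLCertificateKeyFile paths from the vhost; a clean file reports no problems and, for a key that really is encrypted, `encrypted`. The OpenSSL-side equivalent of the structure check is `openssl pkey -in <keyfile> -noout`, and `openssl x509 -in <cert> -noout -pubkey` compared with `openssl pkey -in <keyfile> -pubout` confirms that the key matches the leaf certificate in the chain. One further thing worth checking from the log above: it reports the builtin terminal dialog even though `exec:` is configured, so confirm that the `SSLPassPhraseDialog` directive in mod_ssl.conf is actually in the parsed configuration for that server (with mod_info loaded, `httpd -t -D DUMP_CONFIG` prints what httpd parsed).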
