Bug #11585

No check if SSL certificate and private key match

Added by Florian Beier almost 5 years ago. Updated almost 3 years ago.

Status: Closed: Duplicate
Priority: Important
Assignee: Nikola Gigic
Category: OS
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

When I try to use WebDAV with HTTPS selected as protocol, apache24 simply fails to start for no obvious reason.

Sep 19 18:25:08 freenas notifier: Performing sanity check on apache24 configuration:
Sep 19 18:25:08 freenas notifier: Syntax OK
Sep 19 18:25:08 freenas notifier: Starting apache24.
Sep 19 18:25:09 freenas root: /usr/local/etc/rc.d/apache24: WARNING: failed to start apache24
Sep 19 18:25:09 freenas notifier: /usr/local/etc/rc.d/apache24: WARNING: failed to start apache24

When I select HTTP+HTTPS, apache24 starts but the connection to the HTTPS port is refused.


Related issues

Has duplicate FreeNAS - Bug #24212: Allow import of encrypted CA key (Resolved, 2017-05-28)

History

#1 Updated by Florian Beier almost 5 years ago

I forgot to mention that it did work before once when I first added an SSL Certificate and chose that one to be used by WebDAV. After that I deleted the old certificate and imported a new one but now it doesn't work anymore. I thought that it might have been because I used the same name for the new certificate but that isn't the case. I deleted the certificate and chose a different name for it but apache24 still fails to start.

#2 Updated by Florian Beier almost 5 years ago

  • Seen in changed from 9.3.1-STABLE-201509160044 to 9.3.1-STABLE-201509220011

Still the same in FreeNAS-9.3-STABLE-201509220011.

#3 Updated by Florian Beier almost 5 years ago

  • Subject changed from WebDAV SSL not working to No check if SSL certificate and private key match
  • Category changed from 131 to 81
  • Assignee deleted (Suraj Ravichandran)

I found the issue: The private key wasn't the right one for the provided certificate. But why could I import a certificate with the wrong private key in the first place? I think there should be a test while importing which checks if certificate and private key match. So this isn't really a WebDAV problem but rather an issue with the import of certificates.

#4 Updated by Florian Beier almost 5 years ago

  • Assignee set to Suraj Ravichandran

#5 Updated by Suraj Ravichandran almost 5 years ago

  • Status changed from Unscreened to Screened

#6 Updated by Suraj Ravichandran over 4 years ago

  • Priority changed from No priority to Nice to have
  • Target version set to Unspecified

I have recently added certificate chaining in Certificate Management which does complicate this check a bit.

I shall check if this is still possible or not and report back by around mid next week.

#7 Updated by Suraj Ravichandran over 4 years ago

  • Status changed from Screened to Unscreened
  • Assignee changed from Suraj Ravichandran to Anonymous

Jatinder is already working on a certificate forms validation function and any code that would possibly be needed to solve this issue would probably just go there.

So handing this over to him.

@Jatinder, I will get you some cert verification examples in some time. I will paste them on this ticket in order to get you started.

#8 Updated by Anonymous over 4 years ago

  • Status changed from Unscreened to Screened

#9 Updated by Anonymous over 4 years ago

@Suraj Ravichandran, could you please send me the cert verification examples so that I can start working on the same?

#10 Updated by Suraj Ravichandran over 4 years ago

Ah sorry I forgot, here are some links:

https://www.v13.gr/blog/?p=325 (for RSA keys)

For non-RSA public and private key pairs I presume you have to resort to some sort of user public key to encrypt test message and employ provided private key to decode said encrypted message and see if results match.
I say this as I do not think I have yet come across a proper DSA key pair validation feature in the library.

You could also use the test message encryption decryption for types and no need to only rely on the RSA method for one and the above for the rest.

If you find any other useful or more efficient way please use that.

Lastly, remember to take into consideration that the certificates can be entered in chains so be careful to validate only the actual end certs and not the entire chain when checking across for the public private key pair match.

Please let me know if you have any other questions.
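The check requested in this ticket, as an added example that is not FreeNAS code or part of any comment here: it compares the public key of the first (end-entity) certificate in a PEM file with the public key derived from the private key, which covers RSA, DSA and EC without the test-message round trip suggested above. The function names, file names and the generated sample material are assumptions, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: does a private key belong to the end-entity certificate?
# Exit status: 0 = match, 1 = mismatch, 2 = certificate or key unreadable.
cert_key_match() {
    cert_file=$1
    key_file=$2
    # "openssl x509" reads only the first certificate in a PEM file, so with a
    # leaf-first bundle the intermediates and root are never compared.
    cert_pub=$(openssl x509 -in "$cert_file" -noout -pubkey 2>/dev/null) || return 2
    # "openssl pkey" derives the public half for RSA, DSA and EC keys alike.
    # "-passin pass:" makes an encrypted key fail here instead of prompting.
    key_pub=$(openssl pkey -in "$key_file" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample data: an RSA leaf, an EC certificate standing in for the
# issuing CA (it does not sign the leaf; only file order matters here), and a
# leaf-first bundle of the two.
make_demo_material() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=leaf.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.crt" 2>/dev/null || return 1
    openssl ecparam -name prime256v1 -genkey -noout \
        -out "$dir/ca.key" 2>/dev/null || return 1
    openssl req -x509 -new -key "$dir/ca.key" -days 1 -subj "/CN=ca.example" \
        -out "$dir/ca.crt" 2>/dev/null || return 1
    cat "$dir/leaf.crt" "$dir/ca.crt" > "$dir/chain.pem"
}

demo_dir=$(mktemp -d)
make_demo_material "$demo_dir"
cert_key_match "$demo_dir/chain.pem" "$demo_dir/leaf.key" \
    && echo "chain.pem + leaf.key: match, import can proceed"
cert_key_match "$demo_dir/chain.pem" "$demo_dir/ca.key" \
    || echo "chain.pem + ca.key: rejected (status $?)"
rm -rf "$demo_dir"
```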

#11 Updated by Kris Moore about 4 years ago

  • Status changed from Screened to Closed: Not To Be Fixed
  • Target version changed from Unspecified to 49

Timing out

#12 Updated by Suraj Ravichandran about 4 years ago

  • Status changed from Closed: Not To Be Fixed to Unscreened
  • Assignee changed from Anonymous to Anonymous
  • Seen in changed from 9.3.1-STABLE-201509220011 to 9.10-RELEASE

Hey Kris, instead of timing it out let's give it to @neha from calsoft (she is from a different team within calsoft itself).

Please change it if you disagree.

#13 Updated by Kris Moore about 4 years ago

Works for me! Thanks for suggesting it Suraj.

#14 Updated by Vaibhav Chauhan about 4 years ago

  • Status changed from Unscreened to Fix In Progress
  • Target version changed from 49 to 9.10.1-U1

#15 Updated by Kris Moore almost 4 years ago

  • Target version changed from 9.10.1-U1 to 9.10.1-U2

#16 Updated by Kris Moore almost 4 years ago

  • Target version changed from 9.10.1-U2 to 9.10.1-U3

#17 Updated by Kris Moore almost 4 years ago

  • Assignee changed from Anonymous to Suraj Ravichandran

#18 Updated by Kris Moore almost 4 years ago

  • Target version changed from 9.10.1-U3 to 9.10.2

#19 Updated by Kris Moore almost 4 years ago

  • Target version changed from 9.10.2 to 9.10.2-U1

#20 Updated by Kris Moore over 3 years ago

  • Status changed from Fix In Progress to Unscreened
  • Target version changed from 9.10.2-U1 to 9.10.2-U2

#21 Updated by Suraj Ravichandran over 3 years ago

  • Status changed from Unscreened to Screened

#22 Updated by Kris Moore over 3 years ago

  • Priority changed from Nice to have to Important
  • Target version changed from 9.10.2-U2 to 9.10.3

#23 Updated by Kris Moore over 3 years ago

  • Target version changed from 9.10.3 to 9.10.4

#24 Updated by Kris Moore over 3 years ago

  • Target version changed from 9.10.4 to 11.1

#25 Updated by Dru Lavigne about 3 years ago

  • Assignee changed from Suraj Ravichandran to William Grzybowski

William: please load balance between Vladimir and Nikola.

#26 Updated by William Grzybowski about 3 years ago

  • Status changed from Screened to Unscreened
  • Assignee changed from William Grzybowski to Nikola Gigic

#27 Updated by Nikola Gigic about 3 years ago

  • Status changed from Unscreened to Screened

#28 Updated by Nikola Gigic almost 3 years ago

  • Status changed from Screened to Closed: Duplicate
  • Target version changed from 11.1 to N/A

#29 Updated by Dru Lavigne almost 3 years ago

  • Has duplicate Bug #24212: Allow import of encrypted CA key added
