No check if SSL certificate and private key match
When I try to use WebDAV with HTTPS selected as the protocol, apache24 simply fails to start for no obvious reason.
Sep 19 18:25:08 freenas notifier: Performing sanity check on apache24 configuration:
Sep 19 18:25:08 freenas notifier: Syntax OK
Sep 19 18:25:08 freenas notifier: Starting apache24.
Sep 19 18:25:09 freenas root: /usr/local/etc/rc.d/apache24: WARNING: failed to start apache24
Sep 19 18:25:09 freenas notifier: /usr/local/etc/rc.d/apache24: WARNING: failed to start apache24
When I select HTTP+HTTPS, apache24 starts but the connection to the HTTPS port is refused.
#1 Updated by Florian Beier almost 5 years ago
I forgot to mention that it did work once before, when I first added an SSL certificate and chose that one to be used by WebDAV. After that I deleted the old certificate and imported a new one, but now it doesn't work anymore. I thought that it might have been because I used the same name for the new certificate, but that isn't the case. I deleted the certificate and chose a different name for it, but apache24 still fails to start.
#3 Updated by Florian Beier almost 5 years ago
- Subject changed from WebDAV SSL not working to No check if SSL certificate and private key match
- Category changed from 131 to 81
- Assignee deleted (
I found the issue: The private key wasn't the right one for the provided certificate. But why could I import a certificate with the wrong private key in the first place? I think there should be a test while importing which checks if certificate and private key match. So this isn't really a WebDAV problem but rather an issue with the import of certificates.
#6 Updated by Suraj Ravichandran over 4 years ago
- Priority changed from No priority to Nice to have
- Target version set to Unspecified
I have recently added certificate chaining in Certificate Management which does complicate this check a bit.
I shall check if this is still possible or not and report back by around mid next week.
#7 Updated by Suraj Ravichandran over 4 years ago
- Status changed from Screened to Unscreened
- Assignee changed from Suraj Ravichandran to Anonymous
Jatinder is already working on a certificate forms validation function and any code that would possibly be needed to solve this issue would probably just go there.
So handing this over to him.
@ Jatinder I will get you some cert verification examples in some time. I will paste them on this ticket in order to get you started.
#10 Updated by Suraj Ravichandran over 4 years ago
Ah sorry I forgot, here are some links:
https://www.v13.gr/blog/?p=325 (for RSA keys)
For non-RSA public and private key pairs I presume you have to resort to some sort of test: use the public key to encrypt a test message, employ the provided private key to decode said encrypted message and see if the results match.
I say this as I do not think I have yet come across a proper DSA key pair validation feature in the library.
You could also use the test message encryption/decryption for all types, with no need to rely only on the RSA method for one and the above for the rest.
If you find any other useful or more efficient way please use that.
Lastly, remember to take into consideration that the certificates can be entered in chains, so be careful to validate only the actual end certs and not the entire chain when checking for the public/private key pair match.
Please let me know if you have any other questions.
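An added example (not from this ticket or the FreeNAS code base) of the import-time check asked for in #3 and the chain caveat raised in #10: the public key embedded in the certificate is compared with the public key derived from the private key using the openssl command-line tool, which covers RSA and EC keys with the same code. The file names and the self-signed test material are constructed for the demo.

```shell
#!/bin/sh
# Verify that a PEM certificate and a PEM private key belong together.
# Requires the openssl command-line tool.
set -eu

# Returns 0 if the key matches the certificate, 1 if it does not, 2 if either
# file cannot be parsed. For a chain file only the FIRST certificate (the
# end-entity cert) is compared: 'openssl x509' ignores the CA certs after it.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed throw-away fixtures (self-signed, not from any real system).
make_fixtures() {
    dir=$(mktemp -d)
    # Matching RSA key and self-signed certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rsa.example.test" \
        -keyout "$dir/rsa.key" -out "$dir/rsa.crt" >/dev/null 2>&1
    # An unrelated RSA key that does not belong to rsa.crt.
    openssl genpkey -algorithm RSA -out "$dir/other.key" >/dev/null 2>&1
    # Matching EC key and certificate: the check is not RSA-specific.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/ec.key" >/dev/null 2>&1
    openssl req -x509 -new -key "$dir/ec.key" -days 1 -subj "/CN=ec.example.test" \
        -out "$dir/ec.crt" >/dev/null 2>&1
    # Chain file: end-entity cert first, then another cert standing in for the issuer.
    cat "$dir/rsa.crt" "$dir/ec.crt" > "$dir/chain.pem"
    echo "$dir"
}

demo() {
    d=$(make_fixtures)
    for pair in "rsa.crt rsa.key" "rsa.crt other.key" "ec.crt ec.key" \
                "chain.pem rsa.key" "chain.pem ec.key"; do
        set -- $pair
        if cert_key_match "$d/$1" "$d/$2"; then echo "MATCH    $1 <-> $2"
        else echo "MISMATCH $1 <-> $2"; fi
    done
    rm -rf "$d"
}

demo
```

The chain case shows why the caveat matters: chain.pem matches rsa.key because its first certificate is the end-entity cert, and does not match ec.key even though that key belongs to a certificate further down the same file.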
#12 Updated by Suraj Ravichandran about 4 years ago
- Status changed from Closed: Not To Be Fixed to Unscreened
- Assignee changed from Anonymous to Anonymous
- Seen in changed from 9.3.1-STABLE-201509220011 to 9.10-RELEASE
Hey Kris, instead of timing it out let's give it to @neha from Calsoft (she is from a different team within Calsoft itself).
Please change it if you disagree.