Before openssl 3.0 the command `openssl genrsa` used to generate private keys in PKCS#1 format; since openssl >= 3.0 it generates them in PKCS#8 format by default (passing -traditional on the command line restores the old behaviour).
This is not an issue as long as httpd and TestSSLCA.pm use the same openssl version (either < 3 or >= 3), but if e.g. httpd is compiled/linked/-rpath'ed against an openssl < 3 and TestSSLCA.pm uses the system's openssl >= 3, then mod_proxy won't be able to load the PKCS#8 keys. This comes from PEM_X509_INFO_read_bio(), which ignores them with openssl < 3, while (AIUI) it is the easiest/recommended way to load certificates and keys using the openssl API (without yet more churn in mod_ssl compat code, probably not worth it).

It seems easier for httpd to document/require running with openssl >= 3, or for ProxyMachineCertificateFile to take PKCS#1 keys only, hence possibly make TestSSLCA.pm always generate "traditional" PKCS#1 keys too (which can be read by all openssl versions, so far :p).

This patch adds -traditional to the `openssl genrsa` calls when TestSSLCA.pm is running with openssl >= 3. Maybe it should be configurable, but I'm afraid it's above my perl/Apache-Test foo...

Index: Apache-Test/lib/Apache/TestSSLCA.pm =================================================================== --- Apache-Test/lib/Apache/TestSSLCA.pm (revision 1913056) +++ Apache-Test/lib/Apache/TestSSLCA.pm (working copy) @@ -332,6 +332,13 @@ sub new_ca { export_cert('ca'); #useful for importing into IE } +#RSA keys are always generated in "traditional" PKCS#1 format +my $genrsa_traditional = ""; +if (Apache::Test::normalize_vstring($version) >= + Apache::Test::normalize_vstring("3.0.0")) { + $genrsa_traditional = "-traditional"; +} + sub new_key { my $name = shift; @@ -348,7 +355,7 @@ sub new_key { openssl gendsa => "$out dsa-param"; } else { - openssl genrsa => "$out 2048"; + openssl genrsa => "$genrsa_traditional $out 2048"; } }

-- Regards; Yann.
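Review bot: the file-scope `if` block in the first hunk (`@@ -332,6 +332,13 @@`) relies on `$version` already being assigned when TestSSLCA.pm is compiled; nothing in the hunk shows where it is set, so if it is only populated later (for instance inside a sub) the comparison runs against undef, `$genrsa_traditional` stays empty and the keys silently come out as PKCS#8 on openssl >= 3 again, which is exactly the failure the patch is meant to fix. Computing the flag inside `new_key`, or guarding with `defined $version`, would make the behaviour independent of load order. The comment `#RSA keys are always generated in "traditional" PKCS#1 format` would also read better if it said why the flag is only added on 3.x: older releases emit PKCS#1 by default and have no `-traditional` option to pass.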
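Review bot: in the second hunk (`@@ -348,7 +355,7 @@`), when `$genrsa_traditional` is empty the argument string becomes `" $out 2048"` with a leading space, which the shell tolerates but which shows up as a doubled space in any logged command line; joining only the non-empty parts (e.g. `join ' ', grep { length } $genrsa_traditional, $out, 2048`) keeps the output tidy. Placing `-traditional` before `$out` is the right ordering, since the option has to precede the positional key size.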
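A quick way to check what format a generated key file actually ended up in, as an added example that is not part of the message above or of Apache-Test: it classifies a PEM private key as PKCS#1 (readable by every openssl) or PKCS#8 (ignored by PEM_X509_INFO_read_bio() on openssl < 3) by looking at both the armor label and the DER layout. The sample PEM blocks are constructed hand-built DER, not real key material.

```python
import base64
import re

# Constructed sample keys (not real key material): minimal hand-built DER with
# the outer shape openssl writes, so the structural check runs offline.
def der(tag: int, body: bytes) -> bytes:
    assert len(body) < 128          # short-form length is enough for the samples
    return bytes([tag, len(body)]) + body

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption 1.2.840.113549.1.1.1

# PKCS#1 RSAPrivateKey: SEQUENCE { INTEGER version, INTEGER n, INTEGER e, ... }
PKCS1_DER = der(0x30, der(0x02, b"\x00") + der(0x02, b"\x00\xc1\x23") + der(0x02, b"\x01\x00\x01"))
# PKCS#8 PrivateKeyInfo: SEQUENCE { INTEGER version, SEQUENCE AlgorithmIdentifier, OCTET STRING key }
PKCS8_DER = der(0x30, der(0x02, b"\x00") + der(0x30, RSA_OID + b"\x05\x00") + der(0x04, PKCS1_DER))

def pem_armor(label: str, body: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.encodebytes(body).decode()}-----END {label}-----\n"

SAMPLE_PKCS1 = pem_armor("RSA PRIVATE KEY", PKCS1_DER)  # openssl < 3 default, or `genrsa -traditional`
SAMPLE_PKCS8 = pem_armor("PRIVATE KEY", PKCS8_DER)      # openssl >= 3 `genrsa` default

def tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def key_format(pem: str) -> str:
    """Classify a PEM private key as 'pkcs1', 'pkcs8', 'pkcs8-encrypted' or 'unknown'."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        return "unknown"
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    blob = base64.b64decode("".join(body.split()))
    outer, start, _ = tlv(blob, 0)
    if outer != 0x30:
        return "unknown"
    t_version, _, after_version = tlv(blob, start)       # INTEGER version comes first in both formats
    t_second, _, _ = tlv(blob, after_version)
    if label == "RSA PRIVATE KEY" and t_version == 0x02 and t_second == 0x02:
        return "pkcs1"      # second element is the INTEGER modulus n
    if label == "PRIVATE KEY" and t_version == 0x02 and t_second == 0x30:
        return "pkcs8"      # second element is the AlgorithmIdentifier SEQUENCE
    return "unknown"        # label and body disagree, e.g. a relabelled PKCS#8 blob
```

A PKCS#8 body that was merely relabelled "RSA PRIVATE KEY" is reported as unknown rather than pkcs1, since an old reader would still fail on it.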