Hi Thorpe,

On 27.07.21 14:42, THORPE MAYES via naviserver-devel wrote:
This issue surfaced when I was creating a new ssl certificate. The old certificate expires at the end of the month. The old certificate continued to work after I updated naviserver (with openssl 1.1k). The new certificate did not work.
The old certificate has the Diffie-Hellman key exchange applied.
I applied the DH key exchange via openssl:

openssl dhparam 2048 >> server.pem

The version of openssl installed at the time predated 1.1k. I believe that it was 1.1.i; it may have been an earlier version.

I decided to not apply the DH Param to the new certificate. The new certificate now works.

Short answer: glad it works now.

Specifying DH Params in the .pem file should not be needed in newer versions of OpenSSL.

The DH parameters should not hurt in general either. I checked the (letsencrypt) certificate used on openacs.org. The pemfile contains DH parameters and has the following structure:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
...
-----END DH PARAMETERS-----

and everything works fine there.

Handling of DH parameters is a moving target in OpenSSL (and clones). In newer versions, OpenSSL defines SSL_CTX_set_dh_auto(), such that DH PARAMETERS are not needed anymore in the PEM file. Some of this code was backported to earlier versions of OpenSSL. When NaviServer is compiled with OpenSSL 1.1.* or newer, it uses this function. So, I am not completely sure what the problem is you had, but version-wise, DH PARAMETERS should not be necessary in your setup.

I've also updated the log message of the server when certificate loading fails, ... since these messages were also confusing for me.

all the best

-g
_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
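As an added check (example code, not NaviServer's own and not from this thread): a small Python parser that lists the PEM blocks of a combined server.pem in the order they appear and flags the structural faults that typically make certificate loading fail, such as a mismatched END label, an unterminated block, or a missing private key. The sample bundle below is constructed with placeholder bodies and follows the layout described in the message above.

```python
import re
from collections import Counter

# Constructed sample bundle: key, chain, DH parameters. Bodies are placeholders,
# not real key material.
SAMPLE_PEM = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqPLACEHOLDER
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAPLACEHOLDER
-----END DH PARAMETERS-----
"""

# One PEM block: BEGIN label, base64 body, END label (labels captured separately
# so a mismatch can be reported instead of silently accepted).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END ([A-Z0-9 ]+)-----", re.S)

# Labels OpenSSL accepts for the server's private key (PKCS#8 and legacy forms).
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem_blocks(text):
    """Return the ordered list of (label, body) blocks; raise on a malformed block."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        blocks.append((begin, body.strip()))
    # Every BEGIN marker must have produced a block, otherwise one is unterminated.
    if text.count("-----BEGIN ") != len(blocks):
        raise ValueError("unterminated PEM block in bundle")
    return blocks


def check_bundle(text):
    """Summarize what a server PEM bundle contains and list structural problems."""
    labels = [label for label, _ in parse_pem_blocks(text)]
    counts = Counter(labels)
    keys = sum(n for label, n in counts.items() if label in PRIVATE_KEY_LABELS)
    problems = []
    if keys != 1:
        problems.append(f"expected exactly one private key, found {keys}")
    if counts["CERTIFICATE"] == 0:
        problems.append("no CERTIFICATE block in bundle")
    return {"order": labels, "certificates": counts["CERTIFICATE"],
            "has_dh_params": counts["DH PARAMETERS"] > 0, "problems": problems}
```

DH PARAMETERS are reported but never counted as a problem, since with OpenSSL 1.1.* and SSL_CTX_set_dh_auto() they are optional; the bundle is accepted with or without them.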