[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-20 Thread Andreas Hasenack
The deadlock in pkcs11-provider was fixed by upstream via
https://github.com/latchset/pkcs11-provider/pull/356/

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2050017

Title:
  [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache
  httpd for openSSL 3.0 with PKCS #11 provider

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2050017/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-13 Thread Bryce Harrington
** Tags removed: server-todo


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-07 Thread Andreas Hasenack
Sure. For any package in ubuntu, the git repository is in:

https://code.launchpad.net/ubuntu/+source/<package>

So, for apache2 for example, it would be:

https://code.launchpad.net/ubuntu/+source/apache2

Then, the branches. Quick intro:

ubuntu/devel: TIP. Currently this points at 24.04 noble
ubuntu/<release>-devel: is the TIP for that release. For example,
ubuntu/jammy-devel would be TIP for 22.04 jammy. This includes packages
currently in the -proposed repositories.

applied/<branch>: same as above, but with all patches from
debian/patches/* applied to the source tree.


In the case of unreleased packages, like my apache2 PPA packages, then it's in 
my own namespace. In the https://code.launchpad.net/ubuntu/+source/apache2 
page, scroll down until "Other repositories", and there will be 
https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2, and 
you can usually locate the correct branch name in there.

So for pkcs11-provider, the repo is
https://code.launchpad.net/ubuntu/+source/pkcs11-provider

And for openssl-pkcs11-sign-provider, the repo is
https://code.launchpad.net/ubuntu/+source/openssl-pkcs11-sign-provider


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-07 Thread Andreas Hasenack
> Regarding the pkcs11-sign-provider: Did you upgrade it to the 1.0.1
> release?


Yes, I was using 1.0.1 from noble:

openssl-pkcs11-sign-provider 1.0.1-0ubuntu1

And pkcs11-provider 0.3-1.


> Note: I would NOT recommend to use 'openssl -provider <name>', but configure
> the provider in the OpenSSL config file


It's what I did. openssl list -providers works without further options, 
indicating the system-wide openssl config file is loading the module:


$ openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.10
    status: active
  pkcs11sign
    name: PKCS11 signing key provider
    version: 1.0.1
    status: active

I think apache is not even trying, or not able, to load the private key
from softhsm2. When I start it in the foreground with -X, it doesn't
prompt for the pin. And it doesn't change if I give the pin-value in the
pkcs11 URI or not. More investigation/testing is needed. This setup is
somewhat complex, involving multiple libraries from different source
packages, so it's quite possible I did something wrong.
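The PKCS#11 URIs used throughout this thread, parsed and cross-checked against the colon-hex ID that p11tool prints, as an added example (not code from the bug thread or from either provider package). The URI and the ID are the ones quoted in the thread, embedded here as sample data; the check for a PIN carried inside the URI and for RFC 7512 attribute placement is the added part.

```python
"""Parse the PKCS#11 URIs seen in this thread and cross-check them.

Added example, not from the bug thread or from pkcs11-provider /
openssl-pkcs11-sign-provider. Implements the RFC 7512 syntax subset used
by p11tool and softhsm: 'pkcs11:' followed by ';'-separated, percent-encoded
key=value path attributes, with an optional '?' query part for
pin-value / pin-source / module-path.
"""
from urllib.parse import unquote_to_bytes

# Constructed sample: the private-key URI from the thread, with the PIN that
# was appended as a path attribute (pin-value=1234).
SAMPLE_URI = (
    "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;"
    "serial=148c784165ed428b;token=test-token;"
    "id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;"
    "object=test-key;type=private;pin-value=1234"
)
# p11tool --list-privkeys prints the same CKA_ID as colon-separated hex.
P11TOOL_ID = "96:7f:20:f2:98:18:d7:15:3d:af:87:ab:ec:09:25:c5:14:51:2e:e1"

# Attributes that RFC 7512 defines as query attributes, not path attributes.
QUERY_ATTRS = {"pin-value", "pin-source", "module-path", "module-name"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


def parse_pkcs11_uri(uri: str) -> dict:
    """Return {'path': {...}, 'query': {...}} with percent-decoded values.

    'id' is returned as bytes because CKA_ID is binary; everything else as str.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    rest = uri[len("pkcs11:"):]
    path_part, _, query_part = rest.partition("?")
    parsed = {"path": {}, "query": {}}

    def decode(section: str, text: str, sep: str) -> None:
        for pair in filter(None, text.split(sep)):
            key, eq, raw = pair.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute {pair!r}")
            value = unquote_to_bytes(raw)
            parsed[section][key] = value if key == "id" else value.decode("utf-8")

    decode("path", path_part, ";")
    decode("query", query_part, "&")
    return parsed


def id_matches_p11tool(uri: str, p11tool_id: str) -> bool:
    """True if the URI's CKA_ID equals p11tool's 'aa:bb:...' rendering."""
    cka_id = parse_pkcs11_uri(uri)["path"].get("id", b"")
    return cka_id.hex(":") == p11tool_id.lower()


def uri_problems(uri: str) -> list:
    """Findings a reviewer would want before putting a URI into a config.

    - a PIN embedded in the URI ends up in argv, config files and strace
      output (the thread's newfstatat() line shows the full URI, PIN included);
    - pin/module attributes in the path part are placed contrary to RFC 7512,
      which puts them after '?', so handling is implementation-dependent.
    """
    p = parse_pkcs11_uri(uri)
    findings = []
    if "pin-value" in p["path"] or "pin-value" in p["query"]:
        findings.append("pin-value embedded in URI (secret visible in argv/config/strace)")
    for key in sorted(QUERY_ATTRS & set(p["path"])):
        findings.append(f"{key} given as a path attribute; RFC 7512 puts it after '?'")
    obj_type = p["path"].get("type")
    if obj_type is not None and obj_type not in OBJECT_TYPES:
        findings.append(f"unknown object type {obj_type!r}")
    return findings


if __name__ == "__main__":
    print("token:", parse_pkcs11_uri(SAMPLE_URI)["path"]["token"])
    print("id matches p11tool:", id_matches_p11tool(SAMPLE_URI, P11TOOL_ID))
    for finding in uri_problems(SAMPLE_URI):
        print("-", finding)
```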


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-07 Thread Frank Heimes
Just a side note,
we should have the right package versions in 24.04 as of today:
$ rmadison --suite=noble,noble-proposed openssl-pkcs11-sign-provider opencryptoki
 openssl-pkcs11-sign-provider | 1.0.1-0ubuntu1       | noble/universe          | source, amd64, arm64, armhf, ppc64el, s390x
 openssl-pkcs11-sign-provider | 1.0.1-0ubuntu2       | noble-proposed/universe | source, amd64, arm64, ppc64el, s390x
 opencryptoki                 | 3.23.0+dfsg-0ubuntu1 | noble/universe          | source, amd64, arm64, armhf, ppc64el, s390x
 opencryptoki                 | 3.23.0+dfsg-0ubuntu2 | noble-proposed/universe | source, amd64, arm64, ppc64el, s390x
(Notice that the "0ubuntu2" versions of these packages that are currently in
-proposed are not urgently needed in this case, since they are 'no-change
rebuilds' against libssl3t64, which is only relevant for arm.)

And it looks like the patched apache packages are installable on 23.10 as well
- easiest is probably:
Quickly wget them:
wget \
  https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-modssl-provider-support/+files/apache2-bin_2.4.58-1ubuntu4~ppa1_s390x.deb \
  https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-modssl-provider-support/+files/apache2-data_2.4.58-1ubuntu4~ppa1_all.deb \
  https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-modssl-provider-support/+files/apache2-dev_2.4.58-1ubuntu4~ppa1_s390x.deb \
  https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-modssl-provider-support/+files/apache2-doc_2.4.58-1ubuntu4~ppa1_all.deb \
  https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-modssl-provider-support/+files/apache2-ssl-dev_2.4.58-1ubuntu4~ppa1_s390x.deb \
  https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-modssl-provider-support/+files/apache2-suexec-custom_2.4.58-1ubuntu4~ppa1_s390x.deb \
  https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-modssl-provider-support/+files/apache2-suexec-pristine_2.4.58-1ubuntu4~ppa1_s390x.deb \
  https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-modssl-provider-support/+files/apache2-utils_2.4.58-1ubuntu4~ppa1_s390x.deb \
  https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-modssl-provider-support/+files/apache2_2.4.58-1ubuntu4~ppa1_s390x.deb \
  https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-modssl-provider-support/+files/libapache2-mod-md_2.4.58-1ubuntu4~ppa1_s390x.deb \
  https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-modssl-provider-support/+files/libapache2-mod-proxy-uwsgi_2.4.58-1ubuntu4~ppa1_s390x.deb
And install from local:
$ sudo apt install ./apache2_2.4.58-1ubuntu4~ppa1_s390x.deb \
  ./apache2-bin_2.4.58-1ubuntu4~ppa1_s390x.deb \
  ./apache2-data_2.4.58-1ubuntu4~ppa1_all.deb \
  ./apache2-utils_2.4.58-1ubuntu4~ppa1_s390x.deb \
  ./libapache2-mod-md_2.4.58-1ubuntu4~ppa1_s390x.deb ssl-cert

However, you can also quickly upgrade your 23.10 system to 24.04, which is
probably recommended in this case, to get real 24.04 test results (of course
only if your system is a test/dev system and not a production system). These are
the steps:
1) ensure you have all the latest updates installed on your 23.10 system:
   sudo apt -q -y update && sudo apt -q -y full-upgrade
   (and in case you got a new kernel, you may reboot your system)
2) then run do-release-upgrade, maybe non-interactive like this:
   sudo do-release-upgrade --quiet --devel-release --frontend=DistUpgradeViewNonInteractive
   (caution with the non-interactive cmd-line, since you will not be asked all
   safety questions anymore, like opening a fall back ssh session etc.)
3) and if everything was fine you can reboot into a 24.04 system:
   sudo reboot


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-06 Thread Andreas Hasenack
And signing the request file now also works without a segfault (still
using the pkcs11-provider, not pkcs11sign):

# openssl x509 -provider pkcs11 -signkey "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private;pin-value=1234" -in test-key.req -out test-key.crt


I'll try with apache again next, tomorrow.


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-06 Thread Andreas Hasenack
This comment[1] suggested a quirk, and after I added it, it got rid of
the segfault with the pkcs11-provider.


1. https://github.com/latchset/pkcs11-provider/issues/310#issuecomment-1821547394

** Bug watch added: github.com/latchset/pkcs11-provider/issues #310
   https://github.com/latchset/pkcs11-provider/issues/310


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-06 Thread Andreas Hasenack
It's really trying to open the pkcs11 URI as a file... :/

newfstatat(AT_FDCWD, "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private;pin-value=1234", 0x7ffca135a450, 0) = -1 ENOENT (No such file or directory)


I think something in my setup broke, because it's also failing with the pkcs11 
module which worked before(tm).

UPDATE: hm, having only one pkcs11 provider loaded at once seems better.
It kind of worked when I commented out (removed) pkcs11sign from
ssl.cnf. I still get a core dump, but the request file is generated:

# openssl req -provider pkcs11 -new -key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private;pin-value=1234" -out test-key.req -text -x509 -subj "/CN=n-hsm.lxd"
Segmentation fault (core dumped)

# l test-key.req
-rw-r--r-- 1 root root 4.3K Mar  6 20:18 test-key.req


Still, with just pkcs11sign, and no pkcs11, it still didn't work.


UPDATE2: the stat on the pkcs11 URI as a file also happens with the pkcs11 
provider, so it's probably unrelated (like an attempt: is it a file? No? Ok, is 
it something else? And so on)


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-06 Thread Andreas Hasenack
I'm having difficulties with openssl-pkcs11-sign-provider. I'm getting a
sequence of errors, a segfault, and it looks like it's trying to load
the rdrand.so *engine*, which we are not shipping (might not even exist
anymore?)

# openssl req -provider pkcs11sign -new -key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private" -out test-key.req -text -x509 -subj "/CN=n-hsm.lxd"
Could not open file or uri for loading private key from pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private
4067AC93797F:error:1669:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
4067AC93797F:error:8002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private)
4067AC93797F:error:1669:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=pkcs11
4067AC93797F:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/x86_64-linux-gnu/engines-3/rdrand.so): /usr/lib/x86_64-linux-gnu/engines-3/rdrand.so: cannot open shared object file: No such file or directory
4067AC93797F:error:12800067:DSO support routines:DSO_load:could not load the shared library:../crypto/dso/dso_lib.c:152:
4067AC93797F:error:1384:engine routines:dynamic_load:dso not found:../crypto/engine/eng_dyn.c:442:
4067AC93797F:error:1374:engine routines:ENGINE_by_id:no such engine:../crypto/engine/eng_list.c:430:id=rdrand
Segmentation fault (core dumped)


The openssl config is (abbreviated, and note I have disabled the pkcs11
provider for this test):

[openssl_init]
providers = provider_sect
alg_section = evp_properties

[evp_properties]
default_properties = ?provider=pkcs11sign

[provider_sect]
default = default_sect
#pkcs11 = pkcs11_sect
pkcs11sign = pkcs11sign_sect

[pkcs11sign_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11sign.so
identity = pkcs11sign
pkcs11sign-forward = provider=default
pkcs11sign-module-path = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
activate = 1

[pkcs11_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
#pkcs11-module-token-pin = file:/etc/apache2/pin.txt
activate = 0

[default_sect]
activate = 1


The pkcs11sign provider is recognized:

root@n-hsm:~# openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.10
    status: active
  pkcs11sign
    name: PKCS11 signing key provider
    version: 1.0.1
    status: active


softhsm has the private key:
root@n-hsm:~# p11tool --list-privkeys --login
Token 'test-token' with URL 'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token' requires user PIN
Enter PIN:
Object 0:
        URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private
        Type: Private key (RSA-2048)
        Label: test-key
        Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
        ID: 96:7f:20:f2:98:18:d7:15:3d:af:87:ab:ec:09:25:c5:14:51:2e:e1


And I'm running as root, to avoid permissions problems in 
/var/lib/softhsm2/tokens


strace confirms /var/lib/softhsm/tokens/* is being accessed by the openssl 
command.
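An added lint for provider configurations like the one posted above (example code, not from the bug thread, openssl-pkcs11-sign-provider or pkcs11-provider): it reads an openssl.cnf, reports when more than one PKCS#11-backed provider is activated at once (the combination that was later found to misbehave in this thread), and checks that default_properties and pkcs11sign-forward name providers that are actually activated. It assumes a config without .include directives so that Python's configparser can read it; the sample config is a constructed copy of the one in this thread.

```python
"""Lint the provider section of an OpenSSL 3 config before handing it to httpd.

Added example, not from the bug thread or from either provider package.
It encodes the thread's finding that only one PKCS#11 provider should be
active at a time, plus consistency checks a reviewer would otherwise do by
hand. Assumes an openssl.cnf without .include directives.
"""
import configparser
import posixpath

# Constructed sample: the abbreviated config from this thread, pkcs11 disabled.
SAMPLE_CNF = """\
[openssl_init]
providers = provider_sect
alg_section = evp_properties

[evp_properties]
default_properties = ?provider=pkcs11sign

[provider_sect]
default = default_sect
#pkcs11 = pkcs11_sect
pkcs11sign = pkcs11sign_sect

[pkcs11sign_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11sign.so
identity = pkcs11sign
pkcs11sign-forward = provider=default
pkcs11sign-module-path = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
activate = 1

[pkcs11_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
activate = 0

[default_sect]
activate = 1
"""


def load_cnf(text: str) -> configparser.ConfigParser:
    """OpenSSL cnf is INI-like: keep key case, no interpolation, '#' comments."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def active_providers(cp: configparser.ConfigParser) -> dict:
    """Map provider name -> its section for every provider with activate = 1."""
    prov_sect = cp.get("openssl_init", "providers", fallback=None)
    if prov_sect is None or not cp.has_section(prov_sect):
        return {}
    active = {}
    for name, sect in cp.items(prov_sect):
        if cp.has_section(sect) and cp.get(sect, "activate", fallback="0").strip() == "1":
            active[name] = sect
    return active


def lint_providers(text: str) -> list:
    """Return a list of findings; an empty list means the config passed."""
    cp = load_cnf(text)
    findings = []
    active = active_providers(cp)
    if not active:
        return ["no provider activated: [openssl_init] providers= missing or all activate=0"]

    # 1. The thread's finding: two PKCS#11 providers loaded at once misbehaved.
    #    A provider counts as PKCS#11-backed if its module file name says so.
    pkcs11_like = [n for n, s in active.items()
                   if "pkcs11" in posixpath.basename(cp.get(s, "module", fallback=n))]
    if len(pkcs11_like) > 1:
        findings.append(f"more than one PKCS#11 provider active at once: {pkcs11_like}")

    # 2. A loadable provider must name its module; the default provider is built in.
    for name, sect in active.items():
        if name != "default" and not cp.has_option(sect, "module"):
            findings.append(f"provider {name!r} is active but has no module= path")

    # 3. default_properties = ?provider=X must point at an active provider,
    #    otherwise every algorithm fetch quietly falls back to whatever is loaded.
    alg = cp.get("openssl_init", "alg_section", fallback=None)
    props = cp.get(alg, "default_properties", fallback="") if alg else ""
    for clause in props.lstrip("?").split(","):
        key, _, val = clause.strip().partition("=")
        if key == "provider" and val not in active:
            findings.append(f"default_properties prefers provider {val!r}, which is not active")

    # 4. pkcs11sign forwards non-signing operations; the target must be active too.
    for name, sect in active.items():
        fwd = cp.get(sect, f"{name}-forward", fallback=None)
        if fwd and fwd.partition("=")[2] not in active:
            findings.append(f"{name}-forward targets inactive provider {fwd!r}")
    return findings


if __name__ == "__main__":
    for finding in lint_providers(SAMPLE_CNF) or ["config passed"]:
        print("-", finding)
```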


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-06 Thread Andreas Hasenack
let me also try with openssl-pkcs11-sign-provider


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-06 Thread Andreas Hasenack
> (I'm curious about the autopkgtest results.)


They passed for amd64 already:
Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-noble-ahasenack-apache2-modssl-provider-support/?format=plain)
  apache2 @ amd64:
  06.03.24 17:05:50  ✅ Triggers: apache2/2.4.58-1ubuntu4~ppa1

log: https://autopkgtest.ubuntu.com/results/autopkgtest-noble-ahasenack-apache2-modssl-provider-support/noble/amd64/a/apache2/20240306_170550_0cb4e@/log.gz

but failed for s390x all over the place:
  apache2 @ s390x:
  06.03.24 17:54:30  ❌ Triggers: apache2/2.4.58-1ubuntu4~ppa1
  1617s run-test-suite         FAIL
  1617s duplicate-module-load  FAIL
  1617s default-mods           FAIL
  1617s htcacheclean           FAIL
  1617s ssl-passphrase         FAIL
  1617s check-http2            FAIL
  1617s check-ubuntu-branding  FAIL
  1617s chroot                 FAIL

Log: https://autopkgtest.ubuntu.com/results/autopkgtest-noble-ahasenack-apache2-modssl-provider-support/noble/s390x/a/apache2/20240306_175430_7cb94@/log.gz

It's a dependency problem while installing packages. The archive is
still in a lot of flux due to the time_t 64bit changes, which mean a lot
of rebuilds. I'll retry later.


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-06 Thread Andreas Hasenack
I may have hit a bug elsewhere first, though. I'm following what I did
for a pkcs11 engine test[1], but with the pkcs11-provider package. I'm
able to create the RSA key in the softhsm2 token, and even generate a
certificate request with it using openssl -provider pkcs11. But when I
sign the request with the same key (nonsense, but technically valid), it
does sign it, but core dumps at the end:

# openssl x509 -provider pkcs11 -signkey "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=f4561bbe1b739173;token=apache2-hsm-token;id=%BD%06%9A%2E%16%D0%03%85%AE%AF%12%DE%81%0C%DA%3A%56%F2%51%42;object=apache2-hsm-key;type=private" -in apache2-hsm-key.req -out foo
Enter pass phrase for PKCS#11 Token (Slot 460558707 - SoftHSM slot ID 0x1b739173):
Segmentation fault (core dumped)

# cat foo
-----BEGIN CERTIFICATE-----
[PEM body elided]
-----END CERTIFICATE-----

The certificate looks ok, and a quick gdb on the core dump shows it was
at shutdown time. But I'm also getting a core dump in apache now when
configured to use this cert and hsm key. But also at shutdown. And while
running, apache ssl isn't working. Still, it could be because softhsm2
usually requires root access, but I straced it and didn't see any
EACCES errors, and I also added the www-data user to the softhsm group.

Still, the segfault isn't good, and seems to be in either softhsm2 or
pkcs11-provider, not apache itself.


1. https://git.launchpad.net/ubuntu/+source/libp11/tree/debian/tests/engine


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-06 Thread Frank Heimes
Hi Andreas, thanks for your patched Apache 2.4 build, great!
(I'm curious about the autopkgtest results.)

Regarding the provider, there are different implementations out there.
This one - available in noble - is supposed to work with this Apache2 
modification:
https://launchpad.net/ubuntu/+source/openssl-pkcs11-sign-provider
 (we picked the most promising and future-oriented one, backed and maintained 
by IBM)


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-06 Thread Andreas Hasenack
> the pkcs11-provider from https://github.com/latchset/pkcs11-provider (must be 
> built from source I guess 
> since not available in Ubuntu distribution)

That package is available in noble, btw:
https://launchpad.net/ubuntu/+source/pkcs11-provider


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-06 Thread Andreas Hasenack
I have builds going on in this ppa for amd64, arm64, and s390x:

https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-modssl-provider-support/

Completely untested. Once the builds are published, I'll trigger the
autopkgtests.


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-06 Thread Andreas Hasenack
I will also note that the main patch[1] has not yet been proposed for
2.4, according to the STATUS[2] file in the 2.4.x branch.

1. https://github.com/apache/httpd/commit/cc796e269d7c4f8d105fa46b590c9301c2a55329
2. https://github.com/apache/httpd/blob/2.4.x/STATUS


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-06 Thread Andreas Hasenack
The main patch[1] depends on these other two:
- improve compatibility with openssl 3[2]
- fix typo[3]


With all three, the main[1] one applies with some offset:
Applying patch mod_ssl_support_pkcs11_provider_for_ossl3.patch
patching file modules/ssl/ssl_engine_init.c
Hunk #1 succeeded at 1411 (offset -65 lines).
Hunk #2 succeeded at 1425 (offset -65 lines).
patching file modules/ssl/ssl_engine_pphrase.c
Hunk #2 succeeded at 611 (offset 32 lines).
Hunk #3 succeeded at 829 (offset 33 lines).
Hunk #4 succeeded at 910 (offset 33 lines).
patching file modules/ssl/ssl_private.h
patching file modules/ssl/ssl_util.c
Hunk #1 succeeded at 476 (offset -24 lines).

Now at patch mod_ssl_support_pkcs11_provider_for_ossl3.patch

Testing a build...


1. https://github.com/apache/httpd/commit/cc796e269d7c4f8d105fa46b590c9301c2a55329
2. https://github.com/apache/httpd/commit/28f6fc01c379282b647758c68ab59074dc4533df
3. https://github.com/apache/httpd/commit/43f7bc4508cc3750ee3a0c01a73d21f23fa2eee2


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-03-06 Thread Andreas Hasenack
Working on this today.


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-02-28 Thread Frank Heimes
** Description changed:

  Feature Freeze Exception (FFe):
  ---
  
- Since this may take a little longer now and noble's FF is coming up soon,
- I'm pro-actively transferring this request into a feature freeze exception 
(FFe).
+ Since the work on this request may take a little longer and noble's FF is
+ today, this request got transferred into a feature freeze exception (FFe).
  
- The main reason for this request is a new functionality and the use case that 
one wants to protect the private key of a httpd server by using a PKCS#11 based 
(HSM based) private key for the server instead of using a clear key.
- Which would subsequently open business opportunity esp. on the s390x platform.
+ The driver for this is the need to update mod_ssl in Apache2 to support
+ openssl 3.x providers, since engines are deprecated in openssl 3.x.
+ 
+ This new functionality (openssl provider support) is required for the
+ use case that one wants to protect the private key of a httpd server
+ by using a PKCS#11 based (HSM based) private key for the server
+ instead of using a clear key.
+ 
+ This would subsequently open business opportunity esp. on the s390x
+ platform.
  
  The diff/delta in the 2.5.x/trunk CHANGES file 
(https://github.com/apache/httpd/blob/trunk/CHANGES) is:
  "
-   *) mod_ssl: Support loading certificates and private keys from the
-  PKCS#11 OpenSSL engine.  [Anderson Sasaki ,
-  Joe Orton]
+   *) mod_ssl: Support loading certificates and private keys from the
+  PKCS#11 OpenSSL engine.  [Anderson Sasaki ,
+  Joe Orton]
  "
  
- In addition a reference to Revision 1914365 seems to be useful, that provides 
further details:
+ In addition the reference to Revision 1914365 seems to be useful reference,
+ that provides further details:
  https://svn.apache.org/viewvc?view=revision&revision=1914365
  
  Once backports for 2.4.x are available:
  - a test build in PPA will be done (and a build log can be provided)
  - install and upgrade tests will be done (and an install log can be provided)
  
  The new package should not break any other packages that depend on it,
  since there are no changes in the dependencies (or package meta data in 
general) expected.
  
  A description of a sample setup, incl. all affected components, can be taken 
from here:
  https://www.ibm.com/docs/en/linux-on-z?topic=linuxone-libp11-engine
  (The sample is based on RHEL, but except the patches discussed here,
-  this generally applies to other distributions as well).
+  this generally applies to other distributions as well).
  'Figure - 1' provides a graphical representation of the overall use case 
setup.
  
  The above sample setup does incl. test steps;
  look for 'Testing' --> 'Test with Apache web server'
  (Test uses "httpd -X" and "openssl s_client".)
  
  Once an Ubuntu based Apache 2.4.x test build for noble is available,
  and the logs (see above are available)
  the 'ubuntu-release' team can finally be subscribed.
  
  __
  
  Enable an E2E use case that allows to configure an Apache webserver to
  protect its private keys with an HSM that is addressable via an PKCS #11
  (signing) provider configured for an openSSL 3.0 library.
  
  Accepted for httpd > 2.4.58, see
  https://svn.apache.org/viewvc?view=revision&revision=1914365
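Review bot: the added line "In addition the reference to Revision 1914365 seems to be useful reference, that provides further details:" (the two "+" lines following the CHANGES quote) repeats "reference" and has a stray comma; suggest "In addition, Revision 1914365 is a useful reference that provides further details:". The "-"/"+" pair around the CHANGES entry and the pair around "this generally applies to other distributions as well" differ only in whitespace, so they change nothing visible, and both copies of the CHANGES entry read "[Anderson Sasaki ," with the author's address missing after the name; restore it from the upstream CHANGES file or drop the dangling comma.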

** Tags added: noble


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-02-28 Thread Frank Heimes
@ahasenack Yes, that is the main driver for this.
Let me pick this and put it also into the bug description.


[Bug 2050017] Re: [FFe] [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

2024-02-28 Thread Andreas Hasenack
Ok, so in essence this is about updating mod_ssl to support openssl 3
providers, since engines are deprecated in openssl 3.
