Hi Nikolaos,

Thanks for the information.

And I've put in a PR to update the Fuseki Jetty HTTPS example using the one you tested.

    Andy

On 07/07/2022 16:38, Nikolaos Beredimas wrote:
Hi Andy,

TL;DR: Password-less PKCS12 passwords just don't work.

After more testing, I couldn't get a password-less PKCS12 certificate to
work, no matter what I tried.
And after reading around I suspect it's not just Jetty that suffers from
this, so there is nothing to be done.

As for the other issue I had with a specific OpenSSL version, it turns out
it's a non-issue.
The culprit was an unrelated certificate generation script that omitted the
provided password when calling openssl.

In any case the xml provided back in February is good.

NB

On Thu, Jul 7, 2022 at 12:42 PM Andy Seaborne <a...@apache.org> wrote:

Hi Nikolaos,


On 06/07/2022 11:04, Nikolaos Beredimas wrote:
While trying to get Fuseki running over https I found this thread from
February

https://jena.markmail.org/message/2kqpd2tlinpdzpna?q=ssl+order:date-backward&page=1

1. I can confirm the provided xml works (tested on Fuseki 4.5.0)

Thanks for confirming that.


2. I am having some issues generating the needed pkcs12 certificate file.

a. When trying to generate a password-less pkcs12 file (openssl ...
-passout pass:) Fuseki doesn't complain when loading it, but I always get
SSL handshake errors and it doesn't work.

It is Jetty that is handling the certificate via the JDK.

Mentions like


https://stackoverflow.com/questions/58345405/how-to-use-non-password-protected-p12-ssl-certificate-in-spring-boot

(which is nearly 3 years old)

suggest a password was needed at some time in the past. Current jetty
documentation does not mention it one way or the other.

b. When trying to generate with a password I get mixed results:
OpenSSL 1.1.1f  31 Mar 2020 running on WSL2 Ubuntu 20.04 works fine. Fuseki
loads the certificate and works like a charm.
However, if I use OpenSSL 1.1.1o  3 May 2022 (running on
docker-linuxserver/docker-swag:latest) I get a strange exception
stacktrace:

java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source) ~[?:?]
at java.security.KeyStore.load(Unknown Source) ~[?:?]
at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:49) ~[fuseki-server.jar:4.5.0]
...
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
... 28 more

I'm afraid I don't know what that indicates.



I would appreciate any input to pinpoint and solve any or both issues
above.

We'd be interested in hearing what you find out.


Regards,
Nikolaos Beredimas



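The stack trace in the thread shows Jetty loading the keystore through the plain JDK API (java.security.KeyStore.load), so the same failure can be reproduced outside Fuseki with a few lines of Java. The following pre-flight check is an added example, not code from the thread, from Jetty or from Fuseki; it assumes a PKCS12 file path and the password are passed on the command line, and the Outcome names are my own. It loads the file the way Jetty does, maps the "keystore password was incorrect" IOException (whose cause is the UnrecoverableKeyException seen above) to a clear verdict, and also confirms that at least one private-key entry can actually be opened with that password, which is what a TLS listener needs. Running it against a freshly generated .p12 would have exposed the script in the thread that dropped the password before Fuseki ever started.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

// Usage: java CheckP12.java <keystore.p12> [password]
// Exit status 0 means Jetty should be able to use the file with that password.
public class CheckP12 {

    // Verdicts for one load attempt (names chosen for this example).
    enum Outcome {
        OK,                    // store opens and a private key is readable with the password
        WRONG_PASSWORD,        // integrity/decryption check failed: the trace from the thread
        UNREADABLE,            // not a PKCS12 file, truncated, or otherwise unparsable
        NO_PRIVATE_KEY,        // only certificates inside; cannot serve TLS from it
        KEY_PASSWORD_MISMATCH  // store opened but the key entry uses a different password
    }

    static Outcome check(String path, char[] password) throws Exception {
        // Same provider path as Jetty's CertificateUtils.getKeyStore: the JDK PKCS12 implementation.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        } catch (IOException e) {
            // The JDK reports a failed MAC/decryption as IOException("keystore password was incorrect")
            // with an UnrecoverableKeyException as the cause, exactly as in the thread's stack trace.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return Outcome.WRONG_PASSWORD;
            }
            return Outcome.UNREADABLE;
        }

        boolean hasKey = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue;
            }
            try {
                // Jetty unlocks the key with the keystore password unless a separate
                // key manager password is configured, so test the same combination here.
                ks.getKey(alias, password);
                hasKey = true;
            } catch (UnrecoverableKeyException e) {
                return Outcome.KEY_PASSWORD_MISMATCH;
            }
        }
        return hasKey ? Outcome.OK : Outcome.NO_PRIVATE_KEY;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java CheckP12.java <keystore.p12> [password]");
            System.exit(2);
        }
        // No second argument means an empty password, i.e. the result of
        // `openssl pkcs12 -export ... -passout pass:` discussed in the thread.
        char[] password = args.length > 1 ? args[1].toCharArray() : new char[0];
        Outcome outcome = check(args[0], password);
        System.out.println(args[0] + ": " + outcome);
        System.exit(outcome == Outcome.OK ? 0 : 1);
    }
}
```

The point of separating WRONG_PASSWORD from UNREADABLE is diagnostic: the first means the file is a valid PKCS12 whose password does not match what the generating script actually used (the thread's root cause), while the second points at the file itself. Run it with the exact password string from the Jetty XML before restarting Fuseki, so a mismatch surfaces here rather than as an SSL handshake error on the listener.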