-
Bug
-
Resolution: Done
-
Major
-
7.3.0.Beta
When enabling SSL/TLS via OpenSSL provider using the Elytron subsystem, we've ran into following issue:
10:04:39,169 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.security.ssl-context.sslSSC: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.sslSSC: Failed to start service at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1729) at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1557) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: Error setting certificate (%s) at org.wildfly.openssl.OpenSSLContextSPI.init(OpenSSLContextSPI.java:278) at org.wildfly.openssl.OpenSSLContextSPI.engineInit(OpenSSLContextSPI.java:358) at javax.net.ssl.SSLContext.init(SSLContext.java:282) at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:371) at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53) at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:1043) at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1737) at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1699) ... 6 more Caused by: java.lang.IllegalStateException: Error setting certificate (%s) at org.wildfly.openssl.SSLImpl.setCertificate0(Native Method) at org.wildfly.openssl.SSLImpl.setCertificate(SSLImpl.java:598) at org.wildfly.openssl.OpenSSLContextSPI.init(OpenSSLContextSPI.java:225) ... 14 more
This error occured only on RHEL8 system. It turned out that root cause is a certificate we create like this:
keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore ../standalone/configuration/server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
Although, system OpenSSL on RHEL8 is much stricter and key length 1024 is not strong enough. One needs to use longer keysize obviously since when we used 2048 keylength, all started to work.
This issue is about making this problem more visible to user from the log message in server.log file that is shown before. Also notice that there is a '%s' placeholder, which looks like it should be replaced by some actual error message but it was not.
- is cloned by
-
WFSSL-15 Enabling one-way ssl using elytron with key length < 2048 returns non user friendly error message
- Resolved