Bug 38217 - mention that private key password and keystore password need to be the same (avoid "IOException: Cannot recover key")
mention that private key password and keystore password need to be the same (...
Status: CLOSED FIXED
Product: Tomcat 5
Classification: Unclassified
Component: Connector:Coyote
5.5.14
Other All
: P2 enhancement (vote)
: ---
Assigned To: Tomcat Developers Mailing List
http://tomcat.apache.org/tomcat-5.5-d...
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2006-01-10 20:01 UTC by Ralf Hauser
Modified: 2011-01-12 07:16 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ralf Hauser 2006-01-10 20:01:37 UTC
As per org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystorePassword()
"keypass" and "keystorePass" are the same.

If e.g. with using http://sf.net/projects/portecle, some people are tempted to
set a different key on the private key.

Then, they get
<<Error initializing endpoint
java.io.IOException: Cannot recover key
 at
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:125)
 at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
 at
org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
 at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:137)
 at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
...>>

It would be great if there were a cautionary note in the ssl-howto.html

see also http://www.ponton-consulting.de/en/faq/faq_advanced.html

I guess the test at the bottom of
http://marc.theaimsgroup.com/?l=tomcat-user&m=109363993616257&w=2 would succeed
despite what is claimed...
Comment 1 Yoav Shapira 2006-04-13 19:00:15 UTC
Good point, added cautionary note and reference to your comment above to the SSL
HowTo.  Thanks.
Comment 2 Ralf Hauser 2008-05-11 22:08:49 UTC
see also Bug 38774
	

Comment 3 jfclere 2011-01-12 07:16:13 UTC
Note that adding one key with a different passphrase will break the whole keystore for TC.