pivotal/credhub-release

PKCS12 keystores fail with openssl 3

ramonskie opened this issue · 2 comments

when testing with a jammy based stemcell, which has the openssl 3 lib by default,
I ran into the following issue

bosh/0:/var/vcap# cat sys/log/credhub/pre-start.stderr.log
[2022-03-21T15:27:22.052532911Z] ________________________________________________________________________________
[2022-03-21T15:27:22.596048116Z] Importing keystore cert.p12 to /var/vcap/jobs/credhub/config/cacerts.jks...
bosh/0:/var/vcap# cat sys/log/credhub/pre-start.stdout.log
[2022-03-21T15:27:22.053129911Z] ________________________________________________________________________________
[2022-03-21T15:27:23.442677021Z] keytool error: java.io.IOException: keystore password was incorrect

this is related to the currently used java version
see https://bugs.openjdk.java.net/browse/JDK-8278989

we are using the bellsoft jre, but it is currently also affected as it is built based off the openjdk 322 version
oracle 311 would solve this issue until a fix is provided for openjdk

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/181638934

The labels on this github issue will be updated when the story is started.

by adding the -legacy option to openssl 3 it works
see https://stackoverflow.com/questions/69170537/is-openssl-v3-0-0-compatible-with-v1-1-1
openssl/openssl#14034
pr will follow soon