Description
After installing / configuring nitro-enclaves-acm for Apache httpd as described on https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html I noticed it wasn't working. I couldn't set up a working TLS connection to the site in question. The instance in question is a fully patched / up to date AL2 instance:
$ openssl s_client -connect host.domain.com:443 -servername host.domain.com
CONNECTED(00000003)
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M02
verify return:1
depth=0 CN = host.domain.com
verify return:1
139686793054096:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80
139686793054096:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
0 s:/CN=host.domain.com
i:/C=US/O=Amazon/CN=Amazon RSA 2048 M02
1 s:/C=US/O=Amazon/CN=Amazon RSA 2048 M02
i:/C=US/O=Amazon/CN=Amazon Root CA 1
2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----
subject=/CN=host.domain.com
issuer=/C=US/O=Amazon/CN=Amazon RSA 2048 M02
---
No client certificate CA names sent
---
SSL handshake has read 5046 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1679867431
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
I verified the setup by launching an https://aws.amazon.com/marketplace/pp/prodview-f4gcl7narsmle instance (to be referenced as the test instance), which seems to work correctly. I used the same certificate and the same IAM role as on the original instance, and it worked out of the box. So I was confident the configuration on the original instance should also work. Checking around on the system I noticed my instance contains openssl-pkcs11-0.4.10-3.amzn2.0.1.x86_64; this package doesn't seem to be present on the test instance. However, on the test instance /usr/lib64/openssl/engines/pkcs11.so, which is normally provided by this package, is nonetheless present. When I copy this file from the test instance over to my original instance things suddenly start to work, and the last part of the openssl s_client output now looks like:
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5660 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: B9F53FE8D44F25898514C9D719F22BDC80C9889756D99B5E4057581E0211D1CB
Session-ID-ctx:
Master-Key: 5FDD21EB7152B175A17BC5460E18231925F5A40D7065B88F3501166B9A9007F018FF89622C6857EBE0A61B03A55C97C6
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1679870499
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Does this mean we need an updated openssl-pkcs11 to appear in the AL2 package repository that will allow nitro-enclaves-acm to work?
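A check script for the failure mode described in this issue, added here as an example (it is not code from the issue or from the nitro-enclaves-acm project). It assumes the engine path given in the report and that `openssl` and `rpm` are on PATH; the `SAMPLE_*` outputs are constructed from the two `s_client` runs above.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or from nitro-enclaves-acm.
# handshake_state classifies `openssl s_client` output: a verified chain
# followed by "alert number 80" (internal_error) and "Cipher is (NONE)" means
# the server could not finish its side of the handshake, which is how an
# unavailable private-key engine looks from the client. pkcs11_engine_status
# and pkcs11_engine_loads check the engine library at the path from the
# report (override with ENGINE_PATH) and whether OpenSSL can load it.
ENGINE_PATH="${ENGINE_PATH:-/usr/lib64/openssl/engines/pkcs11.so}"

has() { printf '%s\n' "$1" | grep -qF -- "$2"; }   # $1: text, $2: literal
handshake_state() {
  # $1: s_client output. Echoes ok:<cipher>, server-internal-error or failed.
  cipher=$(printf '%s\n' "$1" | sed -n 's/^New, .*Cipher is \([^ ]*\).*/\1/p' | head -n 1)
  if [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]; then
    echo "ok:$cipher"
  elif has "$1" 'verify return:1' && has "$1" 'alert number 80'; then
    echo "server-internal-error"
  else
    echo "failed"
  fi
}

probe_host() {
  # $1: hostname. Runs the report's s_client command and classifies the result.
  out=$(echo | openssl s_client -connect "$1:443" -servername "$1" 2>&1 || true)
  handshake_state "$out"
}

pkcs11_engine_status() {
  # Echoes missing, present:<owning rpm> or present:unowned.
  [ -e "$ENGINE_PATH" ] || { echo "missing"; return 0; }
  if command -v rpm >/dev/null 2>&1 && owner=$(rpm -qf "$ENGINE_PATH" 2>/dev/null); then
    echo "present:$owner"
  else
    echo "present:unowned"
  fi
}

pkcs11_engine_loads() {
  # Returns 0 if `openssl engine -t pkcs11` reports the engine as available.
  openssl engine -t pkcs11 2>/dev/null | grep -q '\[ available \]'
}

# Constructed samples mirroring the broken and fixed s_client runs above.
SAMPLE_BROKEN='verify return:1
1:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80
New, (NONE), Cipher is (NONE)'
SAMPLE_FIXED='verify return:1
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
```

After sourcing the script, `pkcs11_engine_status` followed by `probe_host host.domain.com` reproduces the reporter's diagnosis: an `ok:` result once the engine library is present and loadable.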