postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
https://www.postman.com

Request execution error: PKCS8 routines:OPENSSL_internal:UNKNOWN_ALGORITHM #8598

Open bloubloed84 opened 4 years ago

bloubloed84 commented 4 years ago

Describe the bug

Openssl error when trying to call secure service

To Reproduce

Steps to reproduce the behavior:

  1. Setup certificate and key under certificates.
  2. SSL verification disabled
  3. Call to secure service

Expected behavior

Service call returns a 200 with data. This worked under previous versions of postman but since the latest upgrade it started failing with below

Screenshots

image

App information (please complete the following information):

image

Additional context

Client talks to server via a mutual tls router created in openshift cluster. Have tried both with PEM and non but both give the same error. Certificate setup has both a cert and private key along with a passphrase.

bloubloed84 commented 4 years ago

Reinstalled below version and https working again -

image

codenirvana commented 4 years ago

@bloubloed84 With Postman v7.25.3, we upgraded our underlying SSL library which might be the cause of this. To help us debug this issue, can you confirm the following:

  1. The request is working fine with v7.25.0? Download from:
     Win32: https://dl.pstmn.io/download/version/7.25.0/win32
     Win64: https://dl.pstmn.io/download/version/7.25.0/win64

  2. Are you using a PFX certificate or CRT + KEY combination?
     a. If PFX, is it of type pkcs8 or pkcs12?
     b. Does the setup require Passphrase?

  3. Can you send the following request via curl and share the verbose logs? (hide sensitive details)

    curl -v https://localhost --cert ./client-crt.pem --key ./client-key.pem

    Replace https://localhost with your endpoint and update the respective certificate path.

bloubloed84 commented 4 years ago
  1. Works with 7.25.0
  2. crt + key combo with passphrase
  3. image

codenirvana commented 4 years ago

@bloubloed84 we are not able to figure out the root cause of this issue. At first glance, this looks like a client certificate issue, primarily how they are generated.

Can you share the steps which we can use to produce this issue internally?

If possible, you can share the endpoint and the required certificate with us at help@getpostman.com.

codenirvana commented 4 years ago

@bloubloed84 To help us debug this issue better could you share the verbose log (remove the sensitive details) for the public certificate details using the following command:

    openssl x509 -inform der -in fv_prod.cer -noout -text

The above command will list down the X509v3 extensions and the Signature Algorithm used.

Also, similar to the curl log you shared before, can you try connecting using the openssl command and share the resultant logs (remove the sensitive details) for the following command:

    openssl s_client -state -connect localhost:443 -cert client-crt.pem -key client-key.pem | openssl x509 -text

Replace localhost with your endpoint, and update the respective certificate path.

bloubloed84 commented 4 years ago

Hi, Below are the extensions and signature algorithm.

    X509v3 extensions:
        X509v3 Subject Alternative Name:
        X509v3 Subject Key Identifier:
        X509v3 Authority Key Identifier:
        X509v3 CRL Distribution Points:
        X509v3 Key Usage: critical
        X509v3 Extended Key Usage:
            TLS Web Client Authentication, TLS Web Server Authentication

Signature Algorithm: sha256WithRSAEncryption

Unfortunately I can't get the 2nd command to work. Getting the below 'unable to load certificate 34359738384:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE'

I can however run both -

But based on the error in the app, is it not maybe because it doesn't support 'sha256WithRSAEncryption'?

bloubloed84 commented 4 years ago

Got it working now -

image

jagatheeshkumara commented 4 years ago

@bloubloed84 got the same issue. What was the fix please? Or just install prior version?

numaanashraf commented 4 years ago

@jagatheeshkumara Could you share the endpoint and the required certificate with us at help@getpostman.com?

bloubloed84 commented 4 years ago

> @bloubloed84 got the same issue. What was the fix please? Or just install prior version?

Not resolved yet. I installed 7.25 mentioned above and working again but need to disable auto upgrade. I suspect the problem is Postman not catering for sha256WithRSAEncryption. I think this issue might be similar as it's using the same algorithm. https://github.com/postmanlabs/postman-app-support/issues/8612

thetreythomas commented 4 years ago

@bloubloed84 - Unchecking the auto-update won't keep Postman from taking you from 7.25 to 7.26. Reading through the open issues, that is for disabling major version changes, like 7.x to 8.x. This should work for both minor and major updates, as this is a PITA installing 7.25.0, and then it updating in the background to 7.26.0 again.

I found that you have to rename the squirrel.exe file in the C:\Users\\AppData\Local\Postman\app-7.25.0. This keeps Postman from grabbing new builds.

bloubloed84 commented 4 years ago

Hi. Yes, I just updated the shortcut to not have the update flag in it, which then resolved the update problem. Can also temporarily rename the update.exe file until the SSL library is resolved.

jagatheeshkumara commented 4 years ago

After downgrading from 7.26.0 to 7.25.0, I lost all my collections. Is there a way to get those collections back?

Update: Postman regularly took back-up of my collection in this path "C:\Users\xxx\AppData\Roaming\Postman", file name backup-2020-06-16T07-46-34.796Z.json. Imported the backup file and all good now.

birnbuazn commented 4 years ago

Any news on this? This issue renders Postman almost useless for endpoints requiring a client certificate...

thetreythomas commented 4 years ago

@birnbuazn - See the latest batch of comments on this one: https://github.com/postmanlabs/postman-app-support/issues/8612

mccannt commented 4 years ago

@birnbuazn We are still digging into this to determine the underlying issue that is causing this. We will keep you informed on a resolution.

varun-dc commented 2 years ago

I came across this issue while trying to determine this error in another application and completely different context (not postman).

If it's of use to anyone else or helps anyone else out, in my case the issue came down to MacOS's openssl/libressl (I think?) not supporting the cipher algorithm. To solve the issue I generated my private key using the -v2 aes-256-cbc and I no longer ran into this error in my use case. There are other supported ciphers as well, please see https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs#keypair-authentication-passhrase
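Added example, not part of the thread and not Postman's code: following the last comment, where re-encrypting the private key with -v2 aes-256-cbc cleared the error, this Python example reads the algorithm header of an encrypted PKCS#8 key and names the scheme protecting it, so it can be compared with what the client's TLS library accepts. The function names, the OID table and the sample bytes are constructed for this example; that the key's encryption scheme is what triggers UNKNOWN_ALGORITHM is that commenter's finding for their own case, not something the thread confirms for Postman.

```python
import base64

OIDS = {  # scheme OIDs from PKCS#5 (RFC 8018), PKCS#12 and NIST AES; not exhaustive
    "1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
    "2.16.840.1.101.3.4.1.2": "aes-128-cbc", "2.16.840.1.101.3.4.1.42": "aes-256-cbc",
    "1.2.840.113549.3.7": "des-ede3-cbc", "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC",
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
}

def tlv(buf, pos=0):
    """Read one DER element: return (value bytes, offset of the next element)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def alg_id(buf, pos=0):
    """Parse an AlgorithmIdentifier: return (name or dotted OID, params, next offset)."""
    seq, nxt = tlv(buf, pos)
    body, p = tlv(seq)
    arcs, val = [], 0
    for b in body:  # base-128 arcs; the high bit marks a continuation byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)
    dotted = ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))
    return OIDS.get(dotted, dotted), seq[p:], nxt

def key_encryption(key):
    """Name the scheme protecting a PKCS#8 EncryptedPrivateKeyInfo (PEM or DER bytes)."""
    if key.lstrip().startswith(b"-----BEGIN"):
        head, *body = key.strip().splitlines()[:-1]
        if b"ENCRYPTED PRIVATE KEY" not in head:
            raise ValueError("not an encrypted PKCS#8 key: " + head.decode())
        key = base64.b64decode(b"".join(body))
    scheme, params, _ = alg_id(tlv(key)[0])
    if scheme != "PBES2":
        return scheme  # PBES1 / PKCS#12 PBE: the OID alone fixes hash and cipher
    p2, _ = tlv(params)  # PBES2-params ::= SEQUENCE { keyDerivationFunc, encryptionScheme }
    kdf, _, nxt = alg_id(p2)
    return f"PBES2 {kdf} {alg_id(p2, nxt)[0]}"

# Constructed sample: a PBES2 header with zeroed salt, IV and ciphertext (not a real key).
SAMPLE_PBES2 = bytes.fromhex(
    "305d3049" "06092a864886f70d01050d" "303c"
    "301b" "06092a864886f70d01050c" "300e0408" + "00" * 8 + "02020800"
    "301d" "060960864801650304012a" "0410" + "00" * 16 + "0410" + "00" * 16)
```

A key written with the -v2 aes-256-cbc option from the comment above reports as PBES2 PBKDF2 aes-256-cbc; a scheme missing from the table comes back as its dotted OID, which is the value to check against the TLS library's supported list.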