22.3 server fails to merge config when SSL configuration contains server key with a passphrase #35950
Closed
Labels
potential bug: To be reviewed by developers and confirmed/rejected.
Description
Describe what's wrong
Server fails to merge config when SSL configuration contains <privateKeyPassphraseHandler> section.
10ms [clickhouse1] > <privateKeyPassphraseHandler>
11ms [clickhouse1] > <name>KeyFileHandler</name>
11ms [clickhouse1] > <options>
12ms [clickhouse1] > <password>hello</password>
12ms [clickhouse1] > </options>
13ms [clickhouse1] > </privateKeyPassphraseHandler>
Does it reproduce on recent release?
Reproduced on: clickhouse/clickhouse-server:22.3.2.2-alpine
How to reproduce
Run tests in #35949.
tests/testflows/ssl_server$ ./regression.py --local --clickhouse-binary-path docker://clickhouse/clickhouse-server:22.3.2.2-alpine -l test.log --only "/ssl server/ssl context/enable ssl with server key passphrase/*"
Expected behavior
It should work.
Error message and/or stacktrace
2022.04.05 03:06:19.117504 [ 4608 ] {} <Error> ConfigReloader: Error updating configuration from '/etc/clickhouse-server/config.xml' config.: Poco::Exception. Code: 1000, e.code() = 0, OpenSSLException: EVPKey::loadKey(string): error:09000068:PEM routines:OPENSSL_internal:BAD_PASSWORD_READ, Stack trace (when copying this message, always include the lines below):
0. Poco::Crypto::OpenSSLException::OpenSSLException(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, int) @ 0x164b83ec in /usr/bin/clickhouse
1. bool Poco::Crypto::EVPPKey::loadKey<evp_pkey_st, void* (*)(evp_pkey_st*)>(evp_pkey_st**, evp_pkey_st* (*)(_IO_FILE*, evp_pkey_st**, int (*)(char*, int, int, void*), void*), void* (*)(evp_pkey_st*), std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) @ 0x164b63b9 in /usr/bin/clickhouse
2. Poco::Crypto::EVPPKey::EVPPKey(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) @ 0x164b6047 in /usr/bin/clickhouse
3. DB::CertificateReloader::Data::Data(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >) @ 0x151917a1 in /usr/bin/clickhouse
4. DB::CertificateReloader::tryLoad(Poco::Util::AbstractConfiguration const&) @ 0x15190139 in /usr/bin/clickhouse
5. ? @ 0xa577187 in /usr/bin/clickhouse
6. ? @ 0xa575507 in /usr/bin/clickhouse
7. DB::ConfigReloader::reloadIfNewer(bool, bool, bool, bool) @ 0x1585dc46 in /usr/bin/clickhouse
8. DB::ConfigReloader::run() @ 0x1585fe5f in /usr/bin/clickhouse
9. ThreadFromGlobalPool::ThreadFromGlobalPool<void (DB::ConfigReloader::*)(), DB::ConfigReloader*>(void (DB::ConfigReloader::*&&)(), DB::ConfigReloader*&&)::'lambda'()::operator()() @ 0x15860e37 in /usr/bin/clickhouse
10. ThreadPoolImpl<std::__1::thread>::worker(std::__1::__list_iterator<std::__1::thread, void*>) @ 0xa584c97 in /usr/bin/clickhouse
11. ? @ 0xa58881d in /usr/bin/clickhouse
12. ? @ 0x7f8e16fde609 in ?
13. __clone @ 0x7f8e16f05293 in ?
(version 22.3.2.1)