Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/12/17 06:20:26 UTC
[Bug 57360] New: Fail gracefully on certificate/key mismatch
https://issues.apache.org/bugzilla/show_bug.cgi?id=57360
Bug ID: 57360
Summary: Fail gracefully on certificate/key mismatch
Product: Apache httpd-2
Version: 2.4.10
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: michael@orlitzky.com
From the mod_ssl docs:
> SSLCertificateChainFile is deprecated
>
> SSLCertificateChainFile became obsolete with version 2.4.8, when
> SSLCertificateFile was extended to also load intermediate CA certificates from
> the server certificate file.
Now that this is the case, there's a very easy mistake one can make that will
crash the server. When combining the CA chain and site certificate files, if one
does,
$ cat chain.crt site.crt > combined.crt
instead of,
$ cat site.crt chain.crt > combined.crt
then the server will crash on the next graceful reload. It will also refuse to
start; the only thing logged is a cryptic "AH00016: Configuration Failed" which
is misleading at best.
I don't know whether it's a good idea to proceed with one dead vhost -- the
site in question obviously won't work with a mismatched key/cert -- but if not
a better error message would be nice. I spent rather a long time searching for
other problems while all of our sites were down because it never occurred to me
that a key/cert mismatch could crash the whole server.
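A check that could be run before a graceful reload to catch the ordering mistake described in the report above. This is an added example, not part of the original bug report or of mod_ssl. The function names `nth_cert` and `check_bundle` are hypothetical, and it assumes the `openssl` command-line tool and an unencrypted PEM private key.

```shell
#!/bin/sh
# Added example: verify that a combined SSLCertificateFile starts with the
# certificate belonging to the private key, i.e. that it was built as
#   cat site.crt chain.crt > combined.crt
# Assumes the openssl CLI and an unencrypted PEM private key.

# Print the n-th PEM certificate of a bundle (hypothetical helper).
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ } i == n' "$1"
}

# check_bundle BUNDLE KEY (hypothetical helper)
# returns 0: the first certificate matches the key
#         1: a later certificate matches (files concatenated in the wrong order)
#         2: no certificate in the bundle matches the key, or the key is unreadable
check_bundle() {
    bundle=$1
    key=$2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "ERROR: cannot read private key $key" >&2
        return 2
    }
    total=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" 2>/dev/null) || total=0
    n=1
    while [ "$n" -le "$total" ]; do
        # Compare the public key inside certificate #n with the key's public half.
        cert_pub=$(nth_cert "$bundle" "$n" | openssl x509 -noout -pubkey 2>/dev/null)
        if [ "$cert_pub" = "$key_pub" ]; then
            if [ "$n" -eq 1 ]; then
                echo "OK: $bundle starts with the certificate for $key"
                return 0
            fi
            echo "ORDER: certificate #$n in $bundle matches $key; it must come first" >&2
            return 1
        fi
        n=$((n + 1))
    done
    echo "MISMATCH: no certificate in $bundle matches $key" >&2
    return 2
}

# Stand-alone use: sh check.sh combined.crt site.key
if [ "$#" -eq 2 ]; then
    check_bundle "$1" "$2"
fi
```
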