Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/12/17 06:20:26 UTC

[Bug 57360] New: Fail gracefully on certificate/key mismatch

https://issues.apache.org/bugzilla/show_bug.cgi?id=57360

            Bug ID: 57360
           Summary: Fail gracefully on certificate/key mismatch
           Product: Apache httpd-2
           Version: 2.4.10
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: michael@orlitzky.com

From the mod_ssl docs:

> SSLCertificateChainFile is deprecated
>
> SSLCertificateChainFile became obsolete with version 2.4.8, when 
> SSLCertificateFile was extended to also load intermediate CA certificates from 
> the server certificate file.

Now that this is the case, there's a very easy mistake one can make that will
crash the server. When combining the CA chain and site certificate files, if one
does,

  $ cat chain.crt site.crt > combined.crt

instead of,

  $ cat site.crt chain.crt > combined.crt

then the server will crash on the next graceful reload. It will also refuse to
start; the only thing logged is a cryptic "AH00016: Configuration Failed" which
is misleading at best.

I don't know whether it's a good idea to proceed with one dead vhost -- the
site in question obviously won't work with a mismatched key/cert -- but if not,
a better error message would be nice. I spent rather a long time searching for
other problems while all of our sites were down because it never occurred to me
that a key/cert mismatch could crash the whole server.

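A pre-reload check for the ordering mistake described in this report, as an added example that is not part of the original message or of httpd: it reports which certificate in the combined file carries the private key's public key, which has to be the first one. The function names and the script name are hypothetical, and the key is assumed to be an unencrypted PEM file.

```shell
#!/bin/sh
# Added example: find which certificate in a combined PEM file belongs to a
# private key. Function names are hypothetical; the key must be unencrypted.

# Print the 1-based position of the certificate in bundle $1 whose public key
# matches private key $2, or 0 if none does. Returns 2 if setup fails.
matching_cert_position() {
    bundle=$1 key=$2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per PEM certificate block.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$bundle"
    pos=0 i=1
    while [ -f "$tmp/$i.pem" ]; do
        cert_pub=$(openssl x509 -in "$tmp/$i.pem" -noout -pubkey 2>/dev/null) || cert_pub=
        if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
            pos=$i
            break
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$pos"
}

# Exit status 0 only when the first certificate matches the key.
check_bundle() {
    pos=$(matching_cert_position "$1" "$2") || {
        echo "cannot read private key $2 (or create a temp dir)" >&2
        return 2
    }
    case $pos in
        1) return 0 ;;
        0) echo "$1: no certificate in this file matches $2" >&2 ;;
        *) echo "$1: matching certificate is number $pos; it must come first" >&2 ;;
    esac
    return 1
}

# Usage: sh check_bundle.sh combined.crt site.key
if [ $# -eq 2 ]; then
    check_bundle "$1" "$2"
fi
```

Running it before a graceful reload turns the reversed `cat` order into a specific message instead of a failed configuration load.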