Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/08/08 21:16:11 UTC

[Bug 62609] New: ERR_SSL_PROTOCOL_ERROR with SSLVerifyClient in 2.4.34 when using custom CA

https://bz.apache.org/bugzilla/show_bug.cgi?id=62609

            Bug ID: 62609
           Summary: ERR_SSL_PROTOCOL_ERROR with SSLVerifyClient in 2.4.34
                    when using custom CA
           Product: Apache httpd-2
           Version: 2.4.34
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: michiel@hazelhof.nl
  Target Milestone: ---

Created attachment 36079
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36079&action=edit
apache config

Version 2.4.33 works fine, reverting fixes the issue for now.

We use our own "CA" with client certificates in order to identify clients.

Using "SSLVerifyClient" with any setting other than none results in all
browsers being unable to contact the server. ("The FetchEvent for
"https://kiosk.fyn.nl/" resulted in a network error response: the promise was
rejected." and ERR_SSL_PROTOCOL_ERROR).

No access or error log is written at any given point when using 2.4.34 for this
vhost, but it does write the following to the first available vhost with the
same port number and the same IPv[4|6] protocol: "AH02039: Certificate
Verification: Error (50): application verification failure"

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 62609] ERR_SSL_PROTOCOL_ERROR with SSLVerifyClient in 2.4.34 when using custom CA


Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #4 from Joe Orton <jo...@redhat.com> ---
There is a known regression in the merging of SSLOCSPOverrideResponder but if
you don't have OCSP enabled at all I'm not sure that's the same bug, so I think
it's something different, might be wrong again here.



[Bug 62609] ERR_SSL_PROTOCOL_ERROR with SSLVerifyClient in 2.4.34 when using custom CA


--- Comment #1 from Michiel Hazelhof <mi...@hazelhof.nl> ---
Extra information, this is not the first vhost, so this bug could also be
interpreted as the ServerName/ServerAlias not being respected when
SSLVerifyClient is specified.



[Bug 62609] ERR_SSL_PROTOCOL_ERROR with SSLVerifyClient in 2.4.34 when using custom CA


--- Comment #3 from Michiel Hazelhof <mi...@hazelhof.nl> ---
Adding "SSLOCSPEnable Off" fixes the problem indeed, it was working with all
previous versions (doesn't seem relevant anymore with the information about the
regression).

Should there be an extra investigation into the ServerName/ServerAlias not
being respected or can we just close the issue?
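For reference, an added example (not the reporter's attached config, which is not shown on this page) of the shape of setup the thread describes: OCSP enabled globally, a first vhost on the same IP:port, and a later vhost that requires client certificates from a private CA, with the `SSLOCSPEnable Off` workaround from this comment placed inside that vhost so it does not inherit the global setting. Hostnames and file paths are placeholders.

```apache
# Global OCSP setting, enabled for every vhost (the situation described in Comment #5).
SSLOCSPEnable On

# Placeholder first vhost on the same IP:port. Under 2.4.34 the AH02039
# "application verification failure" message was logged here, not in the vhost below.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/www.crt
    SSLCertificateKeyFile /etc/ssl/example/www.key
</VirtualHost>

# Client-certificate vhost: clients must present a certificate issued by the private CA.
<VirtualHost *:443>
    ServerName kiosk.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/kiosk.crt
    SSLCertificateKeyFile /etc/ssl/example/kiosk.key

    # Private CA that issued the client certificates; only chains ending at it are accepted.
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Workaround reported in this thread for 2.4.34: disable OCSP for this vhost
    # explicitly instead of inheriting the global SSLOCSPEnable On.
    SSLOCSPEnable Off
</VirtualHost>
```

After `apachectl configtest` and a reload, `openssl s_client -connect kiosk.example.com:443 -servername kiosk.example.com` should list the private CA under "Acceptable client certificate CA names"; with the regression in place the handshake aborts before that point.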



[Bug 62609] ERR_SSL_PROTOCOL_ERROR with SSLVerifyClient in 2.4.34 when using custom CA


Michiel Hazelhof <mi...@hazelhof.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Michiel Hazelhof <mi...@hazelhof.nl> ---
OCSP was enabled globally, so the regression would explain that part.



[Bug 62609] ERR_SSL_PROTOCOL_ERROR with SSLVerifyClient in 2.4.34 when using custom CA


Michiel Hazelhof <mi...@hazelhof.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |michiel@hazelhof.nl



[Bug 62609] ERR_SSL_PROTOCOL_ERROR with SSLVerifyClient in 2.4.34 when using custom CA


Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #2 from Joe Orton <jo...@redhat.com> ---
Do you have OCSP enabled at a higher level?  I think the specific string
"application verification failure" should only appear with OCSP enabled, but I
might be wrong.  There was a merging regression in 2.4.34 with
SSLOCSPOverrideResponder which could cause an OCSP config to fail upgrading
from .33 to 34.

If you don't have any OCSP enabled I'm at a loss... was this config working
with a version OLDER than 2.4.33 as well?
