Posted to bugs@httpd.apache.org by bu...@apache.org on 2009/01/14 20:27:23 UTC

DO NOT REPLY [Bug 46531] New: Erroneously reports Server Certificate as Revoked if same serial No. in CRL

https://issues.apache.org/bugzilla/show_bug.cgi?id=46531

           Summary: Erroneously reports Server Certificate as Revoked if same
                    serial No. in CRL
           Product: Apache httpd-2
           Version: 2.2.9
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: Parvan.Parvanov@gmail.com


Server Certificate is self-signed and has a Serial No. 00

If the same Serial No. (00) is present in the CRL (Certificate Revocation List),
upon log-in Internet Explorer issues a message, similar to the following:

"This Site's Security Certificate is revoked. Do not trust this site!"

and prohibits log-in.

Installed on Windows Server 2003 and Windows XP Pro SP1 (both installations
display the same behaviour).

Installed from:
apache_2.2.9-win32-x86-openssl-0.9.8h-r2.msi

The Server Certificate is self-signed.
The CA Certificate is self-signed, too.

All certificates and CRLs are created using command-line OpenSSL 0.9.8b.

No errors are reported in the course of Certificate Generation or the Normal
Apache run.


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 46531] Erroneously reports Server Certificate as Revoked if same serial No. in CRL

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46531


Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




--- Comment #1 from Eric Covener <co...@gmail.com>  2009-01-14 12:01:41 PST ---
Apache isn't checking the CRL in this case, marking invalid. Elaborate if
there's an alleged bug in Apache.




DO NOT REPLY [Bug 46531] Erroneously reports Server Certificate as Revoked if same serial No. in CRL

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46531





--- Comment #3 from Eric Covener <co...@gmail.com>  2009-01-16 10:33:41 PST ---
(In reply to comment #2)
> Certificate, which is Not revoked and Not expired.
> 
> When I remove the line with the revoked User certificate with Serial
> No.00 from openssl's index.txt and generate a new CRL,
> put it on the Apache and restart Apache,
> the situation is normal again, the Apache behaves well, granting (or
> denying) access to the site as appropriate.
> 
> It seems to me improper for Apache to deny access to the site on the
> grounds of revoked User certificate with Serial No.00, just because
> the Server certificate has the same SerialNo. 00.
> 
> Both the Server certificate and the CA Certificate (used to create the
> User Certificates and put on the Apache to check them) are
> self-signed.
> 

Is your IE consulting the same CRL? I'm a little confused as to how your
symptom is a popup in IE.

Provide logs, config, cert details, and the verbatim message you see in IE.




DO NOT REPLY [Bug 46531] Erroneously reports Server Certificate as Revoked if same serial No. in CRL

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46531


ParvanParvanov <Pa...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |




--- Comment #2 from ParvanParvanov <Pa...@gmail.com>  2009-01-16 10:23:59 PST ---
Certificate, which is Not revoked and Not expired.

When I remove the line with the revoked User certificate with Serial
No.00 from openssl's index.txt and generate a new CRL,
put it on the Apache and restart Apache,
the situation is normal again, the Apache behaves well, granting (or
denying) access to the site as appropriate.

It seems to me improper for Apache to deny access to the site on the
grounds of revoked User certificate with Serial No.00, just because
the Server certificate has the same SerialNo. 00.

Both the Server certificate and the CA Certificate (used to create the
User Certificates and put on the Apache to check them) are
self-signed.
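
Added example, not part of the bug report and not Apache or OpenSSL code: a direct CRL entry applies only to certificates issued by the CRL's issuer, so the block below reads revoked serials from an OpenSSL-style index.txt and contrasts a serial-only comparison with an issuer-scoped one. The index.txt lines, all DNs and the function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample of an OpenSSL CA database (index.txt). Tab-separated:
# status, expiry, revocation date, serial (hex), filename, subject DN.
INDEX_TXT = (
    "R\t100114000000Z\t090110120000Z\t00\tunknown\t/O=Example/CN=user-a\n"
    "V\t100114000000Z\t\t01\tunknown\t/O=Example/CN=user-b\n"
)

CA_DN = "/O=Example/CN=Example CA"            # hypothetical CRL issuer
SERVER_DN = "/O=Example/CN=www.example.test"  # hypothetical self-signed server


@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    serial: int


def revoked_serials(index_txt):
    """Serials of entries marked R, the ones a generated CRL would list."""
    serials = set()
    for line in index_txt.splitlines():
        fields = line.split("\t")
        if len(fields) == 6 and fields[0] == "R":
            serials.add(int(fields[3], 16))
    return serials


def revoked_serial_only(cert, crl_serials):
    """Flawed comparison: ignores which CA issued the certificate."""
    return cert.serial in crl_serials


def revoked_scoped(cert, crl_issuer, crl_serials):
    """Issuer-scoped comparison: the entry counts only for the CRL issuer's certs."""
    return cert.issuer == crl_issuer and cert.serial in crl_serials


if __name__ == "__main__":
    crl = revoked_serials(INDEX_TXT)
    server = Cert(SERVER_DN, SERVER_DN, 0)  # self-signed: issuer == subject
    print("serial-only:", revoked_serial_only(server, crl))
    print("issuer-scoped:", revoked_scoped(server, CA_DN, crl))
```

If a self-signed server certificate carries the same DN as the CA, the issuer-scoped check also matches; comparing the output of `openssl x509 -noout -issuer -serial` with `openssl crl -noout -issuer` shows whether that is the case.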




DO NOT REPLY [Bug 46531] Erroneously reports Server Certificate as Revoked if same serial No. in CRL

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46531

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |INVALID

--- Comment #4 from Eric Covener <co...@gmail.com> 2011-08-07 00:24:45 UTC ---
Unclear report, no followup.
