Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/07/01 00:17:53 UTC

DO NOT REPLY [Bug 21160] - SSL certificate chain handling suddenly fails to work properly

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21160>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21160

SSL certificate chain handling suddenly fails to work properly

------- Additional Comments From d.tonhofer@m-plify.com  2003-06-30 22:17 -------
As promised, more information (I am actually keeping my word for once, wow!):

I finally got it to work, though why it *does* work is a mystery.

First, some info on what does not work:

I tried the three SSL virtual servers pairwise. On each occasion, Apache startup
failed. I got the idea of setting the verbosity level to debug ('LogLevel Debug'),
thus we find the following in the logfile, in case all three SSL virtual servers
are configured:

[Mon Jun 30 23:03:31 2003] [info] Init: Initializing OpenSSL library
[Mon Jun 30 23:03:31 2003] [info] Init: Seeding PRNG with 648 bytes of entropy
[Mon Jun 30 23:03:31 2003] [info] Loading certificate & private key of SSL-aware
server
[Mon Jun 30 23:03:31 2003] [info] Init: Requesting pass phrase via builtin
terminal dialog
[Mon Jun 30 23:03:38 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA
private key - pass phrase requested
[Mon Jun 30 23:03:38 2003] [info] Loading certificate & private key of SSL-aware
server
[Mon Jun 30 23:03:38 2003] [info] Init: Requesting pass phrase via builtin
terminal dialog
[Mon Jun 30 23:03:47 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA
private key - pass phrase requested
[Mon Jun 30 23:03:47 2003] [info] Loading certificate & private key of SSL-aware
server
[Mon Jun 30 23:03:47 2003] [info] Init: Requesting pass phrase via builtin
terminal dialog
[Mon Jun 30 23:03:54 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA
private key - pass phrase requested
[Mon Jun 30 23:03:54 2003] [info] Init: Wiped out the queried pass phrases from
memory
[Mon Jun 30 23:03:54 2003] [info] Init: Generating temporary RSA private keys
(512/1024 bits)
[Mon Jun 30 23:03:54 2003] [info] Init: Generating temporary DH parameters
(512/1024 bits)
[Mon Jun 30 23:03:54 2003] [debug] ssl_scache_dbm.c(422): Inter-Process Session
Cache (DBM) Expiry: old: 0, new: 0, removed: 0
[Mon Jun 30 23:03:54 2003] [info] Init: Initializing (virtual) servers for SSL
[Mon Jun 30 23:03:54 2003] [info] Configuring server for SSL protocol
[Mon Jun 30 23:03:54 2003] [debug] ssl_engine_init.c(436): Creating new SSL
context (protocols: SSLv2, SSLv3, TLSv1)
[Mon Jun 30 23:03:54 2003] [debug] ssl_engine_init.c(611): Configuring permitted
SSL ciphers [ALL:!IDEA:!ADH:EXPORT56:EXPORT40:!NULL:+HIGH:+MEDIUM:+LOW]
[Mon Jun 30 23:03:54 2003] [error] Failed to configure CA certificate chain!

I will spare you the pairs, it's the same...

I then tried each of the SSL virtual servers alone. In each case, 
startup was a success:

[Mon Jun 30 23:03:31 2003] [info] Init: Initializing OpenSSL library
[Mon Jun 30 23:03:31 2003] [info] Init: Seeding PRNG with 648 bytes of entropy
[Mon Jun 30 23:03:31 2003] [info] Loading certificate & private key of SSL-aware
server
[Mon Jun 30 23:03:31 2003] [info] Init: Requesting pass phrase via builtin
terminal dialog
[Mon Jun 30 23:03:38 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA
private key - pass phrase requested
[Mon Jun 30 23:03:38 2003] [info] Loading certificate & private key of SSL-aware
server
[Mon Jun 30 23:03:38 2003] [info] Init: Requesting pass phrase via builtin
terminal dialog
[Mon Jun 30 23:03:47 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA
private key - pass phrase requested
[Mon Jun 30 23:03:47 2003] [info] Loading certificate & private key of SSL-aware
server
[Mon Jun 30 23:03:47 2003] [info] Init: Requesting pass phrase via builtin
terminal dialog
[Mon Jun 30 23:03:54 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA
private key - pass phrase requested
[Mon Jun 30 23:03:54 2003] [info] Init: Wiped out the queried pass phrases from
memory
[Mon Jun 30 23:03:54 2003] [info] Init: Generating temporary RSA private keys
(512/1024 bits)
[Mon Jun 30 23:03:54 2003] [info] Init: Generating temporary DH parameters
(512/1024 bits)
[Mon Jun 30 23:03:54 2003] [debug] ssl_scache_dbm.c(422): Inter-Process Session
Cache (DBM) Expiry: old: 0, new: 0, removed: 0
[Mon Jun 30 23:03:54 2003] [info] Init: Initializing (virtual) servers for SSL
[Mon Jun 30 23:03:54 2003] [info] Configuring server for SSL protocol
[Mon Jun 30 23:03:54 2003] [debug] ssl_engine_init.c(436): Creating new SSL
context (protocols: SSLv2, SSLv3, TLSv1)
[Mon Jun 30 23:03:54 2003] [debug] ssl_engine_init.c(611): Configuring permitted
SSL ciphers [ALL:!IDEA:!ADH:EXPORT56:EXPORT40:!NULL:+HIGH:+MEDIUM:+LOW]
[Mon Jun 30 23:03:54 2003] [error] Failed to configure CA certificate chain!

I figured I would continue with a pair of servers and whittle down the
SSL config file until things began to work. This actually paid off!

It turns out that the presence of this block seems to be confusing:

  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
      SSLOptions +StdEnvVars
  </Files>
  <Directory "/usr/local/apache2/cgi-bin">
      SSLOptions +StdEnvVars
  </Directory>

I had this block in each of the three SSL virtual servers, taken from the
original file coming with Apache. I commented it out in one (1) of the three.

Lo and behold! It works! Now the passphrase dialog spits out an error after
having asked for the 2nd passphrase. This however, does not prevent it from
reading the third passphrase. It is also a Good Sign, because whenever this
error shows up, the webserver will be able to configure itself:


Server www.m-plify.com:443 (RSA)
Enter pass phrase:

Server rei1.m-plify.net:443 (RSA)
Enter pass phrase:1024:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
1024:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:939:
1024:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
1024:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:


I'm completely at a loss to explain a relationship between the configuration
instructions above and SSL certificate chain configuration, sorry....but that's
what happened.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
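The comment above ends with two symptoms that are worth checking outside Apache before touching the vhost configuration: "Failed to configure CA certificate chain!" (the SSLCertificateChainFile could not be loaded) and an ASN.1 "bad tag" error from d2i_PrivateKey while a pass phrase is being read (a decoded private key that is not valid ASN.1, which is what a key file in the wrong format, or a legacy-encrypted PEM key decrypted under the wrong pass phrase, can produce). The pre-flight script below is an added example written for this page; it is not part of the bug report, nor Apache or mod_ssl code. It uses only the openssl command line (assumed to be 1.0.2 or newer, for the -partial_chain option) and assumes the file layout of one virtual host: key, certificate, optional chain file. The function and variable names (check_vhost, SSL_KEY_PASS) are hypothetical. It checks that the key loads, that the certificate's public key matches the key, and that the chain file is a PEM bundle that actually issues the certificate.

```shell
#!/bin/sh
# ssl-preflight.sh: sanity-check one mod_ssl virtual host's key, certificate
# and chain file with the openssl CLI before restarting Apache.
#
#   check_vhost NAME KEYFILE CERTFILE [CHAINFILE]
#
# Returns 0 when everything is consistent, 1 otherwise, printing one line per
# finding. For an encrypted key, export SSL_KEY_PASS; it is handed to openssl
# via "env:" so the pass phrase never appears on a command line.

passin_opt() {
    # Emit "-passin env:SSL_KEY_PASS" only when a pass phrase was supplied;
    # naming an unset variable would make openssl itself fail.
    if [ -n "${SSL_KEY_PASS:-}" ]; then
        printf '%s' "-passin env:SSL_KEY_PASS"
    fi
}

# SHA-256 of the DER SubjectPublicKeyInfo, so key and certificate can be
# compared regardless of key type (RSA, EC, ...).
key_spki_hash() {   # $1 = private key file
    openssl pkey -in "$1" $(passin_opt) -pubout -outform DER 2>/dev/null \
      | openssl dgst -sha256
}
cert_spki_hash() {  # $1 = certificate file
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256
}

# Number of PEM certificate blocks in a file (0 for an empty or binary file).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

check_vhost() {
    name=$1 key=$2 cert=$3 chain=${4:-}
    status=0

    # 1. The private key must PEM-decode, decrypt (if encrypted) and parse.
    #    A wrong pass phrase or a non-PEM file fails here, outside Apache.
    if ! openssl pkey -in "$key" $(passin_opt) -noout 2>/dev/null; then
        echo "$name: private key $key does not load (wrong pass phrase or not a PEM key?)"
        status=1
    fi

    # 2. The certificate must parse, and its public key must belong to the key.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "$name: certificate $cert does not load"
        status=1
    elif [ "$status" -eq 0 ] && [ "$(key_spki_hash "$key")" != "$(cert_spki_hash "$cert")" ]; then
        echo "$name: public key in $cert does not match $key"
        status=1
    fi

    # 3. The chain file must be a PEM bundle whose certificates issue the leaf.
    if [ -n "$chain" ]; then
        n=$(count_pem_certs "$chain")
        if [ "${n:-0}" -eq 0 ]; then
            echo "$name: chain file $chain contains no PEM certificates"
            status=1
        elif ! openssl crl2pkcs7 -nocrl -certfile "$chain" 2>/dev/null \
               | openssl pkcs7 -print_certs -noout >/dev/null 2>&1; then
            echo "$name: chain file $chain has a certificate block that does not parse"
            status=1
        # -partial_chain lets an intermediate in the file act as trust anchor,
        # so this checks chain continuity, not trust by the system root store.
        elif ! openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1; then
            echo "$name: $cert is not issued by the certificates in $chain"
            status=1
        fi
    fi

    [ "$status" -eq 0 ] && echo "$name: OK"
    return "$status"
}

# Run directly: ./ssl-preflight.sh NAME KEYFILE CERTFILE [CHAINFILE]
if [ "$#" -ge 3 ]; then
    check_vhost "$@"
fi
```

Run it once per SSL virtual host, with the same files the SSLCertificateKeyFile, SSLCertificateFile and SSLCertificateChainFile directives point at; a failure in step 1 reproduces the pass phrase dialog problem, a failure in step 3 reproduces "Failed to configure CA certificate chain!", and both are far cheaper to bisect than the full Apache startup. The chain check deliberately stops at continuity, because the question in this bug is whether mod_ssl can load the file, not whether clients will trust it. While reading the debug log, also note that it shows SSLv2 enabled and 512-bit temporary RSA and DH parameters being generated, the mod_ssl defaults of that era; neither is acceptable on a server today.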