Posted to dev@httpd.apache.org by Rainer Jung <ra...@kippdata.de> on 2018/10/20 06:08:57 UTC

OCSP with TLS 1.3 in 2.4.37 false positive?

After Yann's mail I double checked and fixed my setup to actually use 
TLS 1.3 in the test suite when OpenSSL 1.1.1 is available.

I now see a new OCSP test failure, namely test 3 (revoked certificate). 
The revocation is correctly detected

[Sat Oct 20 06:14:46.492343 2018] [ssl:error] [pid 13631:tid 
140131235235584] [client 127.0.0.1:43881] AH03239: OCSP validation 
completed, certificate status: revoked (1, -1) [subject: 
emailAddress=test-dev@httpd.apache.org,CN=client_revoked,OU=httpd-test,O=ASF,L=San 
Francisco,ST=California,C=US / issuer: 
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San 
Francisco,ST=California,C=US / serial: 09 / notbefore: Oct 20 04:04:52 
2018 GMT / notafter: Oct 20 04:04:52 2019 GMT]
[Sat Oct 20 06:14:46.492452 2018] [ssl:info] [pid 13631:tid 
140131235235584] [client 127.0.0.1:43881] AH02276: Certificate 
Verification: Error (23): certificate revoked [subject: 
emailAddress=test-dev@httpd.apache.org,CN=client_revoked,OU=httpd-test,O=ASF,L=San 
Francisco,ST=California,C=US / issuer: 
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San 
Francisco,ST=California,C=US / serial: 09 / notbefore: Oct 20 04:04:52 
2018 GMT / notafter: Oct 20 04:04:52 2019 GMT]

and the signaling looks OK:

[Sat Oct 20 06:14:46.492666 2018] [ssl:trace3] [pid 13631:tid 
140131235235584] ssl_engine_kernel.c(2210): [client 127.0.0.1:43881] 
OpenSSL: Write: error
[Sat Oct 20 06:14:46.492691 2018] [ssl:trace3] [pid 13631:tid 
140131235235584] ssl_engine_kernel.c(2229): [client 127.0.0.1:43881] 
OpenSSL: Exit: error in error
[Sat Oct 20 06:14:46.492708 2018] [ssl:info] [pid 13631:tid 
140131235235584] [client 127.0.0.1:43881] AH02008: SSL library error 1 
in handshake (server localhost:8535)
[Sat Oct 20 06:14:46.492873 2018] [ssl:info] [pid 13631:tid 
140131235235584] SSL Library Error: error:1417C086:SSL 
routines:tls_process_client_certificate:certificate verify failed
[Sat Oct 20 06:14:46.492903 2018] [ssl:info] [pid 13631:tid 
140131235235584] [client 127.0.0.1:43881] AH01998: Connection closed to 
child 136 with abortive shutdown (server localhost:8535)

That looks very similar to what gets logged for TLSv1.2.

But the client shows:
500 Status read failed:
Content-Type: text/plain
Client-Date: Sat, 20 Oct 2018 04:33:39 GMT
Client-Warning: Internal response

Status read failed:  at .../lib/perl5/Net/HTTP/Methods.pm line 282.
not ok 3

instead of

/500 Can't connect to localhost:8535 (SSL connect attempt failed 
error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked)
Content-Type: text/plain
Client-Date: Sat, 20 Oct 2018 04:32:14 GMT
Client-Warning: Internal response

Can't connect to localhost:8535 (SSL connect attempt failed 
error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked)

SSL connect attempt failed error:14094414:SSL 
routines:ssl3_read_bytes:sslv3 alert certificate revoked at 
.../lib/perl5/LWP/Protocol/http.pm line 50.
ok 3

That looks to me like a change in behavior of the underlying client-side 
TLS layer in how it signals the alert to the HTTP layer.

Regards,

Rainer
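An added example, not part of Rainer's post or of httpd itself: a small Python parser for the mod_ssl error-log lines quoted above. It correlates the AH03239 OCSP result, the AH02276 verification error and the AH01998 abortive shutdown per client address, so that enforcement of a revoked client certificate can be confirmed from the server log regardless of whether the client-side TLS library reports the alert at connect time (TLS 1.2) or on the first read (TLS 1.3). It assumes the standard mod_ssl log layout shown in the post; the sample log is the post's own lines re-joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: the mod_ssl lines quoted in the post, re-joined onto
# single lines (the mailing-list archive wrapped them at ~75 columns).
SAMPLE_LOG = """\
[Sat Oct 20 06:14:46.492343 2018] [ssl:error] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH03239: OCSP validation completed, certificate status: revoked (1, -1) [subject: emailAddress=test-dev@httpd.apache.org,CN=client_revoked,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 09 / notbefore: Oct 20 04:04:52 2018 GMT / notafter: Oct 20 04:04:52 2019 GMT]
[Sat Oct 20 06:14:46.492452 2018] [ssl:info] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH02276: Certificate Verification: Error (23): certificate revoked [subject: emailAddress=test-dev@httpd.apache.org,CN=client_revoked,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 09 / notbefore: Oct 20 04:04:52 2018 GMT / notafter: Oct 20 04:04:52 2019 GMT]
[Sat Oct 20 06:14:46.492708 2018] [ssl:info] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH02008: SSL library error 1 in handshake (server localhost:8535)
[Sat Oct 20 06:14:46.492903 2018] [ssl:info] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH01998: Connection closed to child 136 with abortive shutdown (server localhost:8535)
"""

# One mod_ssl error-log line: timestamp, level, pid/tid, optional client, AH code, message.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:(?P<level>\w+)\] \[pid \d+:tid \d+\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<code>AH\d{5}): (?P<msg>.*)$")
OCSP_RE = re.compile(r"certificate status: (?P<status>\w+)")
SUBJ_RE = re.compile(r"\[subject: (?P<subject>.*?) / issuer: .*? / serial: (?P<serial>[0-9A-Fa-f]+)")
VERIFY_RE = re.compile(r"Error \((?P<num>\d+)\): (?P<text>.+?) \[subject")
CN_RE = re.compile(r"(?:^|,)CN=([^,]+)")

def parse_mod_ssl(log_text):
    """Group mod_ssl events per client address and summarise the OCSP outcome."""
    clients = defaultdict(lambda: {"ocsp_status": None, "cn": None, "serial": None,
                                   "verify_error": None, "aborted": False, "codes": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("client"):
            continue  # lines without a client address (e.g. "SSL Library Error") are skipped
        rec, code, msg = clients[m.group("client")], m.group("code"), m.group("msg")
        rec["codes"].append(code)
        if code == "AH03239":  # OCSP responder answered; record status and the cert it concerns
            rec["ocsp_status"] = OCSP_RE.search(msg).group("status")
            s = SUBJ_RE.search(msg)
            if s:
                rec["serial"] = s.group("serial")
                cn = CN_RE.search(s.group("subject"))
                rec["cn"] = cn.group(1) if cn else None
        elif code == "AH02276":  # X509 verification result as seen by OpenSSL (23 = revoked)
            v = VERIFY_RE.search(msg)
            rec["verify_error"] = (int(v.group("num")), v.group("text")) if v else None
        elif code == "AH01998" and "abortive shutdown" in msg:
            rec["aborted"] = True  # server tore the connection down after the failed verify
    return dict(clients)

def revoked_and_rejected(log_text):
    """Clients whose certificate OCSP reported revoked and whose connection the server aborted."""
    return sorted(c for c, r in parse_mod_ssl(log_text).items()
                  if r["ocsp_status"] == "revoked" and r["aborted"])
```

Feeding the same parser the TLS 1.2 and TLS 1.3 runs of the test should yield identical per-client records, which is the server-side evidence that the difference in Rainer's output is confined to the client.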