Posted to dev@httpd.apache.org by Rainer Jung <ra...@kippdata.de> on 2018/10/18 12:27:12 UTC
OCSP in 2.4 with OpenSSL 0.9.8(zh)
I get test suite failures for t/ssl/ocsp.t when the server is built
against OpenSSL 0.9.8zh. I can't judge whether that is expected for
OpenSSL 0.9.8.
Example error log:
...
18 14:15:11.833126 [ssl:debug] ssl_util_ocsp.c(406): Configuring Trusted
OCSP certificates
...
18 14:15:12.238943 [ssl:info] AH01876: mod_ssl/2.4.36 compiled against
Server: Apache/2.4.36, Library: OpenSSL/0.9.8zh
...
18 14:15:14.015398 [ssl:info] AH01964: Connection to child 0 established
(server localhost:8535)
18 14:15:14.015949 [ssl:debug] ssl_engine_kernel.c(2328): AH02043: SSL
virtual host for servername localhost found
18 14:15:14.143610 [ssl:info] AH02008: SSL library error 1 in handshake
(server localhost:8535)
18 14:15:14.143662 [ssl:info] SSL Library Error: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
-- No CAs known to server for verification?
18 14:15:14.143670 [ssl:info] AH01998: Connection closed to child 0 with
abortive shutdown (server localhost:8535)
18 14:15:14.166594 [ssl:info] AH01964: Connection to child 1 established
(server localhost:8535)
18 14:15:14.166901 [ssl:debug] ssl_engine_kernel.c(2328): AH02043: SSL
virtual host for servername localhost found
18 14:15:14.208760 [ssl:debug] ssl_engine_kernel.c(1749): AH02275:
Certificate Verification, depth 1, CRL checking mode: none (0) [subject:
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / issuer:
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / serial: B959B377BC9B01EE / notbefore: Oct
18 01:35:05 2018 GMT / notafter: Oct 18 01:35:05 2019 GMT]
18 14:15:14.208953 [ssl:debug] ssl_engine_kernel.c(1749): AH02275:
Certificate Verification, depth 0, CRL checking mode: none (0) [subject:
emailAddress=test-dev@httpd.apache.org,CN=client_ok,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / issuer:
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / serial: 09 / notbefore: Oct 18 01:35:08
2018 GMT / notafter: Oct 18 01:35:08 2019 GMT]
18 14:15:14.209355 [ssl:debug] ssl_util_ocsp.c(99): AH01973: connecting
to OCSP responder 'localhost:8529'
18 14:15:14.209449 [ssl:debug] ssl_util_ocsp.c(125): AH01975: sending
request to OCSP responder
18 14:15:14.270405 [ssl:debug] ssl_util_ocsp.c(235): AH01981: OCSP
response header: Date: Thu, 18 Oct 2018 12:15:14 GMT
18 14:15:14.270423 [ssl:debug] ssl_util_ocsp.c(235): AH01981: OCSP
response header: Server: Apache/2.4.36 (Unix) OpenSSL/0.9.8zh
18 14:15:14.270428 [ssl:debug] ssl_util_ocsp.c(235): AH01981: OCSP
response header: Vary: In-If1
18 14:15:14.270432 [ssl:debug] ssl_util_ocsp.c(235): AH01981: OCSP
response header: DMMATCH1: 1
18 14:15:14.270436 [ssl:debug] ssl_util_ocsp.c(235): AH01981: OCSP
response header: Connection: close
18 14:15:14.270440 [ssl:debug] ssl_util_ocsp.c(235): AH01981: OCSP
response header: Content-Type: application/ocsp-response
18 14:15:14.276787 [ssl:error] AH01988: failed to decode OCSP response data
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
18 14:15:14.276823 [ssl:error] SSL Library Error: error:0D06B08E:asn1
encoding routines:ASN1_D2I_READ_BIO:not enough data
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
18 14:15:14.276950 [ssl:info] AH02276: Certificate Verification: Error
(50): application verification failure [subject:
emailAddress=test-dev@httpd.apache.org,CN=client_ok,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / issuer:
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / serial: 09 / notbefore: Oct 18 01:35:08
2018 GMT / notafter: Oct 18 01:35:08 2019 GMT]
18 14:15:14.277136 [ssl:info] AH02008: SSL library error 1 in handshake
(server localhost:8535)
18 14:15:14.277156 [ssl:info] SSL Library Error: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
18 14:15:14.277162 [ssl:info] AH01998: Connection closed to child 1 with
abortive shutdown (server localhost:8535)
18 14:15:14.284803 [ssl:info] AH01964: Connection to child 0 established
(server localhost:8535)
18 14:15:14.285098 [ssl:debug] ssl_engine_kernel.c(2328): AH02043: SSL
virtual host for servername localhost found
18 14:15:14.326054 [ssl:debug] ssl_engine_kernel.c(1749): AH02275:
Certificate Verification, depth 1, CRL checking mode: none (0) [subject:
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / issuer:
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / serial: B959B377BC9B01EE / notbefore: Oct
18 01:35:05 2018 GMT / notafter: Oct 18 01:35:05 2019 GMT]
18 14:15:14.326248 [ssl:debug] ssl_engine_kernel.c(1749): AH02275:
Certificate Verification, depth 0, CRL checking mode: none (0) [subject:
emailAddress=test-dev@httpd.apache.org,CN=client_revoked,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / issuer:
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / serial: 01 / notbefore: Oct 18 01:35:05
2018 GMT / notafter: Oct 18 01:35:05 2019 GMT]
18 14:15:14.326491 [ssl:debug] ssl_util_ocsp.c(99): AH01973: connecting
to OCSP responder 'localhost:8529'
18 14:15:14.326574 [ssl:debug] ssl_util_ocsp.c(125): AH01975: sending
request to OCSP responder
18 14:15:14.371043 [ssl:debug] ssl_util_ocsp.c(235): AH01981: OCSP
response header: Date: Thu, 18 Oct 2018 12:15:14 GMT
18 14:15:14.371060 [ssl:debug] ssl_util_ocsp.c(235): AH01981: OCSP
response header: Server: Apache/2.4.36 (Unix) OpenSSL/0.9.8zh
18 14:15:14.371065 [ssl:debug] ssl_util_ocsp.c(235): AH01981: OCSP
response header: Vary: In-If1
18 14:15:14.371070 [ssl:debug] ssl_util_ocsp.c(235): AH01981: OCSP
response header: DMMATCH1: 1
18 14:15:14.371073 [ssl:debug] ssl_util_ocsp.c(235): AH01981: OCSP
response header: Connection: close
18 14:15:14.371077 [ssl:debug] ssl_util_ocsp.c(235): AH01981: OCSP
response header: Content-Type: application/ocsp-response
18 14:15:14.375883 [ssl:error] AH01988: failed to decode OCSP response data
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
18 14:15:14.375914 [ssl:error] SSL Library Error: error:0D06B08E:asn1
encoding routines:ASN1_D2I_READ_BIO:not enough data
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
18 14:15:14.376043 [ssl:info] AH02276: Certificate Verification: Error
(50): application verification failure [subject:
emailAddress=test-dev@httpd.apache.org,CN=client_revoked,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / issuer:
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / serial: 01 / notbefore: Oct 18 01:35:05
2018 GMT / notafter: Oct 18 01:35:05 2019 GMT]
18 14:15:14.376227 [ssl:info] AH02008: SSL library error 1 in handshake
(server localhost:8535)
18 14:15:14.376243 [ssl:info] SSL Library Error: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
18 14:15:14.376248 [ssl:info] AH01998: Connection closed to child 0 with
abortive shutdown (server localhost:8535)
Regards,
Rainer
Re: OCSP in 2.4 with OpenSSL 0.9.8(zh)
Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Thu, Oct 18, 2018 at 8:01 AM William A Rowe Jr <wr...@rowe-clan.net>
wrote:
> On Thu, Oct 18, 2018 at 7:27 AM Rainer Jung <ra...@kippdata.de>
> wrote:
>
>> I get test suite failures for t/ssl/ocsp.t when the server is built
>> against OpenSSL 0.9.8zh. I can't judge whether that is expected for
>> OpenSSL 0.9.8.
>
>
> A very good question, and I can't either. Can you confirm your openssl
> command line tool has the `openssl ocsp` mini-responder by posting the
> results of an `openssl ocsp -help` invocation?
>
> It might be that we never handled ocsp here.
>
> It might also be that your $openssl resolves to a system tool which is not
> in sync with the openssl tested in httpd. You may want to override that
> value.
>
To override, it seems you need to use an envvar;
./Apache-Test/lib/Apache/TestSSLCA.pm:
my $openssl = $ENV{APACHE_TEST_OPENSSL_CMD} || 'openssl';
We offer no t/TEST -openssl= option.
Re: OCSP in 2.4 with OpenSSL 0.9.8(zh)
Posted by Rainer Jung <ra...@kippdata.de>.
Some answers inline and the solution at the end ...
On 18.10.2018 at 15:01, William A Rowe Jr wrote:
> On Thu, Oct 18, 2018 at 7:27 AM Rainer Jung <rainer.jung@kippdata.de
> <ma...@kippdata.de>> wrote:
>
> I get test suite failures for t/ssl/ocsp.t when the server is built
> against OpenSSL 0.9.8zh. I can't judge whether that is expected for
> OpenSSL 0.9.8.
>
>
> A very good question, and I can't either. Can you confirm your openssl
> command line tool has the `openssl ocsp` mini-responder by posting the
> results of an `openssl ocsp -help` invocation?
$ openssl ocsp -help
OCSP utility
Usage ocsp [options]
...
$ openssl version -a
OpenSSL 0.9.8zh 3 Dec 2015
built on: Tue Sep 11 11:20:47 CEST 2018
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(1x,char) des(idx,cisc,16,int) idea(int)
blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -fPIC -g -Wall -fno-strict-aliasing
-Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int
-DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM
OPENSSLDIR: "..."
> It might be that we never handled ocsp here.
>
> It might also be that your $openssl resolves to a system tool which is not
> in sync with the openssl tested in httpd. You may want to override that
> value.
Should not. I'm handling so many OpenSSL versions on the client and
server side, so I'm typically really careful to set up the PATH etc. so
the right tools are found. But even the platform openssl supports ocsp.
> And maybe httpd never supported the ocsp directives with 0.9.8, so our
> tests for the micro responder and the version of httpd alone are not
> sufficient.
Found it: OpenSSL 0.9.8 doesn't allow "ocsp -reqin -" which is used by
the ocsp.pl script in the test suite. Reading from stdin works in 1.0.2
but throws the following error in 0.9.8:
Error Opening OCSP request file
3487:error:02001002:system library:fopen:No such file or
directory:bss_file.c:124:fopen('-','rb')
3487:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:127:
It also does not work in 1.0.1, so our OCSP tests should not run for
OpenSSL < 1.0.2 (or we must fix the perl script by using a tmp file).
Regards,
Rainer
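An added example, not code from the httpd test suite's ocsp.pl, showing the fallback Rainer proposes above together with the APACHE_TEST_OPENSSL_CMD override Bill quotes from TestSSLCA.pm: a POSIX sh wrapper that checks the OpenSSL version string and only uses `-reqin -` on 1.0.2 or newer, spooling the request to a temporary file otherwise. The function names are my own; the responder port in the comment is the one from the log above.

```shell
#!/bin/sh
# Added example, not code from httpd-test's ocsp.pl: decide whether this
# OpenSSL can read an OCSP request from stdin via "-reqin -" (fails on
# 0.9.8 and 1.0.1, works from 1.0.2 on, per the thread) and otherwise
# spool the request to a temporary file before calling "openssl ocsp".

# Argument: the first line of `openssl version`, e.g. "OpenSSL 0.9.8zh 3 Dec 2015".
# Returns 0 (true) when the version is 1.0.2 or newer, 1 otherwise.
openssl_reqin_stdin_ok() {
    ver=$(printf '%s\n' "$1" | awk 'NR == 1 { print $2 }')
    # Drop the patch-letter suffix (zh, u, p) and anything after it
    num=$(printf '%s\n' "$ver" | sed 's/[^0-9.].*$//')
    major=$(printf '%s\n' "$num" | cut -d. -f1)
    minor=$(printf '%s\n' "$num" | cut -s -d. -f2)
    fix=$(printf '%s\n' "$num" | cut -s -d. -f3)
    # Missing fields count as 0 (e.g. "3.0" -> 3.0.0)
    major=${major:-0}; minor=${minor:-0}; fix=${fix:-0}
    [ "$((major * 10000 + minor * 100 + fix))" -ge 10002 ]
}

# Reads a DER-encoded OCSP request on stdin and runs "openssl ocsp" with the
# remaining arguments, e.g. -url http://localhost:8529 -respout resp.der.
# Like TestSSLCA.pm, honours APACHE_TEST_OPENSSL_CMD to pick the binary.
ocsp_reqin_stdin() {
    openssl_bin=${APACHE_TEST_OPENSSL_CMD:-openssl}
    if openssl_reqin_stdin_ok "$("$openssl_bin" version)"; then
        "$openssl_bin" ocsp -reqin - "$@"
        return $?
    fi
    # Old OpenSSL: fopen('-') fails, so spool stdin to a temp file instead
    tmp=$(mktemp) || return 1
    if ! cat > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    "$openssl_bin" ocsp -reqin "$tmp" "$@"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

A caller pipes the request in, e.g. `ocsp_reqin_stdin -url http://localhost:8529 -respout resp.der < req.der`, and gets the same behaviour on every OpenSSL the thread mentions.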
Re: OCSP in 2.4 with OpenSSL 0.9.8(zh)
Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Thu, Oct 18, 2018 at 7:27 AM Rainer Jung <ra...@kippdata.de> wrote:
> I get test suite failures for t/ssl/ocsp.t when the server is built
> against OpenSSL 0.9.8zh. I can't judge whether that is expected for
> OpenSSL 0.9.8.
A very good question, and I can't either. Can you confirm your openssl
command line tool has the `openssl ocsp` mini-responder by posting the
results of an `openssl ocsp -help` invocation?
It might be that we never handled ocsp here.
It might also be that your $openssl resolves to a system tool which is not
in sync with the openssl tested in httpd. You may want to override that
value.
And maybe httpd never supported the ocsp directives with 0.9.8, so our
tests for the micro responder and the version of httpd alone are not
sufficient.