Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/05/23 08:50:14 UTC
[Bug 59615] New: SSLCertificateChainFile fails to load valid pem blob
https://bz.apache.org/bugzilla/show_bug.cgi?id=59615
Bug ID: 59615
Summary: SSLCertificateChainFile fails to load valid pem blob
Product: Apache httpd-2
Version: 2.4.20
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: petr.sumbera@oracle.com
Created attachment 33864
--> https://bz.apache.org/bugzilla/attachment.cgi?id=33864&action=edit
possible fix
This used to work in version <= 2.4.16. From 2.4.17 it gives the following error:
[Mon May 09 13:48:16.851313 2016] [ssl:emerg] [pid 26389:tid 1] AH01903: Failed to configure CA certificate chain!
[Mon May 09 13:48:16.851430 2016] [ssl:emerg] [pid 26389:tid 1] AH02312: Fatal error initialising mod_ssl, exiting.
--
To reproduce the issue add:
SSLCertificateChainFile "/path/to/attached/file"
--
where the file looks like:
-----BEGIN CERTIFICATE-----
[some data..]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[some data..]
-----END CERTIFICATE-----
--
The error is spotted in code here:
httpd-2.4.20/modules/ssl/ssl_engine_init.c:static int use_certificate_chain (lines 888-894)
    /* Make sure that only the error is just an EOF */
    if ((err = ERR_peek_error()) > 0) {
        if (!(   ERR_GET_LIB(err) == ERR_LIB_PEM
              && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
            BIO_free(bio);
            return -1;
        }
But it was actually generated a long time ago:
httpd-2.4.20/modules/ssl/mod_ssl.c:static int ssl_hook_pre_config (line 355)
    if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
It sets:
ERR_GET_LIB = ERR_LIB_ASN1
ERR_GET_REASON = PEM_R_KEYBLOB_HEADER_PARSE_ERROR
(the error is generated from a2d_ASN1_OBJECT which is called from OBJ_txt2nid)
This can be fixed by calling ERR_clear_error (see attached patch).
The problem was probably introduced with:
http://svn.apache.org/viewvc?view=revision&revision=1706006
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
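Added example (not part of the bug report, and not httpd or OpenSSL code): a small self-contained C model of the failure described above, where an error left in the queue by an earlier call is what a later "oldest error" check sees. The queue, the constants and every function name are constructed for illustration, and clearing at the start of the loader is an assumed placement, since the attached patch is not shown here.

```c
/* Model of a FIFO error queue (oldest entry is read first). NOT the OpenSSL
   API: every name and constant below is constructed for this example. */
#include <stdio.h>
#include <string.h>

enum { LIB_ASN1 = 1, LIB_PEM = 2, R_BAD_OBJECT = 10, R_NO_START_LINE = 20 };
struct qerr { int lib, reason; };
static struct qerr queue[16]; static int q_len;

static void q_put(int lib, int reason) {
    if (q_len < 16) queue[q_len++] = (struct qerr){ lib, reason };
}
static int q_peek(struct qerr *e) {       /* oldest entry, left in place */
    if (q_len > 0) *e = queue[0];
    return q_len > 0;
}
static void q_clear(void) { q_len = 0; }

/* Stand-in for a startup lookup that fails and leaves its error queued. */
static void probe_oid(const char *name) { (void)name; q_put(LIB_ASN1, R_BAD_OBJECT); }

/* Counts PEM blocks, then applies the same "only EOF is allowed" check. */
static int load_chain(const char *pem, int clear_first) {
    static const char begin[] = "-----BEGIN CERTIFICATE-----";
    struct qerr e;
    int n = 0;
    if (clear_first) q_clear();           /* the fix: start from an empty queue */
    for (const char *p = pem; (p = strstr(p, begin)) != NULL; p += sizeof begin - 1)
        n++;
    q_put(LIB_PEM, R_NO_START_LINE);      /* reader ran out of blocks: expected */
    if (q_peek(&e) && !(e.lib == LIB_PEM && e.reason == R_NO_START_LINE))
        return -1;                        /* oldest entry is not the EOF marker */
    q_clear();
    return n;
}

static const char CHAIN[] =               /* constructed two-block file */
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n";

static int run(int clear_first) {
    q_clear();
    probe_oid("id-on-dnsSRV");            /* leaves a stale entry behind */
    return load_chain(CHAIN, clear_first);
}
int main(void) {
    printf("stale entry kept: %d\nqueue cleared: %d\n", run(0), run(1));
    return 0;
}
```

The valid two-block file is rejected only when the unrelated earlier entry is still queued, which is why the failure looks like a bad chain file in the log.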
[Bug 59615] SSLCertificateChainFile fails to load valid pem blob
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59615
Joe Orton <jo...@redhat.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
--- Comment #1 from Joe Orton <jo...@redhat.com> ---
This was fixed in 2.4.26-ish, r1788442