https://bz.apache.org/bugzilla/show_bug.cgi?id=59615
Bug ID: 59615
Summary: SSLCertificateChainFile fails to load valid pem blob
Product: Apache httpd-2
Version: 2.4.20
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: petr.sumb...@oracle.com

Created attachment 33864
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=33864&action=edit
possible fix

This used to work in version <= 2.4.16. From 2.4.17 it gives the following error:

    [Mon May 09 13:48:16.851313 2016] [ssl:emerg] [pid 26389:tid 1] AH01903: Failed to configure CA certificate chain!
    [Mon May 09 13:48:16.851430 2016] [ssl:emerg] [pid 26389:tid 1] AH02312: Fatal error initialising mod_ssl, exiting.

--
To reproduce the issue add:

    SSLCertificateChainFile "/path/to/attached/file"

--
where the file looks like:

    -----BEGIN CERTIFICATE-----
    [some data..]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [some data..]
    -----END CERTIFICATE-----

--
The error is spotted in code here:

httpd-2.4.20/modules/ssl/ssl_engine_init.c:static int use_certificate_chain (lines 888-894)

        /* Make sure that only the error is just an EOF */
        if ((err = ERR_peek_error()) > 0) {
            if (!(   ERR_GET_LIB(err) == ERR_LIB_PEM
                  && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
                BIO_free(bio);
                return -1;
            }

But it was actually generated a long time ago:

httpd-2.4.20/modules/ssl/mod_ssl.c:static int ssl_hook_pre_config (line 355)

        if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {

It sets:

    ERR_GET_LIB = ERR_LIB_ASN1
    ERR_GET_REASON = PEM_R_KEYBLOB_HEADER_PARSE_ERROR

(the error is generated from a2d_ASN1_OBJECT which is called from OBJ_txt2nid)

This can be fixed by calling ERR_clear_error (see attached patch).

The problem was probably introduced with:
http://svn.apache.org/viewvc?view=revision&revision=1706006
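The failure mode described in the report, as an added example (not httpd or OpenSSL code, and not the attached patch): a self-contained C model of an error queue whose peek returns the oldest entry, showing how an entry left by an early failed lookup defeats the later "only EOF" check. All names and numeric codes are constructed for the model, and clearing the queue at the start of the chain load is an assumption, since the page does not show where the patch calls ERR_clear_error.

```c
#include <stdio.h>
#include <string.h>

/* Model of a per-thread error queue; names and codes are constructed stand-ins. */
enum { LIB_PEM = 9, LIB_ASN1 = 13, R_STALE = 1, R_BAD_END_LINE = 2, R_NO_START_LINE = 108 };
#define PACK(lib, reason) (((unsigned long)(lib) << 24) | (unsigned long)(reason))
#define GET_LIB(e)        ((int)((e) >> 24))
#define GET_REASON(e)     ((int)((e) & 0xfff))
static unsigned long queue[16];
static int q_len;

static void err_put(int lib, int reason) { if (q_len < 16) queue[q_len++] = PACK(lib, reason); }
static unsigned long err_peek(void) { return q_len ? queue[0] : 0; } /* oldest entry first */
static void err_clear(void) { q_len = 0; }

/* Start-up lookup of an unknown object name: fails and leaves its error queued. */
static void probe_unknown_oid(void) { err_put(LIB_ASN1, R_STALE); }

/* Count PEM blocks; running out of blocks queues NO_START_LINE, the normal EOF marker. */
static int read_chain(const char *pem) {
    int n = 0;
    const char *p = pem;
    while ((p = strstr(p, "-----BEGIN CERTIFICATE-----")) != NULL) {
        p = strstr(p, "-----END CERTIFICATE-----");
        if (p == NULL) { err_put(LIB_PEM, R_BAD_END_LINE); return n; } /* truncated block */
        n++;
    }
    err_put(LIB_PEM, R_NO_START_LINE);
    return n;
}

/* Same post-loop test as the excerpt: any error other than the EOF marker is fatal. */
static int load_chain(const char *pem, int clear_first) {
    if (clear_first) err_clear();          /* assumed placement of the fix */
    int n = read_chain(pem);
    unsigned long err = err_peek();
    if (err > 0 && !(GET_LIB(err) == LIB_PEM && GET_REASON(err) == R_NO_START_LINE))
        return -1;                         /* stale ASN1 entry is seen before the EOF marker */
    err_clear();
    return n;
}

/* Constructed sample input: two well-formed blocks, as in the report. */
static const char SAMPLE_CHAIN[] =
    "-----BEGIN CERTIFICATE-----\n[constructed]\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n[constructed]\n-----END CERTIFICATE-----\n";

/* Probe runs first (pre-config), the chain file is loaded afterwards. */
static int scenario(int clear_first) { err_clear(); probe_unknown_oid(); return load_chain(SAMPLE_CHAIN, clear_first); }

int main(void) { printf("stale queue: %d, cleared first: %d\n", scenario(0), scenario(1)); return 0; }
```

The same valid two-certificate input is rejected or accepted depending only on what was already queued, which is why code that inspects the queue after an operation needs it empty before the operation starts.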