https://bz.apache.org/bugzilla/show_bug.cgi?id=65025
Bug ID: 65025
Summary: SSL error "ca key too small" is reported at info level instead of error level
Product: Apache httpd-2
Version: 2.4.38
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
A problem with a CA chain is being reported at ssl:info level, which is
normally suppressed, resulting in no logging whatsoever for CA-cert-related
connection issues.
For example, a 1024-bit CA-cert is blocked by OpenSSL SECLEVEL=2.
There is currently NO logging about it on the server side.
On the client it manifests itself as "ssl3_read_bytes:tlsv1 alert internal
error:ssl/record/rec_layer_s3.c:1399:SSL alert number 80", so not really
helpful.
The actual error, ssl_add_cert_chain:ca key too small, is visible in the server
log only after bumping LogLevel to debug:
[Tue Dec 22 16:09:14.686357 2020] [ssl:info] [pid 12257:tid 139992554424064]
[client ::1:58060] AH02008: SSL library error 1 in handshake (server
localhost:443)
[Tue Dec 22 16:09:14.686391 2020] [ssl:info] [pid 12257:tid 139992554424064]
SSL Library Error: error:1413C18D:SSL routines:ssl_add_cert_chain:ca key too
small
[Tue Dec 22 16:09:14.686414 2020] [ssl:info] [pid 12257:tid 139992554424064]
[client ::1:58060] AH01998: Connection closed to child 0 with abortive shutdown
(server localhost:443)
Hence this request to change ssl_add_cert_chain error reporting to error level.
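As an added example, not part of the bug report or of httpd itself: a stdlib-only Python parser that pairs each AH02008 handshake error with the "SSL Library Error" line the same pid/tid logs next, so a log monitor can surface "ca key too small" whatever level mod_ssl used. It runs over a constructed sample in the shape of the lines quoted above; note the lines only exist in error_log once LogLevel includes ssl:info, as the report describes.

```python
import re
from typing import Optional

# Constructed sample in the shape of the error_log lines quoted in the report
# (same AH codes, level and OpenSSL reason string; one unrelated notice added).
SAMPLE_LOG = """\
[Tue Dec 22 16:09:14.686357 2020] [ssl:info] [pid 12257:tid 139992554424064] [client ::1:58060] AH02008: SSL library error 1 in handshake (server localhost:443)
[Tue Dec 22 16:09:14.686391 2020] [ssl:info] [pid 12257:tid 139992554424064] SSL Library Error: error:1413C18D:SSL routines:ssl_add_cert_chain:ca key too small
[Tue Dec 22 16:09:14.686414 2020] [ssl:info] [pid 12257:tid 139992554424064] [client ::1:58060] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:443)
[Tue Dec 22 16:10:01.000000 2020] [mpm_event:notice] [pid 12257:tid 139992554424064] AH00489: Apache/2.4.38 (Unix) configured
"""

# httpd 2.4 error_log format: [timestamp] [module:level] [pid P:tid T] [client C] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
# OpenSSL error string as mod_ssl prints it: error:<code>:<lib>:<function>:<reason>
SSL_LIB_ERR_RE = re.compile(
    r"SSL Library Error: error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one error_log line into its fields, or None if it is not in that format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_handshake_failures(log_text: str) -> list:
    """Return one finding per AH02008 handshake error, enriched with the OpenSSL
    function and reason from the 'SSL Library Error' line of the same pid/tid."""
    findings = []
    pending = {}  # (pid, tid) -> finding still waiting for its library-error detail
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["module"] != "ssl":
            continue
        key = (rec["pid"], rec["tid"])
        if rec["msg"].startswith("AH02008:"):
            pending[key] = {"ts": rec["ts"], "level": rec["level"], "client": rec["client"] or ""}
        elif key in pending:
            detail = SSL_LIB_ERR_RE.search(rec["msg"])
            if detail:
                finding = pending.pop(key)
                finding.update(detail.groupdict())
                findings.append(finding)
    return findings
```

A monitor can alert on `func == "ssl_add_cert_chain"` and `reason == "ca key too small"` from the returned findings, independent of the `level` field that this bug report is about.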