On Monday 09 November 2009, Sander Temme wrote:
> Hi Stefan,
>
> On Nov 9, 2009, at 2:25 AM, Stefan Fritsch wrote:
> > Hi,
> >
> > with openssl 0.9.8k, I currently get a large number of test
> > failures:
>
> These tests do not fail for me. Can you run a subset in verbose
> and see how they fail? Like:
>
> t/TEST ... -verbose t/ssl/basicauth.t
>
> should get you some more insight. Also, which platform?

This is Debian unstable with the Debian openssl. It seems to complain about an expired CRL. AFAICS with tcpdump, it doesn't try to connect anywhere to get the CRL. Any ideas? If not I will dig deeper later, no time ATM.

t/ssl/basicauth.t ..
1..3
# Running under perl version 5.010001 for linux
# Current time local: Mon Nov 9 16:36:42 2009
# Current time GMT: Mon Nov 9 15:36:42 2009
# Using Test.pm version 1.25_02
# Using Apache/Test.pm version 1.31
# testing : Getting /ssl-fakebasicauth/index.html with no cert
# expected: 500
# received: 500
ok 1
# testing : Getting /ssl-fakebasicauth/index.html with client_snakeoil cert
# expected: 200
# received: 500
not ok 2
# Failed test 2 in t/ssl/basicauth.t at line 25
# testing : Getting /ssl-fakebasicauth/index.html with client_ok cert
# expected: 401
# received: 500
not ok 3
# Failed test 3 in t/ssl/basicauth.t at line 30
Failed 2/3 subtests

From the error log:

[Mon Nov 09 16:38:53 2009] [info] Initial (No.1) HTTPS request received for child 1 (server localhost:8532)
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(552): [client 127.0.0.1] Changed client verification type will force renegotiation
[Mon Nov 09 16:38:53 2009] [info] [client 127.0.0.1] Requesting connection re-negotiation
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(728): [client 127.0.0.1] Performing full renegotiation: complete handshake protocol
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1831): OpenSSL: Handshake: start
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSL renegotiate ciphers
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 write hello request A
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 flush data
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 write hello request C
[Mon Nov 09 16:38:53 2009] [info] [client 127.0.0.1] Awaiting re-negotiation handshake
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1831): OpenSSL: Handshake: start
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: before accept initialization
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 read client hello A
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 write server hello A
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 write certificate A
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1231): [client 127.0.0.1] handing out temporary 1024 bit DH key
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 write key exchange A
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 write certificate request A
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1839): OpenSSL: Loop: SSLv3 flush data
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1273): [client 127.0.0.1] Certificate Verification, depth 1 [subject: /C=US/ST=California/L=San Francisco/O=ASF/OU=httpd-test/CN=ca/[email protected], issuer: /C=US/ST=California/L=San Francisco/O=ASF/OU=httpd-test/CN=ca/emailAddress=test- [email protected], serial: D11C47D1766CFD0D]
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1480): CA CRL: Issuer: C=US, ST=California, L=San Francisco, O=ASF, OU=httpd-test, CN=ca/emailAddress=test- [email protected], lastUpdate: Oct 3 12:01:39 2009 GMT, nextUpdate: Nov 2 12:01:39 2009 GMT
[Mon Nov 09 16:38:53 2009] [warn] Found CRL is expired - revoking all certificates until you get updated CRL
[Mon Nov 09 16:38:53 2009] [error] [client 127.0.0.1] Certificate Verification: Error (12): CRL has expired
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1849): OpenSSL: Write: SSLv3 read client certificate B
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1868): OpenSSL: Exit: error in SSLv3 read client certificate B
[Mon Nov 09 16:38:53 2009] [error] [client 127.0.0.1] Re-negotiation handshake failed: Not accepted by client!?
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1273): [client 127.0.0.1] Certificate Verification, depth 1 [subject: /C=US/ST=California/L=San Francisco/O=ASF/OU=httpd-test/CN=ca/[email protected], issuer: /C=US/ST=California/L=San Francisco/O=ASF/OU=httpd-test/CN=ca/emailAddress=test- [email protected], serial: D11C47D1766CFD0D]
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1480): CA CRL: Issuer: C=US, ST=California, L=San Francisco, O=ASF, OU=httpd-test, CN=ca/emailAddress=test- [email protected], lastUpdate: Oct 3 12:01:39 2009 GMT, nextUpdate: Nov 2 12:01:39 2009 GMT
[Mon Nov 09 16:38:53 2009] [warn] Found CRL is expired - revoking all certificates until you get updated CRL
[Mon Nov 09 16:38:53 2009] [error] [client 127.0.0.1] Certificate Verification: Error (12): CRL has expired
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1849): OpenSSL: Write: SSLv3 read client certificate B
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1868): OpenSSL: Exit: error in SSLv3 read client certificate B
[Mon Nov 09 16:38:53 2009] [info] [client 127.0.0.1] SSL library error 1 in handshake (server localhost:8532)
[Mon Nov 09 16:38:53 2009] [info] SSL Library Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Mon Nov 09 16:38:53 2009] [info] [client 127.0.0.1] Connection closed to child 1 with abortive shutdown (server localhost:8532)
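
Added example, not part of the original message or of the httpd test suite: a small triage script that reads mod_ssl "CA CRL:" debug lines like the ones in the error log above and reports each CRL whose nextUpdate lies before the time the line was logged. The function name, the `utc_offset_hours` parameter and the sample lines are assumptions made for illustration; the log timestamp carries no zone, so the offset must be supplied (the test output above shows local time one hour ahead of GMT).

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the mod_ssl debug format quoted above (issuers shortened):
# the expired CRL logged twice, plus one CRL that is still current.
SAMPLE_LOG = """\
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1480): CA CRL: Issuer: C=US, O=ASF, OU=httpd-test, CN=ca, lastUpdate: Oct 3 12:01:39 2009 GMT, nextUpdate: Nov 2 12:01:39 2009 GMT
[Mon Nov 09 16:38:53 2009] [debug] ssl_engine_kernel.c(1480): CA CRL: Issuer: C=US, O=ASF, OU=httpd-test, CN=ca, lastUpdate: Oct 3 12:01:39 2009 GMT, nextUpdate: Nov 2 12:01:39 2009 GMT
[Mon Nov 09 16:38:54 2009] [debug] ssl_engine_kernel.c(1480): CA CRL: Issuer: C=US, O=Example, CN=fresh-ca, lastUpdate: Nov 8 09:00:00 2009 GMT, nextUpdate: Dec 8 09:00:00 2009 GMT
"""

CRL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[debug\] ssl_engine_kernel\.c\(\d+\): CA CRL: "
    r"Issuer: (?P<issuer>.*?), lastUpdate: (?P<last>.*? GMT), "
    r"nextUpdate: (?P<next>.*? GMT)$"
)
LOG_TS = "%a %b %d %H:%M:%S %Y"      # e.g. Mon Nov 09 16:38:53 2009 (server local time)
CRL_TS = "%b %d %H:%M:%S %Y GMT"     # e.g. Nov 2 12:01:39 2009 GMT


def expired_crls(log_text, utc_offset_hours=0):
    """Return one finding per distinct CRL that was already expired when logged."""
    findings, seen_keys = [], set()
    for line in log_text.splitlines():
        m = CRL_RE.match(line.strip())
        if not m:
            continue
        # Convert the zone-less log timestamp to UTC using the supplied offset.
        logged_utc = datetime.strptime(m["ts"], LOG_TS) - timedelta(hours=utc_offset_hours)
        next_update = datetime.strptime(m["next"], CRL_TS)
        key = (m["issuer"], next_update)
        if next_update < logged_utc and key not in seen_keys:
            seen_keys.add(key)  # repeated handshakes log the same CRL again
            findings.append({
                "issuer": m["issuer"],
                "next_update": next_update,
                "overdue_days": (logged_utc - next_update).days,
            })
    return findings


if __name__ == "__main__":
    for f in expired_crls(SAMPLE_LOG, utc_offset_hours=1):
        print(f"{f['issuer']}: nextUpdate {f['next_update']} UTC, "
              f"overdue by {f['overdue_days']} day(s)")
```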
