On 16.01.2012 18:50, Jim Jagielski wrote:
> The 2.4.0 (prerelease) tarballs are available for download and test:
> http://httpd.apache.org/dev/dist/
> I'm calling a VOTE on releasing these as Apache httpd 2.4.0 GA.
> Vote will last the normal 72 hours... Can I get a w00t w00t!

Intermediate result: On Linux I get a strange error running the test
suite: tests 114-172 in t/ssl/proxy.t fail, because of a CRL
verification error:
[Thu Jan 19 02:34:27.430492 2012] [ssl:debug] [pid 5213]
ssl_engine_kernel.c(1436): [remote 127.0.0.1:8532] AH02275: Certificate
Verification, depth 0, CRL checking mode: chain [subject:
emailAddress=test-...@httpd.apache.org,CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San
Francisco,ST=California,C=US / issuer:
emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / serial: 0C / notbefore: Jan 19 01:28:10
2012 GMT / notafter: Jan 18 01:28:10 2013 GMT]
[Thu Jan 19 02:34:27.430591 2012] [ssl:info] [pid 5213] [remote
127.0.0.1:8532] AH02276: Certificate Verification: Error (3): unable to
get certificate CRL [subject:
emailAddress=test-...@httpd.apache.org,CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San
Francisco,ST=California,C=US / issuer:
emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / serial: 0C / notbefore: Jan 19 01:28:10
2012 GMT / notafter: Jan 18 01:28:10 2013 GMT]

OpenSSL should be 1.0.0f, and the strange thing is that the same tests
succeed on Solaris 10 using the same OpenSSL version. Something must be
different between my Linux systems, which all fail, and the Solaris box.
Could be details of the perl modules required by the test framework,
could be that the system OpenSSL on Linux interferes.

Does anyone have an idea why those CRL checks could fail?

On Solaris, the same request shows:
[Thu Jan 19 02:36:57.641990 2012] [ssl:debug] [pid 12598]
ssl_engine_kernel.c(1436): [remote 127.0.0.1:8532] AH02275: Certificate
Verification, depth 1, CRL checking mode: chain [subject:
emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / issuer:
emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / serial: 8CF2D94339557004 / notbefore: Jan
19 01:30:26 2012 GMT / notafter: Jan 18 01:30:26 2013 GMT]
[Thu Jan 19 02:36:57.642525 2012] [ssl:debug] [pid 12598]
ssl_engine_kernel.c(1436): [remote 127.0.0.1:8532] AH02275: Certificate
Verification, depth 0, CRL checking mode: chain [subject:
emailAddress=test-...@httpd.apache.org,CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San
Francisco,ST=California,C=US / issuer:
emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / serial: 0C / notbefore: Jan 19 01:30:36
2012 GMT / notafter: Jan 18 01:30:36 2013 GMT]
so it seems there is a CRL on depth 0 and 1.

Additional info: even on the failing systems, CRL checks done for other
tests in the suite do succeed. Example:
[Thu Jan 19 02:33:50.878506 2012] [ssl:debug] [pid 5240]
ssl_engine_kernel.c(1436): [client 127.0.0.1:62803] AH02275: Certificate
Verification, depth 1, CRL checking mode: chain [subject:
emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / issuer:
emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / serial: C4C8AB4BFBA4FCA8 / notbefore: Jan
19 01:28:00 2012 GMT / notafter: Jan 18 01:28:00 2013 GMT]
[Thu Jan 19 02:33:50.878757 2012] [ssl:debug] [pid 5240]
ssl_engine_kernel.c(1436): [client 127.0.0.1:62803] AH02275: Certificate
Verification, depth 0, CRL checking mode: chain [subject:
emailAddress=test-...@httpd.apache.org,CN=client_ok,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / issuer:
emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San
Francisco,ST=California,C=US / serial: 09 / notbefore: Jan 19 01:28:07
2012 GMT / notafter: Jan 18 01:28:07 2013 GMT]
I'm confused.
Rainer
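
Added example, not part of the original message and not httpd or test-suite code: a small Python helper that re-joins wrapped mod_ssl AH02275/AH02276 records and lists, per pid and peer, which chain depths were visited and which verification errors were logged, so a failing trace can be compared with a working one. The sample lines are constructed (subjects abbreviated) after the excerpts above; the function name `summarize` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the wrapped log excerpts in the message above.
SAMPLE = """\
[Thu Jan 19 02:34:27.430492 2012] [ssl:debug] [pid 5213]
ssl_engine_kernel.c(1436): [remote 127.0.0.1:8532] AH02275: Certificate
Verification, depth 0, CRL checking mode: chain [subject: CN=localhost /
issuer: CN=ca / serial: 0C]
[Thu Jan 19 02:34:27.430591 2012] [ssl:info] [pid 5213] [remote
127.0.0.1:8532] AH02276: Certificate Verification: Error (3): unable to
get certificate CRL [subject: CN=localhost / issuer: CN=ca / serial: 0C]
[Thu Jan 19 02:33:50.878506 2012] [ssl:debug] [pid 5240]
ssl_engine_kernel.c(1436): [client 127.0.0.1:62803] AH02275: Certificate
Verification, depth 1, CRL checking mode: chain [subject: CN=ca /
issuer: CN=ca / serial: C4C8AB4BFBA4FCA8]
[Thu Jan 19 02:33:50.878757 2012] [ssl:debug] [pid 5240]
ssl_engine_kernel.c(1436): [client 127.0.0.1:62803] AH02275: Certificate
Verification, depth 0, CRL checking mode: chain [subject: CN=client_ok /
issuer: CN=ca / serial: 09]
"""

# A record starts at a timestamp such as "[Thu Jan 19 02:34:27.430492 2012]".
RECORD_START = re.compile(
    r"(?=\[[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d\.\d+ \d{4}\])")
PEER = re.compile(r"\[pid (\d+)\].*?\[(remote|client) ([\d.]+:\d+)\]")
DEPTH = re.compile(r"AH02275: Certificate Verification, depth (\d+),")
ERROR = re.compile(r"AH02276: Certificate Verification: Error \((\d+)\): (.*?) \[subject:")

def summarize(text):
    """Group verification records by (pid, role, peer); collect depths and errors."""
    flat = " ".join(text.split())  # undo mail/terminal line wrapping
    result = defaultdict(lambda: {"depths": [], "errors": []})
    for rec in RECORD_START.split(flat):
        peer = PEER.search(rec)
        if not peer:
            continue
        entry = result[peer.groups()]
        depth = DEPTH.search(rec)
        if depth:
            entry["depths"].append(int(depth.group(1)))
        error = ERROR.search(rec)
        if error:
            entry["errors"].append((int(error.group(1)), error.group(2)))
    return dict(result)

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(*key, "depths:", info["depths"], "errors:", info["errors"])
```
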