On 19.01.2012 14:49, Rainer Jung wrote: > On 19.01.2012 07:14, Kaspar Brand wrote: >> On 19.01.2012 03:28, Rainer Jung wrote: >>> Additional info: even on the failing systems, CRL checks done for other >>> tests in the suite do succeed. Example: >>> >>> [Thu Jan 19 02:33:50.878506 2012] [ssl:debug] [pid 5240] >>> ssl_engine_kernel.c(1436): [client 127.0.0.1:62803] AH02275: Certificate >>> Verification, depth 1, CRL checking mode: chain [subject: >>> emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San >>> Francisco,ST=California,C=US / issuer: >>> emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San >>> Francisco,ST=California,C=US / serial: C4C8AB4BFBA4FCA8 / notbefore: Jan >>> 19 01:28:00 2012 GMT / notafter: Jan 18 01:28:00 2013 GMT] >> >> I think you're misinterpreting this message - here, "CRL checking mode" >> only states what kind of checking is set... whether it passes or fails >> can only be seen from the succeeding message (either there isn't any, >> or you will see "Certificate Verification: Error (3): unable to get >> certificate CRL" and the like). > > I had checked that. No other errors were following the cited line.
Ah, sorry... there's a simple explanation for this (I didn't remember that previously): t/conf/ssl/ssl.conf uses SSLCARevocationFile, while t/conf/ssl/proxyssl.conf uses SSLProxyCARevocationFile and SSLProxyCARevocationPath. Only the tests where the VirtualHost config with SSLProxyCARevocationPath is involved will fail when there's no matching .r0 symlink in the crl dir. Kaspar