When building 2.4.47 using OpenSSL 3.0.0alpha15 and running the test suite, the proxy TLS connection fails with "Certificate Verification: Error (3): unable to get certificate CRL":

[Mon Apr 26 10:00:50.352111 2021] [ssl:trace3] [pid 16699:tid 140438686086912] ssl_engine_kernel.c(2213): [remote 127.0.0.1:8532] OpenSSL: Loop: TLSv1.3 read encrypted extensions
[Mon Apr 26 10:00:50.352449 2021] [ssl:debug] [pid 16699:tid 140438686086912] ssl_engine_kernel.c(1762): [remote 127.0.0.1:8532] AH02275: Certificate Verification, depth 0, CRL checking mode: chain (2) [subject: [email protected],CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: [email protected],CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 09 / notbefore: Apr 26 07:56:58 2021 GMT / notafter: Apr 26 07:56:58 2022 GMT]
[Mon Apr 26 10:00:50.352487 2021] [ssl:info] [pid 16699:tid 140438686086912] [remote 127.0.0.1:8532] AH02276: Certificate Verification: Error (3): unable to get certificate CRL [subject: [email protected],CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: [email protected],CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 09 / notbefore: Apr 26 07:56:58 2021 GMT / notafter: Apr 26 07:56:58 2022 GMT]
[Mon Apr 26 10:00:50.352563 2021] [ssl:trace3] [pid 16699:tid 140438686086912] ssl_engine_kernel.c(2223): [remote 127.0.0.1:8532] OpenSSL: Write: error
[Mon Apr 26 10:00:50.352567 2021] [ssl:trace3] [pid 16699:tid 140438686086912] ssl_engine_kernel.c(2242): [remote 127.0.0.1:8532] OpenSSL: Exit: error in error
[Mon Apr 26 10:00:50.352570 2021] [ssl:info] [pid 16699:tid 140438686086912] [remote 127.0.0.1:8532] AH02003: SSL Proxy connect failed
[Mon Apr 26 10:00:50.352597 2021] [ssl:info] [pid 16699:tid 140438686086912] SSL Library Error: error:0A000086:SSL routines::certificate verify failed


More complete log output:

[Mon Apr 26 10:00:50.344676 2021] [proxy:trace2] [pid 16699:tid 140438686086912] proxy_util.c(3153): https: fam 2 socket created to connect to localhost
[Mon Apr 26 10:00:50.344710 2021] [proxy:debug] [pid 16699:tid 140438686086912] proxy_util.c(3187): AH02824: https: connection established with 127.0.0.1:8532 (localhost)
[Mon Apr 26 10:00:50.344719 2021] [example_hooks:notice] [pid 16699:tid 140438686086912] x_create_connection()
[Mon Apr 26 10:00:50.344726 2021] [proxy:trace1] [pid 16699:tid 140438686086912] proxy_util.c(3359): [remote 127.0.0.1:8532] https: set SNI to localhost for (localhost)
[Mon Apr 26 10:00:50.344729 2021] [proxy:debug] [pid 16699:tid 140438686086912] proxy_util.c(3371): AH00962: https: connection complete to [::1]:8532 (localhost)
[Mon Apr 26 10:00:50.344738 2021] [ssl:info] [pid 16699:tid 140438686086912] [remote 127.0.0.1:8532] AH01964: Connection to child 0 established (server localhost:8561)
[Mon Apr 26 10:00:50.344822 2021] [ssl:trace2] [pid 16699:tid 140438686086912] ssl_engine_rand.c(126): Proxy: Seeding PRNG with 144 bytes of entropy
[Mon Apr 26 10:00:50.344875 2021] [ssl:trace3] [pid 16699:tid 140438686086912] ssl_engine_io.c(1242): [remote 127.0.0.1:8532] SNI extension for SSL Proxy request set to 'localhost'
[Mon Apr 26 10:00:50.344882 2021] [ssl:trace3] [pid 16699:tid 140438686086912] ssl_engine_kernel.c(2204): [remote 127.0.0.1:8532] OpenSSL: Handshake: start
[Mon Apr 26 10:00:50.344921 2021] [ssl:trace3] [pid 16699:tid 140438686086912] ssl_engine_kernel.c(2213): [remote 127.0.0.1:8532] OpenSSL: Loop: before SSL initialization
[Mon Apr 26 10:00:50.345273 2021] [example_hooks:notice] [pid 16699:tid 140438669301504] x_create_connection()
[Mon Apr 26 10:00:50.345308 2021] [ssl:info] [pid 16699:tid 140438669301504] [client 127.0.0.1:50940] AH01964: Connection to child 210 established (server localhost:8532)
[Mon Apr 26 10:00:50.345356 2021] [ssl:trace3] [pid 16699:tid 140438686086912] ssl_engine_kernel.c(2213): [remote 127.0.0.1:8532] OpenSSL: Loop: SSLv3/TLS write client hello
[Mon Apr 26 10:00:50.345400 2021] [ssl:trace2] [pid 16699:tid 140438669301504] ssl_engine_rand.c(126): Server: Seeding PRNG with 144 bytes of entropy
[Mon Apr 26 10:00:50.345459 2021] [ssl:trace3] [pid 16699:tid 140438669301504] ssl_engine_kernel.c(2204): [client 127.0.0.1:50940] OpenSSL: Handshake: start
[Mon Apr 26 10:00:50.345479 2021] [ssl:trace3] [pid 16699:tid 140438669301504] ssl_engine_kernel.c(2213): [client 127.0.0.1:50940] OpenSSL: Loop: before SSL initialization
[Mon Apr 26 10:00:50.345680 2021] [ssl:trace3] [pid 16699:tid 140438669301504] ssl_engine_kernel.c(2213): [client 127.0.0.1:50940] OpenSSL: Loop: before SSL initialization
[Mon Apr 26 10:00:50.345702 2021] [ssl:debug] [pid 16699:tid 140438669301504] ssl_engine_kernel.c(2374): [client 127.0.0.1:50940] AH02043: SSL virtual host for servername localhost found
[Mon Apr 26 10:00:50.345833 2021] [ssl:trace3] [pid 16699:tid 140438669301504] ssl_engine_kernel.c(2213): [client 127.0.0.1:50940] OpenSSL: Loop: SSLv3/TLS read client hello
[Mon Apr 26 10:00:50.346255 2021] [ssl:trace3] [pid 16699:tid 140438669301504] ssl_engine_kernel.c(2213): [client 127.0.0.1:50940] OpenSSL: Loop: SSLv3/TLS write server hello
[Mon Apr 26 10:00:50.346400 2021] [ssl:trace3] [pid 16699:tid 140438669301504] ssl_engine_kernel.c(2213): [client 127.0.0.1:50940] OpenSSL: Loop: SSLv3/TLS write change cipher spec
[Mon Apr 26 10:00:50.346422 2021] [ssl:trace3] [pid 16699:tid 140438669301504] ssl_engine_kernel.c(2213): [client 127.0.0.1:50940] OpenSSL: Loop: TLSv1.3 write encrypted extensions
[Mon Apr 26 10:00:50.346939 2021] [ssl:trace3] [pid 16699:tid 140438669301504] ssl_engine_kernel.c(2213): [client 127.0.0.1:50940] OpenSSL: Loop: SSLv3/TLS write certificate
[Mon Apr 26 10:00:50.349543 2021] [ssl:trace3] [pid 16699:tid 140438669301504] ssl_engine_kernel.c(2213): [client 127.0.0.1:50940] OpenSSL: Loop: TLSv1.3 write server certificate verify
[Mon Apr 26 10:00:50.350801 2021] [ssl:trace3] [pid 16699:tid 140438669301504] ssl_engine_kernel.c(2213): [client 127.0.0.1:50940] OpenSSL: Loop: SSLv3/TLS write finished
[Mon Apr 26 10:00:50.350809 2021] [ssl:trace3] [pid 16699:tid 140438669301504] ssl_engine_kernel.c(2213): [client 127.0.0.1:50940] OpenSSL: Loop: TLSv1.3 early data
[Mon Apr 26 10:00:50.350921 2021] [ssl:trace3] [pid 16699:tid 140438686086912] ssl_engine_kernel.c(2213): [remote 127.0.0.1:8532] OpenSSL: Loop: SSLv3/TLS write client hello
[Mon Apr 26 10:00:50.351326 2021] [ssl:trace3] [pid 16699:tid 140438686086912] ssl_engine_kernel.c(2213): [remote 127.0.0.1:8532] OpenSSL: Loop: SSLv3/TLS read server hello
[Mon Apr 26 10:00:50.352111 2021] [ssl:trace3] [pid 16699:tid 140438686086912] ssl_engine_kernel.c(2213): [remote 127.0.0.1:8532] OpenSSL: Loop: TLSv1.3 read encrypted extensions
[Mon Apr 26 10:00:50.352449 2021] [ssl:debug] [pid 16699:tid 140438686086912] ssl_engine_kernel.c(1762): [remote 127.0.0.1:8532] AH02275: Certificate Verification, depth 0, CRL checking mode: chain (2) [subject: [email protected],CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: [email protected],CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 09 / notbefore: Apr 26 07:56:58 2021 GMT / notafter: Apr 26 07:56:58 2022 GMT]
[Mon Apr 26 10:00:50.352487 2021] [ssl:info] [pid 16699:tid 140438686086912] [remote 127.0.0.1:8532] AH02276: Certificate Verification: Error (3): unable to get certificate CRL [subject: [email protected],CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: [email protected],CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 09 / notbefore: Apr 26 07:56:58 2021 GMT / notafter: Apr 26 07:56:58 2022 GMT]
[Mon Apr 26 10:00:50.352563 2021] [ssl:trace3] [pid 16699:tid 140438686086912] ssl_engine_kernel.c(2223): [remote 127.0.0.1:8532] OpenSSL: Write: error
[Mon Apr 26 10:00:50.352567 2021] [ssl:trace3] [pid 16699:tid 140438686086912] ssl_engine_kernel.c(2242): [remote 127.0.0.1:8532] OpenSSL: Exit: error in error
[Mon Apr 26 10:00:50.352570 2021] [ssl:info] [pid 16699:tid 140438686086912] [remote 127.0.0.1:8532] AH02003: SSL Proxy connect failed
[Mon Apr 26 10:00:50.352597 2021] [ssl:info] [pid 16699:tid 140438686086912] SSL Library Error: error:0A000086:SSL routines::certificate verify failed
[Mon Apr 26 10:00:50.352608 2021] [ssl:info] [pid 16699:tid 140438686086912] [remote 127.0.0.1:8532] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:8561)
[Mon Apr 26 10:00:50.352671 2021] [ssl:info] [pid 16699:tid 140438686086912] [remote 127.0.0.1:8532] AH01997: SSL handshake failed: sending 502
[Mon Apr 26 10:00:50.352698 2021] [proxy:error] [pid 16699:tid 140438686086912] (20014)Internal error (specific information not available): [client 127.0.0.1:45235] AH01084: pass request body failed to [::1]:8532 (localhost)
[Mon Apr 26 10:00:50.352708 2021] [proxy:error] [pid 16699:tid 140438686086912] [client 127.0.0.1:45235] AH00898: Error during SSL Handshake with remote server returned by /eat_post
[Mon Apr 26 10:00:50.352711 2021] [proxy_http:error] [pid 16699:tid 140438686086912] [client 127.0.0.1:45235] AH01097: pass request body failed to [::1]:8532 (localhost) from 127.0.0.1 ()
[Mon Apr 26 10:00:50.352715 2021] [proxy:debug] [pid 16699:tid 140438686086912] proxy_util.c(2455): AH00943: https: has released connection for (localhost)
[Mon Apr 26 10:00:50.352773 2021] [http:trace3] [pid 16699:tid 140438686086912] http_filters.c(1129): [client 127.0.0.1:45235] Response sent with status 500, headers:


I verified that the config for SSLCARevocationFile looks correct, and using the same setup but with OpenSSL 1.1.1 or earlier does not fail in that way.

Regards,

Rainer
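
An added example, not part of the original message or of httpd: a Python triage script that splits run-together error_log entries like those above and pairs each AH02276 verification error with the CRL checking mode logged on the same thread by AH02275, then marks whether the proxy connect failed (AH02003). The sample input is constructed from lines in the post with subject and issuer abbreviated; the function names are hypothetical.

```python
import re

# Constructed sample: three entries in the format of the log above, run
# together on one line as in the post, with subject/issuer abbreviated.
SAMPLE = (
    "[Mon Apr 26 10:00:50.352449 2021] [ssl:debug] [pid 16699:tid 140438686086912] "
    "ssl_engine_kernel.c(1762): [remote 127.0.0.1:8532] AH02275: Certificate "
    "Verification, depth 0, CRL checking mode: chain (2) [subject: CN=localhost / "
    "issuer: CN=ca / serial: 09] "
    "[Mon Apr 26 10:00:50.352487 2021] [ssl:info] [pid 16699:tid 140438686086912] "
    "[remote 127.0.0.1:8532] AH02276: Certificate Verification: Error (3): unable "
    "to get certificate CRL [subject: CN=localhost / issuer: CN=ca / serial: 09] "
    "[Mon Apr 26 10:00:50.352570 2021] [ssl:info] [pid 16699:tid 140438686086912] "
    "[remote 127.0.0.1:8532] AH02003: SSL Proxy connect failed"
)

# An entry starts at a "[Day Mon DD HH:MM:SS.usec YYYY] [" timestamp.
ENTRY_START = re.compile(
    r"(?=\[[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d\.\d+ \d{4}\] \[)")
HEADER = re.compile(
    r"\[[^\]]+\] \[\w+:\w+\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)")
CRL_MODE = re.compile(r"AH02275: .*?depth (\d+), CRL checking mode: (\w+) \(\d+\)")
VERIFY_ERR = re.compile(
    r"AH02276: Certificate Verification: Error \((\d+)\): (.+?) "
    r"\[subject: (.+?) / issuer: (.+?) /")

def split_entries(text):
    """Undo mail-client wrapping, then split on entry timestamps."""
    flat = " ".join(text.split())
    return [e.strip() for e in ENTRY_START.split(flat) if e.strip()]

def crl_failures(text):
    """Return one record per AH02276 error, correlated by (pid, tid)."""
    mode_by_thread, failures = {}, []
    for entry in split_entries(text):
        h = HEADER.match(entry)
        if not h:
            continue
        key, msg = (h["pid"], h["tid"]), h["msg"]
        if m := CRL_MODE.search(msg):
            mode_by_thread[key] = {"depth": int(m[1]), "crl_mode": m[2]}
        elif m := VERIFY_ERR.search(msg):
            # Error code 3 is OpenSSL's X509_V_ERR_UNABLE_TO_GET_CRL.
            failures.append({**mode_by_thread.get(key, {}), "thread": key,
                             "code": int(m[1]), "reason": m[2], "subject": m[3],
                             "issuer": m[4], "proxy_failed": False})
        elif "AH02003" in msg:
            for f in failures:
                if f["thread"] == key:
                    f["proxy_failed"] = True
    return failures
```

The issuer field of each record names the CA whose CRL the verifier could not find, which is the first thing to compare against the contents of the configured revocation file.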
