After Yann's mail I double checked and fixed my setup to actually use
TLS 1.3 in the test suite when OpenSSL 1.1.1 is available.
I now see a new OCSP test failure, namely test 3 (revoked certificate).
The revocation is correctly detected:
[Sat Oct 20 06:14:46.492343 2018] [ssl:error] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH03239: OCSP validation completed, certificate status: revoked (1, -1) [subject: emailAddress=test-...@httpd.apache.org,CN=client_revoked,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 09 / notbefore: Oct 20 04:04:52 2018 GMT / notafter: Oct 20 04:04:52 2019 GMT]
[Sat Oct 20 06:14:46.492452 2018] [ssl:info] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH02276: Certificate Verification: Error (23): certificate revoked [subject: emailAddress=test-...@httpd.apache.org,CN=client_revoked,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: emailAddress=test-...@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 09 / notbefore: Oct 20 04:04:52 2018 GMT / notafter: Oct 20 04:04:52 2019 GMT]
and the signaling looks OK:
[Sat Oct 20 06:14:46.492666 2018] [ssl:trace3] [pid 13631:tid 140131235235584] ssl_engine_kernel.c(2210): [client 127.0.0.1:43881] OpenSSL: Write: error
[Sat Oct 20 06:14:46.492691 2018] [ssl:trace3] [pid 13631:tid 140131235235584] ssl_engine_kernel.c(2229): [client 127.0.0.1:43881] OpenSSL: Exit: error in error
[Sat Oct 20 06:14:46.492708 2018] [ssl:info] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH02008: SSL library error 1 in handshake (server localhost:8535)
[Sat Oct 20 06:14:46.492873 2018] [ssl:info] [pid 13631:tid 140131235235584] SSL Library Error: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
[Sat Oct 20 06:14:46.492903 2018] [ssl:info] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH01998: Connection closed to child 136 with abortive shutdown (server localhost:8535)
That looks very similar to what gets logged for TLSv1.2.
But the client shows:
500 Status read failed:
Content-Type: text/plain
Client-Date: Sat, 20 Oct 2018 04:33:39 GMT
Client-Warning: Internal response
Status read failed: at .../lib/perl5/Net/HTTP/Methods.pm line 282.
not ok 3
instead of
/500 Can't connect to localhost:8535 (SSL connect attempt failed error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked)
Content-Type: text/plain
Client-Date: Sat, 20 Oct 2018 04:32:14 GMT
Client-Warning: Internal response
Can't connect to localhost:8535 (SSL connect attempt failed error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked)
SSL connect attempt failed error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked at .../lib/perl5/LWP/Protocol/http.pm line 50.
ok 3
That looks to me like a change in behavior of the underlying client-side TLS layer in how it signals the alert to the HTTP layer.
Regards,
Rainer