httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 52630] Firefox can't access SSL websites with client authentication and when using a symlink to a directory of CA certs
Date Sun, 19 Feb 2012 09:42:05 GMT

--- Comment #10 from Kaspar Brand <> 2012-02-19 09:42:05 UTC ---
(In reply to comment #9)
> The same here, I can offer you my config.
> Further, I'm not 100% sure this is an Apache bug,... it's just the logical
> starting point in the search.

The "Apache httpd-2" product on is for reporting bugs (or
filing enhancement requests), not for help with troubleshooting and debugging a
particular setup. See also and

> What's weird is, that ALL FILEs are read...
> Not only the .0 and .r0 files (and their symlink targets) but also .info,
> .crl_url, .namespaces, etc.)

Not really a surprise, and nothing weird. This happens at startup/reload time
when ssl_engine_init.c:ssl_init_ctx_verify() calls ssl_init_FindCAList() to
determine the list of acceptable DNs. mod_ssl then simply calls
SSL_load_client_CA_file() for every file it finds, that's the reason for all
these open() calls.

> I also did the same strace, when specifying the absolute path
> (/etc/grid-security/certificates/ ...
> Basically the same seems to happen there,... same files read,.. same sizes...
> just that the SSL handshake works.

The output of the open() calls provided in comment 9 has nothing to do with
what happens when OpenSSL tries to verify the client cert if
SSLCACertificatePath (but no SSLCACertificateFile) is configured. As I wrote in
comment 8, it's the stat64() calls which will highlight the issue.

If you still maintain that this is not an issue with your particular
configuration, then do this:

1) shut down httpd

2) close Firefox

3) as root, execute

. /etc/apache2/envvars && strace -fte stat64 /usr/sbin/apache2 -X 2>&1 |
grep "stat64.*\.0"

4) start Firefox, open the client-auth protected URL

5) if "Firefox can't access the SSL site":

   a) provide the output from the above shell command

   b) provide the log messages from httpd's error log, but *only* for the
      time shown in the above shell output

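A helper for reading the output of step 3, added here as an example; it is not part of the original message or of httpd. It condenses `strace -fte stat64` output to the `<hash>.0` lookups with their time and result, so the times can be matched against the error log entries asked for in step 5b. The function names are hypothetical and the sample trace lines (PIDs, times, hash names) are constructed.

```shell
#!/bin/sh
# Added example: condense `strace -fte stat64` output to the hashed CA
# lookups (<hash>.0) and their results. Not part of the original message.

# Constructed sample trace; PIDs, times and hash names are made up.
sample_trace() {
cat <<'EOF'
09:50:11 stat64("/etc/apache2/apache2.conf", {st_mode=S_IFREG|0644, st_size=8346, ...}) = 0
[pid  4242] 09:50:27 stat64("/etc/grid-security/certificates/1a2b3c4d.0", {st_mode=S_IFREG|0644, st_size=1350, ...}) = 0
[pid  4242] 09:50:27 stat64("/etc/grid-security/certificates/1a2b3c4d.1", 0xbfd3a1ac) = -1 ENOENT (No such file or directory)
[pid  4243] 09:50:31 stat64("/etc/grid-security/certificates/5e6f7a8b.0", 0xbfd3a1ac) = -1 ENOENT (No such file or directory)
[pid  4243] 09:50:32 stat64("/etc/grid-security/certificates/9c0d1e2f.0", <unfinished ...>
EOF
}

# Reads strace output on stdin; prints "TIME STATUS PATH" per <hash>.0 lookup.
summarize_ca_lookups() {
    awk '
    /stat64\("[^"]*\.0"/ {
        # Timestamp added by strace -t (HH:MM:SS), with or without [pid N].
        time = "-"
        if (match($0, /[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/))
            time = substr($0, RSTART, RLENGTH)
        # Path is the text inside the first pair of double quotes.
        path = $0
        sub(/^[^"]*"/, "", path)
        sub(/".*$/, "", path)
        if ($0 !~ /\) = /) {
            status = "UNFINISHED"      # call split by strace -f, no result here
        } else {
            res = $0
            sub(/^.*\) = /, "", res)   # keep only the return value part
            if (res ~ /^0/) status = "OK"
            else { split(res, f, " "); status = f[2] }   # errno name, e.g. ENOENT
        }
        print time, status, path
    }'
}

# Times at which a <hash>.0 lookup returned an error, for matching against
# the error log entries requested in step 5b.
failed_lookup_times() {
    summarize_ca_lookups | awk '$2 != "OK" && $2 != "UNFINISHED" { print $1 }' | sort -u
}

sample_trace | summarize_ca_lookups
```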