httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 56410] New: Apache 2.4.9 breaks existing installation after upgrading from 2.4.7 when using self-signed SSL certificates using OpenSSL 0.9.8e (CentOS 5.10)
Date Mon, 14 Apr 2014 20:22:10 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=56410

            Bug ID: 56410
           Summary: Apache 2.4.9 breaks existing installation after
                    upgrading from 2.4.7 when using self-signed SSL
                    certificates using OpenSSL 0.9.8e (CentOS 5.10)
           Product: Apache httpd-2
           Version: 2.4.9
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: kurt.newman@cpanel.net

Self-signed certificates cause an unpatched Apache 2.4.9 to fail to start when
SSLCACertificateFile is left unspecified.

This worked correctly under Apache 2.4.7.

--------------------------------------------
The following error is emitted to error_log:
--------------------------------------------

[Mon Apr 14 15:06:11.486441 2014] [suexec:notice] [pid 27131] AH01232: suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Mon Apr 14 15:06:11.491588 2014] [ssl:emerg] [pid 27132] AH02562: Failed to configure certificate cent5ssl.loc:443:0 (with chain), check /tmp/ssl-keys/server.crt
[Mon Apr 14 15:06:11.491635 2014] [ssl:emerg] [pid 27132] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Mon Apr 14 15:06:11.491647 2014] [:emerg] [pid 27132] AH00020: Configuration Failed, exiting

--------------------------------------------
To duplicate, I did the following:
--------------------------------------------

1. Downloaded Apache 2.4.9
2. Downloaded APR 1.5.0
3. Downloaded APR-util 1.5.3
4. Extracted Apache tarball
5. Extracted both APR libraries into srclib directory
6. Ran the following configure line:

./configure --disable-v4-mapped --enable-access-compat=static \
--enable-actions=static --enable-alias=static --enable-auth_basic=static \
--enable-authn_core=static --enable-authn_file=static \
--enable-authz_core=static --enable-authz_groupfile=static \
--enable-authz_host=static --enable-authz_user=static --enable-autoindex=static \
--enable-cgi=static --enable-deflate=static --enable-dir=static \
--enable-expires=static --enable-filter=static --enable-headers=static \
--enable-include=static --enable-info=static --enable-log_config=static \
--enable-logio=static --enable-mime=static --enable-modules=none \
--enable-negotiation=static --enable-proxy=static --enable-proxy-connect=static \
--enable-proxy-http=static --enable-rewrite=static --enable-setenvif=static \
--enable-slotmem_shm=static --enable-socache_dbm=static \
--enable-socache_shmcb=static --enable-ssl=static --enable-status=static \
--enable-suexec=static --enable-unixd=static --enable-userdir=static \
--prefix=/usr/local/apache --with-included-apr --with-mpm=prefork \
--with-pcre=/opt/pcre --with-ssl=/usr --with-suexec-caller=nobody \
--with-suexec-docroot=/ --with-suexec-gidmin=100 \
--with-suexec-logfile=/usr/local/apache/logs/suexec_log \
--with-suexec-uidmin=100 --with-suexec-userdir=public_html

7. Generated self-signed certificate and key:

mkdir /tmp/ssl-keys
cd /tmp/ssl-keys
openssl req -new -x509 -nodes -out server.crt -keyout server.key -extensions usr_cert

8. Created a virtual host in Apache, then added the following SSL options:

    SSLEngine on
    SSLCertificateFile /tmp/ssl-keys/server.crt
    SSLCertificateKeyFile /tmp/ssl-keys/server.key

9. Validated that this _works_ with Apache 2.4.7 using OpenSSL
0.9.8e-fips-rhel5 (CentOS 5.10)
10. Validated that this _breaks_ with Apache 2.4.9 using OpenSSL
0.9.8e-fips-rhel5 (CentOS 5.10)
11. Validated that this _works_ with Apache 2.4.9 using OpenSSL 1.0.1e-fips
(CentOS 6.5)

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
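
Added example, not part of the original report and not Apache httpd code: Python that pairs the AH02562 entry in the error_log above with the PEM error that follows it from the same pid, then checks which PEM blocks the named file holds. The function names, result labels and SAMPLE_PEM are assumptions made for this example; SAMPLE_LOG is the report's four entries rejoined onto single lines.

```python
import re

# Apache 2.4 error_log entry: [timestamp] [module:level] [pid N] message
ENTRY = re.compile(r"^\[[^\]]+\] \[[^:\]]*:\w+\] \[pid (\d+)\] (.*)$")
CERT_FAIL = re.compile(r"AH02562: Failed to configure certificate (\S+) .*?check (\S+)")
PEM_EXPECT = re.compile(r"PEM_read_bio:no start line \(Expecting: ([^)]+)\)")
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)

# The four entries from the report, each rejoined onto one line.
SAMPLE_LOG = """\
[Mon Apr 14 15:06:11.486441 2014] [suexec:notice] [pid 27131] AH01232: suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Mon Apr 14 15:06:11.491588 2014] [ssl:emerg] [pid 27132] AH02562: Failed to configure certificate cent5ssl.loc:443:0 (with chain), check /tmp/ssl-keys/server.crt
[Mon Apr 14 15:06:11.491635 2014] [ssl:emerg] [pid 27132] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Mon Apr 14 15:06:11.491647 2014] [:emerg] [pid 27132] AH00020: Configuration Failed, exiting
"""
# Constructed stand-in for server.crt: one certificate block, placeholder body.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"


def find_cert_failures(log_text):
    """Pair each AH02562 entry with the next PEM 'Expecting' error from the same pid."""
    findings, pending = [], {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # wrapped or foreign line: skip rather than guess
        pid, msg = m.groups()
        fail, expect = CERT_FAIL.search(msg), PEM_EXPECT.search(msg)
        if fail:
            pending[pid] = {"vhost": fail.group(1), "path": fail.group(2)}
        elif expect and pid in pending:
            findings.append(dict(pending.pop(pid), expected=expect.group(1)))
    return findings


def triage(finding, pem_text):
    """Compare the block type the library asked for with the blocks the file holds."""
    labels = PEM_BEGIN.findall(pem_text)
    if finding["expected"] in labels:
        return "expected-block-present"
    return "certificate-only" if "CERTIFICATE" in labels else "no-certificate"


if __name__ == "__main__":
    for f in find_cert_failures(SAMPLE_LOG):
        print(f, triage(f, SAMPLE_PEM))
```

A "certificate-only" result matches the report: the file named in AH02562 holds a certificate, and the block type in the library error is one the step 8 configuration never supplied.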

