httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: [VOTE] Release Apache httpd 2.4.0
Date Thu, 19 Jan 2012 02:28:11 GMT
On 16.01.2012 18:50, Jim Jagielski wrote:
> The 2.4.0 (prerelease) tarballs are available for download and test:
>
> 	http://httpd.apache.org/dev/dist/
>
> I'm calling a VOTE on releasing these as Apache httpd 2.4.0 GA.
>
> Vote will last the normal 72 hours... Can I get a w00t w00t!

Intermediate result: On Linux I get a strange error running the test 
suite: tests 114-172 in t/ssl/proxy.t fail, because of a CRL 
verification error:

[Thu Jan 19 02:34:27.430492 2012] [ssl:debug] [pid 5213] 
ssl_engine_kernel.c(1436): [remote 127.0.0.1:8532] AH02275: Certificate 
Verification, depth 0, CRL checking mode: chain [subject: 
emailAddress=test-dev@httpd.apache.org,CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San 
Francisco,ST=California,C=US / issuer: 
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San 
Francisco,ST=California,C=US / serial: 0C / notbefore: Jan 19 01:28:10 
2012 GMT / notafter: Jan 18 01:28:10 2013 GMT]

[Thu Jan 19 02:34:27.430591 2012] [ssl:info] [pid 5213] [remote 
127.0.0.1:8532] AH02276: Certificate Verification: Error (3): unable to 
get certificate CRL [subject: 
emailAddress=test-dev@httpd.apache.org,CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San 
Francisco,ST=California,C=US / issuer: 
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San 
Francisco,ST=California,C=US / serial: 0C / notbefore: Jan 19 01:28:10 
2012 GMT / notafter: Jan 18 01:28:10 2013 GMT]

OpenSSL should be 1.0.0f, and the strange thing is that the same tests 
succeed on Solaris 10 using the same OpenSSL version. Something must be 
different between my Linux systems, which all fail, and the Solaris box. 
Could be details of the Perl modules required by the test framework, 
could be that the system OpenSSL on Linux interferes.

Does anyone have an idea why those CRL checks could fail?

On Solaris, the same request shows:

[Thu Jan 19 02:36:57.641990 2012] [ssl:debug] [pid 12598] 
ssl_engine_kernel.c(1436): [remote 127.0.0.1:8532] AH02275: Certificate 
Verification, depth 1, CRL checking mode: chain [subject: 
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San 
Francisco,ST=California,C=US / issuer: 
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San 
Francisco,ST=California,C=US / serial: 8CF2D94339557004 / notbefore: Jan 
19 01:30:26 2012 GMT / notafter: Jan 18 01:30:26 2013 GMT]

[Thu Jan 19 02:36:57.642525 2012] [ssl:debug] [pid 12598] 
ssl_engine_kernel.c(1436): [remote 127.0.0.1:8532] AH02275: Certificate 
Verification, depth 0, CRL checking mode: chain [subject: 
emailAddress=test-dev@httpd.apache.org,CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San 
Francisco,ST=California,C=US / issuer: 
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San 
Francisco,ST=California,C=US / serial: 0C / notbefore: Jan 19 01:30:36 
2012 GMT / notafter: Jan 18 01:30:36 2013 GMT]

so it seems there is a CRL on depth 0 and 1.

Additional info: even on the failing systems, CRL checks done for other 
tests in the suite do succeed. Example:

[Thu Jan 19 02:33:50.878506 2012] [ssl:debug] [pid 5240] 
ssl_engine_kernel.c(1436): [client 127.0.0.1:62803] AH02275: Certificate 
Verification, depth 1, CRL checking mode: chain [subject: 
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San 
Francisco,ST=California,C=US / issuer: 
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San 
Francisco,ST=California,C=US / serial: C4C8AB4BFBA4FCA8 / notbefore: Jan 
19 01:28:00 2012 GMT / notafter: Jan 18 01:28:00 2013 GMT]

[Thu Jan 19 02:33:50.878757 2012] [ssl:debug] [pid 5240] 
ssl_engine_kernel.c(1436): [client 127.0.0.1:62803] AH02275: Certificate 
Verification, depth 0, CRL checking mode: chain [subject: 
emailAddress=test-dev@httpd.apache.org,CN=client_ok,OU=httpd-test,O=ASF,L=San 
Francisco,ST=California,C=US / issuer: 
emailAddress=test-dev@httpd.apache.org,CN=ca,OU=httpd-test,O=ASF,L=San 
Francisco,ST=California,C=US / serial: 09 / notbefore: Jan 19 01:28:07 
2012 GMT / notafter: Jan 18 01:28:07 2013 GMT]

I'm confused.

Rainer
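
Added example, not part of the original message or of httpd: a small triage script that groups the AH02275 (CRL check) and AH02276 (verification error) entries per handshake, so the chain depths that were logged can be compared between a failing and a passing run. The sample log is constructed from the entries quoted above (unwrapped, DNs shortened), and keying a handshake by pid, address label and peer address is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: entries modelled on the AH02275/AH02276 lines quoted in
# the message, one per line as in a real error_log, with shortened DNs.
SAMPLE_LOG = """\
[Thu Jan 19 02:34:27.430492 2012] [ssl:debug] [pid 5213] ssl_engine_kernel.c(1436): [remote 127.0.0.1:8532] AH02275: Certificate Verification, depth 0, CRL checking mode: chain [subject: CN=localhost,OU=httpd-test/rsa-test / issuer: CN=ca,OU=httpd-test / serial: 0C]
[Thu Jan 19 02:34:27.430591 2012] [ssl:info] [pid 5213] [remote 127.0.0.1:8532] AH02276: Certificate Verification: Error (3): unable to get certificate CRL [subject: CN=localhost,OU=httpd-test/rsa-test / issuer: CN=ca,OU=httpd-test / serial: 0C]
[Thu Jan 19 02:33:50.878506 2012] [ssl:debug] [pid 5240] ssl_engine_kernel.c(1436): [client 127.0.0.1:62803] AH02275: Certificate Verification, depth 1, CRL checking mode: chain [subject: CN=ca,OU=httpd-test / issuer: CN=ca,OU=httpd-test / serial: C4C8AB4BFBA4FCA8]
[Thu Jan 19 02:33:50.878757 2012] [ssl:debug] [pid 5240] ssl_engine_kernel.c(1436): [client 127.0.0.1:62803] AH02275: Certificate Verification, depth 0, CRL checking mode: chain [subject: CN=client_ok,OU=httpd-test / issuer: CN=ca,OU=httpd-test / serial: 09]
"""

PEER = re.compile(r"\[pid (\d+)\].*?\[(remote|client) ([^\]]+)\]")
CHECK = re.compile(r"AH02275: Certificate Verification, depth (\d+), CRL checking mode: (\w+)")
ERROR = re.compile(r"AH02276: Certificate Verification: Error \((\d+)\): ([^\[]+)")
DETAIL = re.compile(r"\[subject: (.*?) / issuer: (.*?) / serial: (\w+)")


def summarize(log_text):
    """Group mod_ssl verification entries by (pid, label, peer address)."""
    sessions = defaultdict(lambda: {"depths": [], "errors": []})
    for line in log_text.splitlines():
        peer = PEER.search(line)
        if not peer:
            continue
        key = (int(peer.group(1)), peer.group(2), peer.group(3))
        check, error = CHECK.search(line), ERROR.search(line)
        detail = DETAIL.search(line)
        if check:
            # Record every chain depth at which a CRL check was logged.
            sessions[key]["depths"].append(int(check.group(1)))
        elif error and detail:
            sessions[key]["errors"].append({
                "code": int(error.group(1)),
                "text": error.group(2).strip(),
                "issuer": detail.group(2),
                "serial": detail.group(3),
            })
    return dict(sessions)


def failing(sessions):
    """Return the keys of handshakes that logged a verification error."""
    return sorted(k for k, v in sessions.items() if v["errors"])


if __name__ == "__main__":
    for key, info in summarize(SAMPLE_LOG).items():
        print(key, "depths:", info["depths"], "errors:", info["errors"])
```

The script expects one log entry per physical line, so entries wrapped by a mail client, as in the archive above, have to be rejoined first.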
