httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject Re: svn commit: r1347980 - in /httpd/httpd/trunk: ./ docs/conf/extra/ docs/log-message-tags/ docs/manual/mod/ docs/manual/ssl/ modules/ssl/
Date Thu, 14 Jun 2012 20:31:41 GMT
On Monday 11 June 2012, Kaspar Brand wrote:
> On 10.06.2012 21:58, Stefan Fritsch wrote:
> > On Sunday 10 June 2012, Kaspar Brand wrote:
> >> As a matter of style / documentation "policy", I would prefer if
> >> the setup instructions in the reference documentation
> >> (mod_ssl.xml) are self-contained, i.e. people should not have to
> >> look at the FAQ to get this kind of information.
> >> 
> >> Maybe we should also add a notice about SRP support only being
> >> available if compiled against OpenSSL 1.0.1 or later?
> > 
> > done in r1348653
> 
> Comment in httpd-ssl.conf.in looks good, thanks. It was more the
> separation into mod_ssl.xml and ssl_faq.xml which I found a bit
> strange... or at least the fact that mod_ssl.xml doesn't say
> anything about using "openssl srp" to create the
> SSLSRPVerifierFile.

True. Added that as well.

> > Unfortunately, ssl_log_ssl_error() doesn't log any error. Instead
> > openssl logs to stderr (newlines doubled by me for clarity):
> > 
> > Sun Jun 10 21:21:46.051674 2012] [ssl:info] [pid 6734:tid
> > 4148467456] AH01914: Configuring server localhost:443 for SSL
> > protocol
> > 
> > wrong number of fields on line 1 (looking for field 6, got 1, ''
> > left)
> > 
> > [Sun Jun 10 21:21:46.051806 2012] [ssl:emerg] [pid 6734:tid
> > 4148467456] AH02308: Unable to load SRP verifier file [error 1]
> 
> Ugh, the "wrong number of field" message is coming from an
> fprintf(stderr,...) in OpenSSL's crypto/txt_db/txt_db.c -
> apparently another piece which doesn't make use of the error
> queue.
> 
> "[error 1]" on the other hand is mostly useless in its current
> form, I think. It's not mod_ssl's fault, but it should definitely
> be fixed in OpenSSL (whose SRP code should use some form of
> ERR_put_error() to return the SRP_ERR_* codes to the application).

Well, at least one can look up the error code in the include file. I 
would rather leave it like that until openssl has fixed the error 
reporting.

Mime
View raw message