From: Stefan Fritsch
To: dev@httpd.apache.org
Subject: Re: svn commit: r1347980 - in /httpd/httpd/trunk: ./ docs/conf/extra/ docs/log-message-tags/ docs/manual/mod/ docs/manual/ssl/ modules/ssl/
Date: Thu, 14 Jun 2012 22:31:41 +0200

On Monday 11 June 2012, Kaspar Brand wrote:
> On 10.06.2012 21:58, Stefan Fritsch wrote:
> > On Sunday 10 June 2012, Kaspar Brand wrote:
> >> As a matter of style / documentation "policy", I would prefer if
> >> the setup instructions in the reference documentation
> >> (mod_ssl.xml) are self-contained, i.e. people should not have to
> >> look at the FAQ to get this kind of information.
> >>
> >> Maybe we should also add a notice about SRP support only being
> >> available if compiled against OpenSSL 1.0.1 or later?
> >
> > done in r1348653
>
> Comment in httpd-ssl.conf.in looks good, thanks. It was more the
> separation into mod_ssl.xml and ssl_faq.xml which I found a bit
> strange... or at least the fact that mod_ssl.xml doesn't say
> anything about using "openssl srp" to create the
> SSLSRPVerifierFile.

True. Added that as well.

> > Unfortunately, ssl_log_ssl_error() doesn't log any error. Instead
> > openssl logs to stderr (newlines doubled by me for clarity):
> >
> > Sun Jun 10 21:21:46.051674 2012] [ssl:info] [pid 6734:tid
> > 4148467456] AH01914: Configuring server localhost:443 for SSL
> > protocol
> >
> > wrong number of fields on line 1 (looking for field 6, got 1, ''
> > left)
> >
> > [Sun Jun 10 21:21:46.051806 2012] [ssl:emerg] [pid 6734:tid
> > 4148467456] AH02308: Unable to load SRP verifier file [error 1]
>
> Ugh, the "wrong number of field" message is coming from an
> fprintf(stderr,...) in OpenSSL's crypto/txt_db/txt_db.c -
> apparently another piece which doesn't make use of the error
> queue.
>
> "[error 1]" on the other hand is mostly useless in its current
> form, I think. It's not mod_ssl's fault, but it should definitely
> be fixed in OpenSSL (whose SRP code should use some form of
> ERR_put_error() to return the SRP_ERR_* codes to the application).

Well, at least one can look up the error code in the include file. I
would rather leave it like that until openssl has fixed the error
reporting.
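
Since the only detail about the bad verifier file reaches stderr rather than the httpd error log, the file's field layout can be checked before the server is started. The C program below is an added example, not code from this thread, mod_ssl or OpenSSL. The six-field count is taken from the quoted stderr line; the parsing rules (tab-separated fields, backslash-escaped tabs, '#' comment lines) are an assumption modelled on the TXT_DB reader in crypto/txt_db/txt_db.c, and check_line(), first_bad_line() and the sample rows are hypothetical.

```c
/* Added example: pre-flight check of an SRP verifier file's field layout.
 * Assumed (per OpenSSL's TXT_DB reader): tabs split fields, '\' escapes a tab. */
#include <stdio.h>
#include <string.h>
#define SRP_FIELDS 6 /* "looking for field 6" in the quoted stderr line */

/* Returns 0 if line has exactly num fields; otherwise -1, with the number
 * of fields seen in *got and the unparsed remainder in *left. */
static int check_line(const char *line, int num, int *got, const char **left)
{
    const char *f = line;
    int n = 1, esc = 0; /* the first field starts at offset 0 */
    for (; *f != '\0'; f++) {
        if (*f == '\t' && !esc) {
            if (n >= num) { f++; break; } /* what follows is surplus */
            n++;
        }
        esc = (*f == '\\');
    }
    *got = n; *left = f;
    return (n == num && *f == '\0') ? 0 : -1;
}

/* Splits text in place; returns the 1-based number of the first line that
 * fails check_line(), or 0 if every non-comment ('#') line passes. */
static long first_bad_line(char *text, int *got, const char **left)
{
    long ln = 0;
    for (char *line = text; *line != '\0'; ) {
        char *nl = strchr(line, '\n');
        if (nl != NULL) *nl = '\0';
        ln++;
        if (line[0] != '#' && check_line(line, SRP_FIELDS, got, left) != 0)
            return ln;
        if (nl == NULL) break;
        line = nl + 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample, placeholder fields; blank line 3 is the defect. */
    char sample[] = "# constructed\nF1\tF2\tF3\tF4\tF5\tF6\n\n";
    int got = 0; const char *left = "";
    long ln = first_bad_line(sample, &got, &left);
    if (ln != 0)
        printf("line %ld: want %d fields, got %d, '%s' left\n", ln, SRP_FIELDS, got, left);
    return ln != 0;
}
```

Under these assumed rules an empty line yields one field with nothing left over, the same counts as in the stderr message quoted in the thread.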