From: Rainer Jung
To: "dev@httpd.apache.org"
Subject: DER encoded cert no longer supported in 2.4 since 2.4.8
Date: Thu, 3 Dec 2015 18:49:01 +0100
Message-ID: <5660808D.4070508@kippdata.de>

I did a 2.2 to 2.4 migration today. The old 2.2 server was using a certificate file, which was DER encoded and the new 2.4 one didn't like it.

It seems support for DER encoded certs was removed in 2.4.8 as a side effect of r1573360 (backport of r1553824). The certificate in 2.2 is read using SSL_read_X509() which tries PEM but also DER. After the change, the OpenSSL API SSL_read_X509() is used, which only accepts PEM.

Is that problem analysis right?

If so we'd need to decide whether we keep it as is (no one complained, so DER seems to be rare) and simply document the change in the changelog and migration guide, or whether we still need to support DER encoded certs.

IMHO documenting the change would be enough.

Regards,

Rainer
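A pre-migration check for the situation described in the message above, as an added example that is not part of the original post or of httpd: it finds the files named by `SSLCertificateFile` directives, reports whether each is PEM or DER, and writes a PEM copy next to any DER file. It assumes directive paths contain no spaces; the DER blob in `demo()` is a constructed stand-in, not a real certificate.

```python
import re
import ssl
import tempfile
from pathlib import Path

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"
# Matches uncommented SSLCertificateFile lines; path may be quoted (assumption: no spaces).
DIRECTIVE = re.compile(r'^\s*SSLCertificateFile\s+"?([^"\s]+)"?', re.I | re.M)

def der_length_ok(data: bytes) -> bool:
    """True if data is exactly one ASN.1 SEQUENCE (tag 0x30) whose length fits the file."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length octet
        return 2 + first == len(data)
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or len(data) < 2 + n:
        return False
    return 2 + n + int.from_bytes(data[2:2 + n], "big") == len(data)

def classify(data: bytes) -> str:
    if PEM_MARKER in data:
        return "PEM"
    return "DER" if der_length_ok(data) else "UNKNOWN"

def audit(conf_text: str, convert: bool = False) -> dict:
    """Map each SSLCertificateFile path to its encoding; optionally write <path>.pem for DER."""
    report = {}
    for path in DIRECTIVE.findall(conf_text):
        data = Path(path).read_bytes()
        report[path] = classify(data)
        if convert and report[path] == "DER":
            Path(path + ".pem").write_text(ssl.DER_cert_to_PEM_cert(data))
    return report

def demo() -> dict:
    """Run the audit over constructed files in a temporary directory."""
    tmp = Path(tempfile.mkdtemp())
    der = bytes.fromhex("3003020101")      # constructed: SEQUENCE { INTEGER 1 }
    (tmp / "old.crt").write_bytes(der)
    (tmp / "new.crt").write_text(ssl.DER_cert_to_PEM_cert(der))
    conf = f"SSLCertificateFile {tmp}/old.crt\n#SSLCertificateFile /ignored\nSSLCertificateFile {tmp}/new.crt\n"
    result = audit(conf, convert=True)
    return {Path(p).name: enc for p, enc in result.items()}

if __name__ == "__main__":
    print(demo())
```

The same conversion can be done by hand with `openssl x509 -inform DER -in old.crt -out old.pem`.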