httpd-users mailing list archives

From: Ben Johnson <...@indietorrent.org>
Subject: [users@httpd] Apache fails to start, without explanation, when certain SSL-related directives are misconfigured
Date: Wed, 22 Aug 2012 12:35:16 GMT

Hello,

I find it extremely troubling that when Apache fails to start due to an
SSL-related misconfiguration nothing is logged to that effect.

For example, if a certificate and private key do not match, Apache will
fail to start and, from what I can tell, fails to log anything at all.

Maybe there is some alternate log file location of which I'm not aware,
but tailing /var/log/apache2/error.log (on Debian), or the site-specific
log at /var/www/example.com/log/error.log, reveals absolutely nothing
about the issue's cause.

How can the world's "most mature", "most advanced" Web-server be brought
to its knees due to an SSL misconfiguration with one site?

I find this to be inexcusable. Even if Apache did log every detail
regarding the cause for the failed service start-up, the fact that
Apache has no mechanism for handling such a misconfiguration gracefully
is disappointing.

To the contrary, Dovecot, for example, failed gracefully in the same
instance; it reported a very specific message in its logs (key/cert.
mismatch) and still started up. Due to the fact that the certificate was
malformed, Dovecot dropped its TLS capabilities, but it still started
the server and bound to the non-secure port.

The "apache2ctl configtest" command seems to be ineffective when the
required files exist and are not empty. This utility seems not to check
for a match between the private key and the certificate. Perhaps this
utility could be modified to use the `openssl` executable (if it can be
found) to check these items, too.

Am I missing something here?

Thank you for any insight,

-Ben
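
The check proposed at the end of the message, comparing a certificate's public key with the one derived from the private key using the `openssl` executable, written out as an added example; it is not part of the original message or of `apache2ctl`. The function names and the script name are hypothetical, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Pre-flight check that a certificate and a private key belong together.

# PEM public key embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# PEM public key derived from a private key. "-passin pass:" makes an
# encrypted key fail at once instead of prompting on the terminal.
key_pubkey() { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null; }

# check_pair CERT KEY -> 0 match, 1 mismatch, 2 unreadable input.
# Each file is parsed and checked on its own, so two unreadable files can
# never "match" as two empty strings.
check_pair() {
    cert_pub=$(cert_pubkey "$1") && [ -n "$cert_pub" ] ||
        { echo "cannot read a certificate from $1" >&2; return 2; }
    key_pub=$(key_pubkey "$2") && [ -n "$key_pub" ] ||
        { echo "cannot read a private key from $2" >&2; return 2; }
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "OK: $1 and $2 match"
        return 0
    fi
    echo "MISMATCH: $2 is not the key for $1" >&2
    return 1
}

# Constructed sample input: a throwaway self-signed certificate with its
# key (a.*) and an unrelated key (b.key). Prints the two result codes.
selftest() {
    dir=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -days 1 -keyout "$dir/a.key" -out "$dir/a.crt" 2>/dev/null
    openssl genrsa -out "$dir/b.key" 2048 2>/dev/null
    good=0; check_pair "$dir/a.crt" "$dir/a.key" >/dev/null 2>&1 || good=$?
    bad=0; check_pair "$dir/a.crt" "$dir/b.key" >/dev/null 2>&1 || bad=$?
    rm -rf "$dir"
    echo "$good $bad"
}

# Usage: sh check_pair.sh cert.pem key.pem   (no arguments: run the self-test)
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; else selftest; fi
```

Run against the files named by a site's certificate and key directives before restarting the server, a non-zero exit status identifies the mismatched pair by path.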
