httpd-users mailing list archives

From Ben Johnson <...@indietorrent.org>
Subject Re: [users@httpd] Apache fails to start, without explanation, when certain SSL-related directives are misconfigured
Date Wed, 22 Aug 2012 14:55:38 GMT


On 8/22/2012 9:36 AM, Eric Covener wrote:
> On Wed, Aug 22, 2012 at 9:24 AM, Ben Johnson <ben@indietorrent.org> wrote:
>>
>>
>> On 8/22/2012 8:56 AM, Eric Covener wrote:
>>>> Dovecot dropped its TLS capabilities, but it still started
>>>> the server and bound to the non-secure port.
>>>
>>> I'd personally prefer the server fail startup rather than operate w/o SSL.
>>
>> While that may be, this preference should not be assumed. Even if the
>> current behavior (failing to start under said circumstances) is made the
>> default, I would prefer this to be a configurable behavior.
> 
> I'd suggest opening a bug/bugs if there's not already one.  mod_ssl
> doesn't load keys during config test.

Thanks for your helpful responses, Eric; much appreciated.

Indeed; I will open a bug report or feature request, as appropriate, and
recommend that mod_ssl be made to load the various certificate
components during validation.

>>
>> My post's primary purpose was to underscore the fact that Apache fails
>> *silently* under the key/cert mismatch scenario.
>>
>> Perhaps with a sufficiently high log-level this error would be revealed.
>> But even if that is so, such a critical failure should be logged
>> regardless of the setting.
> 
> I get this in 2.2:
> 
> [Wed Aug 22 09:32:44 2012] [error] Unable to configure RSA server private key
> [Wed Aug 22 09:32:44 2012] [error] SSL Library Error: 185073780
> error:0B080074:x509 certificate routines:X509_check_private_key:key
> values mismatch
> 
> In 2.4 it's even higher severity (emerg) and has a few more messages.
> But maybe your scenario is different.

Very interesting. This is exactly the type of message I had hoped and
expected to see.

Thank you for taking the time to recreate the scenario and report your
findings.

I wonder why this message was not present in my logs.

For the sake of thoroughness, in which log does this message appear on
your system?

> What was your LogLevel?

LogLevel warn

Apache version is Apache/2.2.14 (Ubuntu), so we should expect to see
the same output on this system.

Unfortunately, the system in question is a production system, so I
cannot test different scenarios without consequences.

I will try to reproduce the problem on a development system.

Thanks again,

-Ben
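Because, as Eric notes above, mod_ssl does not load keys during a config test, `apachectl configtest` will pass a mismatched SSLCertificateFile/SSLCertificateKeyFile pair and the failure only shows up at startup. The following pre-flight script is an added example (not part of this thread or of httpd itself) that performs the same comparison X509_check_private_key does, so the mismatch can be caught before a restart of a production server. It assumes only the `openssl` command-line tool; the key and certificate fixtures it generates are constructed for the demo.

```shell
#!/bin/sh
# Pre-flight check for an httpd SSL virtual host: does the private key in
# SSLCertificateKeyFile belong to the certificate in SSLCertificateFile?
# Added example; requires the openssl CLI (assumption), nothing from httpd.

# sslpair_check CERT KEY
#   returns 0 when the public key inside CERT equals the public key derived
#   from KEY, 1 on a mismatch, 2 when either file cannot be parsed.
#   Comparing the SubjectPublicKeyInfo PEM works for RSA and EC keys alike.
sslpair_check() {
    cert="$1"
    key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "ERROR: cannot read a public key from $cert or $key" >&2
        return 2
    fi
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "OK: $key matches $cert"
        return 0
    fi
    echo "MISMATCH: $key does not match $cert (mod_ssl would log 'key values mismatch')" >&2
    return 1
}

# sslpair_make_fixtures DIR
#   CONSTRUCTED test material: good.key with its self-signed good.crt, plus
#   other.key, an unrelated key that must be reported as a mismatch.
sslpair_make_fixtures() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/good.key" -out "$dir/good.crt" >/dev/null 2>&1 || return 2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1 || return 2
}

# sslpair_demo
#   Builds the fixtures in a temporary directory and runs both the matching
#   and the mismatching case, then cleans up.
sslpair_demo() {
    tmp=$(mktemp -d) || return 2
    sslpair_make_fixtures "$tmp" || { rm -rf "$tmp"; return 2; }
    sslpair_check "$tmp/good.crt" "$tmp/good.key" || true     # expected: OK
    sslpair_check "$tmp/good.crt" "$tmp/other.key" || true    # expected: MISMATCH
    rm -rf "$tmp"
}

# No arguments: run the demo. Two arguments: check that cert/key pair, e.g.
#   ./sslpair-check.sh /etc/ssl/certs/site.crt /etc/ssl/private/site.key
case "$#" in
    0) sslpair_demo ;;
    2) sslpair_check "$1" "$2" ;;
esac
```

Run it with the paths from the virtual host's SSLCertificateFile and SSLCertificateKeyFile directives after `apachectl configtest` and before `apachectl graceful`; a non-zero exit is the signal the config test does not give you. The script only compares public keys, so it reads the private key without needing to know whether it is RSA or EC, and it leaves the private key file untouched.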


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

