httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From o haya <oh...@yahoo.com.INVALID>
Subject Re: [users@httpd] SSL/CRL Problem - Error 12 (Expired)
Date Tue, 08 Mar 2016 13:16:43 GMT
Hi,

BTW, one other piece of possible information:  We found that if we put all the PEMs for the
CRLs into one big file and then used the SSLCACertificateRevocationFile directive instead
of the SSLCACertificateRevocationPath directive and the hashes in the directory, then we don't
get the Error 12/Expired CRL errors.

Jim


--------------------------------------------
On Mon, 3/7/16, o haya <ohaya@yahoo.com.INVALID> wrote:

 Subject: [users@httpd] SSL/CRL Problem - Error 12 (Expired)
 To: users@httpd.apache.org
 Cc: ohaya@yahoo.com
 Date: Monday, March 7, 2016, 8:43 PM
 
 Hi,
 
 I'm not sure if I should post this to the openssl mailing
 list or here, but thought that it'd make sense to start
 here.  If that is not appropriate, please let me know?
 
 
 Anyway, we are upgrading some of our Apache instance to
 2.4.16 (on Redhat), and we are encountering a strange
 problem with SSL and CRLs.
 
 
 Our websites are configured for SSL client authentication
 with CRLs in a directory pointed to by
 SSLCACertificateRevocationPath and SSLCARevocationCheck set
 to "chain".  We then place our CRLs in the directory
 and create the hashes for them.
 
 However, when we tried to upgrade one of our production
 instances the requests are failing and, in the error logs,
 we are seeing the following messages:
 
 [ssl.debug] [pid 4866] ssl_engine_kernel.c: [client
 10.10.10.10-xxxx] Certificate Verification, depth 1, CRL
 checking mode: chain [subject: CN=CA4,OU=branch,.... /
 issuer: CN=Root 3,OU=branch,... / serial: 86 / notbefore:
 Aug 1 00:00:00 2013 GMT / notafter: Aug 1 00:00:00 2021 GMT]
 
 
 [ssl.info] [pid 4866] [client 10.10.10.10-xxxx] Certificate
 Verification: Error (12): CRL has expired [subject:
 CN=CA4,OU=branch,... / issuer: CN=Root 3,... / serial: 86 /
 notbefore: Aug 1 00:00:00 2013 GMT / notafter: Aug 1
 00:00:00 2021 GMT] 
 
 We checked all of the CRL files and they are all within
 their validity periods.
 
 
 The thing is that we have not been able to replicate this
 problem in our test environment, when we try to re-create a
 similar PKI heirarchy, so we (or I) suspect that there may
 be something going on with either the CRLs or cert files
 that we are getting from the CAs (but recall that these same
 CRLs worked with older Apache.  So I was wondering: If
 there is any known situations where that "Error 12" would be
 logged, but where the problem was being cause by something
 other than the CRL files actually being expired?
 
 As I said, this might be more of an openssl question?
 
 Thanks in advance,
 Jim
 
 ---------------------------------------------------------------------
 To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
 For additional commands, e-mail: users-help@httpd.apache.org
 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message