Hi,

setup:
* Sunblade100, Solaris 8, Apache 1.3.22, mod_ssl 2.8.5, OpenSSL 0.9.6c (other box with the same problem: Intel, RH Linux 6.2)
* an offline, standalone root CA running iPlanet Certificate Management System 4.22 on Windows NT 4.0
problem:

Clients have to provide a valid certificate in order to get access. When a certificate gets revoked on the CA, the CRL has to be transferred manually to the webserver by floppy (OCSP is not an option). After copying the new CRL in place and really stopping & starting Apache, clients can't connect to the webserver anymore.

The DOS CRLF was removed from the CRL and the headers are valid. Even when I change the headers of the original CRL (the working one) to another valid format, the same error occurs, so it's not the new CRL that causes the error but any change to the current CRL. I changed -----BEGIN CERTIFICATE REVOCATION LIST----- to -----BEGIN X509 CRL------ and the same for the END tag, of course.

Symbolic links shouldn't have anything to do with it since I'm using the SSLCARevocationFile directive. My guess is that mod_ssl keeps a hash / checksum somewhere and detects changes in the CRL, but I wouldn't know where to look for it.

Does anybody know how I can replace the CRL? The server works perfectly with SSLVerification require. I didn't find any info on this in the FAQ of mod_ssl or OpenSSL.

Best regards,
Koen B.
ssl_error_log shows this:

[20/Mar/2002 09:32:44] [notice] child pid 1199 exit Segmentation Fault (11)

ssl_engine_log:

[20/Mar/2002 09:32:44 01199] [trace] Certificate Verification: depth: 1, subject: /C=fr/O=xxx/CN=Certificate Manager, issuer: /C=fr/O=xxx/CN=Certificate Manager
[20/Mar/2002 09:32:44 01202] [info] Connection to child 4 established (server fake.domainname.com:443, client 192.168.0.10)
[20/Mar/2002 09:32:44 01202] [info] Seeding PRNG with 512 bytes of entropy
[20/Mar/2002 09:32:44 01202] [trace] OpenSSL: Handshake: start
[20/Mar/2002 09:32:44 01202] [trace] OpenSSL: Loop: before/accept initialization
[20/Mar/2002 09:32:44 01202] [debug] OpenSSL: read 0/11 bytes from BIO#00208B10 [mem: 0021EC58] (BIO dump follows)
+-------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
[20/Mar/2002 09:32:44 01202] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]

relevant snippet from httpd.conf:

...
<IfModule mod_ssl.c>
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup file:/usr/local/apache/randfile.rnd 512
SSLRandomSeed connect file:/usr/local/apache/randfile.rnd 512
SSLLog /usr/local/apache/logs/ssl_engine_log
SSLLogLevel debug
ErrorLog logs/ssl_error_log
</IfModule>
...
<IfDefine SSL>
<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache/htdocs"
ServerName fake.domainname.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache/conf/ssl.crt/fake.domainname.com.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/fake.domainname.com.key
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.testdomain.com.crt
SSLCARevocationFile /usr/local/apache/conf/ssl.crl/ca.testdomain.com.crl
SSLVerifyClient require
SSLVerifyDepth 5
...

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
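The CRL replacement procedure described in the post (normalise the CA's export, then install it under SSLCARevocationFile and restart) benefits from a pre-flight check so that a CRL the server cannot load is never installed in the first place. The script below is an added example, not code from the post or from mod_ssl; it assumes a POSIX sh with the openssl command-line tool, and the file paths are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX sh and the
# openssl CLI; every file path is an argument, nothing is hard-coded.

# Normalise a CRL as exported by the CA: drop DOS carriage returns and rename
# the "CERTIFICATE REVOCATION LIST" PEM label to "X509 CRL", which OpenSSL reads.
normalize_crl() {   # $1 = exported CRL, $2 = output file
    tr -d '\r' < "$1" | sed \
        -e 's/^-----BEGIN CERTIFICATE REVOCATION LIST-----$/-----BEGIN X509 CRL-----/' \
        -e 's/^-----END CERTIFICATE REVOCATION LIST-----$/-----END X509 CRL-----/' \
        > "$2"
}

# Reject a CRL that OpenSSL cannot parse, that was not issued by the CA named
# in SSLCACertificateFile, or whose signature does not verify against that CA.
# Prints the reason and returns non-zero so the caller never installs it.
check_crl() {   # $1 = CRL PEM, $2 = CA certificate PEM
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
    openssl crl -in "$1" -noout >/dev/null 2>&1 \
        || { echo "CRL does not parse as a PEM X509 CRL"; return 1; }
    issuer=$(openssl crl -in "$1" -noout -issuer | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')
    [ "$issuer" = "$subject" ] \
        || { echo "CRL issuer ($issuer) is not the CA ($subject)"; return 1; }
    # "verify OK" / "verify failure" is printed on stderr by openssl crl -CAfile
    openssl crl -in "$1" -noout -CAfile "$2" 2>&1 | grep -q 'verify OK' \
        || { echo "CRL signature does not verify against the CA"; return 1; }
    echo "CRL OK, $(openssl crl -in "$1" -noout -nextupdate)"
}

# Install only after the checks pass, keeping the previous CRL for rollback.
# $1 = exported CRL, $2 = CA certificate, $3 = path named in SSLCARevocationFile
deploy_crl() {
    tmp="$3.new"
    normalize_crl "$1" "$tmp" || return 1
    check_crl "$tmp" "$2" || { rm -f "$tmp"; return 1; }
    [ -f "$3" ] && cp -p "$3" "$3.bak"
    mv "$tmp" "$3" && echo "installed $3; restart Apache and watch ssl_engine_log"
}
# Usage (paths from the post's httpd.conf; the floppy path is assumed):
# deploy_crl /floppy/ca.crl /usr/local/apache/conf/ssl.crt/ca.testdomain.com.crt \
#            /usr/local/apache/conf/ssl.crl/ca.testdomain.com.crl
```

If check_crl rejects the file, the old CRL stays in place and Apache keeps serving; if it passes and the server still dies on restart, the problem is in the server rather than the file.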
