I found the solution to the problem. Since the CRL won't get changed
often or on a regular basis I configured the CRL to not expire. The
iPlanet CA completely strips the NextUpdate field from the CRL
when configured like this, making it not conform to RFC1422. Apparently
that's why Apache only accepts the initial CRL and considers all CRL
updates invalid. I don't know why Apache acts like this because it's also
possible to update the CRL before the end of the validity period.
A clear error message (instead of a child segmentation fault or a spurious
SSL handshake) would have saved me a lot of work.
I just set the validity date of the CRL to a long period.
All the best,
Koen
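A small check for the condition Koen describes, added here as an example that is not part of this thread: it walks the DER of a CRL's TBSCertList and reports whether nextUpdate is present. The two sample CRLs are constructed inline with a placeholder issuer and a dummy signature, so only the structure is inspected.

```python
# Added example (not from the thread): detect a CRL whose TBSCertList omits
# nextUpdate, which is what the "never expire" CA setting produced.
# Minimal DER walker; sample CRLs below are constructed here with a
# placeholder issuer and a dummy signature, so only structure is checked.

def _tlv(data, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def crl_next_update(der):
    """Return the nextUpdate time string of a DER CRL, or None if omitted."""
    _, cert_list, _ = _tlv(der, 0)         # CertificateList SEQUENCE
    _, tbs, _ = _tlv(cert_list, 0)         # TBSCertList SEQUENCE
    tag, _, pos = _tlv(tbs, 0)             # version (INTEGER) or signature
    if tag == 0x02:                        # optional version present
        _, _, pos = _tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)             # issuer Name
    _, _, pos = _tlv(tbs, pos)             # thisUpdate
    if pos >= len(tbs):
        return None                        # nothing follows thisUpdate
    tag, value, _ = _tlv(tbs, pos)
    if tag in (0x17, 0x18):                # UTCTime / GeneralizedTime
        return value.decode("ascii")
    return None                            # revokedCertificates or extensions

def _der(tag, body):
    """Encode a short DER element (bodies shorter than 128 bytes)."""
    return bytes([tag, len(body)]) + body

def sample_crl(with_next_update):
    """Constructed unsigned CRL: issuer CN=Certificate Manager, sha1WithRSA OID."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010105")) + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x13, b"Certificate Manager"))
    issuer = _der(0x30, _der(0x31, cn))
    tbs = _der(0x02, b"\x01") + alg + issuer + _der(0x17, b"020320093244Z")
    if with_next_update:
        tbs += _der(0x17, b"020420093244Z")
    sig = _der(0x03, b"\x00" + b"\x00" * 4)  # dummy signature, never verified
    return _der(0x30, _der(0x30, tbs) + alg + sig)

if __name__ == "__main__":
    for flag in (True, False):
        print("nextUpdate:", crl_next_update(sample_crl(flag)))
```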
[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/20/02 10:12 AM
Please respond to modssl-users
To: [EMAIL PROTECTED]
cc:
Subject: SSL server malfunctioning after updating a CRL
Hi,
setup:
*Sunblade100, Solaris 8
Apache 1.3.22
mod_ssl 2.8.5
OpenSSL 0.9.6c
(other box with same problem Intel, RH linux 6.2)
*an offline, standalone root CA running iPlanet certificate management
system 4.22 on Windows NT 4.0
problem: Clients have to provide a valid certificate in order to get
access. When a certificate gets revoked on the CA the CRL has to get
transferred manually to the webserver by floppy (OCSP is not an option).
After copying the new CRL in place and really stopping & starting Apache,
clients can't connect to the webserver anymore. The dos CRLF was removed
from the CRL and the headers are valid.
Even when I change the headers of the original CRL (the working one) to
another valid format, the same error occurs, so it's not because of the
new CRL that the error occurs but any change in the current CRL. I
changed -----BEGIN CERTIFICATE REVOCATION LIST----- to -----BEGIN X509
CRL------ and the same for the END tag of course. Symbolic links
shouldn't have anything to do with it since I'm using the SSLCARevocationFile
directive.
My guess is that mod_ssl keeps a hash / checksum somewhere and detects
changes in the CRL, but I wouldn't know where to look for it. Does
anybody know how I can replace the CRL? The server works perfectly when
SSLVerification require. I didn't find any info on this in the faq of
mod_ssl or OpenSSL.
Best regards,
Koen B.
ssl_error_log shows this:
[20/Mar/2002 09:32:44] [notice] child pid 1199 exit Segmentation Fault (11)
ssl_engine_log:
[20/Mar/2002 09:32:44 01199] [trace] Certificate Verification: depth: 1, subject: /C=fr/O=xxx/CN=Certificate Manager, issuer: /C=fr/O=xxx/CN=Certificate Manager
[20/Mar/2002 09:32:44 01202] [info] Connection to child 4 established (server fake.domainname.com:443, client 192.168.0.10)
[20/Mar/2002 09:32:44 01202] [info] Seeding PRNG with 512 bytes of entropy
[20/Mar/2002 09:32:44 01202] [trace] OpenSSL: Handshake: start
[20/Mar/2002 09:32:44 01202] [trace] OpenSSL: Loop: before/accept initialization
[20/Mar/2002 09:32:44 01202] [debug] OpenSSL: read 0/11 bytes from BIO#00208B10 [mem: 0021EC58] (BIO dump follows)
+-------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
[20/Mar/2002 09:32:44 01202] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
relevant snippet from httpd.conf:
...
<IfModule mod_ssl.c>
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup file:/usr/local/apache/randfile.rnd 512
SSLRandomSeed connect file:/usr/local/apache/randfile.rnd 512
SSLLog /usr/local/apache/logs/ssl_engine_log
SSLLogLevel debug
ErrorLog logs/ssl_error_log
</IfModule>
...
<IfDefine SSL>
<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache/htdocs"
ServerName fake.domainname.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache/conf/ssl.crt/fake.domainname.com.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/fake.domainname.com.key
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.testdomain.com.crt
SSLCARevocationFile /usr/local/apache/conf/ssl.crl/ca.testdomain.com.crl
SSLVerifyClient require
SSLVerifyDepth 5
...
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]