https://issues.apache.org/bugzilla/show_bug.cgi?id=56410
Bug ID: 56410
Summary: Apache 2.4.9 breaks existing installation after
upgrading from 2.4.7 when using self-signed SSL
certificates using OpenSSL 0.9.8e (CentOS 5.10)
Product: Apache httpd-2
Version: 2.4.9
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Self-signed certificates cause an unpatched Apache 2.4.9 to fail to start when
SSLCACertificateFile is left unspecified.
This worked correctly under Apache 2.4.7.
--------------------------------------------
The following error is emitted to error_log:
--------------------------------------------
[Mon Apr 14 15:06:11.486441 2014] [suexec:notice] [pid 27131] AH01232: suEXEC
mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Mon Apr 14 15:06:11.491588 2014] [ssl:emerg] [pid 27132] AH02562: Failed to
configure certificate cent5ssl.loc:443:0 (with chain), check
/tmp/ssl-keys/server.crt
[Mon Apr 14 15:06:11.491635 2014] [ssl:emerg] [pid 27132] SSL Library Error:
error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH
PARAMETERS) -- Bad file contents or format - or even just a forgotten
SSLCertificateKeyFile?
[Mon Apr 14 15:06:11.491647 2014] [:emerg] [pid 27132] AH00020: Configuration
Failed, exiting
--------------------------------------------
To duplicate, I did the following:
--------------------------------------------
1. Downloaded Apache 2.4.9
2. Downloaded APR 1.5.0
3. Downloaded APR-util 1.5.3
4. Extracted Apache tarball
5. Extracted both APR libraries into srclib directory
6. Ran the following configure line:
./configure --disable-v4-mapped --enable-access-compat=static
--enable-actions=static --enable-alias=static --enable-auth_basic=static
--enable-authn_core=static --enable-authn_file=static
--enable-authz_core=static --enable-authz_groupfile=static
--enable-authz_host=static --enable-authz_user=static --enable-autoindex=static
--enable-cgi=static --enable-deflate=static --enable-dir=static
--enable-expires=static --enable-filter=static --enable-headers=static
--enable-include=static --enable-info=static --enable-log_config=static
--enable-logio=static --enable-mime=static --enable-modules=none
--enable-negotiation=static --enable-proxy=static --enable-proxy-connect=static
--enable-proxy-http=static --enable-rewrite=static --enable-setenvif=static
--enable-slotmem_shm=static --enable-socache_dbm=static
--enable-socache_shmcb=static --enable-ssl=static --enable-status=static
--enable-suexec=static --enable-unixd=static --enable-userdir=static
--prefix=/usr/local/apache --with-included-apr --with-mpm=prefork
--with-pcre=/opt/pcre --with-ssl=/usr --with-suexec-caller=nobody
--with-suexec-docroot=/ --with-suexec-gidmin=100
--with-suexec-logfile=/usr/local/apache/logs/suexec_log
--with-suexec-uidmin=100 --with-suexec-userdir=public_html
7. Generated self-signed certificate and key:
mkdir /tmp/ssl-keys
cd /tmp/ssl-keys
openssl req -new -x509 -nodes -out server.crt -keyout server.key -extensions
usr_cert
8. Created a virtual host in Apache, then added the following SSL options:
SSLEngine on
SSLCertificateFile /tmp/ssl-keys/server.crt
SSLCertificateKeyFile /tmp/ssl-keys/server.key
9. Validated that this _works_ with Apache 2.4.7 using OpenSSL
0.9.8e-fips-rhel5 (CentOS 5.10)
10. Validated that this _breaks_ with Apache 2.4.9 using OpenSSL
0.9.8e-fips-rhel5 (CentOS 5.10)
11. Validated that this _works_ with Apache 2.4.9 using OpenSSL 1.0.1e-fips
(CentOS 6.5)
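The AH02562 error above says mod_ssl stopped on server.crt while expecting a DH PARAMETERS block. As an added example that is not part of the bug report, here is a POSIX shell helper that inventories the PEM block types in a file, so one can confirm what server.crt actually contains before changing httpd or OpenSSL; the PEM bodies are constructed placeholders, and pem_blocks, has_pem_type and write_sample_pem are names introduced here.

```shell
#!/bin/sh
# Added helper (not from the report): list the PEM blocks in a file.

# pem_blocks FILE: prints "<TYPE> <body_lines>" per well-formed block, or
# MISMATCH / STRAY-END / UNTERMINATED when the BEGIN/END framing is broken.
pem_blocks() {
    awk '
        function label(s) { sub(/^-----(BEGIN|END) /, "", s); sub(/-----$/, "", s); return s }
        /^-----BEGIN / { if (inblock) print "UNTERMINATED " type; type = label($0); inblock = 1; n = 0; next }
        /^-----END / {
            etype = label($0)
            if (!inblock)      { print "STRAY-END " etype; next }
            if (etype != type) { print "MISMATCH " type "/" etype }
            else               { print type " " n }
            inblock = 0; next
        }
        inblock { n++ }
        END { if (inblock) print "UNTERMINATED " type }
    ' "$1"
}

# has_pem_type FILE TYPE: succeeds only if FILE holds a block of exactly TYPE
# (so "CERTIFICATE" does not match "TRUSTED CERTIFICATE" or "CERTIFICATE REQUEST").
has_pem_type() {
    pem_blocks "$1" | awk -v want="$2" '
        { t = $0; sub(/ [0-9]+$/, "", t); if (t == want) found = 1 }
        END { exit !found }'
}

# write_sample_pem FILE [with_dh]: constructed stand-in for /tmp/ssl-keys/server.crt,
# a lone certificate as in the report, optionally with DH parameters appended.
# The base64 bodies are placeholders, not real DER.
write_sample_pem() {
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderLine1' 'MIIBplaceholderLine2' '-----END CERTIFICATE-----'
        if [ "${2:-}" = with_dh ]; then
            printf '%s\n' '-----BEGIN DH PARAMETERS-----' 'MIGHplaceholderDH' '-----END DH PARAMETERS-----'
        fi
    } > "$1"
}

# Demo: inspect a file shaped like the reporter's server.crt.
demo() {
    crt=$(mktemp); write_sample_pem "$crt"
    echo "server.crt blocks:"; pem_blocks "$crt"
    has_pem_type "$crt" "DH PARAMETERS" || echo "  no DH PARAMETERS block present"
    rm -f "$crt"
}
demo
```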