[Bug 62880] New: "Failed to configure CA certificate chain" because OpenSSL's error queue is not cleared


Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=62880

            Bug ID: 62880
           Summary: "Failed to configure CA certificate chain" because
                    OpenSSL's error queue is not cleared
           Product: Apache httpd-2
           Version: 2.4.37
          Hardware: PC
                OS: Linux
            Status: NEW
          Keywords: PatchAvailable
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Created attachment 36241
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36241&action=edit
Bugfix (clear the error queue before loading CA chains)

When using mod_ssl and mod_md in a complex setup (some virtual hosts managed by
mod_md, some not), I got this error from mod_ssl:

AH01903: Failed to configure CA certificate chain!

Before loading the certificate chain, mod_ssl does not clear OpenSSL's error
queue. After loading the certificate chain, mod_ssl inspects the whole error
queue, and finds something. Probably an OpenSSL function called by mod_md has
added something to the error queue.

See also https://github.com/icing/mod_md/issues/84#issuecomment-375959559

The attached patch fixes the bug.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

[Bug 62880] "Failed to configure CA certificate chain" because OpenSSL's error queue is not cleared

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=62880

Stefan Eissing <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Stefan Eissing <[hidden email]> ---
Thanks for the patch! Added to trunk in r1845768.
Will propose for backport to 2.4.x


[Bug 62880] "Failed to configure CA certificate chain" because OpenSSL's error queue is not cleared

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=62880

--- Comment #2 from Michael Kaufmann <[hidden email]> ---
Great, thanks!


[Bug 62880] "Failed to configure CA certificate chain" because OpenSSL's error queue is not cleared

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=62880

--- Comment #3 from Graham Leggett <[hidden email]> ---
Backported to v2.4.38.
