httpd-users mailing list archives

From o haya <oh...@yahoo.com.INVALID>
Subject [users@httpd] SSL/CRL Problem - Error 12 (Expired)
Date Tue, 08 Mar 2016 01:43:10 GMT
Hi,

I'm not sure if I should post this to the openssl mailing list or here, but thought that it'd
make sense to start here.  If that is not appropriate, please let me know.


Anyway, we are upgrading some of our Apache instances to 2.4.16 (on Redhat), and we are encountering
a strange problem with SSL and CRLs.


Our websites are configured for SSL client authentication with CRLs in a directory pointed
to by SSLCARevocationPath and SSLCARevocationCheck set to "chain".  We then place
our CRLs in the directory and create the hashes for them.

However, when we tried to upgrade one of our production instances the requests are failing
and, in the error logs, we are seeing the following messages:

[ssl.debug] [pid 4866] ssl_engine_kernel.c: [client 10.10.10.10-xxxx] Certificate Verification,
depth 1, CRL checking mode: chain [subject: CN=CA4,OU=branch,.... / issuer: CN=Root 3,OU=branch,...
/ serial: 86 / notbefore: Aug 1 00:00:00 2013 GMT / notafter: Aug 1 00:00:00 2021 GMT] 

[ssl.info] [pid 4866] [client 10.10.10.10-xxxx] Certificate Verification: Error (12): CRL
has expired [subject: CN=CA4,OU=branch,... / issuer: CN=Root 3,... / serial: 86 / notbefore:
Aug 1 00:00:00 2013 GMT / notafter: Aug 1 00:00:00 2021 GMT] 

We checked all of the CRL files and they are all within their validity periods.


The thing is that we have not been able to replicate this problem in our test environment,
when we try to re-create a similar PKI hierarchy, so we (or I) suspect that there may be something
going on with either the CRLs or cert files that we are getting from the CAs (but recall that
these same CRLs worked with older Apache).  So I was wondering: are there any known situations
where that "Error 12" would be logged, but where the problem was being caused by something
other than the CRL files actually being expired?

As I said, this might be more of an openssl question?

Thanks in advance,
Jim
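As an added example (not from the original post, and not Apache project code), a shell check that audits the hashed CRL directory named by SSLCARevocationPath: for each *.rN file it reports the issuer and nextUpdate, flags a CRL whose nextUpdate is already past (the condition OpenSSL reports as error 12, X509_V_ERR_CRL_HAS_EXPIRED), flags a file whose name does not start with the issuer-name hash, and notes when several files exist for one issuer. It assumes the openssl CLI and GNU date (for `date -d`) are installed; the directory path is the only input.

```shell
#!/bin/sh
# Added example, not from the original mail: audit a hashed CRL directory
# (the one named by SSLCARevocationPath) the way mod_ssl/OpenSSL looks it up.
# Assumes the openssl CLI and GNU date (for `date -d`) are available.

# check_crl_dir DIR
# Prints one line per *.rN file: STATUS FILE ISSUER nextUpdate=...
# Returns 1 if any CRL has expired or sits under the wrong hash name, else 0.
check_crl_dir() {
    dir=$1
    now=$(date +%s)
    rc=0
    seen=""
    for f in "$dir"/*.r[0-9]*; do
        [ -e "$f" ] || { echo "no hashed CRL files (*.rN) in $dir"; return 1; }
        # Files in the directory may be PEM or DER; try PEM first, then DER.
        form=PEM
        openssl crl -in "$f" -inform PEM -noout >/dev/null 2>&1 || form=DER
        hash=$(openssl crl -in "$f" -inform "$form" -noout -hash)
        issuer=$(openssl crl -in "$f" -inform "$form" -noout -issuer)
        next=$(openssl crl -in "$f" -inform "$form" -noout -nextupdate | sed 's/^nextUpdate=//')
        next_epoch=$(date -d "$next" +%s)
        status=OK
        # The file name must start with the issuer-name hash, or the lookup
        # for that issuer never finds this CRL at all.
        case $(basename "$f") in
            "$hash".r*) ;;
            *) status="HASH-MISMATCH(expected $hash)"; rc=1 ;;
        esac
        # nextUpdate in the past is exactly what OpenSSL reports as
        # error 12, X509_V_ERR_CRL_HAS_EXPIRED.
        if [ "$next_epoch" -lt "$now" ]; then
            status=EXPIRED
            rc=1
        fi
        # Several files for one issuer hash are legal, but listing them
        # makes a stale copy sitting next to the current CRL visible.
        case " $seen " in
            *" $hash "*) status="$status DUPLICATE-ISSUER" ;;
        esac
        seen="$seen $hash"
        echo "$status $f $issuer nextUpdate=$next"
    done
    return $rc
}
```

Run it as `check_crl_dir /path/to/crl/dir` on the server whose clock mod_ssl uses, since the comparison is against that host's current time.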

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

