[CentOS] Certificates Revocation Lists and Apache...

Fri Nov 6 10:36:01 UTC 2009
John Doe <jdmls at yahoo.com>

From: Paul Heinlein <heinlein at madboa.com>
> On Thu, 5 Nov 2009, John Doe wrote:
> >> Also, there's an Apache bug that fouls things up if the "CA" and 
> >> "CA SSL" root certificates both have the same CN:
> >>  https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
> >
> > Hum.. that might be the case...
> > They must all use 'myhost.mydomain' as CN...
> > Do you know how to specify different CNs in a common openssl.conf file?
> 
> I use a Makefile wrapper around the openssl calls.

I used -subj to override the CN from the conf file and now I have different CNs for the ca and cassl, but it did not solve the problem...
It still works fine without CRL.  But with it:
  [debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=my.ca, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=my.ca
  [debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 1, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=my.ca
  [debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=my.ca, lastUpdate: Nov  6 10:16:52 2009 GMT, nextUpdate: Nov  6 10:16:52 2010 GMT
  [debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 0, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
  [debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov  6 10:16:52 2009 GMT, nextUpdate: Nov  6 10:16:52 2010 GMT
  [warn] Invalid signature on CRL
  [error] Certificate Verification: Error (8): CRL signature failure
  [debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client certificate B
  [debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
  [debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
  [info] [client 192.168.16.23] SSL library error 1 in handshake (server myhost.mydomain:12345)
  [info] SSL Library Error: 67686519 error:0408D077:rsa routines:FIPS_RSA_VERIFY:wrong signature length
  [info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
  [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
  [info] [client 192.168.16.23] Connection closed to child 1 with abortive shutdown (server myhost.mydomain:12345)

Not sure if the errors after the "CRL signature failure" are a side effect or the reason for the failure; especially the "wrong signature length"...

Thx,
JD
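An added example, not code from the original post or from the CentOS/Apache projects, for checking a CRL signature failure like the one in the log outside of Apache. The log shows mod_ssl selecting each CRL by issuer name, and OpenSSL's "wrong signature length" means the signature's byte length did not match the modulus of the key it was verified against, which is what happens when a lookup by name lands on a certificate whose key is not the one that signed the CRL. The script below builds two self-signed issuers that share the DN from the log (/C=AA/ST=BB/L=CC/O=DD/CN=my.ca) but have different RSA key sizes, issues a CRL from each with `openssl ca -gencrl`, and uses `openssl crl -CAfile` to report which certificate actually verifies which CRL. The directory names (ca_a, ca_b), key sizes, and the minimal openssl.cnf are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Two issuer certificates with the
# same DN but different RSA keys, one CRL from each, and an offline check of
# which certificate verifies which CRL. Names, key sizes and the minimal
# openssl.cnf below are assumptions for the example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed issuer with its own minimal openssl.cnf and an empty CRL.
# $1 = directory name under $WORK, $2 = RSA key size in bits.
make_ca() {
    name="$WORK/$1"
    bits="$2"
    mkdir -p "$name"
    cat > "$name/openssl.cnf" <<EOF
[ ca ]
default_ca      = ca_default

[ ca_default ]
dir             = $name
database        = \$dir/index.txt
new_certs_dir   = \$dir
serial          = \$dir/serial
crlnumber       = \$dir/crlnumber
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256

[ req ]
distinguished_name = dn

[ dn ]
commonName      = Common Name
EOF
    : > "$name/index.txt"
    echo 01 > "$name/serial"
    echo 01 > "$name/crlnumber"
    openssl genrsa -out "$name/ca.key" "$bits" 2>/dev/null
    # -subj overrides whatever DN the config would prompt for, as in the post.
    openssl req -new -x509 -key "$name/ca.key" -out "$name/ca.crt" -days 365 \
        -config "$name/openssl.cnf" -subj "/C=AA/ST=BB/L=CC/O=DD/CN=my.ca" 2>/dev/null
    openssl ca -config "$name/openssl.cnf" -gencrl -crldays 30 \
        -out "$name/crl.pem" 2>/dev/null
}

# RSA public key size of a certificate in bits, parsed from the -text output.
key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Verify a CRL signature against one certificate: prints "ok" or "fail".
# openssl picks the issuer certificate from -CAfile by name, just as mod_ssl
# did in the log, so a same-DN certificate with the wrong key fails here too.
# The "verify OK" text is checked rather than the exit status, which older
# openssl releases do not set on a verify failure.
check_crl() {
    if openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'; then
        echo ok
    else
        echo fail
    fi
}

make_ca ca_a 2048
make_ca ca_b 4096

# Identical subjects, so a lookup by name cannot tell them apart; only the key
# (and with it the signature length) differs.
openssl x509 -in "$WORK/ca_a/ca.crt" -noout -subject
openssl x509 -in "$WORK/ca_b/ca.crt" -noout -subject
echo "ca_a key: $(key_bits "$WORK/ca_a/ca.crt") bit, ca_b key: $(key_bits "$WORK/ca_b/ca.crt") bit"

echo "ca_a CRL with ca_a cert: $(check_crl "$WORK/ca_a/crl.pem" "$WORK/ca_a/ca.crt")"
echo "ca_a CRL with ca_b cert: $(check_crl "$WORK/ca_a/crl.pem" "$WORK/ca_b/ca.crt")"
echo "ca_b CRL with ca_b cert: $(check_crl "$WORK/ca_b/crl.pem" "$WORK/ca_b/ca.crt")"
echo "ca_b CRL with ca_a cert: $(check_crl "$WORK/ca_b/crl.pem" "$WORK/ca_a/ca.crt")"
```

Run the same `check_crl` step against the real files: the CRL from SSLCARevocationFile (or each file in SSLCARevocationPath) with each certificate from SSLCACertificateFile in turn. The pair that prints "ok" is the one mod_ssl needs to find by name; if the certificate it actually selects (the one whose subject matches the CRL issuer in the debug line) prints "fail", the CRL was signed by a different key than that certificate carries.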