From: Paul Heinlein <heinlein at madboa.com>

> On Thu, 5 Nov 2009, John Doe wrote:
> >> Also, there's an Apache bug that fouls things up if the "CA" and
> >> "CA SSL" root certificates both have the same CN:
> >> https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
>
> > Hum.. that might be the case...
> > They must all use 'myhost.mydomain' as CN...
> > Do you know how to specify different CNs in a common openssl.conf file?
>
> I use a Makefile wrapper around the openssl calls.

I used the -subj to override the CN from the conf file and now I have different CNs for the ca and cassl, but it did not solve the problem...
It still works fine without CRL. But with it:

[debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=my.ca, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=my.ca
[debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 1, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=my.ca
[debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=my.ca, lastUpdate: Nov 6 10:16:52 2009 GMT, nextUpdate: Nov 6 10:16:52 2010 GMT
[debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 0, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
[debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov 6 10:16:52 2009 GMT, nextUpdate: Nov 6 10:16:52 2010 GMT
[warn] Invalid signature on CRL
[error] Certificate Verification: Error (8): CRL signature failure
[debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[info] [client 192.168.16.23] SSL library error 1 in handshake (server myhost.mydomain:12345)
[info] SSL Library Error: 67686519 error:0408D077:rsa routines:FIPS_RSA_VERIFY:wrong signature length
[info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
[info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[info] [client 192.168.16.23] Connection closed to child 1 with abortive shutdown (server myhost.mydomain:12345)

Not sure if the errors after the "CRL signature failure" are a side effect or the reason for the failure; especially the "wrong signature length"...

Thx,
JD
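One check worth running on a setup like the one logged above is to verify each CRL against the CA certificate that is supposed to have issued it, using `openssl crl -CAfile`, instead of trusting that a matching issuer DN means a matching signing key. The script below is an added example, not code from this thread, from Apache or from OpenSSL: it builds two throwaway CAs that share the DN from the log (CN=my.ca) but have different keys, issues an empty CRL from the first, and shows that the CRL verifies against its real issuer and fails against the look-alike, which is the "CRL signature failure" condition. The temporary directory layout, file names, the minimal ca.cnf and the helper names are assumptions made for the example; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): two CAs with identical subject DNs but
# different keys, and a helper that reports which one actually signed a CRL.
# Every key, certificate and path is constructed here in a temporary directory
# that is removed when the shell exits.

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# Same DN as the "CA" root in the original log.  The point of the example is
# that a DN alone does not identify a signing key.
CA_SUBJ='/C=AA/ST=BB/L=CC/O=DD/CN=my.ca'

# make_ca NAME SUBJECT: self-signed CA key and certificate under $WORK/NAME.
make_ca() {
    mkdir -p "$WORK/$1" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "$2" \
        -keyout "$WORK/$1/ca.key" -out "$WORK/$1/ca.crt" >/dev/null 2>&1
}

# make_crl NAME: issue an (empty) CRL signed by the CA under $WORK/NAME.
# The minimal ca.cnf (an assumption for this example) carries only what
# `openssl ca -gencrl` insists on reading from the config file; the key,
# certificate and output file are passed on the command line.
make_crl() {
    d=$WORK/$1
    : > "$d/index.txt"
    printf '[ ca ]\ndefault_ca = demo\n\n[ demo ]\ndatabase = %s/index.txt\ndefault_md = sha256\ndefault_crl_days = 30\n' \
        "$d" > "$d/ca.cnf"
    openssl ca -config "$d/ca.cnf" -gencrl -cert "$d/ca.crt" -keyfile "$d/ca.key" \
        -out "$d/crl.pem" >/dev/null 2>&1
}

# subject_of CERT: print the subject DN, to show the two CAs are name-identical.
subject_of() {
    openssl x509 -noout -subject -in "$1"
}

# crl_signed_by CRL CACERT: prints "OK" (status 0) if the CRL signature verifies
# with the key in CACERT, "FAIL" (status 1) otherwise.  `openssl crl -CAfile`
# selects the issuer certificate by subject name and then checks the signature,
# so a same-named CA with a different key produces exactly this failure.
crl_signed_by() {
    if openssl crl -noout -in "$1" -CAfile "$2" 2>&1 | grep -q 'verify OK'; then
        echo OK
        return 0
    fi
    echo FAIL
    return 1
}

make_ca ca1 "$CA_SUBJ" || exit 1   # the CA that signs the CRL
make_ca ca2 "$CA_SUBJ" || exit 1   # an unrelated CA with the very same DN
make_crl ca1 || exit 1

echo "ca1 subject: $(subject_of "$WORK/ca1/ca.crt")"
echo "ca2 subject: $(subject_of "$WORK/ca2/ca.crt")"
echo "CRL from ca1 checked against ca1: $(crl_signed_by "$WORK/ca1/crl.pem" "$WORK/ca1/ca.crt")"
echo "CRL from ca1 checked against ca2: $(crl_signed_by "$WORK/ca1/crl.pem" "$WORK/ca2/ca.crt")"
```

To apply the same check to a live server, run `crl_signed_by` with each CRL the server loads against each CA certificate it trusts (for Apache, the certificates in SSLCACertificateFile); the combination that prints OK is the real issuer, and a FAIL for a CA whose DN matches the CRL issuer is the name collision the thread is discussing.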