
OCSP with TLS 1.3 in 2.4.37 false positive?


After Yann's mail I double checked and fixed my setup to actually use TLS 1.3 in the test suite when OpenSSL 1.1.1 is available.

I now see a new OCSP test failure, namely test 3 (revoked certificate). The revocation is correctly detected:

[Sat Oct 20 06:14:46.492343 2018] [ssl:error] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH03239: OCSP validation completed, certificate status: revoked (1, -1) [subject: emailAddress=test-dev@xxxxxxxxxxxxxxxx,CN=client_revoked,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: emailAddress=test-dev@xxxxxxxxxxxxxxxx,CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 09 / notbefore: Oct 20 04:04:52 2018 GMT / notafter: Oct 20 04:04:52 2019 GMT]
[Sat Oct 20 06:14:46.492452 2018] [ssl:info] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH02276: Certificate Verification: Error (23): certificate revoked [subject: emailAddress=test-dev@xxxxxxxxxxxxxxxx,CN=client_revoked,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: emailAddress=test-dev@xxxxxxxxxxxxxxxx,CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 09 / notbefore: Oct 20 04:04:52 2018 GMT / notafter: Oct 20 04:04:52 2019 GMT]

and the signaling looks OK:

[Sat Oct 20 06:14:46.492666 2018] [ssl:trace3] [pid 13631:tid 140131235235584] ssl_engine_kernel.c(2210): [client 127.0.0.1:43881] OpenSSL: Write: error
[Sat Oct 20 06:14:46.492691 2018] [ssl:trace3] [pid 13631:tid 140131235235584] ssl_engine_kernel.c(2229): [client 127.0.0.1:43881] OpenSSL: Exit: error in error
[Sat Oct 20 06:14:46.492708 2018] [ssl:info] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH02008: SSL library error 1 in handshake (server localhost:8535)
[Sat Oct 20 06:14:46.492873 2018] [ssl:info] [pid 13631:tid 140131235235584] SSL Library Error: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
[Sat Oct 20 06:14:46.492903 2018] [ssl:info] [pid 13631:tid 140131235235584] [client 127.0.0.1:43881] AH01998: Connection closed to child 136 with abortive shutdown (server localhost:8535)

That looks very similar to what gets logged for TLSv1.2.

But the client shows:


500 Status read failed:
Content-Type: text/plain
Client-Date: Sat, 20 Oct 2018 04:33:39 GMT
Client-Warning: Internal response

Status read failed:  at .../lib/perl5/Net/HTTP/Methods.pm line 282.
not ok 3


instead of


/500 Can't connect to localhost:8535 (SSL connect attempt failed error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked)
Content-Type: text/plain
Client-Date: Sat, 20 Oct 2018 04:32:14 GMT
Client-Warning: Internal response

Can't connect to localhost:8535 (SSL connect attempt failed error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked)

SSL connect attempt failed error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked at .../lib/perl5/LWP/Protocol/http.pm line 50.
ok 3


That looks to me like a change in behavior of the underlying client-side TLS layer in how it signals the alert to the HTTP layer.

Regards,

Rainer
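The behaviour reported in the mail above, reproduced as an added example that is not part of the original message and not code from httpd's test suite. In TLS 1.2 the server verifies the client certificate before it sends its own Finished, so a rejection aborts the client's handshake (the "alert certificate revoked" seen at connect time). In TLS 1.3 the client's handshake is complete as soon as it has sent its Finished; the server only then verifies the certificate and sends the alert, so the client first notices the rejection on its first read or write of application data (the "Status read failed"). The script assumes an `openssl` CLI on PATH and a Python 3.7+ whose OpenSSL is 1.1.1 or newer; since OCSP cannot be exercised offline, a self-signed client certificate the server does not trust stands in for the revoked one (a substitute chosen here, not what the test suite uses). The stage at which the alert surfaces does not depend on the reason for the rejection.

```python
"""Where does a client see a server-side client-cert rejection: TLS 1.2 vs 1.3?
Added example; assumes `openssl` on PATH and Python 3.7+ with OpenSSL >= 1.1.1."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _make_self_signed(directory, name):
    """Generate a throwaway self-signed certificate and key with the openssl CLI."""
    key = os.path.join(directory, name + ".key")
    crt = os.path.join(directory, name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1", "-subj", "/CN=" + name],
        check=True, capture_output=True)
    return crt, key


def _client_context(server_crt, client_crt, client_key, version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # the server cert is trusted directly
    ctx.load_verify_locations(cafile=server_crt)
    ctx.load_cert_chain(client_crt, client_key)
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def _serve(listener, server_ctx, count):
    """Accept `count` connections.  Each handshake fails on the server side because
    the client certificate does not verify (stand-in for "revoked"); OpenSSL then
    emits a fatal alert, just as mod_ssl does after a negative OCSP answer."""
    for _ in range(count):
        conn, _addr = listener.accept()
        try:
            tls = server_ctx.wrap_socket(conn, server_side=True)
            tls.sendall(b"HTTP/1.0 200 OK\r\n\r\n")   # only reached if verification passed
            tls.close()
        except OSError:
            pass                                       # expected: certificate verify failed
        finally:
            conn.close()


def _probe(port, ctx):
    """Report at which stage the client notices the rejection."""
    raw = socket.create_connection(("127.0.0.1", port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname="localhost",
                          do_handshake_on_connect=False)
    try:
        try:
            tls.do_handshake()
        except OSError:
            return "handshake"            # TLS 1.2: the alert aborts the handshake
        try:
            tls.sendall(b"GET / HTTP/1.0\r\n\r\n")
            if tls.recv(1024) == b"":
                return "after handshake"  # server closed without an application reply
            return "accepted"
        except OSError:
            return "after handshake"      # TLS 1.3: alert (or reset) hits the first I/O
    finally:
        tls.close()


def run_demo():
    """Return e.g. {"TLSv1.2": "handshake", "TLSv1.3": "after handshake"}."""
    with tempfile.TemporaryDirectory() as tmp:
        srv_crt, srv_key = _make_self_signed(tmp, "localhost")
        cli_crt, cli_key = _make_self_signed(tmp, "client_untrusted")

        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(srv_crt, srv_key)
        server_ctx.verify_mode = ssl.CERT_REQUIRED
        server_ctx.load_verify_locations(cafile=srv_crt)   # trust store: only itself

        versions = [("TLSv1.2", ssl.TLSVersion.TLSv1_2)]
        if ssl.HAS_TLSv1_3:
            versions.append(("TLSv1.3", ssl.TLSVersion.TLSv1_3))

        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(5)
        listener.settimeout(10)
        port = listener.getsockname()[1]
        worker = threading.Thread(target=_serve, daemon=True,
                                  args=(listener, server_ctx, len(versions)))
        worker.start()

        results = {}
        for name, version in versions:
            results[name] = _probe(port, _client_context(srv_crt, cli_crt, cli_key, version))
        worker.join(timeout=10)
        listener.close()
    return results


if __name__ == "__main__":
    for name, stage in run_demo().items():
        print("%s: client sees the rejection at %s" % (name, stage))
```

The practical consequence for a test suite or any client is that under TLS 1.3 a successful connect no longer proves the server accepted the client certificate; the check has to look at the first response (or the error on the first read) instead of at the connect call.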