From owner-freebsd-apache@FreeBSD.ORG Mon Jun 16 14:03:50 2014 Return-Path: Delivered-To: apache@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 354381AE for ; Mon, 16 Jun 2014 14:03:50 +0000 (UTC) Received: from mail.ultra-secure.de (mail.ultra-secure.de [88.198.178.88]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 916352494 for ; Mon, 16 Jun 2014 14:03:48 +0000 (UTC) Received: (qmail 3811 invoked by uid 89); 16 Jun 2014 14:03:43 -0000 Received: by simscan 1.4.0 ppid: 3806, pid: 3808, t: 0.0396s scanners: attach: 1.4.0 clamav: 0.97.3/m:55/d:19105 Received: from unknown (HELO suse3.ewadmin.local) (rainer@ultra-secure.de@212.71.117.1) by mail.ultra-secure.de with ESMTPA; 16 Jun 2014 14:03:43 -0000 Date: Mon, 16 Jun 2014 16:03:38 +0200 From: Rainer Duffner To: apache@FreeBSD.org Subject: Strange error after upgrading from Apache 2.2.25 to 2.2.27 (and upgrading from FreeBSD9 to FreeBSD10) Message-ID: <20140616160338.39144da0@suse3.ewadmin.local> X-Mailer: Claws Mail 3.9.2 (GTK+ 2.24.22; x86_64-suse-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-apache@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Support of apache-related ports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jun 2014 14:03:50 -0000 Hi, I have a system that does the following: SSLProxyEngine on SSLProxyMachineCertificateFile /usr/local/etc/apache/ssl.crt/DocboxTestProxyClientKeyCert.crt SSLProxyCACertificateFile /usr/local/etc/apache/ssl.crt/ProxyTest_RedAndPurpleCA.crt SSLProxyVerify require SSLProxyVerifyDepth 1 This configuration worked with FreeBSD9, apache-2.2.25. However, after the upgrade to FreeBSD10 and apache-2.2.27, I get: [Fri Jun 13 17:37:16 2014] [debug] ssl_engine_init.c(696): Configuring client authentication [Fri Jun 13 17:37:16 2014] [debug] ssl_engine_init.c(1414): CA certificate: /C=CH/ST=ZH/L=Zuerich/O=H-Net AG, Ingbk/OU=Swiss Medical Suite Docbox Forwarder Test Facility/CN=SMS Docbox Proxy Test Certification Authority/emailAddress=info.swissmedicalsuite.docbox.proxy.ch [Fri Jun 13 17:37:16 2014] [debug] ssl_engine_init.c(1414): CA certificate: /C=CH/ST=ZH/L=Zuerich/O=H-Net AG/OU=H-Net Secure Operations/CN=ihe.h-net.ch/emailAddress=ihe@h-net.ch incomplete client cert configured for SSL proxy (missing or encrypted private key?) I'm a bit puzzled by this, because I don't see any obvious error. openssl verify -CAfile /usr/local/etc/apache/ssl.crt/ProxyTest_RedAndPurpleCA.crt /usr/local/etc/apache/ssl.crt/DocboxTestProxyClientKeyCert.crt /usr/local/etc/apache/ssl.crt/DocboxTestProxyClientKeyCert.crt: OK They seem to match... Can anybody share some insight? I know it's this part that is problematic, because if I comment out this section (and a similar section in another config-file, that uses the same syntax), apache starts again. Rainer