From owner-freebsd-apache@FreeBSD.ORG  Thu Jun 26 21:16:27 2014
Return-Path: <owner-freebsd-apache@FreeBSD.ORG>
Delivered-To: apache@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 86C45869
 for <apache@FreeBSD.org>; Thu, 26 Jun 2014 21:16:27 +0000 (UTC)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21])
 (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mout.gmx.net", Issuer "TeleSec ServerPass DE-1" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 1B6F82960
 for <apache@FreeBSD.org>; Thu, 26 Jun 2014 21:16:26 +0000 (UTC)
Received: from [192.168.0.100] ([87.139.233.65]) by mail.gmx.com (mrgmx102)
 with ESMTPSA (Nemesis) id 0MXmpv-1XDJbC0m2x-00WqxQ; Thu, 26 Jun 2014 23:16:17
 +0200
Message-ID: <53AC8DA2.1020809@gmx.de>
Date: Thu, 26 Jun 2014 23:16:18 +0200
From: olli hauer <ohauer@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 5.1;
 rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Rainer Duffner <rainer@ultra-secure.de>
Subject: Re: Strange error after upgrading from Apache 2.2.25 to 2.2.27 (and
 upgrading from FreeBSD9 to FreeBSD10)
References: <20140616160338.39144da0@suse3.ewadmin.local>
 <20140623104833.2f6fb94d@suse3.ewadmin.local>
In-Reply-To: <20140623104833.2f6fb94d@suse3.ewadmin.local>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:R538sdQcDhFPcTHg0LgHuNL15da/ShIB/aeZ6G9RbikaJuThydA
 sBSKPBxv72+eiFPXt8spm1hV/9W8idfary2iZdFImxU7FRpsTvaG2A1NdGqVK3wo6D4lNgb
 zxn3dnNwjJuAKiB76cbpGmnECXU5aQcrDNgBuFvI0JcmsszfYRitVYvATvXcGccz9DSgfDk
 YK6f4jMfOm5q77K2wvKDQ==
Cc: apache@FreeBSD.org
X-BeenThere: freebsd-apache@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Support of apache-related ports  <freebsd-apache.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-apache>,
 <mailto:freebsd-apache-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-apache/>
List-Post: <mailto:freebsd-apache@freebsd.org>
List-Help: <mailto:freebsd-apache-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-apache>,
 <mailto:freebsd-apache-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jun 2014 21:16:27 -0000

On 2014-06-23 10:48, Rainer Duffner wrote:
> Am Mon, 16 Jun 2014 16:03:38 +0200
> schrieb Rainer Duffner <rainer@ultra-secure.de>:
> 
>> Hi,
>>
>>
>> I have a system that does the following:
>>
>> SSLProxyEngine on
>> SSLProxyMachineCertificateFile /usr/local/etc/apache/ssl.crt/DocboxTestProxyClientKeyCert.crt
>> SSLProxyCACertificateFile /usr/local/etc/apache/ssl.crt/ProxyTest_RedAndPurpleCA.crt
>> SSLProxyVerify require 
>> SSLProxyVerifyDepth 1
>>
>>
>> This configuration worked with FreeBSD9, apache-2.2.25.
>>
>> However, after the upgrade to FreeBSD10 and apache-2.2.27, I get:
> 
> 
> Also, it does work with FreeBSD 9.2p8 and apache-2.2.27.
> 
> So it really seems to be a problem with FreeBSD 10's OpenSSL.
> 

One of the difference between 8/9 and 10 is the OpenSSL version 0.9.8? and 1.0.1?


It seems you are not the only one and it has something to do with the SSL key format (PKCS#8 / PKCS#1)
New OpenSSL is using PKCS#1 which is not supported by mod_ssl but the cert can be converted to PKCS#8

See the Answer from Joe Orton on the RHEL bugtracker

http://mail-archives.apache.org/mod_mbox/httpd-bugs/201310.mbox/%3Cbug-55673-7868@https.issues.apache.org/bugzilla/%3E
https://bugzilla.redhat.com/show_bug.cgi?id=1025057


// olli