Bug 65025

Summary: SSL error "ca key too small" is reported at info level instead of error level
Product: Apache httpd-2
Reporter: Rustam Abdullaev <rustamabd>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW
Severity: normal
Priority: P2
Version: 2.4.38
Target Milestone: ---
Hardware: PC
OS: Linux

Description Rustam Abdullaev 2020-12-22 15:23:14 UTC
A problem with a CA chain is being reported at ssl:info level, which is normally suppressed, resulting in no logging whatsoever for CA-cert-related connection issues.

For example, a 1024-bit CA-cert is blocked by OpenSSL SECLEVEL=2.

There is currently NO logging about it on the server side.

On the client it manifests itself as "ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1399:SSL alert number 80", so not really helpful.

The actual error, ssl_add_cert_chain:ca key too small, is visible in the server log only after bumping LogLevel to debug:

[Tue Dec 22 16:09:14.686357 2020] [ssl:info] [pid 12257:tid 139992554424064] [client ::1:58060] AH02008: SSL library error 1 in handshake (server localhost:443)
[Tue Dec 22 16:09:14.686391 2020] [ssl:info] [pid 12257:tid 139992554424064] SSL Library Error: error:1413C18D:SSL routines:ssl_add_cert_chain:ca key too small
[Tue Dec 22 16:09:14.686414 2020] [ssl:info] [pid 12257:tid 139992554424064] [client ::1:58060] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:443)

Hence this request to change ssl_add_cert_chain error reporting to error level.
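Until the log level of this error changes in mod_ssl, the only server-side signal is the ssl:info trio shown above, so an operator who needs to notice a rejected CA chain has to run at LogLevel ssl:info and let a log monitor re-rate it. The following is an added example (not httpd or OpenSSL code, and not part of the bug report) of that re-rating: it parses error_log entries in httpd's default ErrorLogFormat, correlates the "SSL Library Error" line with the preceding AH02008 handshake line on the same pid/tid so the client address can be attached, and emits the chain-rejection at error level. The sample log lines are constructed from the excerpt in the report; "ca key too small" is the reason string from the report, while "ee key too small" and "ca md too weak" are assumed sibling reason strings from OpenSSL's security-level check.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample lines, modelled on the error_log excerpt in the bug report
# (default httpd ErrorLogFormat, LogLevel ssl:info). The last two lines are
# unrelated entries so the matcher has something to ignore.
SAMPLE_LOG = """\
[Tue Dec 22 16:09:14.686357 2020] [ssl:info] [pid 12257:tid 139992554424064] [client ::1:58060] AH02008: SSL library error 1 in handshake (server localhost:443)
[Tue Dec 22 16:09:14.686391 2020] [ssl:info] [pid 12257:tid 139992554424064] SSL Library Error: error:1413C18D:SSL routines:ssl_add_cert_chain:ca key too small
[Tue Dec 22 16:09:14.686414 2020] [ssl:info] [pid 12257:tid 139992554424064] [client ::1:58060] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:443)
[Tue Dec 22 16:09:20.000000 2020] [ssl:info] [pid 12257:tid 139992554424064] [client ::1:58070] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:443)
[Tue Dec 22 16:09:21.000000 2020] [core:notice] [pid 12250:tid 139992554424064] AH00094: Command line: '/usr/sbin/httpd'
"""

# One error_log entry: [timestamp] [module:level] [pid N(:tid M)] ([client A]) message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[a-z_]+):(?P<level>[a-z0-9]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)

# mod_ssl's "SSL Library Error:" line carries OpenSSL's error:CODE:lib:func:reason string.
LIB_ERR_RE = re.compile(
    r"^SSL Library Error: error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):"
    r"(?P<func>[^:]+):(?P<reason>.*)$"
)

# Reason strings for a certificate chain rejected by the OpenSSL security level.
# "ca key too small" is the one in the report; the other two are assumed sibling
# reasons raised by the same check.
FATAL_CHAIN_REASONS = {"ca key too small", "ee key too small", "ca md too weak"}


@dataclass
class Finding:
    timestamp: str
    pid: str
    tid: Optional[str]
    client: Optional[str]
    func: str
    reason: str
    original_level: str
    escalated_level: str = "error"


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one error_log entry into its fields, or None if it is not in the default format."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def escalate(lines: Iterable[str]) -> List[Finding]:
    """Return every chain rejection found in the log, re-rated to error level.

    AH02008 (handshake failed) carries the client address, the following
    "SSL Library Error" line carries the reason, and AH01998 closes the
    connection; all three share a pid/tid, which is used to join them.
    """
    pending: Dict[Tuple[str, Optional[str]], Dict[str, Optional[str]]] = {}
    findings: List[Finding] = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["module"] != "ssl":
            continue
        key = (rec["pid"], rec["tid"])
        msg = rec["msg"] or ""
        if msg.startswith("AH02008:"):
            pending[key] = rec          # remember the handshake line for its client address
            continue
        m = LIB_ERR_RE.match(msg)
        if m and m.group("reason") in FATAL_CHAIN_REASONS:
            handshake = pending.get(key)
            findings.append(Finding(
                timestamp=rec["ts"] or "",
                pid=rec["pid"] or "",
                tid=rec["tid"],
                client=handshake["client"] if handshake else None,
                func=m.group("func"),
                reason=m.group("reason"),
                original_level=rec["level"] or "",
            ))
        if msg.startswith("AH01998:"):
            pending.pop(key, None)      # connection closed; forget the handshake context
    return findings


def render(f: Finding) -> str:
    """Format a finding as an error_log-style line at the escalated level."""
    pid_part = f"pid {f.pid}" + (f":tid {f.tid}" if f.tid else "")
    client = f"[client {f.client}] " if f.client else ""
    return (f"[{f.timestamp}] [ssl:{f.escalated_level}] [{pid_part}] {client}"
            f"certificate chain rejected in {f.func}: {f.reason} "
            f"(originally logged at {f.original_level})")


if __name__ == "__main__":
    for finding in escalate(SAMPLE_LOG.splitlines()):
        print(render(finding))
```

Running it on the constructed sample prints a single ssl:error line for client ::1:58060 with reason "ca key too small"; the unrelated AH01998 and core:notice entries produce nothing. Feeding it a real error_log requires LogLevel ssl:info (or higher) on the server, which is exactly the cost the report objects to, so this is a stop-gap for monitoring rather than a substitute for the requested change in mod_ssl.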