Bug 62880 - "Failed to configure CA certificate chain" because OpenSSL's error queue is not cleared
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.37
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2018-11-02 16:23 UTC by Michael Kaufmann
Modified: 2018-11-23 15:00 UTC

Attachments
Bugfix (clear the error queue before loading CA chains) (958 bytes, patch)
2018-11-02 16:23 UTC, Michael Kaufmann
Description Michael Kaufmann 2018-11-02 16:23:32 UTC
Created attachment 36241
Bugfix (clear the error queue before loading CA chains)

When using mod_ssl and mod_md in a complex setup (some virtual hosts managed by mod_md, some not), I got this error from mod_ssl:

AH01903: Failed to configure CA certificate chain!

Before loading the certificate chain, mod_ssl does not clear OpenSSL's error queue. After loading the certificate chain, mod_ssl inspects the whole error queue, and finds something. Probably an OpenSSL function called by mod_md has added something to the error queue.

See also https://github.com/icing/mod_md/issues/84#issuecomment-375959559

The attached patch fixes the bug.
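
The failure mode described in the report above, as an added example that is not part of the original report and is not mod_ssl or OpenSSL code: a self-contained C model of a shared error queue in which a stale entry left by another module makes a valid chain load fail, and clearing the queue first fixes it. All names are hypothetical, and the post-load check (anything other than the expected end-of-input entry counts as a failure) is an assumption of the model.

```c
/* Added model, not OpenSSL or mod_ssl code: one FIFO error queue shared by
 * every caller in the thread. All identifiers here are hypothetical. */
#include <stdio.h>
#include <string.h>

enum { ERR_NONE = 0, ERR_EOF_NO_START_LINE = 1, ERR_UNRELATED = 2 };

#define QMAX 16
static int queue[QMAX];
static int qlen;

static void err_push(int code) { if (qlen < QMAX) queue[qlen++] = code; }
static int  err_peek(void)     { return qlen ? queue[0] : ERR_NONE; } /* earliest entry */
static void err_clear(void)    { qlen = 0; }

/* Another module fails an unrelated call and never drains the queue. */
void other_module_call(void) { err_push(ERR_UNRELATED); }

/* Count "CERT" records in buf. Reaching the end of input pushes an
 * end-of-input error; that is how the read loop normally terminates. */
static int read_records(const char *buf) {
    int n = 0;
    for (const char *p = buf; (p = strstr(p, "CERT")) != NULL; p += 4) n++;
    err_push(ERR_EOF_NO_START_LINE);
    return n;
}

/* Returns the number of records loaded, or -1 when the earliest queue
 * entry after loading is anything but the expected end-of-input error. */
int load_chain(const char *buf, int clear_first) {
    if (clear_first) err_clear();      /* the fix: start from an empty queue */
    int n = read_records(buf);
    if (err_peek() != ERR_EOF_NO_START_LINE) return -1; /* stale entry blamed on this load */
    err_clear();
    return n;
}

int main(void) {
    const char *chain = "CERT CERT";   /* constructed sample input */
    other_module_call();
    printf("without clear: %d\n", load_chain(chain, 0));
    other_module_call();
    printf("with clear:    %d\n", load_chain(chain, 1));
    return 0;
}
```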
Comment 1 Stefan Eissing 2018-11-05 10:39:44 UTC
Thanks for the patch! Added to trunk in r1845768.
Will propose for backport to 2.4.x
Comment 2 Michael Kaufmann 2018-11-05 19:31:26 UTC
Great, thanks!
Comment 3 Graham Leggett 2018-11-23 15:00:27 UTC
Backported to v2.4.38.