65025 – SSL error "ca key too small" is reported at info level instead of error level

Bug 65025 - SSL error "ca key too small" is reported at info level instead of error level

Summary: SSL error "ca key too small" is reported at info level instead of error level

Status:	NEW

Alias:	None

Product:	Apache httpd-2
Classification:	Unclassified
Component:	mod_ssl (show other bugs)
Version:	2.4.38
Hardware:	PC Linux

Importance:	P2 normal (vote)
Target Milestone:	---
Assignee:	Apache HTTPD Bugs Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-12-22 15:23 UTC by Rustam Abdullaev
Modified:	2020-12-22 16:52 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Rustam Abdullaev 2020-12-22 15:23:14 UTC

A problem with a CA chain is being reported at ssl:info level, which is normally suppressed, resulting in no logging whatsoever for CA-cert-related connection issues.

For example, a 1024-bit CA-cert is blocked by OpenSSL SECLEVEL=2.

There is currently NO logging about it on the server side.

On the client it manifests itself as "ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1399:SSL alert number 80", so not really helpful.

The actual error, ssl_add_cert_chain:ca key too small, is visible in the server log only after bumping LogLevel to debug:

[Tue Dec 22 16:09:14.686357 2020] [ssl:info] [pid 12257:tid 139992554424064] [client ::1:58060] AH02008: SSL library error 1 in handshake (server localhost:443)
[Tue Dec 22 16:09:14.686391 2020] [ssl:info] [pid 12257:tid 139992554424064] SSL Library Error: error:1413C18D:SSL routines:ssl_add_cert_chain:ca key too small
[Tue Dec 22 16:09:14.686414 2020] [ssl:info] [pid 12257:tid 139992554424064] [client ::1:58060] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:443)

Thus hereby a request to change ssl_add_cert_chain error reporting to error level.