Bug 65025 - SSL error "ca key too small" is reported at info level instead of error level
Summary: SSL error "ca key too small" is reported at info level instead of error level
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.38
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-22 15:23 UTC by Rustam Abdullaev
Modified: 2020-12-22 16:52 UTC
Description Rustam Abdullaev 2020-12-22 15:23:14 UTC
A problem with a CA chain is being reported at ssl:info level, which is normally suppressed, resulting in no logging whatsoever for CA-cert-related connection issues.

For example, a 1024-bit CA-cert is blocked by OpenSSL SECLEVEL=2.

There is currently NO logging about it on the server side.

On the client it manifests itself as "ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1399:SSL alert number 80", so not really helpful.

The actual error, ssl_add_cert_chain:ca key too small, is visible in the server log only after bumping LogLevel to debug:

[Tue Dec 22 16:09:14.686357 2020] [ssl:info] [pid 12257:tid 139992554424064] [client ::1:58060] AH02008: SSL library error 1 in handshake (server localhost:443)
[Tue Dec 22 16:09:14.686391 2020] [ssl:info] [pid 12257:tid 139992554424064] SSL Library Error: error:1413C18D:SSL routines:ssl_add_cert_chain:ca key too small
[Tue Dec 22 16:09:14.686414 2020] [ssl:info] [pid 12257:tid 139992554424064] [client ::1:58060] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:443)

Thus hereby a request to change ssl_add_cert_chain error reporting to error level.
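To make the gap the report describes concrete, here is an added Python example (not part of the bug report and not httpd code) that parses the three error_log lines quoted above, decodes the packed OpenSSL error code, and lists the SSL library errors that a given LogLevel would suppress; it assumes httpd's default LogLevel of warn and the OpenSSL 1.1.x error-code packing (8-bit library, 12-bit function, 12-bit reason).

```python
import re

# The three lines quoted in the bug report above, used as the sample input.
SAMPLE_LOG = """\
[Tue Dec 22 16:09:14.686357 2020] [ssl:info] [pid 12257:tid 139992554424064] [client ::1:58060] AH02008: SSL library error 1 in handshake (server localhost:443)
[Tue Dec 22 16:09:14.686391 2020] [ssl:info] [pid 12257:tid 139992554424064] SSL Library Error: error:1413C18D:SSL routines:ssl_add_cert_chain:ca key too small
[Tue Dec 22 16:09:14.686414 2020] [ssl:info] [pid 12257:tid 139992554424064] [client ::1:58060] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:443)
"""

# httpd LogLevel names, least to most verbose (trace1..trace8 omitted for brevity).
LEVELS = ["emerg", "alert", "crit", "error", "warn", "notice", "info", "debug"]

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] (?P<rest>.*)$")
# OpenSSL's human-readable error string: error:<packed code>:<library>:<function>:<reason>
OSSL_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$")


def unpack_openssl_error(code_hex):
    """Split an OpenSSL 1.1.x packed error code into lib (8 bits), func (12) and reason (12)."""
    code = int(code_hex, 16)
    return {"lib_code": code >> 24, "func_code": (code >> 12) & 0xFFF, "reason_code": code & 0xFFF}


def parse_line(raw):
    """Return the fields of one httpd error_log line, or None if it does not match."""
    m = LINE_RE.match(raw)
    return m.groupdict() if m else None


def visible_at(configured, line_level):
    """True if a message logged at line_level is emitted under LogLevel `configured`."""
    return LEVELS.index(line_level) <= LEVELS.index(configured)


def hidden_ssl_library_errors(log_text, configured="warn"):
    """SSL library errors that LogLevel `configured` (httpd's default is warn) would suppress."""
    hidden = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["module"] != "ssl":
            continue
        m = OSSL_RE.search(rec["rest"])
        if m is None or visible_at(configured, rec["level"]):
            continue
        hidden.append({**unpack_openssl_error(m["code"]), "func": m["func"],
                       "reason": m["reason"], "logged_at": rec["level"]})
    return hidden


if __name__ == "__main__":
    for err in hidden_ssl_library_errors(SAMPLE_LOG):
        print(f"suppressed at LogLevel warn (emitted as ssl:{err['logged_at']}): "
              f"{err['func']}: {err['reason']} (reason code {err['reason_code']})")
```

Running it against the quoted lines reports the ca-key-too-small failure as suppressed at the default level and nothing once the level is raised to info, which is exactly the operational blind spot the report points out.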