Problem with x86 2.2.29 build and Sha256 hashed certs

Started by spil, March 13, 2015, 09:36:45 PM


spil

Hi,

Just received a new set of signed certs (with sha256 hash) and trying to implement these on a Win2k3 x86 system with the ApacheLounge 2.2.29 1.0.1l build.

  • it won't start up and doesn't log anything in the error log.
  • httpd -t doesn't return any issues
  • httpd -w -e debug loads modules up to mod_ssl and then dies without any message
  • using the same key/cert with the openssl s_server is OK
  • Same key/cert is OK on a FreeBSD 10.1 i386 Apache 2.2.28 / OpenSSL 1.0.1l

Looks like an issue with Windows; the binary version from ApacheLounge behaves exactly the same, although that's a VC10 compiled binary.

Any help appreciated!

Gregg

Sometimes you just don't get errors.

If not in the error log, you can look at the Windows Event viewer. If that doesn't work then try starting apache normally from the command line, just type httpd and press Enter. If that gives you nothing then there's LogLevel Debug.

I know SHA2 certificates do not work in Windows XP/2k3, but I think that is only for IIS & IE. I have SHA 256 certs on 2k3 working on Apache 2.4.12.

I'm curious, if you grabbed these certificates from the freebsd machine and dropped them into W2k3, it might possibly be a line ending dilemma. I'd make another copy and run unix2dos on them and give those a go. Other than that, it's just rolling dice.

I just gave it a try on Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1l Win2k3 and it works with the same certs.

spil

Quote from: Gregg on March 13, 2015, 11:15:39 PM: "If not in the error log, you can look at the Windows Event viewer. If that doesn't work then try starting apache normally from the command line, just type httpd and press Enter. If that gives you nothing then there's LogLevel Debug."
Tried that and httpd -w -e debug; nothing additional shows.
EventLog only shows Disabled use of AcceptEx()

Quote from: Gregg on March 13, 2015, 11:15:39 PM: "I know SHA2 certificates do not work in Windows XP/2k3, but I think that is only for IIS & IE. I have SHA 256 certs on 2k3 working on Apache 2.4.12."
Yes, same certificate/key with 2.4.12 (ApacheLounge build) works fine.

Quote from: Gregg on March 13, 2015, 11:15:39 PM: "I'm curious, if you grabbed these certificates from the freebsd machine and dropped them into W2k3, it might possibly be a line ending dilemma. I'd make another copy and run unix2dos on them and give those a go. Other than that, it's just rolling dice."
Works in 2.4.12, works with openssl s_server, did modify line-ends Win to Unix no dice :/

Quote from: Gregg on March 13, 2015, 11:15:39 PM: "I just gave it a try on Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1l Win2k3 and it works with the same certs."
I have both VeriSign and a GlobalSign key/cert, neither seem to work.

??? ??? ??? *sigh*

Sorry. Bit terse, frustration shining through...

Seems the 2.4.12 install stopped crashing (runs on test box) after I have disabled certificate logins... Not running long enough without problems yet to move production :/

Thanks!

Gregg

Quote from: spil on March 13, 2015, 11:33:00 PM: "Works in 2.4.12, works with openssl s_server, did modify line-ends Win to Unix no dice :/"

Unix -> Win, not the reverse. I assume that's a typo but making sure.

If only 2.2 had the trace level logging like 2.4 does.
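
The two properties discussed in this thread, the line-ending style of the PEM file and whether the certificate is really SHA-256 signed, can be checked offline. The following is an added example, not code from any poster; the function names are assumptions and `SAMPLE_PEM` is a constructed stand-in, not a real certificate.

```python
import base64
import re

SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

# Constructed sample, not a real certificate: empty tbsCertificate,
# sha256WithRSAEncryption as signatureAlgorithm, empty signature BIT STRING.
_DER = bytes.fromhex("3014" "3000" "300d06092a864886f70d01010b0500" "030100")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(_DER) +
              b"\n-----END CERTIFICATE-----\n")

def line_endings(raw):
    """Name the line-ending styles present, e.g. 'LF', 'CRLF', 'CRLF+LF'."""
    crlf = raw.count(b"\r\n")
    counts = (("CRLF", crlf), ("LF", raw.count(b"\n") - crlf),
              ("CR", raw.count(b"\r") - crlf))
    return "+".join(name for name, n in counts if n) or "none"

def to_crlf(raw):
    """Same effect as unix2dos; already-CRLF input is left unchanged."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", raw)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(pem):
    """Read the outer signatureAlgorithm of the first certificate in a PEM file."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode(b"".join(m.group(1).split()))
    _, cert_start, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, cert_start)  # skip tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)   # signatureAlgorithm SEQUENCE
    _, oid_start, oid_end = _tlv(der, alg_start)
    name = _oid(der[oid_start:oid_end])
    return SIG_OIDS.get(name, name)
```

To check a real file, read it in binary mode (`open(path, "rb").read()`) so the platform does not translate line endings before they are counted.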