On 8/22/2012 9:36 AM, Eric Covener wrote:
> On Wed, Aug 22, 2012 at 9:24 AM, Ben Johnson <ben@xxxxxxxxxxxxxxxx> wrote:
>>
>>
>> On 8/22/2012 8:56 AM, Eric Covener wrote:
>>>> Dovecot dropped its TLS capabilities, but it still started
>>>> the server and bound to the non-secure port.
>>>
>>> I'd personally prefer the server fail startup rather than operate w/o SSL.
>>
>> While that may be, this preference should not be assumed. Even if the
>> current behavior (failing to start under said circumstances) is made the
>> default, I would prefer this to be a configurable behavior.
>
> I'd suggest opening a bug/bugs if there's not already one. mod_ssl
> doesn't load keys during config test.

Thanks for your helpful responses, Eric; much appreciated.

Indeed; I will open a bug report or feature request, as appropriate, and
recommend that mod_ssl be made to load the various certificate components
during validation.

>> My post's primary purpose was to underscore the fact that Apache fails
>> *silently* under the key/cert mismatch scenario.
>>
>> Perhaps with a sufficiently high log-level this error would be revealed.
>> But even if that is so, such a critical failure should be logged
>> regardless of the setting.
>
> I get this in 2.2:
>
> [Wed Aug 22 09:32:44 2012] [error] Unable to configure RSA server private key
> [Wed Aug 22 09:32:44 2012] [error] SSL Library Error: 185073780
> error:0B080074:x509 certificate routines:X509_check_private_key:key
> values mismatch
>
> In 2.4 it's even higher severity (emerg) and has a few more messages.
> But maybe your scenario is different.

Very interesting. This is exactly the type of message I had hoped and
expected to see. Thank you for taking the time to recreate the scenario
and report your findings.

I wonder why this message was not present in my logs. For the sake of
thoroughness, in which log does this message appear on your system?

> What was your LogLevel?

LogLevel warn

Apache version is Apache/2.2.14 (Ubuntu), so we should expect to see the
same output on this system.

Unfortunately, the system in question is a production system, so I cannot
test different scenarios without consequences. I will try to reproduce the
problem on a development system.

Thanks again,

-Ben

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
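Eric's remark that mod_ssl does not load keys during config test is the practical takeaway of this thread: `apachectl configtest` passes even when SSLCertificateFile and SSLCertificateKeyFile do not belong together, and the "key values mismatch" error only appears in the error log once the server actually starts, which is too late on a production host. The script below is an added example, not code from the thread, from Apache httpd or from mod_ssl; it performs the same X509_check_private_key comparison ahead of a restart using only openssl(1). It assumes OpenSSL 1.0 or later (for `openssl pkey`), PEM-encoded files, absolute paths without spaces in the httpd configuration, and one SSLCertificateFile/SSLCertificateKeyFile pair per <VirtualHost>; the function names and the config-file layout it expects are my own.

```shell
#!/bin/sh
# Added example: not code from the thread, from Apache httpd or from mod_ssl.
# `apachectl configtest` does not load key material, so a certificate/key
# mismatch only shows up in the error log after the server starts (or fails
# to). This script performs the same check beforehand with openssl(1).
# Assumptions: OpenSSL 1.0+ (for `openssl pkey`), PEM-encoded files, and
# absolute, space-free paths in the httpd configuration.

# Public key (SubjectPublicKeyInfo, PEM) carried by a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (SubjectPublicKeyInfo, PEM) derived from a private key.
# Works for RSA, EC and other EVP key types, unlike the classic
# `openssl rsa -noout -modulus` comparison, which is RSA-only.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# SHA-256 over the PEM text; both sources emit the same SPKI encoding for
# the same key, so equal fingerprints mean the pair belongs together.
spki_fingerprint() {
    printf '%s\n' "$1" | openssl dgst -sha256 | awk '{ print $NF }'
}

# ssl_keypair_check CERT KEY
#   0 = match, 1 = mismatch (the case configtest misses), 2 = unreadable file.
ssl_keypair_check() {
    cert_spki=$(cert_pubkey "$1") && [ -n "$cert_spki" ] ||
        { echo "ERROR    cannot read certificate: $1" >&2; return 2; }
    key_spki=$(key_pubkey "$2") && [ -n "$key_spki" ] ||
        { echo "ERROR    cannot read private key: $2" >&2; return 2; }
    cert_fp=$(spki_fingerprint "$cert_spki")
    key_fp=$(spki_fingerprint "$key_spki")
    if [ "$cert_fp" = "$key_fp" ]; then
        echo "OK       $1 <-> $2 ($cert_fp)"
        return 0
    fi
    echo "MISMATCH $1 ($cert_fp)" >&2
    echo "         $2 ($key_fp)" >&2
    return 1
}

# ssl_check_httpd_config CONFIG
#   Pairs each SSLCertificateFile with the SSLCertificateKeyFile that follows
#   it in the file (one pair per <VirtualHost>, the usual layout) and checks
#   every pair. Returns the number of pairs that are missing, unreadable or
#   mismatched, so 0 means "safe to restart" as far as key material goes.
ssl_check_httpd_config() {
    conf=$1
    failures=0
    # Directive names are case-insensitive in httpd; values may be quoted.
    certs=$(awk 'tolower($1) == "sslcertificatefile"    { gsub(/"/, "", $2); print $2 }' "$conf")
    keys=$(awk  'tolower($1) == "sslcertificatekeyfile" { gsub(/"/, "", $2); print $2 }' "$conf")
    set -- $certs
    for key in $keys; do
        if [ "$#" -eq 0 ]; then
            echo "ERROR    no SSLCertificateFile for SSLCertificateKeyFile $key" >&2
            failures=$((failures + 1))
            continue
        fi
        cert=$1
        shift
        ssl_keypair_check "$cert" "$key" || failures=$((failures + 1))
    done
    return "$failures"
}

# Run directly as `sh sslcheck.sh CERT KEY` or
# `sh sslcheck.sh -c /etc/apache2/sites-enabled/default-ssl` (path is an example).
if [ "$#" -eq 2 ]; then
    case $1 in
        -c) ssl_check_httpd_config "$2" ;;
        *)  ssl_keypair_check "$1" "$2" ;;
    esac
fi
```

Wire `ssl_check_httpd_config` into whatever runs before `apachectl graceful` (a deploy step, or a `pre-start` hook under the init system): a non-zero exit aborts the restart, which is the fail-closed behaviour Eric preferred, while leaving the running server untouched, which is what Ben wanted for a production box. The check does not replace reading the error log after the restart; it only moves the one failure that configtest cannot see to a point where it is still harmless.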