Hi, we are using openssl in an environment with a Windows 2003 PKI/CA. OpenSSL together with OpenLDAP shall be used to provide Single Sign On. This is working as long as the server's public key on the Windows AD server is not larger than 1024 bit.
I have tested the following commands with openssl 0.9.8d and 0.9.8e on SuSE Linux and Windows XP. This is the typical result if I try to connect to a server with a key larger than 1024 bit:

# openssl s_client -connect 10.17.1.1:636
CONNECTED(00000003)
depth=1 /DC=local/DC=customer/CN=customer Issuing CA 01
verify error:num=20:unable to get local issuer certificate
verify return:0
21981:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

On a server with a 1024 bit key the command succeeds:

# openssl s_client -connect 10.17.1.12:636
CONNECTED(00000003)
depth=1 /DC=local/DC=customer/CN=customer Issuing CA 01
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:
   i:/DC=local/DC=customer/CN=customer Issuing CA 01
 1 s:/DC=local/DC=customer/CN=customer Issuing CA 01
   i:/[EMAIL PROTECTED]/C=SE/L=Stockholm/O=customer International/OU=DIS/CN=customer Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=
issuer=/DC=local/DC=customer/CN=customer Issuing CA 01
---
Acceptable client certificate CA names
....
---
SSL handshake has read 6828 bytes and written 336 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 601000005105DAFED51A8BB80941B1AE8B457DE646892B94E2B0F9A78270703C
    Session-ID-ctx:
    Master-Key: B9F4C617C9FF5D987701C3ED6619FDB984D8732B23B797FAFAB86FBD0850ABEEF374CCBF85E6E2AD5E6CCB4FEAD08D1C
    Key-Arg   : None
    Start Time: 1179235781
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0

Running both commands with debug and comparing the output the main difference seems to be:

606c548
< Server public key is 4096 bit
---
> Server public key is 1024 bit

We have reduced the key size to 2048 and then further down to 1024 which makes openssl work again. I hope this helps you find a solution.
Best regards,
Olaf

OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
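The mail compares two `openssl s_client` transcripts by eye. The following shell script is an added example, not part of Olaf's mail or of OpenSSL itself: it triages a saved `s_client` transcript, reporting whether the handshake completed, the server key size that `s_client` printed (if it got that far), and the certificate verify return code, so the two outcomes above can be distinguished mechanically across many servers. The function names `triage_s_client` and `key_size_note` are this example's own, and the two embedded transcripts are constructed to mirror the output quoted in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail: triage saved `openssl s_client` transcripts.
# Capture a transcript with, for instance:
#   openssl s_client -connect host:636 </dev/null 2>&1 | tee transcript.txt
# The sample transcripts below are constructed to mirror the two outcomes quoted in the mail.

# triage_s_client FILE -> prints "STATUS KEYBITS VERIFYCODE"
#   STATUS     HANDSHAKE_FAILED if the "ssl handshake failure" error line is present,
#              HANDSHAKE_OK if the "SSL handshake has read" summary line is present,
#              UNKNOWN otherwise
#   KEYBITS    N from "Server public key is N bit", or "-" when the handshake died first
#   VERIFYCODE N from "Verify return code: N (...)", or "-" if absent
triage_s_client() {
    file="$1"
    if grep -q 'ssl handshake failure' "$file"; then
        status=HANDSHAKE_FAILED
    elif grep -q '^SSL handshake has read' "$file"; then
        status=HANDSHAKE_OK
    else
        status=UNKNOWN
    fi
    # s_client prints these inside the indented SSL-Session block, hence the leading-space match
    bits=$(sed -n 's/^[[:space:]]*Server public key is \([0-9][0-9]*\) bit.*/\1/p' "$file" | head -n 1)
    verify=$(sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' "$file" | head -n 1)
    echo "$status ${bits:--} ${verify:--}"
}

# key_size_note KEYBITS -> "large" when the key exceeds the 1024-bit size the mail
# reports as working, "small" otherwise, "unknown" when s_client never printed it
key_size_note() {
    case "$1" in
        -|'') echo "unknown" ;;
        *) if [ "$1" -gt 1024 ]; then echo "large"; else echo "small"; fi ;;
    esac
}

# Constructed transcript of the failing connection (key larger than 1024 bit).
FAIL_SAMPLE=$(mktemp)
cat >"$FAIL_SAMPLE" <<'EOF'
CONNECTED(00000003)
depth=1 /DC=local/DC=customer/CN=customer Issuing CA 01
verify error:num=20:unable to get local issuer certificate
verify return:0
21981:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
EOF

# Constructed transcript of the working connection (1024-bit key), abbreviated.
OK_SAMPLE=$(mktemp)
cat >"$OK_SAMPLE" <<'EOF'
CONNECTED(00000003)
depth=1 /DC=local/DC=customer/CN=customer Issuing CA 01
verify error:num=20:unable to get local issuer certificate
verify return:0
---
SSL handshake has read 6828 bytes and written 336 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
EOF
trap 'rm -f "$FAIL_SAMPLE" "$OK_SAMPLE"' EXIT

triage_s_client "$FAIL_SAMPLE"   # HANDSHAKE_FAILED - -
triage_s_client "$OK_SAMPLE"     # HANDSHAKE_OK 1024 20
```

The verify return code 20 (unable to get local issuer certificate) appears in both transcripts in the mail, so it is reported separately from the handshake status: it reflects the missing issuing-CA certificate in the local trust store, not the key-size problem, and would persist after the key size is changed.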