Hi,

we are using openssl in an environment with a Windows 2003 PKI/CA.
OpenSSL together with OpenLDAP shall be used to provide Single Sign On.
This is working as long as the server's public key on the Windows AD
server does not get larger than 1024 bits.

I have tested the following commands with openssl 0.9.8d and 0.9.8e on
SuSE Linux and Windows XP.


This is the typical result if I try to connect to a server with a key
larger than 1024 bits:

# openssl s_client -connect 10.17.1.1:636
CONNECTED(00000003)
depth=1 /DC=local/DC=customer/CN=customer Issuing CA 01
verify error:num=20:unable to get local issuer certificate
verify return:0
21981:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:


On a server with a 1024 bit key the command succeeds:

# openssl s_client -connect 10.17.1.12:636
CONNECTED(00000003)
depth=1 /DC=local/DC=customer/CN=customer Issuing CA 01
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:
   i:/DC=local/DC=customer/CN=customer Issuing CA 01
 1 s:/DC=local/DC=customer/CN=customer Issuing CA 01
   i:/[EMAIL PROTECTED]/C=SE/L=Stockholm/O=customer International/OU=DIS/CN=customer Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=
issuer=/DC=local/DC=customer/CN=customer Issuing CA 01
---
Acceptable client certificate CA names
....
---
SSL handshake has read 6828 bytes and written 336 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 601000005105DAFED51A8BB80941B1AE8B457DE646892B94E2B0F9A78270703C
    Session-ID-ctx:
    Master-Key: B9F4C617C9FF5D987701C3ED6619FDB984D8732B23B797FAFAB86FBD0850ABEEF374CCBF85E6E2AD5E6CCB4FEAD08D1C
    Key-Arg   : None
    Start Time: 1179235781
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

read:errno=0


Running both commands with debug and comparing the output the main
difference seems to be:

606c548
< Server public key is 4096 bit
---
> Server public key is 1024 bit


We have reduced the key size to 2048 and then further down to 1024 which
makes openssl work again.

I hope this helps you find a solution.

Best regards,
Olaf

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
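The manual comparison of the two s_client runs above can be scripted. The following is an added example, not code from the original mail or from the OpenSSL project: it reduces an `openssl s_client` transcript of the kind quoted above to a few fields, recognises a failed handshake by the `error:...:ssl handshake failure` line, and lists the fields that differ between a working and a failing run. The two transcripts embedded in the block are constructed from the mail, with placeholder addresses, names and session values.

```python
import re

# Constructed sample transcripts, modelled on the two s_client runs quoted in
# the mail (IPs, DNs and session values are placeholders, not real data).
FAILING = """\
CONNECTED(00000003)
depth=1 /DC=local/DC=customer/CN=customer Issuing CA 01
verify error:num=20:unable to get local issuer certificate
verify return:0
21981:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
"""

WORKING = """\
CONNECTED(00000003)
depth=1 /DC=local/DC=customer/CN=customer Issuing CA 01
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:
   i:/DC=local/DC=customer/CN=customer Issuing CA 01
 1 s:/DC=local/DC=customer/CN=customer Issuing CA 01
   i:/C=SE/O=customer/CN=customer Root CA
---
SSL handshake has read 6828 bytes and written 336 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 20 (unable to get local issuer certificate)
---
"""

VERIFY_RE = re.compile(r"^verify error:num=(\d+):(.+)$", re.M)
CHAIN_RE = re.compile(r"^ *\d+ s:", re.M)            # one line per chain element
KEYBITS_RE = re.compile(r"^Server public key is (\d+) bit", re.M)
PROTO_RE = re.compile(r"^ *Protocol *: *(\S+)", re.M)
CIPHER_RE = re.compile(r"^ *Cipher *: *(\S+)", re.M)
RETCODE_RE = re.compile(r"Verify return code: (\d+) \((.*)\)")
# OpenSSL error line: <pid>:error:<code>:<library>:<function>:<reason>:<file>:<line>:
ERROR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):([^:\n]*):([^:\n]*):([^:\n]*):([^:\n]*):(\d+):"
)


def parse_s_client(output):
    """Reduce one s_client transcript to the fields worth comparing."""
    info = {
        "connected": "CONNECTED(" in output,
        "verify_errors": [(int(n), msg.strip()) for n, msg in VERIFY_RE.findall(output)],
        "chain_length": len(CHAIN_RE.findall(output)),
        "key_bits": None,
        "protocol": None,
        "cipher": None,
        "verify_return_code": None,
        "ssl_error": None,
        "handshake_ok": False,
    }
    m = KEYBITS_RE.search(output)
    if m:
        info["key_bits"] = int(m.group(1))
    m = PROTO_RE.search(output)
    if m:
        info["protocol"] = m.group(1)
    m = CIPHER_RE.search(output)
    if m:
        info["cipher"] = m.group(1)
    m = RETCODE_RE.search(output)
    if m:
        info["verify_return_code"] = int(m.group(1))
    m = ERROR_RE.search(output)
    if m:
        info["ssl_error"] = {
            "code": m.group(1).upper(), "lib": m.group(2), "func": m.group(3),
            "reason": m.group(4), "file": m.group(5), "line": int(m.group(6)),
        }
    # A negotiated cipher and no library error means the handshake completed;
    # the verify return code is kept separate because s_client carries on
    # after a chain-verification failure (as both runs in the mail show).
    info["handshake_ok"] = info["cipher"] is not None and info["ssl_error"] is None
    return info


def diff_reports(a, b):
    """Fields whose values differ between two parsed transcripts."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def summarize(info):
    if info["handshake_ok"]:
        return "handshake OK: %s %s, server key %s bit, verify code %s" % (
            info["protocol"], info["cipher"], info["key_bits"], info["verify_return_code"])
    err = info["ssl_error"]
    if err:
        return "handshake FAILED in %s: %s (%s, %s:%d)" % (
            err["func"], err["reason"], err["code"], err["file"], err["line"])
    return "no handshake result in transcript"


if __name__ == "__main__":
    bad, good = parse_s_client(FAILING), parse_s_client(WORKING)
    print("failing:", summarize(bad))
    print("working:", summarize(good))
    for field, (x, y) in sorted(diff_reports(bad, good).items()):
        print("  %-18s failing=%r working=%r" % (field, x, y))
```

The `verify error:num=20` line is present in both transcripts because s_client was run without the issuing CA (for example via `-CAfile`), so the comparison leaves it out of the differences; what separates the two runs is the handshake outcome and the presence of the server key line, which matches what the poster found with `diff`.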
