Thanks Steve for the pointers. Still having a problem
though.

You were right, I was getting those warnings on linux too.
Everything scrolled by so fast I never paid attention to it.

I added a -CApath on my hpux system's call to s_client. That
got rid of the PRNG error you pointed out. However, adding
that path showed another error about a certificate expiring.

Then I noticed at the top of all of these messages about
"Consider setting the RANDFILE environment variable".
This didn't show up on the linux side, only the hpux side. So I
did add that environment variable and now I can connect to that
server. However, it still doesn't quite work. I enter on the HPUX system:

# apps/openssl s_client -connect www.dceweb.it.wsu.edu:443

And it appears to connect correctly because it stops with
the same/similar dialog that I see on the linux side:
.
.
.
No client certificate CA names sent
---
SSL handshake has read 840 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: C4C23C87D8E5D6471BAE4ABE14C90D4AE6EF5D35E4E3426F323DAC7F8DA75294
    Session-ID-ctx: 
    Master-Key: A49B5435ACB883EBD3DEAACBAD01FEB80868F459747D0CEF320AB28B98F9B3678071D9F60C6CE88CB2DE310A8D5A770E
    Key-Arg   : None
    Start Time: 974408762
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

So at this point I enter:

        exec /UNIX_Systems/cgi-bin/ov_ping_apps.cgi

On the linux side, that "exec" will run the cgi script. But
on the hpux system, the s_client  just hangs there and eventually
it'll give a:

        read:errno=0


Any ideas what's going on with the hpux s_client? -- dean

On Thu, 16 Nov 2000 01:25:52 +0000 you wrote:

 > Dean Guenther wrote:
 > > 
 > > 
 > > unable to load 'random state'
 > > This means that the random number generator has not been seeded
 > > with much random data.
 > > Consider setting the RANDFILE environment variable to point at a file that
 > > 'random' data can be kept in (the file will be overwritten).
 > > CONNECTED(00000003)
 > > depth=0 /C=US/ST=Washington/L=Pullman/O=Washington State University/OU=Information Technology/OU=Terms of use at www.verisign.com/RPA (c)99/CN=www.dceweb.it.wsu.edu
 > > verify error:num=20:unable to get local issuer certificate
 > > verify return:1
 > > depth=0 /C=US/ST=Washington/L=Pullman/O=Washington State University/OU=Information Technology/OU=Terms of use at www.verisign.com/RPA (c)99/CN=www.dceweb.it.wsu.edu
 > > verify error:num=27:certificate not trusted
 > > verify return:1
 > > depth=0 /C=US/ST=Washington/L=Pullman/O=Washington State University/OU=Information Technology/OU=Terms of use at www.verisign.com/RPA (c)99/CN=www.dceweb.it.wsu.edu
 > > verify error:num=21:unable to verify the first certificate
 > > verify return:1
 > > 24293:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:474:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
 > > 
 > > I read the FAQ and documentation on verify, but I can't
 > > figure out from the documentation how to fix the certificate
 > > problem. 
 > 
 > The PRNG not seeded is the fatal error that's causing this to fail.
 > 
 > The certificate problem is a warning, you may well be getting it on
 > Linux too. You can get rid of it by including the path to your 'certs'
 > directory with the -CApath option unless the server uses a nonstandard
 > CA.
 > 
 > Steve.
 > -- 
 > Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
 > Personal Email: [EMAIL PROTECTED] 
 > Senior crypto engineer, Celo Communications: http://www.celocom.com/
 > Core developer of the   OpenSSL project: http://www.openssl.org/
 > Business Email: [EMAIL PROTECTED] PGP key: via homepage.
 > 
 > ______________________________________________________________________
 > OpenSSL Project                                 http://www.openssl.org
 > User Support Mailing List                    [EMAIL PROTECTED]
 > Automated List Manager                           [EMAIL PROTECTED]


--
Dean Guenther                   Internet: [EMAIL PROTECTED]
Washington State University     AT&T:     509 335-0433
Pullman, WA. 99164-1222         fax:      509 335-0540
www & UNIX System Admin
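
The quoted reply separates the certificate verify errors (warnings) from the fatal "PRNG not seeded" error. The shell function below is an added example, not part of the original thread or of OpenSSL, that applies that distinction to s_client output; triage_s_client and the sample_* functions are hypothetical names, and the sample transcripts are constructed from the output quoted above with the subject line shortened.

```shell
# Added example; triage_s_client and the sample_* functions are hypothetical names.

# Reads openssl s_client output on stdin and prints one line per finding.
# Exit status: 2 = fatal PRNG error, 1 = verify warnings only, 0 = clean.
triage_s_client() {
    awk '
        # e.g. "verify error:num=20:unable to get local issuer certificate"
        /verify error:num=/ {
            split($0, f, ":")
            sub(/^num=/, "", f[2])
            if (!(f[2] in seen)) {        # report each error code once
                seen[f[2]] = 1
                print "warn verify=" f[2] " " f[3]
                warn = 1
            }
        }
        # An unseeded PRNG aborts the handshake: the fatal condition.
        /PRNG not seeded/ { print "fatal PRNG not seeded"; fatal = 1 }
        # Final verdict from the SSL-Session block, e.g. "0 (ok)".
        /Verify return code:/ {
            sub(/^.*Verify return code: */, "")
            print "verify_return=" $1
        }
        END { exit (fatal ? 2 : (warn ? 1 : 0)) }
    '
}

# Constructed sample: the first HP-UX run quoted in the thread, subject shortened.
sample_failing() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 /CN=www.dceweb.it.wsu.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
24293:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:474:
EOF
}

# Constructed sample: tail of the later, successful run quoted in the thread.
sample_ok() {
    printf '%s\n' 'New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA' '    Verify return code: 0 (ok)'
}

sample_failing | triage_s_client || echo "status=$?"
sample_ok | triage_s_client && echo "status=0"
```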

