On Tue, Sep 11, 2007 at 11:45:41AM -0400, Joseph Burch wrote:

> The suspicious libraries were /usr/sfw/lib/libcrypto.so.0.9.7 and 
> /usr/sfw/lib/libssl.so.0.9.7, both in the SUN Solaris 10 distribution.   
> Building openssl_0.9.7m from source using /opt/SUNWspro/bin/cc and 
> swapping in the new libraries cleared the problem.
> 
> >Folks - My apologies if this topic has already been addressed -
> >
> >SunOS 5.10 Generic_125100-10 sun4u sparc SUNW,Sun-Fire-V440
> >(SUN distributed pkgs) Server: Apache/2.0.55, Interface: 
> >mod_ssl/2.0.55, Library: OpenSSL/0.9.7d
> >
> >Following an error-free startup of Apache, I try to establish an https 
> >connection, encounter this (in part), and the connection drops:
> >
> >[Fri Sep 07 16:54:46 2007] [debug] ssl_engine_kernel.c(1813): OpenSSL: 
> >Exit: error in SSLv3 read certificate verify A
> >[Fri Sep 07 16:54:46 2007] [info] SSL library error 1 in handshake 
> >(server naos.lib.virginia.edu:443, client 128.143.12.29)
> >[Fri Sep 07 16:54:46 2007] [info] SSL Library Error: 336187530 
> >error:1409D08A:SSL routines:SSL3_SETUP_KEY_BLOCK:cipher or hash 
> >unavailable

Sun only provides AES-128, and not AES-256. The OpenSSL 0.9.7 library
(with cipherlists other than "DEFAULT" which Sun explicitly modified to
drop the AES-256 ciphers) was not until 0.9.7m able to notice that part
of the AES ciphers was missing.  From the change log:

  *) Since AES128 and AES256 share a single mask bit in the logic of
     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
     kludge to work properly if AES128 is available and AES256 isn't.
     [Victor Duchovni]

When using the Sun libraries you must construct your cipherlist by
subtracting from "DEFAULT".

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
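
The change-log entry quoted in the reply above can be modelled in a few lines of C. This is an added illustration, not OpenSSL source and not code from either poster; it shows why a library with AES-128 but no AES-256 still offers AES256 suites when one mask bit covers both, and how a second mask for 256-bit suites fixes that. Every identifier, the three-suite table and the `sun` profile are constructed, and the model assumes the shared bit is derived from AES128 availability alone.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT OpenSSL source: every name here is hypothetical. */
#define ENC_3DES 0x1u
#define ENC_AES  0x2u              /* one bit shared by AES128 and AES256 */

struct suite { const char *name; unsigned enc; int bits; };
static const struct suite SUITES[] = {   /* constructed sample table */
    { "AES256-SHA",   ENC_AES,  256 },
    { "AES128-SHA",   ENC_AES,  128 },
    { "DES-CBC3-SHA", ENC_3DES, 168 },
};
#define NSUITES (sizeof SUITES / sizeof SUITES[0])

/* What the crypto library can actually do (the Sun case: no AES-256). */
struct crypto { int has_3des, has_aes128, has_aes256; };

/* Assumed pre-fix behaviour: the shared AES bit is masked only when AES128
 * is missing, so a missing AES256 goes unnoticed. Returns suites offered. */
static size_t offer_shared_bit(const struct crypto *c, const char **out)
{
    unsigned mask = (c->has_3des ? 0 : ENC_3DES) | (c->has_aes128 ? 0 : ENC_AES);
    size_t n = 0;
    for (size_t i = 0; i < NSUITES; i++)
        if (!(SUITES[i].enc & mask))
            out[n++] = SUITES[i].name;
    return n;
}

/* The kind of kludge the change log describes: a second mask that is
 * consulted for 256-bit suites only. */
static size_t offer_split_mask(const struct crypto *c, const char **out)
{
    unsigned mask = (c->has_3des ? 0 : ENC_3DES) | (c->has_aes128 ? 0 : ENC_AES);
    unsigned mask256 = mask | (c->has_aes256 ? 0 : ENC_AES);
    size_t n = 0;
    for (size_t i = 0; i < NSUITES; i++)
        if (!(SUITES[i].enc & (SUITES[i].bits == 256 ? mask256 : mask)))
            out[n++] = SUITES[i].name;
    return n;
}

int main(void)
{
    const struct crypto sun = { 1, 1, 0 };
    const char *a[NSUITES], *b[NSUITES];
    printf("shared bit offers %zu suites, split mask offers %zu\n",
           offer_shared_bit(&sun, a), offer_split_mask(&sun, b));
    return 0;
}
```

In the shared-bit case the first suite offered is one the library cannot key, which is the condition behind the "cipher or hash unavailable" error in the quoted log.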
