No certificate corresponds to SSL cipher suites
Hello, I am trying to set up SSL for Tomcat 5 using OpenSSL and I am getting this error:

java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.

Anybody know what my problem is? I'm using md5WithRSAEncryption so I don't think there should be a problem. Both my keystore and truststore only have 1 entry each: the truststore has my CA that I created in OpenSSL and my keystore has my certificate signed by my CA. Thanks.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: No certificate corresponds to SSL cipher suites
java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.

Strangely enough, if I FIRST create a self-signed entry in my keystore before I import my CA-signed certificate, it works. Although this shouldn't be the case. =(

For instance, if I first do this:

keytool -genkey -keyalg RSA -keystore newKeystore -validity 3650

And then this:

keytool -import -trustcacerts -file myCASignedFile.cer -keystore newKeystore -alias myCASignedFile

It seems to work. But it should work with just myCASignedFile.cer in my keystore, I think. HELP! =P

Liam
Re: debugging my application by entering into OpenSSL
Igal Ore wrote:

I have a quite simple application developed to use OpenSSL 0.9.7d, to test simple calls through the engine API. I compiled OpenSSL on Linux Mandrake 10.0, Pentium 686, gcc 3.3.2, with debugging info (./config -g). Now how should I compile my application so that not the shared library (built as a Release version, a parallel term from Windows MSVC jargon) but the static library (libcrypto.a) will be used? In GDB, are there more ways to tell it where the sources of OpenSSL are (by the way, any example of how to launch it will be appreciated also)? Is there an answer?

Apparently, even if the build had not been configured to create shared objects in debug, it is still possible either by editing the Configure file and generating a special build, or by building in debug as usual and invoking make build-shared. This will build shared objects as usual.
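An added example, not from the thread: one way to force the static libcrypto.a into the link and point gdb at the OpenSSL sources. OPENSSL_SRC (the ./config -g build tree), app.c and the binary name app are assumptions; passing the archive by path instead of -lcrypto is what keeps the linker from picking the shared library.

```sh
#!/bin/sh
# Added example: build a program against the static libcrypto.a from a debug
# (./config -g) OpenSSL source tree and debug it with gdb.
# Assumptions: OPENSSL_SRC is the built source tree; app.c is the program.
set -eu

OPENSSL_SRC=${OPENSSL_SRC:-$HOME/openssl-0.9.7d}
APP_SRC=${APP_SRC:-app.c}
APP=${APP:-app}

# Link the archive by its full path. "-lcrypto" lets the linker prefer
# libcrypto.so when both are installed; a path can only resolve to the
# static archive. -ldl is needed on Linux because libcrypto's dynamic
# engine loader uses dlopen(); newer OpenSSL also needs -lpthread.
build_static() {
    gcc -g -O0 -I"$OPENSSL_SRC/include" "$APP_SRC" \
        "$OPENSSL_SRC/libcrypto.a" -ldl -o "$APP"
}

# Confirm the binary carries no runtime dependency on a shared libcrypto
# (Linux: ldd lists the shared objects it would load).
uses_shared_crypto() {
    ldd "$APP" 2>/dev/null | grep -q 'libcrypto' && echo yes || echo no
}

# Start gdb with the OpenSSL source directories on its search path, so
# "step" descends into crypto/ and ssl/ sources even if the tree moved
# after the build recorded its paths.
debug() {
    gdb -ex "directory $OPENSSL_SRC/crypto" \
        -ex "directory $OPENSSL_SRC/ssl" \
        -ex "break main" -ex run --args "./$APP" "$@"
}

if [ -f "$OPENSSL_SRC/libcrypto.a" ] && [ -f "$APP_SRC" ]; then
    build_static
    echo "shared libcrypto linked: $(uses_shared_crypto)"
fi
```

Run `debug` once the build succeeds; inside gdb, `info sources` confirms which OpenSSL files were found, and `set substitute-path OLD NEW` handles a tree that was built in one place and copied to another.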
RE: question about certificate creation
Hzhijun, maybe this part from the OpenSSL FAQs (at www.openssl.org) may help you:

--
1. Why do I get a "PRNG not seeded" error message?

Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide a "randomness device" (/dev/urandom or /dev/random) that serves this purpose. All OpenSSL versions try to use /dev/urandom by default; starting with version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not available.

On other systems, applications have to call the RAND_add() or RAND_seed() function with appropriate data before generating keys or performing public key encryption. (These functions initialize the pseudo-random number generator, PRNG.) Some broken applications do not do this. As of version 0.9.5, the OpenSSL functions that need randomness report an error if the random number generator has not been seeded with at least 128 bits of randomness. If this error occurs and is not discussed in the documentation of the application you are using, please contact the author of that application; it is likely that it never worked correctly. OpenSSL 0.9.5 and later make the error visible by refusing to perform potentially insecure encryption.

If you are using Solaris 8, you can add /dev/urandom and /dev/random devices by installing patch 112438 (Sparc) or 112439 (x86), which are available via the Patchfinder at http://sunsolve.sun.com (Solaris 9 includes these devices by default). For /dev/random support for earlier Solaris versions, see Sun's statement at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606zone_32=SUNWski (the SUNWski package is available in patch 105710).

On systems without /dev/urandom and /dev/random, it is a good idea to use the Entropy Gathering Daemon (EGD); see the RAND_egd() manpage for details. Starting with version 0.9.7, OpenSSL will automatically look for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and /etc/entropy.

Most components of the openssl command line utility automatically try to seed the random number generator from a file. The name of the default seeding file is determined as follows: If environment variable RANDFILE is set, then it names the seeding file. Otherwise if environment variable HOME is set, then the seeding file is $HOME/.rnd. If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will use file .rnd in the current directory while OpenSSL 0.9.6a uses no default seeding file at all. OpenSSL 0.9.6b and later will behave similarly to 0.9.6a, but will use a default of "C:\" for HOME on Windows systems if the environment variable has not been set.

If the default seeding file does not exist or is too short, the "PRNG not seeded" error message may occur. The openssl command line utility will write back a new state to the default seeding file (and create this file if necessary) unless there was no sufficient seeding.

Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work. Use the "-rand" option of the OpenSSL command line tools instead. The $RANDFILE environment variable and $HOME/.rnd are only used by the OpenSSL command line tools. Applications using the OpenSSL library provide their own configuration options to specify the entropy source; please check out the documentation coming with the application.
--

Regards

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, 13 August 2004 04:31
To: [EMAIL PROTECTED]
Subject: Re: question about certificate creation

You mean "openssl.cnf"? What holds me back from making a certificate is "unable to load 'random state'. This means that the random number generator has not been seeded". How to deal with it? Regards

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 12, 2004 8:21 PM
Subject: RE: question about certificate creation

Maybe you didn't specify a configuration file?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 12 August 2004 10:48
To: [EMAIL PROTECTED]
Subject: question about certificate creation

This is my first time to play with openssl (version: OpenSSL 0.9.7b 10 Apr 2003). Below is the problem I met when I execute the command:

perl CA.pl -newca

The following information is found. Why? And how to fix it?

CA certificate filename (or enter to create)
Making CA certificate ...
Unable to load config info
unable to load 'random state'
This means that the random
SSL Error re pass phrase
I'm trying to get two vhosts on separate public IPs using separate secure certificates working on an Apache server (mods and version in log below). The operating system is Mandrake 10. The sites work perfectly without the secure certificates as IP-based vhosts. I've been playing with the Vhosts.conf trying to get the directives right but haven't figured out the problem. I now have the SSL directives commented out on one of the sites and I'm getting the following errors in error_log on my Apache server on the other site when I try to do a graceful restart:

-- Snip Begin
[Fri Aug 13 21:52:32 2004] [notice] Graceful restart requested, doing restart
[Fri Aug 13 21:52:41 2004] [notice] Digest: generating secret for digest authentication ...
[Fri Aug 13 21:52:41 2004] [notice] Digest: done
[Fri Aug 13 21:52:41 2004] [error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
[Fri Aug 13 21:52:41 2004] [error] SSL Library Error: 218710120 error:0D094068:lib(13):func(148):reason(104)
[Fri Aug 13 21:52:41 2004] [error] SSL Library Error: 218529960 error:0D0680A8:lib(13):func(104):reason(168)
[Fri Aug 13 21:52:41 2004] [error] SSL Library Error: 218595386 error:0D07803A:lib(13):func(120):reason(58)
[Fri Aug 13 21:52:41 2004] [error] SSL Library Error: 218734605 error:0D09A00D:lib(13):func(154):reason(13)
[Fri Aug 13 21:55:53 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/apache2-suexec)
[Fri Aug 13 21:55:53 2004] [notice] Digest: generating secret for digest authentication ...
[Fri Aug 13 21:55:53 2004] [notice] Digest: done
[Fri Aug 13 21:55:53 2004] [notice] Apache-AdvancedExtranetServer/2.0.48 (Mandrake Linux/6mdk) mod_perl/1.99_11 Perl/v5.8.3 mod_ssl/2.0.48 OpenSSL/0.9.7c PHP/4.3.4 configured -- resuming normal operations
-- Snip End

It appears that I have damaged the certificates in some way. I've googled for all the keywords in the SSL Library Errors and "Unable to read pass phrase" but can't seem to find an answer.

A document that discusses multiple secure certs on a single server would be welcome. The Vhosts.conf for the site that is generating the errors has the following SSL directives:

<VirtualHost 192.168.1.103:443>
    DocumentRoot /home/domainname_com/public_html
    ServerName www.domainname.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/2.0/conf/ssl.crt/www.domainname.com.cer
    SSLCertificateKeyFile /etc/httpd/2.0/conf/ssl.key/www.domainname.com.key
    SSLCertificateChainFile /etc/httpd/2.0/conf/ssl.crt/sf_issuing.cer
    RewriteEngine On
    RewriteOptions inherit
    Alias /awstatsicons /home/domainname_com/public_html/icon/
    ScriptAlias /awstats/ home/domainname_com/public_html/cgi-bin/
    SetEnv VLOG /home/domainname_com/logs
    # ErrorLogs /home/domainname_com/logs/test2-error_log
</VirtualHost>

I'm at a loss and would appreciate any guidance.
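An added example, not part of the post or any reply: a script that checks the three things behind "Unable to read pass phrase" followed by lib(13) errors (lib 13 is ERR_LIB_ASN1, the decoder) on a mod_ssl key. It tests whether the key file is passphrase-protected (a restarting server has no terminal to answer the prompt, hence the hint in the log), whether it decodes as a private key at all, and whether it belongs to the certificate. The certificate/key pair it generates, the unrelated key and the passphrase "secret" are constructed for the example; point CERT and KEY at the files named in SSLCertificateFile and SSLCertificateKeyFile instead.

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check a mod_ssl key/certificate
# pair before restarting Apache. Sample files below are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK=$(mktemp -d)
CERT=$WORK/www.domainname.com.cer
KEY=$WORK/www.domainname.com.key
ENC_KEY=$WORK/www.domainname.com.enc.key
PLAIN_KEY=$WORK/www.domainname.com.plain.key
OTHER_KEY=$WORK/other.key

# Constructed sample data: a self-signed cert with its key, a passphrase-
# protected copy of that key, and an unrelated key.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=www.domainname.com" \
    -keyout "$KEY" -out "$CERT" -days 30 2>/dev/null
openssl rsa -in "$KEY" -aes256 -passout pass:secret -out "$ENC_KEY" 2>/dev/null
openssl genrsa -out "$OTHER_KEY" 2048 2>/dev/null

# 1. A passphrase-protected key cannot be loaded by a restart that has no
#    terminal to prompt on; both PEM encodings announce it in the header
#    ("Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1" && echo yes || echo no
}

# 2. Does the file decode as a private key without a passphrase? ASN.1
#    errors are what you get when it does not: wrong file, DER instead of
#    PEM, a truncated copy, or an encrypted key nobody could unlock.
key_parses() {
    openssl pkey -in "$1" -passin pass: -noout 2>/dev/null && echo yes || echo no
}

# 3. Does the key belong to the certificate? Compare the RSA modulus of each.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -modulus | openssl sha256)
    k=$(openssl rsa -in "$2" -passin pass: -noout -modulus 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ] && echo yes || echo no
}

# Fix for an unattended restart: store the key unencrypted with tight
# permissions (the alternative is SSLPassPhraseDialog with a program that
# supplies the passphrase).
strip_passphrase() {
    openssl rsa -in "$1" -passin pass:"$2" -out "$3" 2>/dev/null
    chmod 600 "$3"
}

strip_passphrase "$ENC_KEY" secret "$PLAIN_KEY"
for k in "$KEY" "$ENC_KEY" "$PLAIN_KEY" "$OTHER_KEY"; do
    echo "$(basename "$k"): encrypted=$(key_is_encrypted "$k")" \
         "parses=$(key_parses "$k") matches_cert=$(key_matches_cert "$CERT" "$k")"
done
```

Run the three checks against the real .key and .cer from the VirtualHost; a key that reports encrypted=yes explains the pass-phrase line on its own, and a key that reports matches_cert=no means the certificate was issued for a different key pair.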
Re: No certificate corresponds to SSL cipher suites
Liam Escario wrote:

java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.

Strangely enough, if I FIRST create a self-signed entry in my keystore before I import my CA-signed certificate, it works. Although this shouldn't be the case. =(

For instance, if I first do this:

keytool -genkey -keyalg RSA -keystore newKeystore -validity 3650

And then this:

keytool -import -trustcacerts -file myCASignedFile.cer -keystore newKeystore -alias myCASignedFile

It seems to work. But it should work with just myCASignedFile.cer in my keystore, I think.

It's easiest to start with keytool to generate the private key and CSR, if you plan to have a working keystore when you import the signed certificate. Are you sure the entries in your keystore are getting chained correctly? It's pretty easy to unknowingly import a certificate that isn't. Make sure you are understanding the output of keytool -v -list ... Have a look at http://mark.foster.cc/kb/openssl-keytool.html and http://mark.foster.cc/kb/keytool for more info.

--
Some days it's just not worth chewing through the restraints...
Mark D. Foster, CISSP [EMAIL PROTECTED] http://mark.foster.cc/
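As an added example (not code from the thread or from the pages linked above), here is the keystore build order the reply recommends, end to end, with a check on what keytool -v -list reports. The key pair is generated by keytool, its CSR is signed by a test CA created on the spot with OpenSSL, the CA certificate is imported as a trusted entry, and the signed certificate is then imported under the same alias as the key so it becomes the chain of a key entry. The CA, the alias tomcat, the password changeit and the throwaway directory are assumptions; substitute your real CA.

```sh
#!/bin/sh
# Added example, not from the thread: build a Tomcat keystore whose server
# certificate is a CA-signed key entry with a two-certificate chain.
# The test CA, alias, password and work directory are constructed.
set -eu
command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1 || {
    echo "keytool and openssl are required" >&2; exit 0; }

WORK=${WORK:-$(mktemp -d)}
KS=$WORK/tomcat.keystore
PASS=changeit
ALIAS=tomcat

build_keystore() {
    # 1. The key pair lives in the keystore from the start (a key entry).
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -dname "CN=localhost, O=Example" -validity 3650 \
        -keystore "$KS" -storepass "$PASS" -keypass "$PASS"
    # 2. CSR for that key.
    keytool -certreq -alias "$ALIAS" -file "$WORK/tomcat.csr" \
        -keystore "$KS" -storepass "$PASS"
    # 3. Constructed test CA signs it (in real life: your own CA).
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 3650 2>/dev/null
    openssl x509 -req -in "$WORK/tomcat.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/tomcat.crt" \
        -days 3650 2>/dev/null
    # 4. CA certificate first, as its own trusted entry, so keytool can
    #    verify the chain of the reply that follows...
    keytool -importcert -noprompt -alias testca -file "$WORK/ca.crt" \
        -keystore "$KS" -storepass "$PASS"
    # 5. ...then the signed certificate under the KEY's alias. Importing it
    #    under a new alias (as in the original post) creates a trusted
    #    certificate entry with no private key, which is exactly what JSSE
    #    means by "no available certificate corresponds to the cipher suites".
    keytool -importcert -noprompt -alias "$ALIAS" -file "$WORK/tomcat.crt" \
        -keystore "$KS" -storepass "$PASS"
}

# Entries that carry a private key: the only ones a server can present.
key_entries() {
    keytool -list -v -keystore "$KS" -storepass "$PASS" 2>/dev/null \
        | grep -c -e 'Entry type: PrivateKeyEntry' -e 'Entry type: keyEntry' || true
}

# Chain length recorded for the key entry; 2 means server cert + CA cert.
chain_length() {
    keytool -list -v -alias "$ALIAS" -keystore "$KS" -storepass "$PASS" 2>/dev/null \
        | sed -n 's/^Certificate chain length: //p'
}

build_keystore >/dev/null
echo "key entries: $(key_entries), chain length: $(chain_length)"
```

If `key_entries` prints 0, every entry in the keystore is a trusted certificate and no RSA cipher suite can be served, whatever the truststore contains; if the chain length is 1, the signed certificate was imported under a different alias than the key.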
OpenSSL 0.9.7d WIN - IA64 port
Hi: I'm now investigating building OpenSSL 0.9.7d on a Windows IA64 architecture machine. Has anyone had any experience with this, or is there any active work in progress to support Windows IA64 platforms? Thanks very much.

Dave McLellan
EMC Corporation, SPEA Engineering
[EMAIL PROTECTED]/[EMAIL PROTECTED]
FW: Netscape International step-up
Hi,

Somehow it didn't appear in the mailing list. I am submitting it again.

Does Netscape international step-up work with openssl s_server? My initial thought was that one just needed the global_id certificate with s_server and hit it with an old Netscape browser like Communicator 4.7 International version. I have Netscape Communicator 4.7 installed on my Windows machine. about: tells me: "This version supports International security with RSA Public Key Cryptography, MD2, MD5, RC2-CBC, RC4." According to the Netscape documentation (http://developer.netscape.com/tech/security/stepup/overview.html#configure), this version of the browser should do the step-up handshake if the server presents a global_id certificate.

I am running OpenSSL (0.9.7) s_server on my Linux machine and use the global certificate from VeriSign. Here is how I start the server:

openssl s_server -accept 443 -cert cert-global-server-id-chained.cer -key verisign-global-server-1024key -state -debug -www

Now when I access this server using Communicator, it doesn't step up. Rather it just completes the handshake using EXP-RC4-MD5, which is the export-mode 40-bit RC4-MD5 cipher. I was expecting to see it step up to the next strong cipher because the server presented the global_id cert. I will really appreciate suggestions/comments.

Thanks,
Imran.
Generating Test Certificates
The HOWTO\certificates.txt says to generate the self-signed cert with:

openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

I tried with both an RSA key and a DSA key. They each fail in slightly different ways, but both seem to be trying to get something from the environment.

C:\work\3rdparty\OpenSSL\openssl-0.9.7d>out32\openssl req -new -x509 -key myrsakey.pem -out myrsacert.pem -days 1095
Unable to load config info
unable to find 'distinguished_name' in config
problems making Certificate Request
2660:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:.\crypto\conf\conf_lib.c:325:

C:\work\3rdparty\OpenSSL\openssl-0.9.7d>out32\openssl req -new -x509 -key mydsakey.pem -out mydsasert.pem -days 1095
Unable to load config info
Loading 'screen' into random state - done
unable to find 'distinguished_name' in config
problems making Certificate Request
1996:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:.\crypto\conf\conf_lib.c:325:

I had no problems generating the keys with the command in HOWTO\keys.txt. What is it that is missing from the environment?

As long as I'm at it ... what do I do with the certificates once I have them? I am trying to enable SSL communications on a Windows 2000 machine.

--
-Richard M. Hartman
[EMAIL PROTECTED]
186,000 mi/sec: not just a good idea, it's the LAW!
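As an added example serving both this post and the "unable to load 'random state'" thread above (it is not code from the HOWTO or from any reply): a script that supplies a minimal openssl.cnf containing the [req] distinguished_name section, names it explicitly with -config, seeds the PRNG explicitly with -rand, and then checks the resulting CA certificate. "Unable to load config info" in both threads means openssl found no configuration file at its compiled-in path, so a -config option (or OPENSSL_CONF) is the missing piece; the file contents, subject, seed file and paths are constructed for the example, and on Windows the same openssl commands work from cmd with the paths adjusted.

```sh
#!/bin/sh
# Added example, not from the thread: run `openssl req -x509` with an
# explicit configuration file and an explicit PRNG seed. The config, the CA
# subject and all file names are constructed for the example.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK=$(mktemp -d)
CONF=$WORK/openssl.cnf
SEED=$WORK/seed.rnd
KEY=$WORK/cakey.pem
CERT=$WORK/cacert.pem

# "unable to find 'distinguished_name' in config": req needs a [req] section
# that names a DN section. With prompt = no the DN is read from the file.
cat >"$CONF" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = Example Test CA
O  = Example

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# "unable to load 'random state'": the command line tools want a seeding
# file ($RANDFILE / $HOME/.rnd, per the FAQ) or explicit -rand sources.
# Seed a fresh file from /dev/urandom and hand it to each command.
make_seed() {
    dd if=/dev/urandom of="$SEED" bs=1024 count=1 2>/dev/null
}

make_ca() {
    make_seed
    openssl genrsa -rand "$SEED" -out "$KEY" 2048 2>/dev/null
    # -config names the file explicitly; OPENSSL_CONF=... does the same.
    openssl req -config "$CONF" -rand "$SEED" -new -x509 \
        -key "$KEY" -out "$CERT" -days 1095
}

# Checks: the certificate carries the configured subject and, being a CA
# certificate, verifies against itself as a trust anchor.
cert_subject_ok() {
    openssl x509 -in "$CERT" -noout -subject | grep -q 'Example Test CA' \
        && echo yes || echo no
}
cert_self_verifies() {
    openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1 && echo yes || echo no
}

export RANDFILE="$SEED"
make_ca
echo "subject ok: $(cert_subject_ok), self-verifies: $(cert_self_verifies)"
```

Once it exists, cacert.pem is what goes into the trust store of every client, and certificates for the Windows 2000 server are requested with `openssl req -new` and signed with `openssl ca` (or `openssl x509 -req -CA cacert.pem -CAkey cakey.pem`) using the same -config and -rand options.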