Flaw (IMO) in openssl 0.9.8g make install
"make install" created .../openssl.0.9.8g/include as 744. That means that other non-root build efforts will fail because they can't read the openssl header files. What is worse is that the resulting errors from make may be somewhat misleading. I ran into this trying to build Apache 2.2.8 with --enable-ssl and --with-ssl=/... and it took me a good while to figure out the problem.

Suggestion: openssl "make install" should create .../openssl.0.9.8g/include with 755 permissions instead of 744 (might be umask related?).

Will the openssl developers pick up on this posting to this list? I hope this helps someone else.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]

Re: AW: Problems about how to store private key safely
Quoting Emre Binisik <[EMAIL PROTECTED]>:

> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:owner-openssl-[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
> > Sent: Saturday, March 29, 2008 20:34
> > To: openssl-users@openssl.org
> > Subject: Re: Problems about how to store private key safely
> >
> > Hello,
> >
> > [EMAIL PROTECTED] wrote on 03/28/2008 10:18:39 AM:
> >
> > > Hello,
> > >
> > > I hope to design an application that uses OpenSSL. Users will use this application from
> > > different PCs or Laptops. Therefore, users will have to have their private key in
> > > different pcs. If I use the pass phrase protected private key, is it possible for other
> > > persons to steal and decrypt that key.
> > >
> > > Or do you have more feasible ways to implement it?
> > Smartcards.
> >
>
> One question here: Is there a possibility or interface,
> to make the private key operations on the smartcard,
> so that the private key never leaves the smartcard?
> For example some functionality, that maps private key
> operations on pkcs11?

Hello.

I am no expert, but I have worked with digital certificates on smart cards to control access to SSL (via openssl) on Apache. The private keys were indeed locked on the smart card with no way to copy them off as a security measure. With SSL via the browser, a bit of software called a security module plugs into the browser for controlling access to the certs on the smart card. From what I read at the time, if it is possible to crack that, it is not trivial.

Solved - Re: Problem making shared libraries on Solaris
Got it. Using the Sun Studio 11 C compiler and manually specifying:

./Configure solaris-sparcv8-cc --prefix=/usr/local/openssl.0.9.8g --openssldir=/usr/local/openssl.0.9.8g shared threads

Thanks to those that helped!

Quoting Carson Gaspar <[EMAIL PROTECTED]>:

> Joseph Felten wrote:
> > Has anyone out there managed to compile openssl-0.9.8g shared libraries under
> > Solaris 8? I've tried both gcc version 3.4.6 and the Sun Studio 11 Sparc
> > compiler (the installation of which was an odyssey unto itself) and both puke
> > on linking with the below error "relocations remain against allocatable but
> > non-writable sections" which is pretty much gibberish to me.
>
> Works For Me (TM).
>
> Please provide the _exact_ configure/compile sequence you used. Be
> _very_ sure that GNU ld / GNU as are _NOT_ in your PATH ahead of
> /usr/ccs/bin. Also make sure that you have all compiler tool chain
> patches applied.
>
> --
> Carson

Re: Problem making shared libraries on Solaris
Has anyone out there managed to compile openssl-0.9.8g shared libraries under Solaris 8? I've tried both gcc version 3.4.6 and the Sun Studio 11 Sparc compiler (the installation of which was an odyssey unto itself) and both puke on linking with the below error "relocations remain against allocatable but non-writable sections" which is pretty much gibberish to me. I'm about out of ideas at this point. Any suggestions?

Note to anyone out there trying to install the Sun Studio 11 compiler / development suite on Sparc Solaris 8.: The installer will NOT work with java 1.6.0_04 throwing this exception: "Exception in thread "Thread-72" java.lang.NoClassDefFoundError: com/sun/install/panels/ComponentSelectionListener". I had to find and install a local copy of Java Development Kit 5.0 Update 15 (java version "1.5.0_15") (http://java.sun.com/j2se/1.5.0/download.jsp ; the self-extracting version lets you install a local copy so you don't stink up your OS with an old version of Java). Sun's java installer is apparently not forwards compatible with newer versions of Java and is not graceful about it at all. The studio 11 installation guide does say it requires "J2SE 1.4.2_08 technology or J2SE 5.0 Update 3".

But as I wrote above, the Sun Sparc compiler did not fix my openssl 0.9.8g shared library link problem.

Quoting Joseph Felten <[EMAIL PROTECTED]>:

> I am getting an odd error when trying to create the shared libraries under SPARC Solaris 8. If I leave off the "shared" it all seems to build fine, but I need the shared libraries (for ssh).
>
> Here is my config command.:
>
> ./config --prefix=/usr/local/openssl.0.9.8g --openssldir=/usr/local/openssl.0.9.8g shared
>
> This is actually the 2nd run through. Everything has compiled O.K. but it pukes when trying to link the shared libraries for libcrypto and libssl.:
>
> making all in crypto/store...
> making all in crypto/pqueue...
> if [ -n "libcrypto.so.0.9.8 libssl.so.0.9.8" ]; then \
>     (cd ..; make libcrypto.so.0.9.8); \
> fi
> Text relocation remains                 referenced
>     against symbol          offset      in file
>                             0x6cc       libcrypto.a(e_sureware.o)
>                             0x6d0       libcrypto.a(e_sureware.o)
> . . .
> memset                      0xf20       libcrypto.a(e_sureware.o)
> memset                      0x1c48      libcrypto.a(e_sureware.o)
> memset                      0x2300      libcrypto.a(e_sureware.o)
> ld: fatal: relocations remain against allocatable but non-writable sections
> collect2: ld returned 1 exit status
> making all in ssl...
>
> if [ -n "libcrypto.so.0.9.8 libssl.so.0.9.8" ]; then \
>     (cd ..; make libssl.so.0.9.8); \
> fi
> Text relocation remains                 referenced
>     against symbol          offset      in file
>                             0x6cc       libcrypto.a(e_sureware.o)
>                             0x6d0       libcrypto.a(e_sureware.o)
>                             0x6d4       libcrypto.a(e_sureware.o)
> . . .
> memset                      0xf20       libcrypto.a(e_sureware.o)
> memset                      0x1c48      libcrypto.a(e_sureware.o)
> memset                      0x2300      libcrypto.a(e_sureware.o)
> ld: fatal: relocations remain against allocatable but non-writable sections
> collect2: ld returned 1 exit status
> making all in engines...
> making all in apps...
>
> Actually it does make libssl.so.0.9.8, but I don't trust it. It does not make libcrypto.so.0.9.8 at all.
>
> $ ls -ld *so.0.9.8
> -rwx-- 1 jfelten users 1479924 Mar 24 17:36 libssl.so.0.9.8
>
> The sureware libraries do exist.:
>
> $ ls -ld engines/*sureware*o
> -rw--- 1 jfelten users 28228 Mar 24 17:20 engines/e_sureware.o
> -rwx-- 1 jfelten users 611988 Mar 24 17:20 engines/libsureware.so

Problem making shared libraries on Solaris
I am getting an odd error when trying to create the shared libraries under SPARC Solaris 8. If I leave off the "shared" it all seems to build fine, but I need the shared libraries (for ssh).

Here is my config command.:

./config --prefix=/usr/local/openssl.0.9.8g --openssldir=/usr/local/openssl.0.9.8g shared

This is actually the 2nd run through. Everything has compiled O.K. but it pukes when trying to link the shared libraries for libcrypto and libssl.:

making all in crypto/store...
making all in crypto/pqueue...
if [ -n "libcrypto.so.0.9.8 libssl.so.0.9.8" ]; then \
    (cd ..; make libcrypto.so.0.9.8); \
fi
Text relocation remains                 referenced
    against symbol          offset      in file
                            0x6cc       libcrypto.a(e_sureware.o)
                            0x6d0       libcrypto.a(e_sureware.o)
. . .
memset                      0xf20       libcrypto.a(e_sureware.o)
memset                      0x1c48      libcrypto.a(e_sureware.o)
memset                      0x2300      libcrypto.a(e_sureware.o)
ld: fatal: relocations remain against allocatable but non-writable sections
collect2: ld returned 1 exit status
making all in ssl...

if [ -n "libcrypto.so.0.9.8 libssl.so.0.9.8" ]; then \
    (cd ..; make libssl.so.0.9.8); \
fi
Text relocation remains                 referenced
    against symbol          offset      in file
                            0x6cc       libcrypto.a(e_sureware.o)
                            0x6d0       libcrypto.a(e_sureware.o)
                            0x6d4       libcrypto.a(e_sureware.o)
. . .
memset                      0xf20       libcrypto.a(e_sureware.o)
memset                      0x1c48      libcrypto.a(e_sureware.o)
memset                      0x2300      libcrypto.a(e_sureware.o)
ld: fatal: relocations remain against allocatable but non-writable sections
collect2: ld returned 1 exit status
making all in engines...
making all in apps...

Actually it does make libssl.so.0.9.8, but I don't trust it. It does not make libcrypto.so.0.9.8 at all.

$ ls -ld *so.0.9.8
-rwx-- 1 jfelten users 1479924 Mar 24 17:36 libssl.so.0.9.8

The sureware libraries do exist.:

$ ls -ld engines/*sureware*o
-rw--- 1 jfelten users 28228 Mar 24 17:20 engines/e_sureware.o
-rwx-- 1 jfelten users 611988 Mar 24 17:20 engines/libsureware.so

Re: Upgrade shows wrong version
I just compiled it for SPARC Solaris and it reports the correct version.:

# ./openssl version
OpenSSL 0.9.8g 19 Oct 2007

But I have to go back and redo it because it dumped the binary in /usr/local/bin and I want it self contained in its own tree so it doesn't conflict with earlier versions.

Quoting "Ian M. Evans" <[EMAIL PROTECTED]>:

> Maybe I need some more coffee before I google...
>
> I just upgraded to openssl-0.9.8g, but when I type openssl version it
> still shows me the old one.
>
> Am I missing some steps here and is there a web page where I can find them?
>
> Thanks.

Re: AES 128 Counter mode
Perhaps you are using a different version, but if I do a "openssl -enc -ciphers" I just get the help list as there is no command. But if I use the "openssl ciphers" command, I receive the below response.:

# openssl version
OpenSSL 0.9.8e 23 Feb 2007
# openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5

Quoting [EMAIL PROTECTED]:

> Hi,
>
> Is AES Counter mode enabled by default in OpenSSL. If not can anyone help me
> how to enable it.
> When I use the command line tool to get the list of ciphers "openssl -enc
> -ciphers" I don't see AES_128_ctr in the list.
>
> Any help will be appreciated.
>
> thanks
> Karthick

NEVER MIND - Re: Can't get PKI Client Authentication Enforcement to work
I believe I have solved the problem which was caused by some directory permissions. That is why when I ran openssl verify by hand, everything seemed to work. What threw me was Apache said it was reading the CA certs in the log, but apparently wasn't really. I spent 3 days working on this before posting to this mailing list, and a few hours after doing so, seem to have solved the problem. Sorry to have bothered everyone but maybe if someone else has the same problem in the future, they will find this and give their directory permissions a check.

Quoting Joseph Felten <[EMAIL PROTECTED]>:

> I'm stumped so I thought I would give this list a try as I believe my problem is an openssl issue.
>
> Background: Building an SSL enabled Apache web server on a closed network. Apache under Solaris 8 OS. Need to restrict access to users with ID certificates issued by particular CA's (issued by particular Root issuers) read from a smart card. I can make everything work except restricting access to particular CA's. Whenever I enable SSLVerifyClient and SSLVerifyDepth in Apache it denies all access even though I present a cert that was issued by one of the CA's under SSLCACertificatePath. Even though I have those CA's certs loaded on the server and can dump and verify them with openssl. I get errors in the Apache log such as.:
>
> "Certificate Verification: Error (20): unable to get local issuer certificate"
>
> and
>
> "SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned"
>
> I'm not sure which certificate is not being returned. From the browser/smart card? It seems to be presenting the cert to the server. I suspect that error is misleading.
>
> I know the browser is reading the cert from the smart card as the browser security module kicks in and asks which cert from the smart card to present to the server. I can't just install the user ID cert directly in the browser as they are flagged non-exportable for security reasons, plus the smart cards are a requirement.
>
> Software: Apache/2.2.4 (Unix) mod_jk/1.2.21 DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e mod_perl/2.0.3 Perl/v5.8.8
>
> I tried some tests with openssl verify, s_client, s_server etc. openssl s_server seems happy with everything. For example.:
>
> openssl s_server -key conf/euukmoappd003n.dev.local.server.key -cert conf/cert.euukmoappd003n.dev.local.server.crt -CApath conf/ssl.crt -state -Verify 10
>
> verify depth is 10, must return a certificate
> Enter pass phrase for conf/disa.euukmoappd003n.dev.local.server.key:
> Using default temp DH parameters
> Using default temp ECDH parameters
> ACCEPT
>
> And I can connect with s_client.
>
> Below is the debug log from starting the SSL server and trying and failing to view a test page with a certificate issued by a root/CA chain the server has loaded. When I try to load a test page, it grinds a bit, asks me to insert my smart card, grinds a bit, asks for my smart card PIN, grinds a bit more, then the browser displays an error page that "The page cannot be displayed". This is with microsoft internet explorer (unfortunately that is the browser the users have). Sorry I can't post the actual certs here as we have pretty tight security rules. Thanks in advance.
>
> [Fri Dec 07 19:11:40 2007] [info] Loading certificate & private key of SSL-aware server
> [Fri Dec 07 19:11:40 2007] [debug] ssl_engine_pphrase.c(481): encrypted RSA private key - pass phrase reused
> [Fri Dec 07 19:11:41 2007] [info] Configuring server for SSL protocol
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv3, TLSv1)
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(538): Configuring client authentication
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=ECA/CN=ECA Root CA
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD Root CA 2
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/ST=Cambs/L=Mole/O=USG/OU=USA OU PKI DD/CN=euukmoappd003n.dev.local
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-12
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA
> [Fri Dec 07 19:11:41 2007]

Follow up - Re: Can't get PKI Client Authentication Enforcement to work
Replying to my own message to add additional information. When I try it with Firefox, it asks which cert to use from my smart card etc. and then throws this error dialog.:

"Could not establish an encrypted connection because your certificate was rejected by euukmoappd003n.dev.local. Error Code: -12271"

I looked up Firefox error code -12271 = "SSL_ERROR_BAD_CERT_ALERT SSL peer cannot verify your certificate. The remote system has received a certificate from the local system, and has rejected it for some reason."

Again, I have the proper CA's installed on the server including the one that issued the ID cert on the smart card.

Quoting Joseph Felten <[EMAIL PROTECTED]>:

> I'm stumped so I thought I would give this list a try as I believe my problem is an openssl issue.
>
> Background: Building an SSL enabled Apache web server on a closed network. Apache under Solaris 8 OS. Need to restrict access to users with ID certificates issued by particular CA's (issued by particular Root issuers) read from a smart card. I can make everything work except restricting access to particular CA's. Whenever I enable SSLVerifyClient and SSLVerifyDepth in Apache it denies all access even though I present a cert that was issued by one of the CA's under SSLCACertificatePath. Even though I have those CA's certs loaded on the server and can dump and verify them with openssl. I get errors in the Apache log such as.:
>
> "Certificate Verification: Error (20): unable to get local issuer certificate"
>
> and
>
> "SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned"
>
> I'm not sure which certificate is not being returned. From the browser/smart card? It seems to be presenting the cert to the server. I suspect that error is misleading.
>
> I know the browser is reading the cert from the smart card as the browser security module kicks in and asks which cert from the smart card to present to the server. I can't just install the user ID cert directly in the browser as they are flagged non-exportable for security reasons, plus the smart cards are a requirement.
>
> Software: Apache/2.2.4 (Unix) mod_jk/1.2.21 DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e mod_perl/2.0.3 Perl/v5.8.8
>
> I tried some tests with openssl verify, s_client, s_server etc. openssl s_server seems happy with everything. For example.:
>
> openssl s_server -key conf/euukmoappd003n.dev.local.server.key -cert conf/cert.euukmoappd003n.dev.local.server.crt -CApath conf/ssl.crt -state -Verify 10
>
> verify depth is 10, must return a certificate
> Enter pass phrase for conf/disa.euukmoappd003n.dev.local.server.key:
> Using default temp DH parameters
> Using default temp ECDH parameters
> ACCEPT
>
> And I can connect with s_client.
>
> Below is the debug log from starting the SSL server and trying and failing to view a test page with a certificate issued by a root/CA chain the server has loaded. When I try to load a test page, it grinds a bit, asks me to insert my smart card, grinds a bit, asks for my smart card PIN, grinds a bit more, then the browser displays an error page that "The page cannot be displayed". This is with microsoft internet explorer (unfortunately that is the browser the users have). Sorry I can't post the actual certs here as we have pretty tight security rules. Thanks in advance.
>
> [Fri Dec 07 19:11:40 2007] [info] Loading certificate & private key of SSL-aware server
> [Fri Dec 07 19:11:40 2007] [debug] ssl_engine_pphrase.c(481): encrypted RSA private key - pass phrase reused
> [Fri Dec 07 19:11:41 2007] [info] Configuring server for SSL protocol
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv3, TLSv1)
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(538): Configuring client authentication
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=ECA/CN=ECA Root CA
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD Root CA 2
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/ST=Cambs/L=Mole/O=USG/OU=USA OU PKI DD/CN=euukmoappd003n.dev.local
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-12
> [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certif

Can't get PKI Client Authentication Enforcement to work
I'm stumped so I thought I would give this list a try as I believe my problem is an openssl issue.

Background: Building an SSL enabled Apache web server on a closed network. Apache under Solaris 8 OS. Need to restrict access to users with ID certificates issued by particular CA's (issued by particular Root issuers) read from a smart card. I can make everything work except restricting access to particular CA's. Whenever I enable SSLVerifyClient and SSLVerifyDepth in Apache it denies all access even though I present a cert that was issued by one of the CA's under SSLCACertificatePath. Even though I have those CA's certs loaded on the server and can dump and verify them with openssl. I get errors in the Apache log such as.:

"Certificate Verification: Error (20): unable to get local issuer certificate"

and

"SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned"

I'm not sure which certificate is not being returned. From the browser/smart card? It seems to be presenting the cert to the server. I suspect that error is misleading.

I know the browser is reading the cert from the smart card as the browser security module kicks in and asks which cert from the smart card to present to the server. I can't just install the user ID cert directly in the browser as they are flagged non-exportable for security reasons, plus the smart cards are a requirement.

Software: Apache/2.2.4 (Unix) mod_jk/1.2.21 DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e mod_perl/2.0.3 Perl/v5.8.8

I tried some tests with openssl verify, s_client, s_server etc. openssl s_server seems happy with everything. For example.:

openssl s_server -key conf/euukmoappd003n.dev.local.server.key -cert conf/cert.euukmoappd003n.dev.local.server.crt -CApath conf/ssl.crt -state -Verify 10

verify depth is 10, must return a certificate
Enter pass phrase for conf/disa.euukmoappd003n.dev.local.server.key:
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

And I can connect with s_client.

Below is the debug log from starting the SSL server and trying and failing to view a test page with a certificate issued by a root/CA chain the server has loaded. When I try to load a test page, it grinds a bit, asks me to insert my smart card, grinds a bit, asks for my smart card PIN, grinds a bit more, then the browser displays an error page that "The page cannot be displayed". This is with microsoft internet explorer (unfortunately that is the browser the users have). Sorry I can't post the actual certs here as we have pretty tight security rules. Thanks in advance.

[Fri Dec 07 19:11:40 2007] [info] Loading certificate & private key of SSL-aware server
[Fri Dec 07 19:11:40 2007] [debug] ssl_engine_pphrase.c(481): encrypted RSA private key - pass phrase reused
[Fri Dec 07 19:11:41 2007] [info] Configuring server for SSL protocol
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv3, TLSv1)
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(538): Configuring client authentication
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=ECA/CN=ECA Root CA
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD Root CA 2
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/ST=Cambs/L=Mole/O=USG/OU=USA OU PKI DD/CN=euukmoappd003n.dev.local
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-12
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-13
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=ECA/CN=ECA Root CA
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-12
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-13
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD Root CA 2
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=ECA/CN=ECA Root CA
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-12
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD Root CA 2
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: /C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-15
[Fri Dec 07 19:11:41
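
The "NEVER MIND" follow-up further up this page traced this failure to directory permissions, the same cause as the 744 include directory in the first post. An added example, not code from the posters or from the OpenSSL or Apache projects: two shell functions that flag entries whose mode bits shut out accounts other than the owner. The function names, the sample tree and the 700 mode on conf/ssl.crt are constructed, and the check assumes the consuming account (a non-root build user, the web server's run-time user) is neither the owner nor in the owning group.

```shell
#!/bin/sh
# Added example (not from the original posts): flag install-tree entries that
# accounts other than the owner cannot use. Assumption: the consumer is
# neither the owner nor in the owning group, so only the "other" bits count.

# unreadable_entries PREFIX
# Print directories under PREFIX lacking other r-x (755 passes, 744 and 700
# do not) and regular files lacking other r.
unreadable_entries() {
    find "$1" \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \)
}

# blocked_ancestors ABSOLUTE_PATH
# Walk from the path up to / and print every directory without the other
# search (x) bit. One such directory hides everything below it, even when
# the files themselves are world-readable.
blocked_ancestors() {
    p=$1
    while :; do
        if [ -d "$p" ] && [ -z "$(find "$p" -prune -perm -001 2>/dev/null)" ]; then
            printf '%s\n' "$p"
        fi
        case $p in
            /|.) break ;;
        esac
        p=$(dirname "$p")
    done
}

# make_sample_tree
# Build a constructed tree mirroring the two reports: an include directory
# installed as 744 and a CA certificate directory left at 700 (the 700 is an
# assumed value; the post only says "directory permissions").
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/openssl.0.9.8g/include/openssl" "$root/conf/ssl.crt"
    : > "$root/openssl.0.9.8g/include/openssl/ssl.h"
    : > "$root/conf/ssl.crt/ca.crt"
    chmod 755 "$root" "$root/openssl.0.9.8g" "$root/conf" \
        "$root/openssl.0.9.8g/include/openssl"
    chmod 644 "$root/openssl.0.9.8g/include/openssl/ssl.h" \
        "$root/conf/ssl.crt/ca.crt"
    chmod 744 "$root/openssl.0.9.8g/include"
    chmod 700 "$root/conf/ssl.crt"
    printf '%s\n' "$root"
}

tree=$(make_sample_tree)
echo "entries other accounts cannot use:"
unreadable_entries "$tree"
echo "directories blocking $tree/conf/ssl.crt/ca.crt:"
blocked_ancestors "$tree/conf/ssl.crt/ca.crt"
rm -rf "$tree"
```

Running the same two functions as root against the real install prefix and the SSLCACertificatePath directory shows what `openssl verify` run by hand as a privileged user will not: the path works for the owner and still fails for the service account.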