Re: [openssl-users] osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL 7.5

2018-10-08 Thread Porter, Andrew
See the error message about looking at the FAQ? Here it is:

https://www.openssl.org/docs/faq.html#USER1


Re: [openssl-users] osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL 7.5

2018-10-07 Thread aakash.kumar
Hi Team,

Please find the error below in text format.



[root@g3r1 ~]# systemctl status bind -l
● bind.service - LSB: DNS Daemon
   Loaded: loaded (/etc/rc.d/init.d/bind)
   Active: active (exited) since Fri 2018-10-05 13:31:09 CEST; 2 days ago
     Docs: man:systemd-sysv-generator(8)
  Process: 32417 ExecStop=/etc/rc.d/init.d/bind stop (code=exited, status=0/SUCCESS)
  Process: 32421 ExecStart=/etc/rc.d/init.d/bind start (code=exited, status=0/SUCCESS)

Oct 05 13:31:09 g3r1 named[32429]:
Oct 05 13:31:09 g3r1 named[32429]: adjusted limit on open files from 4096 to 1048576
Oct 05 13:31:09 g3r1 named[32429]: found 1 CPU, using 1 worker thread
Oct 05 13:31:09 g3r1 named[32429]: using 1 UDP listener per interface
Oct 05 13:31:09 g3r1 named[32429]: using up to 4096 sockets
Oct 05 13:31:09 g3r1 named[32429]: openssl_link.c:296: fatal error:
Oct 05 13:31:09 g3r1 named[32429]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Oct 05 13:31:09 g3r1 named[32429]: exiting (due to fatal error in library)
Oct 05 13:31:09 g3r1 bind[32421]: [13B blob data]
Oct 05 13:31:09 g3r1 systemd[1]: Started LSB: DNS Daemon.





[root@g3r1 ~]# tail /var/log/message
Oct  5 13:31:09 g3r1 systemd: Starting LSB: DNS Daemon...
Oct  5 13:31:09 g3r1 bind: /etc/rc.d/init.d/bind: line 36: log_info_msg: command not found
Oct  5 13:31:09 g3r1 named[32429]: starting BIND 9.12.2-P2
Oct  5 13:31:09 g3r1 named[32429]: running on Linux x86_64 3.10.0-327.13.1.el7.x86_64 #1 SMP Mon Feb 29 13:22:02 EST 2016
Oct  5 13:31:09 g3r1 named[32429]: built with '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' 'mandir=/usr/share/man' '--enable-threads' '--with-libtool' '--with-openssl=/usr/local/ssl' '--disable-static' '--with-randomdev=/dev/urandom'
Oct  5 13:31:09 g3r1 named[32429]: running as: named -u named -t /srv/named -c /etc/named.conf
Oct  5 13:31:09 g3r1 named[32429]: compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-28)
Oct  5 13:31:09 g3r1 named[32429]: compiled with OpenSSL version: OpenSSL 1.0.2p  14 Aug 2018
Oct  5 13:31:09 g3r1 named[32429]: linked to OpenSSL version: OpenSSL 1.0.2p  14 Aug 2018
Oct  5 13:31:09 g3r1 named[32429]: compiled with zlib version: 1.2.7
Oct  5 13:31:09 g3r1 named[32429]: linked to zlib version: 1.2.7
Oct  5 13:31:09 g3r1 named[32429]: threads support is enabled
Oct  5 13:31:09 g3r1 named[32429]:
Oct  5 13:31:09 g3r1 named[32429]: BIND 9 is maintained by Internet Systems Consortium,
Oct  5 13:31:09 g3r1 named[32429]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Oct  5 13:31:09 g3r1 named[32429]: corporation.  Support and training for BIND 9 are
Oct  5 13:31:09 g3r1 named[32429]: available at https://www.isc.org/support
Oct  5 13:31:09 g3r1 named[32429]:
Oct  5 13:31:09 g3r1 named[32429]: adjusted limit on open files from 4096 to 1048576
Oct  5 13:31:09 g3r1 named[32429]: found 1 CPU, using 1 worker thread
Oct  5 13:31:09 g3r1 named[32429]: using 1 UDP listener per interface
Oct  5 13:31:09 g3r1 named[32429]: using up to 4096 sockets
Oct  5 13:31:09 g3r1 named[32429]: openssl_link.c:296: fatal error:
Oct  5 13:31:09 g3r1 named[32429]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)





Thanks & Regards,

Aakash kumar
ITE - India
Tower B, 8th Floor, DLF Infinity Towers,
DLF Cyber City Phase - II
Gurgaon - 122002, Haryana, INDIA
aakash.ku...@orange.com
Mobile: +91-8527288977
CVS: 7357 3706


-Original Message-
From: Viktor Dukhovni [mailto:openssl-us...@dukhovni.org]
Sent: 05 October 2018 21:23
To: KUMAR Aakash IMT/OINIS
Cc: osf-cont...@openssl.org; SRIVASTAVA Himanshu IMT/OINIS; VARSHNEY Praveen IMT/OINIS
Subject: Re: osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL 7.5

Please try to send the text of error reports, not pictures.

> I am getting below error while starting the bind service.
>
>

If you ask on the openssl-users list, someone else may have seen
the same issue, and may have useful advice to share.

NOTE!!!:  I've set the Reply-To: address to .
If you just hit "Reply", your answer may go to the list, though you'd
need to join the list first to be able to post...

Does the error still happen when you disable "chroot" in BIND?
Perhaps BIND is doing late initialization of the PRNG after
entering the chroot jail, and maybe trying to use "/dev/urandom",
which may not be in the jail?  That's a wild guess.  You'd need to
trace system calls to see what it is actually doing...

--
Viktor.
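Viktor's guess can be checked without tracing: named was built with `--with-randomdev=/dev/urandom` and runs with `-t /srv/named`, so the device must exist as a character device (major 1, minor 9) underneath that directory. The diagnostic below is an added example, not code from the thread or from BIND; its function names, result codes and the scratch-jail fixture are this example's own, and `/srv/named` is only the default it takes from the log above.

```c
/* Is the entropy device BIND was built with (--with-randomdev=/dev/urandom)
 * still reachable once named has chrooted into its -t directory?  Added
 * diagnostic, not BIND code; names and the scratch-jail fixture are ours. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>   /* major()/minor() on Linux */

enum randomdev_status {
    RANDOMDEV_OK = 0,        /* character device 1:9, openable */
    RANDOMDEV_MISSING,       /* nothing at <chroot><randomdev> */
    RANDOMDEV_NOT_CHARDEV,   /* a regular file or directory, e.g. a stray "touch" */
    RANDOMDEV_WRONG_NUMBERS, /* a char device with the wrong major/minor */
    RANDOMDEV_UNREADABLE     /* present but open(O_RDONLY) fails */
};

/* Examine randomdev as the jailed process will see it and explain in why.
 * The open test runs as the caller; repeat it as the named user for mode issues. */
enum randomdev_status check_chroot_randomdev(const char *chroot_dir,
        const char *randomdev, char *why, size_t whycap)
{
    char path[4096];
    struct stat st;
    int fd;

    snprintf(path, sizeof path, "%s%s", chroot_dir, randomdev);
    if (stat(path, &st) != 0) {
        snprintf(why, whycap, "%s: %s", path, strerror(errno));
        return RANDOMDEV_MISSING;
    }
    if (!S_ISCHR(st.st_mode)) {
        snprintf(why, whycap, "%s is not a character device", path);
        return RANDOMDEV_NOT_CHARDEV;
    }
    if (major(st.st_rdev) != 1 || minor(st.st_rdev) != 9) {
        snprintf(why, whycap, "%s is device %u:%u, expected 1:9 (urandom)",
                 path, (unsigned)major(st.st_rdev), (unsigned)minor(st.st_rdev));
        return RANDOMDEV_WRONG_NUMBERS;
    }
    fd = open(path, O_RDONLY | O_NOCTTY);
    if (fd < 0) {
        snprintf(why, whycap, "%s: open failed: %s", path, strerror(errno));
        return RANDOMDEV_UNREADABLE;
    }
    close(fd);
    snprintf(why, whycap, "%s: character device 1:9, readable", path);
    return RANDOMDEV_OK;
}

/* Constructed fixture: a scratch jail whose dev/urandom is a plain file, the
 * shape a mistaken "touch" leaves behind.  Returns the check's verdict. */
enum randomdev_status demo_plain_file_jail(void)
{
    char jail[] = "/tmp/jail-demo-XXXXXX", dev[64], node[64], why[256];
    enum randomdev_status rc;
    FILE *fp;

    if (mkdtemp(jail) == NULL)
        return RANDOMDEV_MISSING;
    snprintf(dev, sizeof dev, "%s/dev", jail);
    snprintf(node, sizeof node, "%s/dev/urandom", jail);
    mkdir(dev, 0755);
    if ((fp = fopen(node, "w")) != NULL)
        fclose(fp);
    rc = check_chroot_randomdev(jail, "/dev/urandom", why, sizeof why);
    unlink(node);
    rmdir(dev);
    rmdir(jail);
    return rc;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/srv/named";   /* -t dir from the log */
    char why[256];
    enum randomdev_status rc = check_chroot_randomdev(jail, "/dev/urandom", why, sizeof why);
    printf("%s: %s\n", rc == RANDOMDEV_OK ? "OK" : "PROBLEM", why);
    return rc == RANDOMDEV_OK ? 0 : 1;
}
```

A `MISSING` or `NOT_CHARDEV` verdict for the jail while `/dev/urandom` on the host is fine matches the symptom in the log: the library cannot seed inside the chroot even though the device exists outside it.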

Re: POP3 client with OpenSSL issue

2013-04-22 Thread vinay krishna
Thanks a lot for the reply Mr Dave!
The info on wireshark was really helpful.
By flush I meant the buffer before being used in sprintf  was clean.


On Mon, Apr 22, 2013 at 9:48 AM, Viktor Dukhovni  wrote:

> On Sun, Apr 21, 2013 at 10:17:31PM -0400, Dave Thompson wrote:
>
> > >scanf("%s",password);
>
> This also mishandles passwords containing whitespace.  The code
> looks so poor that my guess is that someone is asking us to do
> their homework.
>
> --
> Viktor.


Re: POP3 client with OpenSSL issue

2013-04-21 Thread Viktor Dukhovni
On Sun, Apr 21, 2013 at 10:17:31PM -0400, Dave Thompson wrote:

> >scanf("%s",password);

This also mishandles passwords containing whitespace.  The code
looks so poor that my guess is that someone is asking us to do
their homework.

-- 
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: POP3 client with OpenSSL issue

2013-04-21 Thread Dave Thompson
>From: owner-openssl-us...@openssl.org On Behalf Of vinay krishna
>Sent: Sunday, 21 April, 2013 00:52

>Hello I am writing a POP3 client in C on ubuntu. I am using OpenSSL. 
>I am stuck in the AUTHORIZATION state! I send the user name and get 
>a success response, and when I send the password, it always says 
>-ERR bad command. I am sure the password is correct. Since I am 

Are you sure the username is correct? Usual security practice has 
long required, as RFC 1939 hints, that the feedback for a uid/pw 
login should not indicate which one was bad nor in what way, 
only that the *pair* is bad. This means that a bad USER 
would still +OK and only the subsequent PASS would -ERR.
Although -ERR "bad command" is somewhat discourteous, 
it could be a little more specific and still be secure.

>using OpenSSL, Wireshark was not of much help. Here's how 

For recent versions of wireshark (about the last 2 years or so) 
if your code gets the SSL_SESSION after handshake (i.e. after 
SSL_connect or equivalent for a client) and _print's it to a file 
which you give to wireshark it should be able to decrypt.
(And wireshark has vulnerabilities, at least loop or crash 
vulnerabilities, often enough it's good to keep up to date.)

>I am sending the password 

>scanf("%s",password);
>sprintf(pass_cmd,"PASS %s\r\n",password);

If either the input to password or the line to pass_cmd 
exceeds the size of the respective buffer, this will 
overrun memory and do unpredictably bad things.
The official C term for this is Undefined Behavior.
Use *scanf %s where limit is at most size-1, 
and unless you've prearranged the sizes to fit, 
either sprintf %.s or snprintf (standard in C99, 
but widely available before and outside that).

Alternatively if this is the only data on an input line, 
and I expect in this situation it would be, use fgets 
and discard the \n if (and only if) it's there.

>sent = SSL_write(ssl, pass_cmd, strlen(pass_cmd));

>pass_cmd is flushed and cleaned before used in write.

What exactly is flush? Normally that is used for I/O 
(write especially, less often read) and there is no I/O 
before the SSL_write; the SSL_write IS the I/O.
Assuming clean means OPENSSL_cleanse or equivalent, 
before the build (sprintf) or between that and write?
The former is useless; the latter would destroy exactly 
the data you want to send, which is stupid. If you want 
to clean it so you don't have it in memory, clean it after 
sending. And clean password anytime after using it to 
build pass_cmd. (It may be and often is convenient 
to group all needed clean operations at the end 
of the function body, just before the return -- 
assuming there is a single return, which is often but 
not universally considered good programming practice.)

>The strlen is also giving a valid size including \r\n

But not after being cleaned, if in fact it is.

FWIW {,f,s,sn}printf returns the number of characters 
written, excluding the null terminator, so you could 
remember that and use that. Tomayto, tomahto.

>Is this in anyway related to OpenSSL?

Very unlikely. If you get an application level response -ERR 
then your application level request got there.

If the server allows non-SSL access that might be easier 
to debug. Alternatively, try connecting with command-line 
s_client and typing the (few) commands manually. (It's 
not easy to get the CR on terminal input at least on Unix, 
but a Postelian server will likely accept plain LF.)




POP3 client with OpenSSL issue

2013-04-20 Thread vinay krishna
Hello, I am writing a POP3 client in C on Ubuntu. I am using OpenSSL. I am
stuck in the AUTHORIZATION state! I send the user name and get a success
response, and when I send the password, it always says *-ERR bad command*.
I am sure the password is correct. Since I am using OpenSSL, Wireshark
was not of much help. Here's how I am sending the password

scanf("%s",password);

sprintf(pass_cmd,"PASS %s\r\n",password);

sent = SSL_write(ssl, pass_cmd, strlen(pass_cmd));

pass_cmd is flushed and cleaned before being used in write. The strlen is also
giving a valid size including \r\n

Is this in anyway related to OpenSSL?


Any pointers will be greatly appreciated!!


Openssl issue??

2010-03-31 Thread Govind c
I am trying to use FTPS for a secure server. We have two identical 
clients trying to connect to the server. Client 1 can connect but not 
client 2. Client 2 throws the error below 

error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag 


Openssl on both clients 


openssl-0.9.7a-43.1 
xmlsec1-openssl-1.2.6-3 
openssl-devel-0.9.7a-43.1 


client 1 
--- 


 curl  -3 -v  --ftp-ssl -k -S ftp://abc:xyz...@10.10.10.1 
* About to connect() to 10.10.10.1 port 21 
*   Trying 10.10.10.1... * connected 
* Connected to 10.10.10.1 (10.10.10.1) port 21 
< 220 (vsFTPd 2.0.1) 


> AUTH SSL 


< 234 Proceed with negotiation. 
* successfully set certificate verify locations: 
*   CAfile: /usr/share/ssl/certs/ca-bundle.crt 
  CApath: none 
* SSL connection using DES-CBC3-SHA 
* Server certificate: 
*subject: /C=US/ST=NJ/L=FP/O=test/CN=test.test.com 
*start date: 2010-03-31 04:53:33 GMT 
*expire date: 2011-03-31 04:53:33 GMT 
*common name: test.test.com (does not match '10.10.10.1') 
*issuer: /C=US/ST=NJ/L=FP/O=test/CN=test.test.com 
* SSL certificate verify result: error number 1 (18), continuing 
anyway. 

> USER abc 


< 331 Please specify the password. 

> PASS xyz123 


< 530 Login incorrect. 
* the username and/or the password are incorrect 
* Closing connection #0 

client 2 
--- 


#  curl  -3 -v  --ftp-ssl -k -S ftp://abc:xyz...@10.10.10.1 
* About to connect() to 10.10.10.1 port 21 
*   Trying 10.10.10.1... * connected 
* Connected to 10.10.10.1 (10.10.10.1) port 21 
< 220 (vsFTPd 2.0.1) 


> AUTH SSL 


< 234 Proceed with negotiation. 
* successfully set certificate verify locations: 
*   CAfile: /usr/share/ssl/certs/ca-bundle.crt 
  CApath: none 
* error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag 
* Closing connection #0 

Cheers 
CG 





  


Reg: openSSL issue with Apache Server

2008-03-18 Thread K, Karunamurthy
Hi Team,
We have upgraded our openssl from 0.9.7 to 0.9.8 version. 

The OS on the system is Solaris 8.

We have compiled the Apache Webserver [ 1.3.29 ] with 0.9.7, I suppose. 

We have rebooted the whole Hardware server and while starting the apache, we 
are getting the following error.

Error Message:
Syntax error on line 208 of /opt/semagix/apache/conf/httpd.conf:
Cannot load /opt/semagix/apache/libexec/libssl.so into server: ld.so.1: 
libhttpd.ep: fatal: libssl.so.0.9.7: open failed: No such file or directory


Could you help us regarding...

The line no : 208 on the apache configuration file is 

207 
208 LoadModule ssl_module libexec/libssl.so
209 

LD_LIBRARY_PATH - has /usr/local/ssl/lib path

Thanks and Regards, 
Karunamurthy K., 


Recall: Reg: openSSL issue with Apache Server

2008-03-18 Thread K, Karunamurthy
The sender would like to recall the message, "Reg: openSSL issue with Apache 
Server".


RE: What is an OpenSSL issue (was Re[2]: Vista 64 bit)

2008-01-03 Thread David Schwartz


smime.p7m
Description: S/MIME encrypted message


Re: What is an OpenSSL issue (was Re[2]: Vista 64 bit)

2008-01-03 Thread Jeffrey Altman
David Schwartz wrote:
> However, they generally require particular versions of OpenSSL or particular
> build environments. They impose their own requirements. If you can state and
> explain these requirements and reduce your question to one that is actually
> about OpenSSL, then I agree with you.
And yet there are folks like Thomas Hruska who are distributing
installer packages for end users (not developers) that are claimed to be
the "official OpenSSL win32 binary" and application developers who don't
want to link to crypto code because they are afraid of the legal issues
surrounding crypto in some countries.

Now when a user is told by their application documentation to go get
OpenSSL and install it and there is someone claiming to provide the
official build and there are packages specifically for non-developers,
what are you expecting the non-developer users to do when they have a
question?

The application developer doesn't know enough to realize that they need
to be careful about the OpenSSL version they use.  The application
developer wants to treat OpenSSL just like any other package that can be
installed such as Kerberos or Perl.  When they have a question they are
going to come to the folks that developed the software they have a
question about.

Now perhaps the question should have been sent to Thomas Hruska because
he distributes the builds he claims are official but when someone looks
for OpenSSL they see the OpenSSL Users mailing list as free and Thomas'
support costs money.  Where do you think the user will go first?

The best you can do is try to give end users a message to send back to
the application developer and at the same time attempt to answer their
question or point them at the "official" distributors and let Thomas
deal with the fallout.

Jeffrey Altman





RE: What is an OpenSSL issue (was Re[2]: Vista 64 bit)

2008-01-02 Thread David Schwartz

> > OpenSSL is *NOT* intended to be 'used' by people who use
> > programs that use
> > it. It is intended to be used by programs and by people who make them.

> I'll stick my 0.01 euro cent in here and state i disagree with this
> hypothesis.  whether you are a user via a 3rd party program (as almost
> all users of openssl are!) or are directly using openssl as a developer
> both camps and parties should be catered for - especially
> as a lot of apps that use openssl really only look for the DLL
> or shared library - or, if built from source, the required dev libraries
> and link libraries.

However, they generally require particular versions of OpenSSL or particular
build environments. They impose their own requirements. If you can state and
explain these requirements and reduce your question to one that is actually
about OpenSSL, then I agree with you.

OpenSSL explicitly is *not* a stable library such that you can make library
upgrades without considering application details -- other than within the
same minor version to fix specific security issues. If a post is about a
specific known OpenSSL security issue, and the issue is how to fix that
issue within the minor version required by the application, that would be an
OpenSSL issue.

Even then, it may be dangerous to do that if the application contains its
own workaround to that same issue. Or the application may not even use the
part of OpenSSL that has the vulnerability, making the exercise pointless.
This should still, in most cases, be treated as an application issue first.
If it is handled as an OpenSSL issue, that should be by one of the
application's developers, not a mere user.

> either type of user may be interested in such things as keeping an
> up-to-date version for security - or ways of configuring it for
> better speed, performance or security settings.

That's true. I agree, my position as stated is a bit too harsh. I disagree
about security settings though, those are application issues, not library
issues. It's dangerous to treat them as library issues.

A security issue should not be fixed without the presence of *someone* with
detailed understanding of how the application uses OpenSSL. An actual user
(in the sense of application developer) of the library needs to do this to
be sure it's done properly. Even OpenSSL experts would either have to
familiarize themselves with the application or do a lot of guessing.
Guessing in the security field is bad.

DS




Openssl issue with embedded linux - monavista

2007-03-05 Thread Prasanna

Hello,
  I am using openssl 0.9.8a with SSL support.
When I call SSL_CTX_free() as we close the HTTP session, the openssl stack 
causes a segmentation fault.
In crypto/stack/stack.c in function sk_pop_free() the ht->num has some 
junk value, which causes the segfault.


When we used openssl 0.9.7d we never entered the for loop present in the 
sk_pop_free function.

Any fix for this?
Kindly let me know if you need any further information about my setup.
Regards
Prasanna



Re: OpenSSL issue with xsupplicant

2005-08-08 Thread Shane Stixrud

On Mon, 8 Aug 2005, Michael Wang wrote:

> On 8/6/05, Shane Stixrud <[EMAIL PROTECTED]> wrote:
>
>> I am attempting to use xsupplicant to connect my fedora 4 laptop to an Open
>> / static wep / eap-tls enabled cisco wireless network with Cisco ACS
>> radius server and a Microsoft CA, everything works fine if I just use wep
>> and avoid EAP-TLS.
>>
>> My xsupplicant configuration files seem to be correct, however my
>> authentication requests fail during an openssl handshake to my radius
>> server with the following error:
>>
>> [AUTH TYPE]  --- SSL_verify : depth 1
>> [AUTH TYPE]  --- SSL_verify error : num=19:self signed certificate in
>> certificate chain:depth=1:/DC=org/DC=vmmc/DC=vmad/CN=vmad1
>> [AUTH TYPE]  --- SSL : SSLv3 read server certificate B
>> [AUTH TYPE]  --- ALERT : unknown CA
>> [AUTH TYPE]  --- SSL : SSLv3 read server certificate B
>> OpenSSL Error -- error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>> Failure!
>
> Look at your eap.conf, section tls, CA_file parameter.
>
> Is CA_file pointing to the certificate of the CA that signed your user
> certificate?


It seems so:

default
{
 allow_types = eap_tls
 identity = spgsrs-laptop
 eap_tls {
 user_cert = /etc/xsupplicant/cert.cer
 user_key  = /etc/xsupplicant/key.pem
 user_key_pass = XX
 root_cert = /etc/xsupplicant/root/vm.pem
 crl_dir = /etc/xsupplicant/crl
 chunk_size = 1398
 random_file = /dev/urandom
  }
}

[EMAIL PROTECTED] ~]# openssl x509 -noout -issuer -in /etc/xsupplicant/root/vm.pem
issuer= /DC=org/DC=vmmc/DC=vmad/CN=vmad1

[EMAIL PROTECTED] ~]# openssl x509 -noout -issuer -in /etc/xsupplicant/key.pem
issuer= /DC=org/DC=vmmc/DC=vmad/CN=vmad1

Thanks,
Shane


Re: OpenSSL issue with xsupplicant

2005-08-08 Thread Michael Wang
On 8/6/05, Shane Stixrud <[EMAIL PROTECTED]> wrote:
> I am attempting to use xsupplicant to connect my fedora 4 laptop to an Open
> / static wep / eap-tls enabled cisco wireless network with Cisco ACS
> radius server and a Microsoft CA, everything works fine if I just use wep
> and avoid EAP-TLS.
> 
> My xsupplicant configuration files seem to be correct, however my
> authentication requests fail during an openssl handshake to my radius
> server with the following error:
> 
> [AUTH TYPE]  --- SSL_verify : depth 1
> [AUTH TYPE]  --- SSL_verify error : num=19:self signed certificate in
> certificate chain:depth=1:/DC=org/DC=vmmc/DC=vmad/CN=vmad1
> [AUTH TYPE]  --- SSL : SSLv3 read server certificate B
> [AUTH TYPE]  --- ALERT : unknown CA
> [AUTH TYPE]  --- SSL : SSLv3 read server certificate B
> OpenSSL Error -- error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Failure!
> 

Look at your eap.conf, section tls, CA_file parameter.

Is CA_file pointing to the certificate of the CA that signed your user
certificate?

Michael


OpenSSL issue with xsupplicant

2005-08-06 Thread Shane Stixrud
I am attempting to use xsupplicant to connect my fedora 4 laptop to an Open 
/ static wep / eap-tls enabled cisco wireless network with Cisco ACS 
radius server and a Microsoft CA, everything works fine if I just use wep 
and avoid EAP-TLS.


My xsupplicant configuration files seem to be correct, however my
authentication requests fail during an openssl handshake to my radius 
server with the following error:


[AUTH TYPE]  --- SSL_verify : depth 1
[AUTH TYPE]  --- SSL_verify error : num=19:self signed certificate in
certificate chain:depth=1:/DC=org/DC=vmmc/DC=vmad/CN=vmad1
[AUTH TYPE]  --- SSL : SSLv3 read server certificate B
[AUTH TYPE]  --- ALERT : unknown CA
[AUTH TYPE]  --- SSL : SSLv3 read server certificate B
OpenSSL Error -- error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Failure!

This seems to be a common error for many programs that use openssl. I
attempted to solve this by adding our Microsoft cert to /etc/pki/tls/certs
as a hash.  This change did allow openssl verify to confirm the 
certificate without error but did not have any effect on 
xsupplicant.


I would think the above change would behave similarly to adding our
Microsoft CA to our Windows XP clients "Trusted root certificate
authorities" list on Windows, but it does not appear so.

Any suggestions would be most welcome.

Cheers,
Shane