Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-13 Thread Abdul Anshad
I use the src rpm downloaded from 
http://koji.fedoraproject.org/koji/buildinfo?buildID=551423 .


Inquired about this issue with one of the package maintainers from 
koji.fedoraproject.org and following was his comment.


Apparently the Known answer test for RSA X9.31 signatures
does not match anymore which is most probably caused by change in
rsa_eay.c introduced in 1.0.1i. The question is whether the change was
wrong or whether the known answer test value in the FIPS selftest is
wrong.

I reverted the file rsa_eay.c to the previous version ( 1.0.1h ) which fixed 
the issue. Just wanted to share this in case someone else is facing the same 
issue with that src rpm.

Is this safe ?

Regards,
Abdul

On 12-Aug-14 11:37 PM, Dr. Stephen Henson wrote:

On Mon, Aug 11, 2014, Abdul Anshad wrote:


Hello All,

I have a set up which runs Apache http-2.4.10 and Openssl-1.0.1i,
when I try to start the http server with FIPS mode i get the
following error.

[Mon Aug 11 14:39:24.407781 2014] [suexec:notice] [pid 380] AH01232:
suEXEC mechanism enabled (wrapper: /apps/apache/2.4.10/bin/suexec)
[Mon Aug 11 14:39:24.428616 2014] [ssl:emerg] [pid 380] AH01885:
FIPS mode failed
[Mon Aug 11 14:39:24.428656 2014] [ssl:emerg] [pid 380] SSL Library
Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test
failure (Type=RSA SHA1 X931)
[Mon Aug 11 14:39:24.428663 2014] [ssl:emerg] [pid 380] AH02312:
Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed

Could somebody help me out with this issue ? Thanks in advance.


Which version of the validated module are you using?

That's a POST failure. The usual cause of that is a compiler bug.

In the FIPS capable OpenSSL directory (i.e. 1.0.1i in your case) try this:

OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl md5 /dev/null
OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl sha1 /dev/null

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org





---
This email is free from viruses and malware because avast! Antivirus protection 
is active.
http://www.avast.com


Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-13 Thread Dr. Stephen Henson
On Wed, Aug 13, 2014, Abdul Anshad wrote:

 I use the src rpm downloaded from
 http://koji.fedoraproject.org/koji/buildinfo?buildID=551423 .
 
 Inquired about this issue with one of the package maintainers from
 koji.fedoraproject.org and following was his comment.
 
 Apparently the Known answer test for RSA X9.31 signatures
 does not match anymore which is most probably caused by change in
 rsa_eay.c introduced in 1.0.1i. The question is whether the change was
 wrong or whether the known answer test value in the FIPS selftest is
 wrong.
 
 I reverted the file rsa_eay.c to the previous version ( 1.0.1h ) which fixed 
 the issue. Just wanted to share this in case someone else is facing the 
 same issue with that src rpm.
 
 Is this safe ?
 

Please check to see if the official version of OpenSSL exhibits this
behaviour. I've just tested 1.0.1 and don't get any problems entering FIPS
mode.

A change in rsa_eay.c in the OpenSSL sources should not affect the FIPS module
which has a separate implementation. I can only assume that the version you
are using is doing something strange and I can't really comment on
distribution specific changes.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-13 Thread Abdul Anshad
The official version of OpenSSL works fine when compiled against the 
upstream FIPS module.


Yes, it's distribution specific and reverting the file fixed the issue.

Thanks for your time.

Regards,
Abdul

On 13-Aug-14 7:02 PM, Dr. Stephen Henson wrote:

On Wed, Aug 13, 2014, Abdul Anshad wrote:


I use the src rpm downloaded from
http://koji.fedoraproject.org/koji/buildinfo?buildID=551423 .

Inquired about this issue with one of the package maintainers from
koji.fedoraproject.org and following was his comment.

Apparently the Known answer test for RSA X9.31 signatures
does not match anymore which is most probably caused by change in
rsa_eay.c introduced in 1.0.1i. The question is whether the change was
wrong or whether the known answer test value in the FIPS selftest is
wrong.

I reverted the file rsa_eay.c to the previous version ( 1.0.1h ) which fixed 
the issue. Just wanted to share this in case someone else is facing the same 
issue with that src rpm.

Is this safe ?


Please check to see if the official version of OpenSSL exhibits this
behaviour. I've just tested 1.0.1 and don't get any problems entering FIPS
mode.

A change in rsa_eay.c in the OpenSSL sources should not affect the FIPS module
which has a separate implementation. I can only assume that the version you
are using is doing something strange and I can't really comment on
distribution specific changes.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org






Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Thulasi Goriparthi
$ openssl genrsa 2048 > key.pem
$ openssl req -new -x509 -key key.pem -out cert.pem -sha256


On Tue, Aug 12, 2014 at 11:08 AM, Abdul Anshad ab...@visolve.com wrote:

 Could you please provide me the steps for creating a self signed
 certificate meeting the current FIPS standard ?

 Thank you for the response.

 Regards,
 Abdul


 On 12-Aug-14 3:02 AM, Kurt Cancemi wrote:

 You're using a SHA-1 signed certificate, the current FIPS standard
 mandates a SHA-256 (SHA-2) signed certificate with a bit size = 2048.

 ---
 Kurt Cancemi
 https://www.x64Architecture.com


 On Mon, Aug 11, 2014 at 5:24 AM, Abdul Anshad ab...@visolve.com wrote:

 Hello All,

 I have a set up which runs Apache http-2.4.10 and Openssl-1.0.1i, when I
 try
 to start the http server with FIPS mode i get the following error.

 [Mon Aug 11 14:39:24.407781 2014] [suexec:notice] [pid 380] AH01232:
 suEXEC
 mechanism enabled (wrapper: /apps/apache/2.4.10/bin/suexec)
 [Mon Aug 11 14:39:24.428616 2014] [ssl:emerg] [pid 380] AH01885: FIPS
 mode
 failed
 [Mon Aug 11 14:39:24.428656 2014] [ssl:emerg] [pid 380] SSL Library
 Error:
 error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure
 (Type=RSA
 SHA1 X931)
 [Mon Aug 11 14:39:24.428663 2014] [ssl:emerg] [pid 380] AH02312: Fatal
 error
 initialising mod_ssl, exiting.
 AH00016: Configuration Failed

 Could somebody help me out with this issue ? Thanks in advance.

 --
 Regards,
 Abdul





Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Viktor Dukhovni
On Tue, Aug 12, 2014 at 11:24:40AM +0530, Thulasi Goriparthi wrote:

 $ openssl genrsa 2048 > key.pem

Don't forget umask 077 before that.  Otherwise, the key file is often
world-readable.  With AFS, fs setacl . ... to restrict access to the
containing directory.

-- 
Viktor.


Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Abdul Anshad

Thank you for the response.

I already have a SHA-256 self signed certificate with a bit size 2048 
but still ended up with the same error.


I used the following command to create the self signed certificate.

$ openssl req -x509 -sha256 -days 365 -newkey rsa:2048 -keyout 
/etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt


$ openssl x509 -noout -text -in /etc/pki/tls/certs/localhost.crt | grep "Signature Algorithm"

Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption

$ openssl version
OpenSSL 1.0.1i-fips 6 Aug 2014


Any suggestions ?

Regards,
Abdul

On 12-Aug-14 3:02 AM, Kurt Cancemi wrote:

You're using a SHA-1 signed certificate, the current FIPS standard
mandates a SHA-256 (SHA-2) signed certificate with a bit size = 2048.

---
Kurt Cancemi
https://www.x64Architecture.com


On Mon, Aug 11, 2014 at 5:24 AM, Abdul Anshad ab...@visolve.com wrote:

Hello All,

I have a set up which runs Apache http-2.4.10 and Openssl-1.0.1i, when I try
to start the http server with FIPS mode i get the following error.

[Mon Aug 11 14:39:24.407781 2014] [suexec:notice] [pid 380] AH01232: suEXEC
mechanism enabled (wrapper: /apps/apache/2.4.10/bin/suexec)
[Mon Aug 11 14:39:24.428616 2014] [ssl:emerg] [pid 380] AH01885: FIPS mode
failed
[Mon Aug 11 14:39:24.428656 2014] [ssl:emerg] [pid 380] SSL Library Error:
error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA
SHA1 X931)
[Mon Aug 11 14:39:24.428663 2014] [ssl:emerg] [pid 380] AH02312: Fatal error
initialising mod_ssl, exiting.
AH00016: Configuration Failed

Could somebody help me out with this issue ? Thanks in advance.

--
Regards,
Abdul




Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Jayadev Kumar
check 'ldd mod_ssl.so' for proper linkage.

-Jayadev.


On Tue, Aug 12, 2014 at 7:01 PM, Abdul Anshad ab...@visolve.com wrote:

 Thank you for the response.

 I already have a SHA-256 self signed certificate with a bit size 2048 but
 still ended up with the same error.

 I used the following command to create the self signed certificate.

 $ openssl req -x509 -sha256 -days 365 -newkey rsa:2048 -keyout
 /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt

 $ openssl x509 -noout -text -in /etc/pki/tls/certs/localhost.crt | grep "Signature Algorithm"
 Signature Algorithm: sha256WithRSAEncryption
 Signature Algorithm: sha256WithRSAEncryption

 $ openssl version
 OpenSSL 1.0.1i-fips 6 Aug 2014


 Any suggestions ?

 Regards,
 Abdul

 On 12-Aug-14 3:02 AM, Kurt Cancemi wrote:

 You're using a SHA-1 signed certificate, the current FIPS standard
 mandates a SHA-256 (SHA-2) signed certificate with a bit size = 2048.

 ---
 Kurt Cancemi
 https://www.x64Architecture.com


 On Mon, Aug 11, 2014 at 5:24 AM, Abdul Anshad ab...@visolve.com wrote:

 Hello All,

 I have a set up which runs Apache http-2.4.10 and Openssl-1.0.1i, when I
 try
 to start the http server with FIPS mode i get the following error.

 [Mon Aug 11 14:39:24.407781 2014] [suexec:notice] [pid 380] AH01232:
 suEXEC
 mechanism enabled (wrapper: /apps/apache/2.4.10/bin/suexec)
 [Mon Aug 11 14:39:24.428616 2014] [ssl:emerg] [pid 380] AH01885: FIPS
 mode
 failed
 [Mon Aug 11 14:39:24.428656 2014] [ssl:emerg] [pid 380] SSL Library
 Error:
 error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure
 (Type=RSA
 SHA1 X931)
 [Mon Aug 11 14:39:24.428663 2014] [ssl:emerg] [pid 380] AH02312: Fatal
 error
 initialising mod_ssl, exiting.
 AH00016: Configuration Failed

 Could somebody help me out with this issue ? Thanks in advance.

 --
 Regards,
 Abdul





Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Dr. Stephen Henson
On Tue, Aug 12, 2014, Thulasi Goriparthi wrote:

 $ openssl genrsa 2048 > key.pem
 $ openssl req -new -x509 -key key.pem -out cert.pem -sha256
 

You also need to set the environment variable OPENSSL_FIPS=1 so the operations
are performed in FIPS mode.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
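
Putting together Thulasi's two commands, Viktor's umask 077 note and Steve's OPENSSL_FIPS=1 requirement: the script below is an added example, not code from the thread or from the OpenSSL project. It generates the key and certificate in FIPS mode and then checks what Abdul checked by hand (signature algorithm and key size, with sha1WithRSAEncryption, which Kurt flagged, rejected) plus the mode of the key file. It assumes a FIPS-capable OpenSSL 1.0.x `openssl` binary in PATH; the paths and subject in the usage comment are hypothetical, and the certificate text fed to check_cert_text when testing is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a key and self-signed
# certificate a FIPS-mode mod_ssl will accept and checks the result.
# Assumes a FIPS-capable OpenSSL 1.0.x "openssl" in PATH; paths and the
# subject are the caller's (the thread used /etc/pki/tls/...).

# gen_fips_selfsigned KEY CRT [CN] [DAYS]
# umask 077 is applied in the subshell that writes the key, so the file
# is 0600 from the moment it exists. OPENSSL_FIPS=1 makes the openssl app
# enter FIPS mode first, so a key size or digest the module rejects fails
# here rather than when httpd starts.
gen_fips_selfsigned() {
    local key crt cn days
    key=$1; crt=$2; cn=${3:-localhost}; days=${4:-365}
    ( umask 077 && OPENSSL_FIPS=1 openssl genrsa -out "$key" 2048 ) || return 1
    OPENSSL_FIPS=1 openssl req -new -x509 -sha256 -days "$days" \
        -key "$key" -subj "/CN=$cn" -out "$crt"
}

# key_is_private FILE: true only if group and other have no permission
# bits at all, the mode umask 077 produces.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_cert_text: reads "openssl x509 -noout -text" output on stdin and
# accepts only an RSA key of at least 2048 bits signed with a SHA-2 digest.
check_cert_text() {
    local text sigalg bits
    text=$(cat)
    sigalg=$(printf '%s\n' "$text" \
        | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | head -n 1)
    bits=$(printf '%s\n' "$text" \
        | sed -n 's/^[[:space:]]*Public-Key: (\([0-9]*\) bit).*/\1/p' \
        | head -n 1)
    case $sigalg in
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) ;;
        *) echo "unacceptable signature algorithm: ${sigalg:-none}" >&2; return 1 ;;
    esac
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "RSA key too small: ${bits:-unknown} bits" >&2; return 1
    fi
    return 0
}

# verify_fips_cert KEY CRT: the check Abdul ran by hand, plus the file mode.
verify_fips_cert() {
    key_is_private "$1" || { echo "$1 is readable by group or other" >&2; return 1; }
    openssl x509 -noout -text -in "$2" | check_cert_text
}

# Typical run (paths hypothetical):
#   gen_fips_selfsigned /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt www.example.com
#   verify_fips_cert    /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt
```

OPENSSL_FIPS=1 only affects the openssl command-line tool; httpd itself enters FIPS mode through mod_ssl's `SSLFIPS on`, which is where the POST failure in the original report surfaced.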


Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Dr. Stephen Henson
On Mon, Aug 11, 2014, Abdul Anshad wrote:

 Hello All,
 
 I have a set up which runs Apache http-2.4.10 and Openssl-1.0.1i,
 when I try to start the http server with FIPS mode i get the
 following error.
 
 [Mon Aug 11 14:39:24.407781 2014] [suexec:notice] [pid 380] AH01232:
 suEXEC mechanism enabled (wrapper: /apps/apache/2.4.10/bin/suexec)
 [Mon Aug 11 14:39:24.428616 2014] [ssl:emerg] [pid 380] AH01885:
 FIPS mode failed
 [Mon Aug 11 14:39:24.428656 2014] [ssl:emerg] [pid 380] SSL Library
 Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test
 failure (Type=RSA SHA1 X931)
 [Mon Aug 11 14:39:24.428663 2014] [ssl:emerg] [pid 380] AH02312:
 Fatal error initialising mod_ssl, exiting.
 AH00016: Configuration Failed
 
 Could somebody help me out with this issue ? Thanks in advance.
 

Which version of the validated module are you using?

That's a POST failure. The usual cause of that is a compiler bug.

In the FIPS capable OpenSSL directory (i.e. 1.0.1i in your case) try this:

OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl md5 /dev/null
OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl sha1 /dev/null

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
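
Steve's md5/sha1 probe above is only useful if you know what each outcome means, and the log line itself carries more information than it looks. The script below is an added example, not code from the thread or from the OpenSSL project: it pulls the packed error code out of a mod_ssl log line and splits it into the library, function and reason numbers that OpenSSL 1.0.x encodes as (lib << 24) | (func << 12) | reason, and it classifies the exit statuses of the two probe commands. The library-name table is a subset of crypto/err/err.h; the source-tree path handed to run_fips_probe is hypothetical, and the log line in the usage is the one from Abdul's report.

```shell
#!/bin/sh
# Added example, not from the thread. Decodes OpenSSL 1.0.x packed error
# codes from mod_ssl logs and interprets Steve's md5/sha1 FIPS probe.

# Library numbers from OpenSSL 1.0.x crypto/err/err.h (subset; the two
# that matter for this page are 20 = SSL and 45 = FIPS).
lib_name() {
    case $1 in
        4) echo RSA ;;  6) echo EVP ;;  9) echo PEM ;;  11) echo X509 ;;
        20) echo SSL ;; 45) echo FIPS ;; *) echo "lib$1" ;;
    esac
}

# decode_err CODE -> "lib func reason LIBNAME"
# CODE is "error:2D06D075:..." as printed by ERR_print_errors, a bare
# 8-hex-digit value, or the bare decimal value mod_ssl logs first
# ("SSL Library Error: 336187530 error:1409D08A:...").
decode_err() {
    local raw code lib func reason
    raw=$1
    case $raw in
        error:*)     raw=${raw#error:}; raw=${raw%%:*}; code=$((0x$raw)) ;;
        *[A-Fa-f]*)  code=$((0x$raw)) ;;
        *)           code=$(($raw)) ;;
    esac
    lib=$(( (code >> 24) & 0xFF ))
    func=$(( (code >> 12) & 0xFFF ))
    reason=$(( code & 0xFFF ))
    printf '%d %d %d %s\n' "$lib" "$func" "$reason" "$(lib_name "$lib")"
}

# err_from_log LINE -> the "error:XXXXXXXX" token inside a log line
err_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*\(error:[0-9A-Fa-f]\{8\}\).*/\1/p'
}

# interpret_fips_probe MD5_RC SHA1_RC
# The openssl app calls FIPS_mode_set(1) at start-up when OPENSSL_FIPS is
# set and exits non-zero if the power-on self-tests fail. Inside FIPS mode
# MD5 is not an approved digest, so "openssl md5" must fail while
# "openssl sha1" must succeed.
interpret_fips_probe() {
    local md5_rc sha1_rc
    md5_rc=$1; sha1_rc=$2
    if [ "$sha1_rc" -ne 0 ]; then
        echo post-failure        # even SHA-1 fails: self-tests did not pass
    elif [ "$md5_rc" -eq 0 ]; then
        echo not-in-fips-mode    # MD5 accepted: FIPS mode was never entered
    else
        echo fips-mode-ok        # MD5 refused, SHA-1 works: POST passed
    fi
}

# run_fips_probe TREE: run Steve's two commands in a FIPS-capable OpenSSL
# source tree (hypothetical path) and classify the outcome.
run_fips_probe() {
    local tree md5_rc sha1_rc
    tree=${1:-.}
    if (cd "$tree" && OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl md5 /dev/null >/dev/null 2>&1)
    then md5_rc=0; else md5_rc=$?; fi
    if (cd "$tree" && OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl sha1 /dev/null >/dev/null 2>&1)
    then sha1_rc=0; else sha1_rc=$?; fi
    interpret_fips_probe "$md5_rc" "$sha1_rc"
}

# Usage with the line from Abdul's error log:
line='[Mon Aug 11 14:39:24.428656 2014] [ssl:emerg] [pid 380] SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)'
decode_err "$(err_from_log "$line")"     # 45 109 117 FIPS
decode_err 336187530                     # 20 157 138 SSL
```

On a host that still has the openssl binary, `openssl errstr 2D06D075` performs the same split and prints the library, function and reason names; the decoder above is for the case where all you have is the log.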


RE: SSL Library Error

2007-09-12 Thread Aaron Smith
Well, I recompiled AGAIN with no mention of the 0.9.8 library in any of
my environment variables.  The resulting httpd binary showed no links to
the 0.9.8 libraries, just 0.9.7 (the system OS libraries).  THIS one
won't even start.  I get an error of:

/usr/lib/dld.sl: Unresolved symbol: __umoddi3 (code)  from
/usr/local/lib/libcrypto.sl

Not to mention that in order to get THAT far, I have to comment out the
loading of the mod_ldap because it throws a much more vague Unresolved
External error when it tries to load.

This system is cursed... CURSED I SAY!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni
Sent: Tuesday, September 11, 2007 4:12 PM
To: openssl-users@openssl.org
Subject: Re: SSL Library Error

On Tue, Sep 11, 2007 at 03:34:13PM -0400, Aaron Smith wrote:

 Looking at the output of LDD closer, it looks like the httpd binary is
 linked to both libraries.  BUT, I don't think this is the cause of the
 problem as the httpd binary that DOES work is ALSO linked this way

Being linked to both libraries is a problem, but even more so if the
first library that is loaded does not match the compile-time headers.

First escape DLL-hell, then debug other issues. If your LDAP library
depends on OpenSSL 0.9.7, you need to link Apache also with 0.9.7.

Mixing 0.9.7 and 0.9.8 in the same binary leads to unspecified
behaviour.

-- 
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
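
Viktor's point in the quoted reply, that a binary linked against two OpenSSL versions is already broken before any other debugging starts, and Jayadev's "check 'ldd mod_ssl.so' for proper linkage" advice in the 2014 thread above can be turned into a check. The script below is an added example, not code from the thread: it reads ldd output and flags more than one libcrypto or libssl, a libssl/libcrypto version skew, or the two libraries resolved from different directories. The ldd lines in the sample are constructed to mirror the situation Aaron describes (0.9.8d in /opt/openssl098d/lib, 0.9.7e in /usr/local/lib).

```shell
#!/bin/sh
# Added example, not from the thread. Reads "ldd" output and flags a
# binary or module that resolves more than one OpenSSL installation,
# the mixed 0.9.7/0.9.8 linkage Viktor warns about.

# check_openssl_linkage: ldd output on stdin. HP-UX, Solaris and Linux ldd
# all print "soname => resolved-path" lines, so $1 is the name and $3 the
# path. Returns 0 for a single consistent installation, 1 otherwise, and
# prints the reason.
check_openssl_linkage() {
    awk '
        /=>/ && $1 ~ /^lib(crypto|ssl)\.s[lo]/ {
            base = $1; sub(/\..*$/, "", base)                      # libcrypto or libssl
            ver  = $1; sub(/^lib(crypto|ssl)\.s[lo]\.?/, "", ver)  # e.g. 0.9.7, may be empty
            dir  = $3; sub(/\/[^\/]*$/, "", dir)
            count[base]++
            vers[base]  = ver
            paths[base] = paths[base] " " $3
            dirs[dir]   = 1
        }
        END {
            bad = 0
            for (b in count)
                if (count[b] > 1) {
                    printf "%s resolved %d times:%s\n", b, count[b], paths[b]; bad = 1
                }
            if (("libssl" in vers) && ("libcrypto" in vers) && vers["libssl"] != vers["libcrypto"]) {
                printf "libssl %s does not match libcrypto %s\n", vers["libssl"], vers["libcrypto"]; bad = 1
            }
            n = 0; for (d in dirs) n++
            if (n > 1) { printf "OpenSSL libraries come from %d directories\n", n; bad = 1 }
            if (!bad) print "single OpenSSL installation"
            exit bad
        }'
}

# check_binary_linkage FILE: run ldd on httpd or mod_ssl.so and apply the check.
check_binary_linkage() {
    ldd "$1" | check_openssl_linkage
}

# Constructed ldd output modelled on the thread: libssl and one libcrypto
# from 0.9.8d, plus a second libcrypto from the system 0.9.7e pulled in
# through the LDAP library.
sample='        libssl.so.0.9.8 => /opt/openssl098d/lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 => /opt/openssl098d/lib/libcrypto.so.0.9.8
        libldap.so => /usr/local/lib/libldap.so
        libcrypto.so.0.9.7 => /usr/local/lib/libcrypto.so.0.9.7
        libc.so.1 => /usr/lib/libc.so.1'
printf '%s\n' "$sample" | check_openssl_linkage || echo "mixed linkage: rebuild against one OpenSSL"
```

Run it against both httpd and every loaded module (mod_ssl.so, and the LDAP library it drags in); a clean httpd with a dirty mod_ldap is exactly the case where the process starts and then misbehaves under load.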


RE: SSL Library Error

2007-09-12 Thread Marek Marcola
Hello,
 Well, I recompiled AGAIN with no mention of the 0.9.8 library in any of
 my environment variables.  The resulting httpd binary showed no links to
 the 0.9.8 libraries, just 0.9.7 (the system OS libraries).  THIS one
 won't even start.  I get an error of:
 
 /usr/lib/dld.sl: Unresolved symbol: __umoddi3 (code)  from
 /usr/local/lib/libcrypto.sl
This symbol is in libgcc. Depending on gcc compilation, libgcc may be
static or dynamic (or both). In this case it looks like main program
is linked static (or not) with libgcc and when loading libcrypto.sl
there is no link to this library.
You may need to add this dynamic library to httpd recompilation
(or rename temporary static version of libgcc).

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



RE: SSL Library Error

2007-09-12 Thread Aaron Smith
I added --with-ssl=/usr/local to the configure options and
recompiled.  Although mod_ldap is still unhappy, that corrects the
unresolved symbol error if I launch apache without mod_ldap.  However,
the result is the same problem I've been wrestling with.  Piling up
child processes in a waiting... state.  This installation has no
mention in the ldd output of links to the 0.9.8 so it should be, as far
as I can tell, using ONLY the 0.9.7 system, OS installed Openssl
libraries.

Aaron

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Wednesday, September 12, 2007 9:41 AM
To: openssl-users@openssl.org
Subject: RE: SSL Library Error

Hello,
 Well, I recompiled AGAIN with no mention of the 0.9.8 library in any
of
 my environment variables.  The resulting httpd binary showed no links
to
 the 0.9.8 libraries, just 0.9.7 (the system OS libraries).  THIS one
 won't even start.  I get an error of:
 
 /usr/lib/dld.sl: Unresolved symbol: __umoddi3 (code)  from
 /usr/local/lib/libcrypto.sl
This symbol is in libgcc. Depending on gcc compilation, libgcc may be
static or dynamic (or both). In this case it looks like main program
is linked static (or not) with libgcc and when loading libcrypto.sl
there is no link to this library.
You may need to add this dynamic library to httpd recompilation
(or rename temporary static version of libgcc).

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



RE: SSL Library Error

2007-09-12 Thread Marek Marcola
Hello,
I've missed that this is on hpux11.
Very important is what version you have: hpux1100, hpux,
hpux1123ia, hpux1123pa, hpux1131ia or hpux1131pa ?

 I added --with-ssl=/usr/local to the the configure options and
 recompiled.  Although mod_ldap is still unhappy, that corrects the
 unresolved symbol error if I launch apache without mod_ldap.  However,
 the result is the same problem I've been wrestling with.  Piling up
 child processes in a waiting... state.  This installation has no
 mention in the ldd output of links to the 0.9.8 so it should be, as far
 as I can tell, using ONLY the 0.9.7 system, OS installed Openssl
 libraries.
Check that all software is compiled with gcc or with HP compiler.
If some part (like Apache) is compiled with HP compiler and other
(like OpenSSL) with gcc then OpenSSL requires libgcc but Apache
has no link to this library because libgcc is not used by HP compiler.
On hpux1100 there is no standard OpenSSL library (and not OpenSSL
headers). If you have your Apache running you may check with
lsof what shared libraries are used by apache and from what directories.
I think you should be able to perform clean rebuild of Apache and
current OpenSSL.
Depending on hpux you have, to be sure, you may temporary rename link
/usr/include/openssl (which sometime points
to /opt/openssl/include/openssl and sometimes is directory) when
you compile your applications to be sure that header files are
from your specified locations

If Apache is running try to connect with 'openssl s_client'
with specified protocols (-ssl2, -ssl3 -tls1).

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



RE: SSL Library Error

2007-09-12 Thread Aaron Smith
The system is 11.11.  I'm *pretty* sure everything has been compiled
with gcc.  I'm compiling apache with gcc, but OpenLDAP and Openssl might
have been compiled with something different. The apache install that
works was definitely also compiled with gcc and uses the same install of
OpenSSL and OpenLDAP.  There is no lsof on this system, but I might be
able to track down a copy.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Wednesday, September 12, 2007 11:43 AM
To: openssl-users@openssl.org
Subject: RE: SSL Library Error

Hello,
I've missed that this is on hpux11.
Very important is what version you have: hpux1100, hpux,
hpux1123ia, hpux1123pa, hpux1131ia or hpux1131pa ?

 I added --with-ssl=/usr/local to the the configure options and
 recompiled.  Although mod_ldap is still unhappy, that corrects the
 unresolved symbol error if I launch apache without mod_ldap.  However,
 the result is the same problem I've been wrestling with.  Piling up
 child processes in a waiting... state.  This installation has no
 mention in the ldd output of links to the 0.9.8 so it should be, as
far
 as I can tell, using ONLY the 0.9.7 system, OS installed Openssl
 libraries.
Check that all software is compiled with gcc or with HP compiler.
If some part (like Apache) is compiled with HP compiler and other
(like OpenSSL) with gcc then OpenSSL requires libgcc but Apache
has no link to this library because libgcc is not used by HP compiler.
On hpux1100 there is no standard OpenSSL library (and not OpenSSL
headers). If you have your Apache running you may check with
lsof what shared libraries are used by apache and from what directories.
I think you should be able to perform clean rebuild of Apache and
current OpenSSL.
Depending on hpux you have, to be sure, you may temporary rename link
/usr/include/openssl (which sometime points
to /opt/openssl/include/openssl and sometimes is directory) when
you compile your applications to be sure that header files are
from your specified locations

If Apache is running try to connect with 'openssl s_client'
with specified protocols (-ssl2, -ssl3 -tls1).

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



RE: SSL Library Error

2007-09-12 Thread Marek Marcola
Hello,
 The system is 11.11.  I'm *pretty* sure everything has been compiled
 with gcc.  I'm compiling apache with gcc, but OpenLDAP and Openssl might
 have been compiled with something different. The apache install that
 works was definitely also compiled with gcc and uses the same install of
 OpenSSL and OpenLDAP.  
I think that you may try to compile Apache, OpenSSL and OpenLDAP from
scratch to (for example) /usr/local/httpd-VER, /usr/local/openssl-VER
and /usr/local/openldap-VER (to not disturb working system) and on
configure of Apache use only this dependencies.
 or ...
if your goal is to have Apache with SSL and LDAP you may just
download OpenSSL and Apache as swinstall bundle from
 http://www.software.hp.com
(HP-UX Apache-based Web Server v.2.18 and OpenSSL)
install on hpux (installs to /opt/openssl and /opt/hpws)
and use it (with mod_ldap and others).

You may have already installed old/current versions 
in /opt/apache, /opt/apache2 or /opt/hpws.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



Re: SSL Library Error: 336187530 error :1409D08A

2007-09-11 Thread Joseph Burch
The suspicious libraries were /usr/sfw/lib/libcrypto.so.0.9.7 and 
/usr/sfw/lib/libssl.so.0.9.7, both in the SUN Solaris 10 distribution.   
Building openssl_0.9.7m from source using /opt/SUNWspro/bin/cc and 
swapping in the new libraries cleared the problem.


Thanks, Joe

Joseph Burch wrote:


Folks - My apologies if this topic has already been addressed -

SunOS 5.10 Generic_125100-10 sun4u sparc SUNW,Sun-Fire-V440
(SUN distributed pkgs) Server: Apache/2.0.55, Interface: 
mod_ssl/2.0.55, Library: OpenSSL/0.9.7d


Following an error-free startup of Apache, I try to establish an https 
connection, encounter this (in part), and the connection drops:


[Fri Sep 07 16:54:46 2007] [debug] ssl_engine_kernel.c(1813): OpenSSL: 
Exit: error in SSLv3 read certificate verify A
[Fri Sep 07 16:54:46 2007] [info] SSL library error 1 in handshake 
(server naos.lib.virginia.edu:443, client 128.143.12.29)
[Fri Sep 07 16:54:46 2007] [info] SSL Library Error: 336187530 
error:1409D08A:SSL routines:SSL3_SETUP_KEY_BLOCK:cipher or hash 
unavailable


Can someone help?

Regards,

Joseph Burch
ITC-Unix
University of Virginia



Re: SSL Library Error: 336187530 error :1409D08A

2007-09-11 Thread Victor Duchovni
On Tue, Sep 11, 2007 at 11:45:41AM -0400, Joseph Burch wrote:

 The suspicious libraries were /usr/sfw/lib/libcrypto.so.0.9.7 and 
 /usr/sfw/lib/libssl.so.0.9.7, both in the SUN Solaris 10 distribution.   
 Building openssl_0.9.7m from source using /opt/SUNWspro/bin/cc and 
 swapping in the new libraries cleared the problem.
 
 Folks - My apologies if this topic has already been addressed -
 
 SunOS 5.10 Generic_125100-10 sun4u sparc SUNW,Sun-Fire-V440
 (SUN distributed pkgs) Server: Apache/2.0.55, Interface: 
 mod_ssl/2.0.55, Library: OpenSSL/0.9.7d
 
 Following an error-free startup of Apache, I try to establish an https 
 connection, encounter this (in part), and the connection drops:
 
 [Fri Sep 07 16:54:46 2007] [debug] ssl_engine_kernel.c(1813): OpenSSL: 
 Exit: error in SSLv3 read certificate verify A
 [Fri Sep 07 16:54:46 2007] [info] SSL library error 1 in handshake 
 (server naos.lib.virginia.edu:443, client 128.143.12.29)
 [Fri Sep 07 16:54:46 2007] [info] SSL Library Error: 336187530 
 error:1409D08A:SSL routines:SSL3_SETUP_KEY_BLOCK:cipher or hash 
 unavailable

Sun only provides AES-128, and not AES-256. The OpenSSL 0.9.7 library
(with cipherlists other than DEFAULT which Sun explicitly modified to
drop the AES-256 ciphers) was not until 0.9.7m able to notice that part
of the AES ciphers was missing.  From the change log:

  *) Since AES128 and AES256 share a single mask bit in the logic of
 ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
 kludge to work properly if AES128 is available and AES256 isn't.
 [Victor Duchovni]

When using the Sun libraries you must construct your cipherlist by
subtracting from DEFAULT.

-- 
Viktor.


Re: SSL Library Error

2007-09-11 Thread Victor Duchovni
On Tue, Sep 11, 2007 at 01:43:50PM -0400, Aaron Smith wrote:

 I apologize in advance if this is not the correct forum for this
 question.  I haven't had much luck in the apache forums.   I have an
 apache 2.0.55 installation that I'm attempting to recompile on an HP-UX
 11 system.  It has mod_ssl 2.0.66 and I have OpenSSL 0.9.8d installed in
 /opt/openssl098d. The system itself apparently has an older version of
 OpenSSL (0.9.7e) installed in /usr/local.  We have apache running on
 this system just fine, but I have to recompile in order to add LDAP
 support.  If I take a fresh tarball of apache-2.0.55 and do a configure,
 make, make install, everything completes without error.  Doing an LDD of
 the httpd binary shows it linked to the OpenSSL 0.9.8d libraries in
 /opt/openssl098d/lib.  The server starts up without issue, but when I
 connect (with apache in debug mode), I get this:

Perhaps you are using headers from one version of OpenSSL and linking
with libraries from another. Make sure compile-time and run-time
versions match.

-- 
Viktor.


RE: SSL Library Error

2007-09-11 Thread Aaron Smith


Looking at the output of LDD closer, it looks like the httpd binary is
linked to both libraries.  BUT, I don't think this is the cause of the
problem as the httpd binary that DOES work is ALSO linked this way



RE: SSL Library Error

2007-09-11 Thread Saju Paul
for 32-bit objects set SHLIB_PATH and unset LD_LIBRARY_PATH
for 64-bit objects set LD_LIBRARY_PATH and unset SHLIB_PATH

Might help.


Re: SSL Library Error

2007-09-11 Thread Marek Marcola
Hello,
 I apologize in advance if this is not the correct forum for this
 question.  I haven’t had much luck in the apache forums.   I have an
 apache 2.0.55 installation that I’m attempting to recompile on an
 HP-UX 11 system.  It has mod_ssl 2.0.66 and I have OpenSSL 0.9.8d
 installed in /opt/openssl098d. The system itself apparently has an
 older version of OpenSSL (0.9.7e) installed in /usr/local.  We have
 apache running on this system just fine, but I have to recompile in
 order to add LDAP support.  If I take a fresh tarball of apache-2.0.55
 and do a configure, make, make install, everything completes without
 error.  Doing an LDD of the httpd binary shows it linked to the
 OpenSSL 0.9.8d libraries in /opt/openssl098d/lib.  The server starts
 up without issue, but when I connect (with apache in debug mode), I
 get this:

 [Tue Sep 11 10:10:43 2007] [info] Connection to child 2 established (server ourserver.name.scrubbed:8040, client client IP scrubbed)
 [Tue Sep 11 10:10:43 2007] [info] Seeding PRNG with 136 bytes of entropy
 [Tue Sep 11 10:10:43 2007] [debug] ssl_engine_io.c(1512): OpenSSL: read 11/11 bytes from BIO#401a3500 [mem: 401aabb0] (BIO dump follows)
 [Tue Sep 11 10:10:43 2007] [debug] ssl_engine_io.c(1459): +-----+
 [Tue Sep 11 10:10:43 2007] [debug] ssl_engine_io.c(1484): | : 80 67 01 03 01 00 4e 00-00 00 10 .gN
This looks like an SSL2 client hello with a TLS1 proposition.

 [Tue Sep 11 10:10:43 2007] [info] SSL library error 1 in handshake (server ourserver.name.scrubbed:8040, client client IP scrubbed)

 [Tue Sep 11 10:10:43 2007] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
Maybe you have only SSL3 enabled on the server; in this case OpenSSL
refuses the SSL2 client hello (GnuTLS accepts it).
Check the connection over SSL with these commands:

$ openssl s_client -connect ip:port -ssl2
$ openssl s_client -connect ip:port -ssl3
$ openssl s_client -connect ip:port -tls1

Is any of these commands working?

Maybe you should modify the Apache SSLProtocol directive.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]

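To check Marek's reading of that dump, here is an added example (not code from the thread) that decodes the eleven logged bytes as an SSLv2-format record header followed by the CLIENT-HELLO fixed fields; the version-name table is the usual SSL/TLS mapping and is assumed here, not taken from the page.

```python
VERSION_NAMES = {(2, 0): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def parse_v2_client_hello(data):
    """Parse an SSLv2-format record header and the CLIENT-HELLO fixed fields.

    Layout (SSL 2.0 spec): 2-byte record header with the high bit set, then
    msg type (0x01 = CLIENT-HELLO), version, cipher-spec length, session-id
    length and challenge length, each 2 bytes. Raises ValueError otherwise.
    """
    if len(data) < 11:
        raise ValueError("need the 2-byte header plus 9 bytes of fixed fields")
    if not data[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    record_len = ((data[0] & 0x7F) << 8) | data[1]
    if data[2] != 0x01:
        raise ValueError(f"message type {data[2]:#x} is not CLIENT-HELLO")
    version = (data[3], data[4])
    cipher_spec_len = int.from_bytes(data[5:7], "big")
    session_id_len = int.from_bytes(data[7:9], "big")
    challenge_len = int.from_bytes(data[9:11], "big")
    # 9 bytes of fixed fields plus the three variable parts must fill the record.
    expected = 9 + cipher_spec_len + session_id_len + challenge_len
    return {
        "record_len": record_len,
        "proposed_version": VERSION_NAMES.get(version, f"unknown {version}"),
        "cipher_specs": cipher_spec_len // 3,  # SSLv2 cipher specs are 3 bytes each
        "session_id_len": session_id_len,
        "challenge_len": challenge_len,
        "lengths_consistent": expected == record_len,
    }

# The 11 bytes mod_ssl dumped in the thread, re-typed here from the log line.
DUMPED_HELLO = bytes.fromhex("80 67 01 03 01 00 4e 00 00 00 10")

if __name__ == "__main__":
    for k, v in parse_v2_client_hello(DUMPED_HELLO).items():
        print(f"{k}: {v}")
```

The record length 0x67 (103) equals 9 fixed bytes plus 78 bytes of cipher specs and a 16-byte challenge, so the dump is a well-formed v2 hello proposing TLS 1.0.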


Re: SSL Library Error

2007-09-11 Thread Victor Duchovni
On Tue, Sep 11, 2007 at 03:34:13PM -0400, Aaron Smith wrote:

 Looking at the output of LDD closer, it looks like the httpd binary is
 linked to both libraries.  BUT, I don't think this is the cause of the
 problem as the httpd binary that DOES work is ALSO linked this way

Being linked to both libraries is a problem, but even more so if the
first library that is loaded does not match the compile-time headers.

First escape DLL-hell, then debug other issues. If your LDAP library
depends on OpenSSL 0.9.7, you need to link Apache also with 0.9.7.

Mixing 0.9.7 and 0.9.8 in the same binary leads to unspecified behaviour.

-- 
Viktor.
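The check Viktor is describing, as an added example that is not from the thread: parse `ldd` output and flag a binary bound to more than one OpenSSL release. The sample `ldd` text is constructed, in Linux-style `ldd` layout, to mirror the 0.9.7e/0.9.8d situation discussed above.

```python
import re

# Matches "libssl.so.0.9.8 => /opt/openssl098d/lib/libssl.so.0.9.8 (0x...)";
# HP-UX ".sl" names are accepted too. The release is whatever follows .so/.sl.
_DEP_LINE = re.compile(r"^\s*(lib(?:ssl|crypto))\.(?:so|sl)\.?(\S*)\s*=>\s*(\S+)")

def openssl_deps(ldd_output):
    """Return [(libname, release, resolved_path)] for each libssl/libcrypto line."""
    deps = []
    for line in ldd_output.splitlines():
        m = _DEP_LINE.match(line)
        if m:
            deps.append((m.group(1), m.group(2) or "unversioned", m.group(3)))
    return deps

def openssl_releases(ldd_output):
    """Distinct OpenSSL releases the binary is bound to; a healthy binary has one."""
    return sorted({rel for _, rel, _ in openssl_deps(ldd_output)})

def check_openssl_linkage(ldd_output):
    """True when exactly one OpenSSL release is linked; otherwise print the
    offending dependencies (the DLL-hell Viktor warns about) and return False."""
    releases = openssl_releases(ldd_output)
    if len(releases) == 1:
        return True
    for name, rel, path in openssl_deps(ldd_output):
        print(f"  {name} {rel} from {path}")
    return False

# Constructed sample: httpd built against 0.9.8d in /opt/openssl098d but also
# pulling in the vendor 0.9.7e from /usr/local via libldap, as in the thread.
MIXED_LDD = """\
libssl.so.0.9.8 => /opt/openssl098d/lib/libssl.so.0.9.8 (0x40020000)
libcrypto.so.0.9.8 => /opt/openssl098d/lib/libcrypto.so.0.9.8 (0x40060000)
libldap.so.2 => /usr/local/lib/libldap.so.2 (0x40200000)
libssl.so.0.9.7 => /usr/local/lib/libssl.so.0.9.7 (0x40300000)
libcrypto.so.0.9.7 => /usr/local/lib/libcrypto.so.0.9.7 (0x40340000)
libc.so.1 => /usr/lib/libc.so.1 (0x40400000)
"""

if __name__ == "__main__":
    # Real use: feed it the output of `ldd /path/to/httpd`.
    print("single OpenSSL release linked:", check_openssl_linkage(MIXED_LDD))
```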


RE: SSL Library Error

2007-09-11 Thread Aaron Smith
I'll see if I can figure out what's causing apache to link to 0.9.7.  As
far as I know, I've got all my environment variables set to look at the
0.9.8 libraries.  It seems odd that the original compile would work
though.




Re: SSL Library Error

2007-09-11 Thread Victor Duchovni
On Tue, Sep 11, 2007 at 04:15:47PM -0400, Aaron Smith wrote:

 I'll see if I can figure out what's causing apache to link to 0.9.7.  As
 far as I know, I've got all my environment variables set to look at the
 0.9.8 libraries.  It seems odd that the original compile would work
 though.

On any complex system that mixes multiple TLS-talking components
(LDAP, Apache itself, nss modules that use LDAP, ...) it is important
to standardize on a single system-wide version of the OpenSSL library
(not just OpenSSL; similar concerns apply to Berkeley DB and other
core components).

When faced with such a system (one that is partly built from source,
and partly via vendor binary packages), you must resist the urge to use
the latest-greatest version of a library that is also included at a
different release level in the base system.

If the default OpenSSL for the vendor system is 0.9.7, stick with that,
but use the latest patch level. If you want 0.9.8, upgrade to a system
release that uses 0.9.8 throughout.

-- 
Viktor.


Re: SSL Library Error

2005-04-07 Thread Maddalena . Pulcini

Hi (sorry for my English),
I got a similar problem.
openssl-0.9.7d has problems with some kinds of ciphers; for example, my
client offers as first cipher AES256-SHA (Negotiated ciphers:
AES256-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1)
and when transmission starts I get:


2005.03.07 12:54:08 LOG6[3764:1572]: SSL connected: new session negotiated
2005.03.07 12:54:08 LOG6[3764:1572]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
2005.03.07 12:54:30 LOG7[3764:1572]: SSL alert (write): fatal: bad record mac
2005.03.07 12:54:30 LOG3[3764:1572]: SSL_read: 1408F455: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
2005.03.07 12:54:30 LOG5[3764:1572]: Connection reset: 17 bytes sent to SSL, 189 bytes sent to socket
2005.03.07 12:54:30 LOG7[3764:1572]: telnet finished (0 left)

Try to use, for example, RC4-MD5.
I also tried to ask someone whether they know the changes to make on *.c and *.h
from openssl-0.9.7d to the latest version openssl-0.9.7f, but nobody
answered.
So, if you know some good news, please write to me.

Regards

Maddalena Pulcini





Kai-Uwe Schmidt [EMAIL PROTECTED]@openssl.org on 06/04/2005 21.50.01

Please respond to openssl-users@openssl.org

Sent by: [EMAIL PROTECTED]

To: openssl-users@openssl.org
cc:

Subject: SSL Library Error

Hi List,

can anyone point me to a solution for this ?

[Sat Apr 09 16:14:30 2005] [info] SSL library error 1 in handshake (server muc03306:443, client 149.235.163.228)
[Sat Apr 09 16:14:30 2005] [info] SSL Library Error: 336131157 error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[Sat Apr 09 16:14:30 2005] [info] Connection to child 84 closed with abortive shutdown(server muc03306:443, client 149.235.163.228)

I am using apache2-2.0.49-27.8 with openssl-0.9.7d-15.10 on a Linux box.
This only happens under heavy load.

Has anyone a clue about this?

regards
Kai-Uwe



Re: SSL library error follows

1999-09-28 Thread Bodo Moeller

Vladimir Litovka [EMAIL PROTECTED]:

 [Sun Sep 26 09:42:38 1999] [error] OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

  What does it mean?

Possibly you installed the CA certificate instead of the certificate
created for your server (use "openssl x509 -in whatever -text" to see
the names in the certificate you tried to use); or you've lost the key
you created the certificate request with.