This turned out to be a problem with the OpenSSL 0.9.7i's Configure
script. It specified Intel-based darwin as being big-endian, which of
course it isn't. Once I fixed that script and re-built OpenSSL,
recompiled apache (just to be sure) and re-generated the self-signed
certificate, everything worked just fine.
For anyone else who runs into this problem, here's the fix to
openssl-0.9.7i/Configure
The original line is:
"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -
DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK
DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$
(SHLIB_MINOR).dylib",
If it is changed to this, things should work:
"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -
DL_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK
DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$
(SHLIB_MINOR).dylib",
Mark
On Mar 16, 2006, at 2:46 PM, Mark Slater wrote:
I've been building my own binaries for apache and openssl for a few
years now, and I can't recall ever having a problem like this
before. Both packages built find and both seem to be working
correctly, except that apache is unable to use the self-signed SSL
certificate I created. Apache is working just fine on http, and at
the same time failing on https.
The procedure I'm using is the same as I've used on machines I've
set up previously. The biggest difference is that the new machine
is running MacOS X on an Intel chip. Everything has been compiled
natively for it (I didn't copy any binaries from other machines),
so I would have assumed the procedures for generating a self-signed
certificate would be the same.
In the past, I've found these instructions worked just fine, even
with Apache 2.x
http://developer.apple.com/internet/serverside/modssl.html
These instructions are basically the same as the ones found on the
mod_ssl website:
http://www.modssl.org/docs/2.8/ssl_faq.html#cert-real
http://www.modssl.org/docs/2.8/ssl_faq.html#cert-ownca
539 openssl genrsa -des3 -out server.key 1024
540 openssl req -new -key server.key -out server.csr
541 dir
542 openssl genrsa -des3 -out ca.key 1024
543 openssl req -new -x509 -days 365 -key ca.key -out ca.crt
544 mroe sign.sh
545 more sign.sh
546 ./sign.sh server.csr
547 sudo cp server.key /usr/local/apache2/conf/ssl.key/
548 sudo cp server.crt /usr/local/apache2/conf/ssl.crt/
549 sudo /usr/local/apache2/bin/apachectl stop
550 sudo /usr/local/apache2/bin/apachectl startssl
However, when I followed them this time and restarted apache, my
browser was unable to create a secure connection. There are no
error messages in the log files related to SSL. I used curl to see
if I could get more information:
======================================================================
===
$ curl -g -3 -k https://whisper.cse.ucsc.edu
curl: (35) error:04077068:rsa routines:RSA_verify:bad signature
======================================================================
===
Then I ran openssl's s_client command and got this:
======================================================================
===
$ openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE
Software Engineering Lab/CN=whisper.cse.ucsc.edu/
[EMAIL PROTECTED]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE
Software Engineering Lab/CN=whisper.cse.ucsc.edu/
[EMAIL PROTECTED]
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE
Software Engineering Lab/CN=whisper.cse.ucsc.edu/
[EMAIL PROTECTED]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE
Software Engineering Lab/CN=whisper.cse.ucsc.edu/
[EMAIL PROTECTED]
i:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE
Software Engineering Lab/CN=Mark Slater/
[EMAIL PROTECTED]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC3DCCAkUCAQEwDQYJKoZIhvcNAQEEBQAwgbExCzAJBgNVBAYTAlVTMRMwEQYD
VQQIEwpDYWxpZm9ybmlhMRMwEQYDVQQHEwpTYW50YSBDcnV6MRYwFAYDVQQKEw1V
QyBTYW50YSBDcnV6MSUwIwYDVQQLExxTT0UgU29mdHdhcmUgRW5naW5lZXJpbmcg
TGFiMRQwEgYDVQQDEwtNYXJrIFNsYXRlcjEjMCEGCSqGSIb3DQEJARYUbXNsYXRl
ckBzb2UudWNzYy5lZHUwHhcNMDYwMzE2MjAzODMwWhcNMDcwMzE2MjAzODMwWjCB
ujELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNVBAcTClNh
bnRhIENydXoxFjAUBgNVBAoTDVVDIFNhbnRhIENydXoxJTAjBgNVBAsTHFNPRSBT
b2Z0d2FyZSBFbmdpbmVlcmluZyBMYWIxHTAbBgNVBAMTFHdoaXNwZXIuY3NlLnVj
c2MuZWR1MSMwIQYJKoZIhvcNAQkBFhRtc2xhdGVyQHNvZS51Y3NjLmVkdTCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6F0mA2DqryuSduNy3ossnxn3FhR9OnS6
8rrOj/zws85hnUSjeaoVVrYZ9ns50apoovlpPoHJNXTY2AYJBRJEPb7y9g3sn3kw
iE8vljGWHzA2vv/NQNPxAFVRCpvZiys2ixC7rbzosRYnmEbvqzzi9aisJ3vDDOd3
gGZsxm0MWpcCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBKNhqbGIV4lQp5az3ebG2z
GyKVzRrd7Oy8D8SUjN3qP+MNLL2i4c2vt7WOZ2nvwgpCEDlPWX4V4uGjDkZhWu1S
0Nd8LHYig+e8eULEJbV+WjMrmz3t0gflBcJkR7b2ri2qbYwZoTsA7b+LaeWvmSYj
NbereZPBdGF44YigxjYT5w==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE
Software Engineering Lab/CN=whisper.cse.ucsc.edu/
[EMAIL PROTECTED]
issuer=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE
Software Engineering Lab/CN=Mark Slater/
[EMAIL PROTECTED]
---
No client certificate CA names sent
---
SSL handshake has read 1300 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
6EA0454B3C48C92BE620031BD0302FBDAC8D07A33D7710868A45D4251060D4BD
Session-ID-ctx:
Master-Key:
3E0CF350B3BB3248C20013C8676E5E7D38E85F70CA7BF67D2DEC3A8F950192BB1F91EA
B2FEE029A0FEED1218FFD7D655
Key-Arg : None
Start Time: 1142545988
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
^C
======================================================================
===
I then tried this set of directions: http://www.securityfocus.com/
infocus/1818
I ran the command: openssl req -new -x509 -days 365 -keyout
server.key -out server.crt
Then I installed the generated files in apache and restarted
(apachectl startssl).
I got the same error with my browser and with curl, but openssl
s_client gave this:
======================================================================
===
$ openssl s_client -connect whisper.cse.ucsc.edu:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE
Software Engineering Lab/CN=whisper.cse.ucsc.edu/
[EMAIL PROTECTED]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE
Software Engineering Lab/CN=whisper.cse.ucsc.edu/
[EMAIL PROTECTED]
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE
Software Engineering Lab/CN=whisper.cse.ucsc.edu/
[EMAIL PROTECTED]
i:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE
Software Engineering Lab/CN=whisper.cse.ucsc.edu/
[EMAIL PROTECTED]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEGTCCA4KgAwIBAgIJAIFnlzdIQqO8MA0GCSqGSIb3DQEBBAUAMIG6MQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTETMBEGA1UEBxMKU2FudGEgQ3J1
ejEWMBQGA1UEChMNVUMgU2FudGEgQ3J1ejElMCMGA1UECxMcU09FIFNvZnR3YXJl
IEVuZ2luZWVyaW5nIExhYjEdMBsGA1UEAxMUd2hpc3Blci5jc2UudWNzYy5lZHUx
IzAhBgkqhkiG9w0BCQEWFG1zbGF0ZXJAc29lLnVjc2MuZWR1MB4XDTA2MDMxNjIx
NTYwMloXDTA3MDMxNjIxNTYwMlowgboxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpD
YWxpZm9ybmlhMRMwEQYDVQQHEwpTYW50YSBDcnV6MRYwFAYDVQQKEw1VQyBTYW50
YSBDcnV6MSUwIwYDVQQLExxTT0UgU29mdHdhcmUgRW5naW5lZXJpbmcgTGFiMR0w
GwYDVQQDExR3aGlzcGVyLmNzZS51Y3NjLmVkdTEjMCEGCSqGSIb3DQEJARYUbXNs
YXRlckBzb2UudWNzYy5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK4n
3ODtRv7l77GFQkEdRxINB7/CGOJjbTgTB6Q75Chm4NMi7k50uBIVVfY4V7zxuv5m
K4x4y37B6GmG5yXhBAI1LhtZxy9IKkg4brXXzOOJQhBuQSTMempnacMlbxGBRON5
Xqt0iuk06Ly/R1lCdDJCSJwVMJmCZYJRhPls2GttAgMBAAGjggEjMIIBHzAdBgNV
HQ4EFgQUBUP6LK0EJZrh80OYfsZonqwoTfYwge8GA1UdIwSB5zCB5IAUBUP6LK0E
JZrh80OYfsZonqwoTfahgcCkgb0wgboxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpD
YWxpZm9ybmlhMRMwEQYDVQQHEwpTYW50YSBDcnV6MRYwFAYDVQQKEw1VQyBTYW50
YSBDcnV6MSUwIwYDVQQLExxTT0UgU29mdHdhcmUgRW5naW5lZXJpbmcgTGFiMR0w
GwYDVQQDExR3aGlzcGVyLmNzZS51Y3NjLmVkdTEjMCEGCSqGSIb3DQEJARYUbXNs
YXRlckBzb2UudWNzYy5lZHWCCQCBZ5c3SEKjvDAMBgNVHRMEBTADAQH/MA0GCSqG
SIb3DQEBBAUAA4GBAJo/Y40mwSmttCGon0TuYBtB/paGhbummFiwDhsYZbTn5VUW
kOAiv4Y4FOOe6sEyzt9GGBeRjSoBJ3Ja6UqTo2trcJN8ulfAZaMAx7uVNwbdZvei
xe19jcPtxvfRuk6izJt+XgfmIuy3tFbADRCESzezC3eCZV16ucedP/gBJie3
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE
Software Engineering Lab/CN=whisper.cse.ucsc.edu/
[EMAIL PROTECTED]
issuer=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE
Software Engineering Lab/CN=whisper.cse.ucsc.edu/
[EMAIL PROTECTED]
---
No client certificate CA names sent
---
SSL handshake has read 1617 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
002C52406C37D29DEA0DFB9BDEDE44DB3289F0E5719767A449CDD6C2FBDD1989
Session-ID-ctx:
Master-Key:
235C61CC423B0D9E386E4767EF8F0F0B9A98DE490DEF4CC20F7B9A7E820A314CC85049
57441F473D582F9A7283654B46
Key-Arg : None
Start Time: 1142546565
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
closed
======================================================================
===
Could this be an endian issue with the intel processor? I would
think that, since I built the binaries on the intel machine (and
saw the processor correctly registered in the ./configure process),
that endianness wouldn't be an issue. Is there something else that
I should be doing instead?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
