Re: [users@httpd] self-signed SSL cert problems with httpd-2.0.55 and openssl-0.9.7i

This turned out to be a problem with the OpenSSL 0.9.7i's Configure script. It specified Intel-based darwin as being big-endian, which of course it isn't. Once I fixed that script and re-built OpenSSL, recompiled apache (just to be sure) and re-generated the self-signed certificate, everything worked just fine.

For anyone else who runs into this problem, here's the fix to openssl-0.9.7i/Configure

The original line is:

"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",

If it is changed to this, things should work:

"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DL_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",

Mark

On Mar 16, 2006, at 2:46 PM, Mark Slater wrote:

I've been building my own binaries for apache and openssl for a few years now, and I can't recall ever having a problem like this before. Both packages built fine and both seem to be working correctly, except that apache is unable to use the self-signed SSL certificate I created. Apache is working just fine on http, and at the same time failing on https.

The procedure I'm using is the same as I've used on machines I've set up previously. The biggest difference is that the new machine is running MacOS X on an Intel chip. Everything has been compiled natively for it (I didn't copy any binaries from other machines), so I would have assumed the procedures for generating a self-signed certificate would be the same.

In the past, I've found these instructions worked just fine, even with Apache 2.x
    http://developer.apple.com/internet/serverside/modssl.html

These instructions are basically the same as the ones found on the mod_ssl website:
    http://www.modssl.org/docs/2.8/ssl_faq.html#cert-real
    http://www.modssl.org/docs/2.8/ssl_faq.html#cert-ownca

  openssl genrsa -des3 -out server.key 1024
  openssl req -new -key server.key -out server.csr
  dir
  openssl genrsa -des3 -out ca.key 1024
  openssl req -new -x509 -days 365 -key ca.key -out ca.crt
  more sign.sh
  ./sign.sh server.csr
  sudo cp server.key /usr/local/apache2/conf/ssl.key/
  sudo cp server.crt /usr/local/apache2/conf/ssl.crt/
  sudo /usr/local/apache2/bin/apachectl stop
  sudo /usr/local/apache2/bin/apachectl startssl


However, when I followed them this time and restarted apache, my browser was unable to create a secure connection. There are no error messages in the log files related to SSL. I used curl to see if I could get more information:

=========================================================================
$ curl -g -3 -k https://whisper.cse.ucsc.edu
curl: (35) error:04077068:rsa routines:RSA_verify:bad signature
=========================================================================

Then I ran openssl's s_client command and got this:

=========================================================================
$ openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
   i:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=Mark Slater/emailAddress=mslater@xxxxxxxxxxxx
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
issuer=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=Mark Slater/emailAddress=mslater@xxxxxxxxxxxx
---
No client certificate CA names sent
---
SSL handshake has read 1300 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
Session-ID: 6EA0454B3C48C92BE620031BD0302FBDAC8D07A33D7710868A45D4251060D4BD
    Session-ID-ctx:
    Master-Key: 3E0CF350B3BB3248C20013C8676E5E7D38E85F70CA7BF67D2DEC3A8F950192BB1F91EAB2FEE029A0FEED1218FFD7D655
    Key-Arg   : None
    Start Time: 1142545988
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
^C
=========================================================================

I then tried this set of directions: http://www.securityfocus.com/infocus/1818

I ran the command: openssl req -new -x509 -days 365 -keyout server.key -out server.crt. Then I installed the generated files in apache and restarted (apachectl startssl). I got the same error with my browser and with curl, but openssl s_client gave this:

=========================================================================
$ openssl s_client -connect whisper.cse.ucsc.edu:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
   i:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
issuer=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
---
No client certificate CA names sent
---
SSL handshake has read 1617 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
Session-ID: 002C52406C37D29DEA0DFB9BDEDE44DB3289F0E5719767A449CDD6C2FBDD1989
    Session-ID-ctx:
    Master-Key: 235C61CC423B0D9E386E4767EF8F0F0B9A98DE490DEF4CC20F7B9A7E820A314CC8504957441F473D582F9A7283654B46
    Key-Arg   : None
    Start Time: 1142546565
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
closed
=========================================================================

Could this be an endian issue with the intel processor? I would think that, since I built the binaries on the intel machine (and saw the processor correctly registered in the ./configure process), that endianness wouldn't be an issue. Is there something else that I should be doing instead?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
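Editor's added example, not code from the thread, from the Apache project or from the mod_ssl FAQ: the same own-CA procedure the original post followed (CA key and cert, server key and CSR, sign the CSR), followed by two checks that use only the local OpenSSL toolchain and would have localised this failure before httpd was involved. If `openssl verify` already reports a signature failure on a certificate the same build just signed, the fault is in that OpenSSL build, not in httpd or its configuration. The scratch directory, the CA names `ca` and `other-ca`, the subjects and the host name in the CN are assumptions made up for the example; keys are written unencrypted so the script runs non-interactively (the thread used `-des3`, which prompts for a pass phrase and would also require one, or `SSLPassPhraseDialog`, at every httpd start).

```shell
#!/bin/sh
# Added example (not from the thread): build a small CA, issue a server
# certificate, and verify the result offline before installing it in httpd.
# All names below are assumptions for the example.

# Create a self-signed CA certificate and key called NAME in DIR.
make_ca() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$1/$2.key" \
        -subj "/O=Example/CN=$2" -out "$1/$2.crt" 2>/dev/null
}

# Generate server.key/server.csr for HOST in DIR and sign the CSR with the
# CA called CANAME. This stands in for the thread's sign.sh script.
issue_leaf() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/O=Example/CN=$3" \
        -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/server.crt" 2>/dev/null
}

# Check 1: does server.crt verify (chain and signature) against the CA?
# A signature failure here is the same failure curl reported, with httpd
# taken out of the picture.
cert_chains_to() {
    openssl verify -CAfile "$1/$2.crt" "$1/server.crt" >/dev/null 2>&1
}

# Check 2: does server.key actually belong to server.crt? Compare the
# public key extracted from each; a mismatch means the wrong key was copied.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1/server.crt" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$1/server.key" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run the whole procedure in a scratch directory. Returns 0 when every check
# behaves as expected, 2 when no openssl binary is on PATH, 1 otherwise.
run_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
    dir=$(mktemp -d) || return 1
    make_ca "$dir" ca && make_ca "$dir" other-ca &&
    issue_leaf "$dir" ca whisper.example.test || { rm -rf "$dir"; return 1; }
    status=0
    cert_chains_to "$dir" ca       || status=1   # right CA: must verify
    cert_chains_to "$dir" other-ca && status=1   # unrelated CA: must fail
    key_matches_cert "$dir"        || status=1   # key and cert must match
    rm -rf "$dir"
    return $status
}

run_demo
echo "run_demo exit status: $?"
```

On a healthy toolchain the script prints exit status 0. Note that the `verify error` lines the original post got from `openssl s_client` (18, 20, 21) only say that the client has no trust anchor for the server's certificate; they are the expected result of connecting to a self-signed or private-CA certificate without `-CAfile ca.crt`, and say nothing about the RSA signature being valid. The curl message `RSA_verify:bad signature` is the one that actually described the fault.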



