Re: [users@httpd] self-signed SSL cert problems with httpd-2.0.55 and openssl-0.9.7i

[Mark Slater <lists@xxxxxxxxxxxxxxxxxx>]

This turned out to be a problem with the OpenSSL 0.9.7i's Configure  
script. It specified Intel-based darwin as being big-endian, which of  
course it isn't. Once I fixed that script and re-built OpenSSL,  
recompiled apache (just to be sure) and re-generated the self-signed  
certificate, everything worked just fine.

For anyone else who runs into this problem, here's the fix to  
openssl-0.9.7i/Configure

The original line is:

"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common - 
DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK  
DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$ 
(SHLIB_MINOR).dylib",

If it is changed to this, things should work:

"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common - 
DL_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK  
DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$ 
(SHLIB_MINOR).dylib",

Mark

On Mar 16, 2006, at 2:46 PM, Mark Slater wrote:

> I've been building my own binaries for apache and openssl for a few  
> years now, and I can't recall ever having a problem like this  
> before. Both packages built find and both seem to be working  
> correctly, except that apache is unable to use the self-signed SSL  
> certificate I created. Apache is working just fine on http, and at  
> the same time failing on https.
>
> The procedure I'm using is the same as I've used on machines I've  
> set up previously. The biggest difference is that the new machine  
> is running MacOS X on an Intel chip. Everything has been compiled  
> natively for it (I didn't copy any binaries from other machines),  
> so I would have assumed the procedures for generating a self-signed  
> certificate would be the same.
>
> In the past, I've found these instructions worked just fine, even  
> with Apache 2.x
>     http://developer.apple.com/internet/serverside/modssl.html
>
> These instructions are basically the same as the ones found on the  
> mod_ssl website:
>     http://www.modssl.org/docs/2.8/ssl_faq.html#cert-real
>     http://www.modssl.org/docs/2.8/ssl_faq.html#cert-ownca
>
>   539  openssl genrsa -des3 -out server.key 1024
>   540  openssl req -new -key server.key -out server.csr
>   541  dir
>   542  openssl genrsa -des3 -out ca.key 1024
>   543  openssl req -new -x509 -days 365 -key ca.key -out ca.crt
>   544  mroe sign.sh
>   545  more sign.sh
>   546  ./sign.sh server.csr
>   547  sudo cp server.key /usr/local/apache2/conf/ssl.key/
>   548  sudo cp server.crt /usr/local/apache2/conf/ssl.crt/
>   549  sudo /usr/local/apache2/bin/apachectl stop
>   550  sudo /usr/local/apache2/bin/apachectl startssl
>
>
> However, when I followed them this time and restarted apache, my  
> browser was unable to create a secure connection. There are no  
> error messages in the log files related to SSL. I used curl to see  
> if I could get more information:
>
> ====================================================================== 
> ===
> $ curl -g -3 -k https://whisper.cse.ucsc.edu
> curl: (35) error:04077068:rsa routines:RSA_verify:bad signature
> ====================================================================== 
> ===
>
> Then I ran openssl's s_client command and got this:
>
> ====================================================================== 
> ===
> $ openssl s_client -connect localhost:443
> CONNECTED(00000003)
> depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE  
> Software Engineering Lab/CN=whisper.cse.ucsc.edu/ 
> emailAddress=mslater@xxxxxxxxxxxx
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE  
> Software Engineering Lab/CN=whisper.cse.ucsc.edu/ 
> emailAddress=mslater@xxxxxxxxxxxx
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE  
> Software Engineering Lab/CN=whisper.cse.ucsc.edu/ 
> emailAddress=mslater@xxxxxxxxxxxx
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE  
> Software Engineering Lab/CN=whisper.cse.ucsc.edu/ 
> emailAddress=mslater@xxxxxxxxxxxx
>    i:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE  
> Software Engineering Lab/CN=Mark Slater/ 
> emailAddress=mslater@xxxxxxxxxxxx
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIC3DCCAkUCAQEwDQYJKoZIhvcNAQEEBQAwgbExCzAJBgNVBAYTAlVTMRMwEQYD
> VQQIEwpDYWxpZm9ybmlhMRMwEQYDVQQHEwpTYW50YSBDcnV6MRYwFAYDVQQKEw1V
> QyBTYW50YSBDcnV6MSUwIwYDVQQLExxTT0UgU29mdHdhcmUgRW5naW5lZXJpbmcg
> TGFiMRQwEgYDVQQDEwtNYXJrIFNsYXRlcjEjMCEGCSqGSIb3DQEJARYUbXNsYXRl
> ckBzb2UudWNzYy5lZHUwHhcNMDYwMzE2MjAzODMwWhcNMDcwMzE2MjAzODMwWjCB
> ujELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNVBAcTClNh
> bnRhIENydXoxFjAUBgNVBAoTDVVDIFNhbnRhIENydXoxJTAjBgNVBAsTHFNPRSBT
> b2Z0d2FyZSBFbmdpbmVlcmluZyBMYWIxHTAbBgNVBAMTFHdoaXNwZXIuY3NlLnVj
> c2MuZWR1MSMwIQYJKoZIhvcNAQkBFhRtc2xhdGVyQHNvZS51Y3NjLmVkdTCBnzAN
> BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6F0mA2DqryuSduNy3ossnxn3FhR9OnS6
> 8rrOj/zws85hnUSjeaoVVrYZ9ns50apoovlpPoHJNXTY2AYJBRJEPb7y9g3sn3kw
> iE8vljGWHzA2vv/NQNPxAFVRCpvZiys2ixC7rbzosRYnmEbvqzzi9aisJ3vDDOd3
> gGZsxm0MWpcCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBKNhqbGIV4lQp5az3ebG2z
> GyKVzRrd7Oy8D8SUjN3qP+MNLL2i4c2vt7WOZ2nvwgpCEDlPWX4V4uGjDkZhWu1S
> 0Nd8LHYig+e8eULEJbV+WjMrmz3t0gflBcJkR7b2ri2qbYwZoTsA7b+LaeWvmSYj
> NbereZPBdGF44YigxjYT5w==
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE  
> Software Engineering Lab/CN=whisper.cse.ucsc.edu/ 
> emailAddress=mslater@xxxxxxxxxxxx
> issuer=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE  
> Software Engineering Lab/CN=Mark Slater/ 
> emailAddress=mslater@xxxxxxxxxxxx
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1300 bytes and written 346 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID:  
> 6EA0454B3C48C92BE620031BD0302FBDAC8D07A33D7710868A45D4251060D4BD
>     Session-ID-ctx:
>     Master-Key:  
> 3E0CF350B3BB3248C20013C8676E5E7D38E85F70CA7BF67D2DEC3A8F950192BB1F91EA 
> B2FEE029A0FEED1218FFD7D655
>     Key-Arg   : None
>     Start Time: 1142545988
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> ^C
> ====================================================================== 
> ===
>
> I then tried this set of directions: http://www.securityfocus.com/ 
> infocus/1818
>
> I ran the command: openssl req -new -x509 -days 365 -keyout  
> server.key -out server.crt
> Then I installed the generated files in apache and restarted  
> (apachectl startssl).
> I got the same error with my browser and with curl, but openssl  
> s_client gave this:
>
> ====================================================================== 
> ===
> $ openssl s_client -connect whisper.cse.ucsc.edu:443
> CONNECTED(00000003)
> depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE  
> Software Engineering Lab/CN=whisper.cse.ucsc.edu/ 
> emailAddress=mslater@xxxxxxxxxxxx
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE  
> Software Engineering Lab/CN=whisper.cse.ucsc.edu/ 
> emailAddress=mslater@xxxxxxxxxxxx
> verify return:1
> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE  
> Software Engineering Lab/CN=whisper.cse.ucsc.edu/ 
> emailAddress=mslater@xxxxxxxxxxxx
>    i:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE  
> Software Engineering Lab/CN=whisper.cse.ucsc.edu/ 
> emailAddress=mslater@xxxxxxxxxxxx
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIEGTCCA4KgAwIBAgIJAIFnlzdIQqO8MA0GCSqGSIb3DQEBBAUAMIG6MQswCQYD
> VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTETMBEGA1UEBxMKU2FudGEgQ3J1
> ejEWMBQGA1UEChMNVUMgU2FudGEgQ3J1ejElMCMGA1UECxMcU09FIFNvZnR3YXJl
> IEVuZ2luZWVyaW5nIExhYjEdMBsGA1UEAxMUd2hpc3Blci5jc2UudWNzYy5lZHUx
> IzAhBgkqhkiG9w0BCQEWFG1zbGF0ZXJAc29lLnVjc2MuZWR1MB4XDTA2MDMxNjIx
> NTYwMloXDTA3MDMxNjIxNTYwMlowgboxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpD
> YWxpZm9ybmlhMRMwEQYDVQQHEwpTYW50YSBDcnV6MRYwFAYDVQQKEw1VQyBTYW50
> YSBDcnV6MSUwIwYDVQQLExxTT0UgU29mdHdhcmUgRW5naW5lZXJpbmcgTGFiMR0w
> GwYDVQQDExR3aGlzcGVyLmNzZS51Y3NjLmVkdTEjMCEGCSqGSIb3DQEJARYUbXNs
> YXRlckBzb2UudWNzYy5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK4n
> 3ODtRv7l77GFQkEdRxINB7/CGOJjbTgTB6Q75Chm4NMi7k50uBIVVfY4V7zxuv5m
> K4x4y37B6GmG5yXhBAI1LhtZxy9IKkg4brXXzOOJQhBuQSTMempnacMlbxGBRON5
> Xqt0iuk06Ly/R1lCdDJCSJwVMJmCZYJRhPls2GttAgMBAAGjggEjMIIBHzAdBgNV
> HQ4EFgQUBUP6LK0EJZrh80OYfsZonqwoTfYwge8GA1UdIwSB5zCB5IAUBUP6LK0E
> JZrh80OYfsZonqwoTfahgcCkgb0wgboxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpD
> YWxpZm9ybmlhMRMwEQYDVQQHEwpTYW50YSBDcnV6MRYwFAYDVQQKEw1VQyBTYW50
> YSBDcnV6MSUwIwYDVQQLExxTT0UgU29mdHdhcmUgRW5naW5lZXJpbmcgTGFiMR0w
> GwYDVQQDExR3aGlzcGVyLmNzZS51Y3NjLmVkdTEjMCEGCSqGSIb3DQEJARYUbXNs
> YXRlckBzb2UudWNzYy5lZHWCCQCBZ5c3SEKjvDAMBgNVHRMEBTADAQH/MA0GCSqG
> SIb3DQEBBAUAA4GBAJo/Y40mwSmttCGon0TuYBtB/paGhbummFiwDhsYZbTn5VUW
> kOAiv4Y4FOOe6sEyzt9GGBeRjSoBJ3Ja6UqTo2trcJN8ulfAZaMAx7uVNwbdZvei
> xe19jcPtxvfRuk6izJt+XgfmIuy3tFbADRCESzezC3eCZV16ucedP/gBJie3
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE  
> Software Engineering Lab/CN=whisper.cse.ucsc.edu/ 
> emailAddress=mslater@xxxxxxxxxxxx
> issuer=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE  
> Software Engineering Lab/CN=whisper.cse.ucsc.edu/ 
> emailAddress=mslater@xxxxxxxxxxxx
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1617 bytes and written 346 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID:  
> 002C52406C37D29DEA0DFB9BDEDE44DB3289F0E5719767A449CDD6C2FBDD1989
>     Session-ID-ctx:
>     Master-Key:  
> 235C61CC423B0D9E386E4767EF8F0F0B9A98DE490DEF4CC20F7B9A7E820A314CC85049 
> 57441F473D582F9A7283654B46
>     Key-Arg   : None
>     Start Time: 1142546565
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
> closed
> ====================================================================== 
> ===
>
> Could this be an endian issue with the intel processor? I would  
> think that, since I built the binaries on the intel machine (and  
> saw the processor correctly registered in the ./configure process),  
> that endianness wouldn't be an issue. Is there something else that  
> I should be doing instead?
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server  
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx