Turns out the problem lies with SunStudio 11 on Solaris 9 -- there is a compiler optimization bug that doesn't compile OpenSSL properly (specifically, the AES algorithms fail the make test).
I went in and did the normal ./config to OpenSSL, but then edited the Makefile. I changed CFLAG from
CFLAG= -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H - xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN - DBN_DIV2W
toCFLAG= -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H - xstrconst -xdepend=no -Xa -DB_ENDIAN -DBN_DIV2W
Basically, just took out the optimization stuff and compiled for a generic environment. You have to make sure to specify -xdepend=no though, otherwise the compiler will automatically change optimization to level 3 in order to support dependence based transformations.
Hope this helps someone. Thank you to everyone that offered suggestions and support.
Regards, John Consolati Lawrence Livermore National Laboratory On Nov 30, 2009, at 11:59 AM, John J. Consolati wrote:
Hi All,I'll try to squeeze everyone's suggestions into this mail. Sorry for the delay -- was busy eating turkey for a couple of days :)Dan:When I built OpenSSL, I only specified --openssldir in the ./ config. The libraries are in .../installed/lib.Daniel: bash-2.05# pldd 1410014100: /erd/www/erd/server/apache/httpd-2.2.14/installed/bin/httpd - f /erd/ww/usr/lib/libm.so.1/erd/www/erd/server/apache/httpd-2.2.14/installed/lib/ libaprutil-1.so.0/erd/www/erd/server/apache/httpd-2.2.14/installed/lib/libexpat.so.0 /erd/www/erd/server/apache/httpd-2.2.14/installed/lib/libapr-1.so.0 /usr/lib/libuuid.so.1 /usr/lib/libsendfile.so.1 /usr/lib/librt.so.1 /usr/lib/libsocket.so.1 /usr/lib/libnsl.so.1 /usr/lib/libpthread.so.1 /usr/lib/libdl.so.1 /usr/lib/libthread.so.1 /usr/lib/libc.so.1 /usr/ucblib/libucb.so.1 /usr/lib/libresolv.so.2 /usr/lib/libelf.so.1 /usr/lib/libaio.so.1 /usr/lib/libmd5.so.1 /usr/lib/libmp.so.2 /usr/platform/sun4u-us3/lib/libc_psr.so.1 /usr/lib/nss_files.so.1 /usr/lib/nss_nisplus.so.1 /usr/lib/libdoor.so.1 Crypto: Yes, I will be using client authentication. Sander: OpenSSL was built with Sun CC. I'm currently trying the build with the new PATH. Here the output of the openssl s_client: CONNECTED(00000004) write to 0x20fdd0 [0x2103e0] (124 bytes => 124 (0x7C))0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00 .z....Q... ..9.. 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............ 0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03 .. 3..2../....... 0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00 ................ 0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08 ......@......... 0050 - 00 00 06 04 00 80 00 00-03 02 00 80 81 2b f6 0f .............+.. 0060 - 23 aa 7d 2e 5c ae 1b 8c-3e 95 78 65 ef 22 b7 54 #.}. \...>.xe.".T0070 - a2 8e d9 dd 39 26 b6 e7-03 6c f4 42 ....9&...l.B read from 0x20fdd0 [0x215940] (7 bytes => 7 (0x7)) 0000 - 16 03 01 00 2a 02 ....*. 0007 - <SPACES/NULS> read from 0x20fdd0 [0x215947] (40 bytes => 40 (0x28))0000 - 00 26 03 01 4b 13 ec f7-25 b2 46 61 86 86 ba 6f .&..K... %.Fa...o 0010 - 72 8e d3 f7 a4 e9 21 79-c5 2f 4c 86 4c 54 14 42 r.....!y./ L.LT.B0020 - 31 41 a1 b9 00 00 39 1A....9 0028 - <SPACES/NULS> read from 0x20fdd0 [0x215940] (5 bytes => 5 (0x5)) 0000 - 16 03 01 09 f3 ..... read from 0x20fdd0 [0x215945] (2547 bytes => 2547 (0x9F3))0000 - 0b 00 09 ef 00 09 ec 00-05 46 30 82 05 42 30 82 .........F0..B0. 0010 - 04 2a a0 03 02 01 02 02-10 39 37 ec 17 22 f4 a8 .*....... 97..".. 0020 - f9 08 49 8f bf 92 b1 b6-e0 30 0d 06 09 2a 86 48 ..I...... 0...*.H 0030 - 86 f7 0d 01 01 05 05 00-30 81 b0 31 0b 30 09 06 ........ 0..1.0.. 0040 - 03 55 04 06 13 02 55 53-31 17 30 15 06 03 55 04 .U....US1.0...U. 0050 - 0a 13 0e 56 65 72 69 53-69 67 6e 2c 20 49 6e 63 ...VeriSign, Inc 0060 - 2e 31 1f 30 1d 06 03 55-04 0b 13 16 56 65 72 69 . 1.0...U....Veri 0070 - 53 69 67 6e 20 54 72 75-73 74 20 4e 65 74 77 6f Sign Trust Netwo 0080 - 72 6b 31 3b 30 39 06 03-55 04 0b 13 32 54 65 72 rk1;09..U... 2Ter 0090 - 6d 73 20 6f 66 20 75 73-65 20 61 74 20 68 74 74 ms of use at htt 00a0 - 70 73 3a 2f 2f 77 77 77-2e 76 65 72 69 73 69 67 ps:// www.*verisig 00b0 - 6e 2e 63 6f 6d 2f 72 70-61 20 28 63 29 30 35 31 n.com/rpa (c)051 00c0 - 2a 30 28 06 03 55 04 03-13 21 56 65 72 69 53 69 *0(..U...! VeriSi 00d0 - 67 6e 20 43 6c 61 73 73-20 33 20 53 65 63 75 72 gn Class 3 Secur 00e0 - 65 20 53 65 72 76 65 72-20 43 41 30 1e 17 0d 30 e Server CA0...0 00f0 - 39 30 35 30 34 30 30 30-30 30 30 5a 17 0d 31 30 90504000000Z..10 0100 - 30 35 30 34 32 33 35 39-35 39 5a 30 81 b5 31 0b 0504235959Z0..1. 0110 - 30 09 06 03 55 04 06 13-02 55 53 31 13 30 11 06 0...U....US1.0.. 0120 - 03 55 04 08 13 0a 43 61-6c 69 66 6f 72 6e 69 61 .U....California 0130 - 31 12 30 10 06 03 55 04-07 14 09 4c 69 76 65 72 1.0...U....Liver 0140 - 6d 6f 72 65 31 2f 30 2d-06 03 55 04 0a 14 26 4c more1/0-..U...&L 0150 - 61 77 72 65 6e 63 65 20-4c 69 76 65 72 6d 6f 72 awrence Livermor 0160 - 65 20 4e 61 74 69 6f 6e-61 6c 20 4c 61 62 6f 72 e National Labor 0170 - 61 74 6f 72 79 31 30 30-2e 06 03 55 04 0b 14 27 atory100...U...' 0180 - 45 6e 76 69 72 6f 6e 6d-65 6e 74 61 6c 20 52 65 Environmental Re 0190 - 73 74 6f 72 61 74 69 6f-6e 20 44 69 76 69 73 69 storation Divisi 01a0 - 6f 6e 20 65 72 64 63 31-1a 30 18 06 03 55 04 03 on erdc1.0...U.. 01b0 - 14 11 77 77 77 2d 65 72-64 63 2e 6c 6c 6e 6c 2e ..www- erdc.llnl. 01c0 - 67 6f 76 30 81 9f 30 0d-06 09 2a 86 48 86 f7 0d gov0..0...*.H... 01d0 - 01 01 01 05 00 03 81 8d-00 30 81 89 02 81 81 00 ......... 0...... 01e0 - b5 d0 17 60 87 b1 67 2c-66 88 db 6e 5a fb 03 50 ...`..g,f..nZ..P 01f0 - 1c 64 88 2e 35 84 af 92-24 d8 d0 7d bb 20 43 a7 .d.. 5...$..}. C. 0200 - 00 e4 81 42 75 7c e9 ef-d3 42 9f 22 2d 43 26 97 ...Bu|...B."-C&. 0210 - 75 6b 29 7e 67 43 c7 99-37 4d 09 53 59 49 7b ae uk)~gC.. 7M.SYI{. 0220 - dd fb 66 f7 a1 9c 76 67-c0 39 e7 9a 84 2c a2 a9 ..f...vg. 9...,.. 0230 - d3 29 51 5f 25 e9 85 03-5d 96 e5 44 3c 2e 59 c9 .)Q_ %...]..D<.Y. 0240 - 5c ac ab 50 72 4c b2 c3-46 83 d5 6d 53 ac 7e 5b \..PrL..F..mS.~[ 0250 - 8d a4 93 60 15 85 4e f5-94 c7 f4 91 6f e6 2f 1f ...`..N.....o./. 0260 - 02 03 01 00 01 a3 82 01-d3 30 82 01 cf 30 09 06 ......... 0...0.. 0270 - 03 55 1d 13 04 02 30 00-30 0b 06 03 55 1d 0f 04 .U.... 0.0...U... 0280 - 04 03 02 05 a0 30 44 06-03 55 1d 1f 04 3d 30 3b ..... 0D..U...=0; 0290 - 30 39 a0 37 a0 35 86 33-68 74 74 70 3a 2f 2f 53 09.7.5.3http://*S 02a0 - 56 52 53 65 63 75 72 65-2d 63 72 6c 2e 76 65 72 VRSecure- crl.ver 02b0 - 69 73 69 67 6e 2e 63 6f-6d 2f 53 56 52 53 65 63 isign.com/ SVRSec 02c0 - 75 72 65 32 30 30 35 2e-63 72 6c 30 44 06 03 55 ure2005.crl0D..U 02d0 - 1d 20 04 3d 30 3b 30 39-06 0b 60 86 48 01 86 f8 . .=0;09..`.H... 02e0 - 45 01 07 17 03 30 2a 30-28 06 08 2b 06 01 05 05 E....0*0(.. +....02f0 - 07 02 01 16 1c 68 74 74-70 73 3a 2f 2f 77 77 77 .....https://*www0300 - 2e 76 65 72 69 73 69 67-6e 2e 63 6f 6d 2f 72 70 .verisign.com/rp 0310 - 61 30 1d 06 03 55 1d 25-04 16 30 14 06 08 2b 06 a0...U.%.. 0...+. 0320 - 01 05 05 07 03 01 06 08-2b 06 01 05 05 07 03 02 ........ +....... 0330 - 30 1f 06 03 55 1d 23 04-18 30 16 80 14 6f ec af 0...U.#.. 0...o.. 0340 - a0 dd 8a a4 ef f5 2a 10-67 2d 3f 55 82 bc d7 ef ......*.g-? U.... 0350 - 25 30 79 06 08 2b 06 01-05 05 07 01 01 04 6d 30 %0y.. +........m0 0360 - 6b 30 24 06 08 2b 06 01-05 05 07 30 01 86 18 68 k0$..+..... 0...h 0370 - 74 74 70 3a 2f 2f 6f 63-73 70 2e 76 65 72 69 73 ttp:// ocsp.veris 0380 - 69 67 6e 2e 63 6f 6d 30-43 06 08 2b 06 01 05 05 ign.com0C.. +.... 0390 - 07 30 02 86 37 68 74 74-70 3a 2f 2f 53 56 52 53 .0..7http:// *SVRS 03a0 - 65 63 75 72 65 2d 61 69-61 2e 76 65 72 69 73 69 ecure- aia.verisi 03b0 - 67 6e 2e 63 6f 6d 2f 53-56 52 53 65 63 75 72 65 gn.com/ SVRSecure 03c0 - 32 30 30 35 2d 61 69 61-2e 63 65 72 30 6e 06 08 2005- aia.cer0n.. 03d0 - 2b 06 01 05 05 07 01 0c-04 62 30 60 a1 5e a0 5c +........b0`.^.\ 03e0 - 30 5a 30 58 30 56 16 09-69 6d 61 67 65 2f 67 69 0Z0X0V..image/gi 03f0 - 66 30 21 30 1f 30 07 06-05 2b 0e 03 02 1a 04 14 f0! 0.0...+...... 0400 - 4b 6b b9 28 96 06 0c bb-d0 52 38 9b 29 ac 4b 07 Kk. (.....R8.).K. 0410 - 8b 21 05 18 30 26 16 24-68 74 74 70 3a 2f 2f 6c .!..0&. $http://*l 0420 - 6f 67 6f 2e 76 65 72 69-73 69 67 6e 2e 63 6f 6d ogo.verisign.com 0430 - 2f 76 73 6c 6f 67 6f 31-2e 67 69 66 30 0d 06 09 / vslogo1.gif0... 0440 - 2a 86 48 86 f7 0d 01 01-05 05 00 03 82 01 01 00 *.H............. 0450 - 5d 15 58 3b 10 4e d0 ae-59 96 cb 08 23 fe 2b 4b ].X;.N..Y...#.+K 0460 - 88 52 93 0f 9e 86 3b 30-eb 3d bc 33 c7 e9 f9 e0 .R....;0.=. 3.... 0470 - 6c 4f df 0d 78 6a 1d 4b-fc 74 9f 4a 3e c0 5d 14 lO..xj.K.t.J>.]. 0480 - 8c 13 61 f8 f2 69 95 b5-b7 f4 b6 ed b6 26 d4 69 ..a..i.......&.i 0490 - 93 e4 52 b7 09 5e 2d 4a-21 d1 f3 5a 3b 78 19 99 ..R..^- J!..Z;x.. 04a0 - ee 5f 40 f7 1a fa 2d 60-9c 6a 1b ad c7 aa d7 7f ._@...- `.j...... 04b0 - 87 4e ca 80 d9 bd 22 4d-b9 20 ad ff 43 74 4e 01 .N...."M. ..CtN. 04c0 - e6 f1 69 18 2b d8 13 65-ea 1c 6b e0 4c ae 05 ac ..i. +..e..k.L... 04d0 - 05 fd f0 79 6c fd 40 ec-c9 ad 22 36 8f a7 32 d4 ...yl.@..."6..2. 04e0 - 2c 54 71 f6 bf f3 76 46-ae 8f 66 98 8d 0d 98 8c ,Tq...vF..f..... 04f0 - f8 05 87 4c e7 2a fe fc-dd 58 e4 0f af 28 f4 4c ...L.*...X...(.L 0500 - b3 29 f3 94 1a 42 0c 60-a4 30 2e 38 8d 01 43 2b .)...B.`. 0.8..C+ 0510 - 77 96 86 a7 9a af 76 db-84 63 dc 53 9b ee ae 5a w.....v..c.S...Z 0520 - 7b 3c 9c e7 b7 da bd 1c-a2 a3 23 a2 36 7c db a6 {<........#. 6|.. 0530 - b9 9b be 35 89 24 42 cf-c4 63 25 e8 9f 91 45 60 ...5.$B..c %...E` 0540 - 8e 5b 6b 72 fd 35 56 4c-c1 c1 e5 17 99 81 45 61 .[kr. 5VL......Ea 0550 - 00 04 a0 30 82 04 9c 30-82 04 05 a0 03 02 01 02 ... 0...0........ 0560 - 02 10 75 33 7d 9a b0 e1-23 3b ae 2d 7d e4 46 91 ..u3}...#;.-}.F. 0570 - 62 d4 30 0d 06 09 2a 86-48 86 f7 0d 01 01 05 05 b. 0...*.H....... 0580 - 00 30 5f 31 0b 30 09 06-03 55 04 06 13 02 55 53 . 0_1.0...U....US 0590 - 31 17 30 15 06 03 55 04-0a 13 0e 56 65 72 69 53 1.0...U....VeriS 05a0 - 69 67 6e 2c 20 49 6e 63-2e 31 37 30 35 06 03 55 ign, Inc. 1705..U 05b0 - 04 0b 13 2e 43 6c 61 73-73 20 33 20 50 75 62 6c ....Class 3 Publ 05c0 - 69 63 20 50 72 69 6d 61-72 79 20 43 65 72 74 69 ic Primary Certi 05d0 - 66 69 63 61 74 69 6f 6e-20 41 75 74 68 6f 72 69 fication Authori 05e0 - 74 79 30 1e 17 0d 30 35-30 31 31 39 30 30 30 30 ty0...0501190000 05f0 - 30 30 5a 17 0d 31 35 30-31 31 38 32 33 35 39 35 00Z.. 15011823595 0600 - 39 5a 30 81 b0 31 0b 30-09 06 03 55 04 06 13 02 9Z0..1.0...U.... 0610 - 55 53 31 17 30 15 06 03-55 04 0a 13 0e 56 65 72 US1.0...U....Ver 0620 - 69 53 69 67 6e 2c 20 49-6e 63 2e 31 1f 30 1d 06 iSign, Inc. 1.0.. 0630 - 03 55 04 0b 13 16 56 65-72 69 53 69 67 6e 20 54 .U....VeriSign T 0640 - 72 75 73 74 20 4e 65 74-77 6f 72 6b 31 3b 30 39 rust Network1;09 0650 - 06 03 55 04 0b 13 32 54-65 72 6d 73 20 6f 66 20 ..U... 2Terms of0660 - 75 73 65 20 61 74 20 68-74 74 70 73 3a 2f 2f 77 use at https://*w0670 - 77 77 2e 76 65 72 69 73-69 67 6e 2e 63 6f 6d 2f ww.verisign.com/ 0680 - 72 70 61 20 28 63 29 30-35 31 2a 30 28 06 03 55 rpa (c)051*0(..U 0690 - 04 03 13 21 56 65 72 69-53 69 67 6e 20 43 6c 61 ...! VeriSign Cla 06a0 - 73 73 20 33 20 53 65 63-75 72 65 20 53 65 72 76 ss 3 Secure Serv 06b0 - 65 72 20 43 41 30 82 01-22 30 0d 06 09 2a 86 48 er CA0.."0...*.H 06c0 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0.. 06d0 - 0a 02 82 01 01 00 95 c3-21 12 8e 40 c5 0d 01 5f ........!..@..._ 06e0 - 76 5e 66 94 d9 73 2c 58-19 22 b8 c9 fc 7a 39 90 v^f..s,X."...z9. 06f0 - 2a 77 72 7c 1d 3e f7 d8-55 e3 af 42 cb 87 30 02 *wr|.>..U..B..0. 0700 - dc 5b ac 70 e6 b8 44 b4-2b 35 eb 93 d2 17 05 7e .[.p..D. +5.....~ 0710 - cb 46 d6 5c 53 a0 32 51-9d 74 64 58 f9 0c 9a 00 .F.\S. 2Q.tdX.... 0720 - ea 5e 44 49 64 72 f4 cd-10 e2 85 0a f9 34 ee b3 .^DIdr.......4.. 0730 - 88 66 a9 a5 a4 5a d0 0e-98 7f 58 0d 2b 52 bb 86 .f...Z....X. +R.. 0740 - a9 7e 2e fa b2 48 7c 8d-db 2d 5f 01 75 a2 8d 06 .~...H|..- _.u... 0750 - 3b 8b b4 61 07 c9 be 22-99 f8 1b d1 b5 57 66 04 ;..a...".....Wf. 0760 - 4d 35 f4 91 71 96 b5 99-08 25 9b 97 c8 3a f3 20 M5..q.... %...:. 0770 - b1 dd 9e 98 0c 4a 63 b7-a6 ce b0 01 ce f8 93 6a .....Jc........j 0780 - f3 0c 6e 9f b1 e9 84 7b-81 98 41 e6 81 dc 3d 2c ..n.... {..A...=, 0790 - e7 b4 6b e3 9e fc 08 16-d7 b3 d5 b9 66 12 99 7c ..k.........f..| 07a0 - 6d 71 c8 4d be c7 0f e3-fb 37 ad d5 75 87 21 6b mq.M..... 7..u.!k 07b0 - 86 d0 44 14 5a 54 79 39-96 69 56 c9 b9 31 cd 89 ..D.ZTy9.iV..1.. 07c0 - 61 58 e1 d9 76 05 05 ad-f7 b9 02 af a7 fd 47 91 aX..v.........G. 07d0 - a2 22 34 5a 31 d1 02 03-01 00 01 a3 82 01 81 30 ."4Z1..........0 07e0 - 82 01 7d 30 12 06 03 55-1d 13 01 01 ff 04 08 30 ..}0...U.......0 07f0 - 06 01 01 ff 02 01 00 30-44 06 03 55 1d 20 04 3d ....... 0D..U. .= 0800 - 30 3b 30 39 06 0b 60 86-48 01 86 f8 45 01 07 17 0;09..`.H...E... 0810 - 03 30 2a 30 28 06 08 2b-06 01 05 05 07 02 01 16 .0*0(.. +........0820 - 1c 68 74 74 70 73 3a 2f-2f 77 77 77 2e 76 65 72 .https://*www.*ver0830 - 69 73 69 67 6e 2e 63 6f-6d 2f 72 70 61 30 31 06 isign.com/ rpa01. 0840 - 03 55 1d 1f 04 2a 30 28-30 26 a0 24 a0 22 86 20 .U...*0(0&. $.". 0850 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 76 65 72 69 73 http:// *crl.veris 0860 - 69 67 6e 2e 63 6f 6d 2f-70 63 61 33 2e 63 72 6c ign.com/ pca3.crl 0870 - 30 0e 06 03 55 1d 0f 01-01 ff 04 04 03 02 01 06 0...U........... 0880 - 30 11 06 09 60 86 48 01-86 f8 42 01 01 04 04 03 0...`.H...B..... 0890 - 02 01 06 30 29 06 03 55-1d 11 04 22 30 20 a4 1e ... 0)..U..."0 .. 08a0 - 30 1c 31 1a 30 18 06 03-55 04 03 13 11 43 6c 61 0.1.0...U....Cla 08b0 - 73 73 33 43 41 32 30 34-38 2d 31 2d 34 35 30 1d ss3CA2048-1-450. 08c0 - 06 03 55 1d 0e 04 16 04-14 6f ec af a0 dd 8a a4 ..U......o...... 08d0 - ef f5 2a 10 67 2d 3f 55-82 bc d7 ef 25 30 81 80 ..*.g-?U.... %0.. 08e0 - 06 03 55 1d 23 04 79 30-77 a1 63 a4 61 30 5f 31 ..U.#.y0w.c.a0_1 08f0 - 0b 30 09 06 03 55 04 06-13 02 55 53 31 17 30 15 . 0...U....US1.0. 0900 - 06 03 55 04 0a 13 0e 56-65 72 69 53 69 67 6e 2c ..U....VeriSign, 0910 - 20 49 6e 63 2e 31 37 30-35 06 03 55 04 0b 13 2e Inc. 1705..U.... 0920 - 43 6c 61 73 73 20 33 20-50 75 62 6c 69 63 20 50 Class 3 Public P 0930 - 72 69 6d 61 72 79 20 43-65 72 74 69 66 69 63 61 rimary Certifica 0940 - 74 69 6f 6e 20 41 75 74-68 6f 72 69 74 79 82 10 tion Authority.. 0950 - 70 ba e4 1d 10 d9 29 34-b6 38 ca 7b 03 cc ba bf p.....)4.8. {.... 0960 - 30 0d 06 09 2a 86 48 86-f7 0d 01 01 05 05 00 03 0...*.H......... 0970 - 81 81 00 c3 7e 08 46 5d-91 36 cf 67 dc d7 a7 af ....~.F]. 6.g.... 0980 - af b8 22 c3 8b 04 74 d3-b1 60 bc e6 fe b7 44 12 .."...t..`....D. 0990 - 81 5b 31 73 14 63 56 c6-72 2e d1 1a 03 43 5c 38 . [1s.cV.r....C\8 09a0 - 0a 50 4a 4d cd da b6 19-a8 f4 99 0d af e3 f7 d8 .PJM............ 09b0 - f1 75 28 65 f6 6a fe 9b-f4 bd 52 d9 3f cb da 16 .u(e.j....R.?... 09c0 - cb a5 9e 2e 8e 66 52 78-3d 26 fa fe 94 36 88 4a .....fRx=&...6.J 09d0 - 95 5e 2a 4c 19 ef 6e fa-82 3f 2d 03 ef d6 28 b3 .^*L..n..?-...(. 09e0 - 37 18 cf 42 b2 34 21 64-47 d3 20 6b 3a 4c dc e6 7..B.4!dG. k:L..09f0 - 03 90 0c ...depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CAverify error:num=20:unable to get local issuer certificate verify return:0 read from 0x20fdd0 [0x215940] (5 bytes => 5 (0x5)) 0000 - 16 03 01 01 8d ..... read from 0x20fdd0 [0x215945] (397 bytes => 397 (0x18D))0000 - 0c 00 01 89 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6. 0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J...... 9._R... 0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r... 0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2 0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y. 7{...3. 0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x. [... 0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}....... 3... 0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9 0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 40 49 1b 47 d6 >. $!.......@xxxx 0090 - 77 b3 be 40 cd 21 fe b9-c9 c8 a2 cd f5 f7 bd cd w..@.!.......... 00a0 - 2b db 3a 87 8e 16 5a fe-e4 40 94 f6 70 6e ea cd +.:...Z..@..pn.. 00b0 - ee a0 56 14 3b 30 b8 e9-6e 47 15 9b ca fb 05 70 ..V.; 0..nG.....p 00c0 - d9 93 b4 d4 7a 9d 05 05-b5 21 88 7a 86 d7 1a 1e ....z....!.z.... 00d0 - 1e 5f 1f 71 0a 5d bb 96-93 0c 10 01 5f 4c 14 b9 ._.q.]......_L.. 00e0 - b5 c9 97 11 f4 8d a7 5c-b8 01 d6 bb fb bd 63 65 ....... \......ce 00f0 - 23 da 63 d3 ca 00 fe 64-c7 c0 8b 83 da a9 63 b1 #.c....d......c. 0100 - 5b 79 58 62 73 fd c6 df-2f 56 a3 00 80 45 1e 00 [yXbs.../ V...E.. 0110 - 99 60 2f 40 62 34 c9 16-d2 c3 6b 79 6f c7 df 3e .`/ @b4....kyo..> 0120 - 1e a3 a2 47 a9 bd 5b 59-3b 28 b8 21 cd a4 1d c8 ...G..[Y; (.!.... 0130 - 83 a9 5f 66 3e ed d8 a4-e1 cb 11 8b 78 0d bd da .._f>.......x... 0140 - 86 a3 7d 41 1c ce 2c 08-94 bb 04 a5 27 96 fe 41 ..}A..,.....'..A 0150 - 30 17 f1 cc 57 65 4f 6e-e6 e4 e6 8b 72 ed 8a f9 0...WeOn....r... 0160 - fa 96 50 2a b7 c3 5d b6-da d1 71 74 01 95 e6 fe ..P*..]...qt.... 0170 - e1 fe 1a 98 10 b0 cc e6-76 06 83 15 93 d0 25 8b ........v.....%.0180 - 01 d2 aa af 29 fd 46 00-21 11 4b 8e ed ....).F.!.K.. read from 0x20fdd0 [0x215940] (5 bytes => 5 (0x5)) 0000 - 16 03 01 00 04 ..... read from 0x20fdd0 [0x215945] (4 bytes => 4 (0x4)) 0000 - 0e . 0004 - <SPACES/NULS> write to 0x20fdd0 [0x21fa70] (139 bytes => 139 (0x8B))0000 - 16 03 01 00 86 10 00 00-82 00 80 6f 9d 96 80 40 ...........o...@ 0010 - 98 62 18 e4 a4 a8 d3 30-a4 cd 82 eb 2c d5 73 49 .b..... 0....,.sI 0020 - b0 68 8f f5 fc 7d 1a 21-e2 f9 98 03 26 a9 c7 3a .h...}.!....&..: 0030 - ed bf 02 c5 a2 f9 7a 39-c7 f9 0b 84 bf 7c a9 f2 ......z9.....|.. 0040 - eb b8 1c 69 82 e3 df af-76 48 ab 21 a9 3e 63 10 ...i....vH.!.>c. 0050 - dc 7d e9 bd 30 e9 9d 33-da 93 4e f2 18 a0 a0 8a .}.. 0..3..N..... 0060 - d9 65 a2 8c 8f 72 09 aa-31 38 ed 30 c7 6c ec f9 .e...r.. 18.0.l.. 0070 - c2 68 e5 db e3 cd 6f ac-71 8d 54 a0 d0 57 84 00 .h....o.q.T..W..0080 - ce c3 81 05 a3 2d 8e c3-1f 3c 7a .....-...<z write to 0x20fdd0 [0x21fa70] (6 bytes => 6 (0x6)) 0000 - 14 03 01 00 01 01 ...... write to 0x20fdd0 [0x21fa70] (53 bytes => 53 (0x35))0000 - 16 03 01 00 30 ed 82 85-ac 7e aa 1a 26 8a 7d 66 .... 0....~..&.}f 0010 - 42 6e a2 91 ea b0 c3 01-98 c5 89 e5 a0 9e fd da Bn.............. 0020 - 8d 8c a5 2a 48 bc e6 5e-ad e5 c2 5a 03 6c d1 5d ...*H..^...Z.l.]0030 - c0 b5 bb 39 65 ...9e read from 0x20fdd0 [0x215940] (5 bytes => 5 (0x5)) 0000 - 14 03 01 00 01 ..... read from 0x20fdd0 [0x215945] (1 bytes => 1 (0x1)) 0000 - 01 . read from 0x20fdd0 [0x215940] (5 bytes => 5 (0x5)) 0000 - 16 03 01 00 30 ....0 read from 0x20fdd0 [0x215945] (48 bytes => 48 (0x30))0000 - ad c0 8f 14 01 bd 4a a3-cf 28 31 d9 16 c7 9a 4a ......J.. (1....J 0010 - 7e 71 ac 3b 6c ce 1f 08-84 c6 44 f7 1e d0 3d 02 ~q.;l.....D...=. 0020 - e0 3a cb bd d4 0d 4a aa-60 4b a3 a2 f7 15 81 0f .:....J.`K......--- Certificate chain0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National Laboratory/OU=Environmental Restoration Division erdc/CN=www- erdc.llnl.gov i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority--- Server certificate -----BEGIN CERTIFICATE----- MIIFQjCCBCqgAwIBAgIQOTfsFyL0qPkISY+/krG24DANBgkqhkiG9w0BAQUFADCB sDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEqMCgGA1UEAxMh VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBMB4XDTA5MDUwNDAwMDAw MFoXDTEwMDUwNDIzNTk1OVowgbUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp Zm9ybmlhMRIwEAYDVQQHFAlMaXZlcm1vcmUxLzAtBgNVBAoUJkxhd3JlbmNlIExp dmVybW9yZSBOYXRpb25hbCBMYWJvcmF0b3J5MTAwLgYDVQQLFCdFbnZpcm9ubWVu dGFsIFJlc3RvcmF0aW9uIERpdmlzaW9uIGVyZGMxGjAYBgNVBAMUEXd3dy1lcmRj LmxsbmwuZ292MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC10Bdgh7FnLGaI 225a+wNQHGSILjWEr5Ik2NB9uyBDpwDkgUJ1fOnv00KfIi1DJpd1ayl+Z0PHmTdN CVNZSXuu3ftm96GcdmfAOeeahCyiqdMpUV8l6YUDXZblRDwuWclcrKtQckyyw0aD 1W1TrH5bjaSTYBWFTvWUx/SRb+YvHwIDAQABo4IB0zCCAc8wCQYDVR0TBAIwADAL BgNVHQ8EBAMCBaAwRAYDVR0fBD0wOzA5oDegNYYzaHR0cDovL1NWUlNlY3VyZS1j cmwudmVyaXNpZ24uY29tL1NWUlNlY3VyZTIwMDUuY3JsMEQGA1UdIAQ9MDswOQYL YIZIAYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24u Y29tL3JwYTAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgw FoAUb+yvoN2KpO/1KhBnLT9VgrzX7yUweQYIKwYBBQUHAQEEbTBrMCQGCCsGAQUF BzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20wQwYIKwYBBQUHMAKGN2h0dHA6 Ly9TVlJTZWN1cmUtYWlhLnZlcmlzaWduLmNvbS9TVlJTZWN1cmUyMDA1LWFpYS5j ZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJaW1hZ2UvZ2lmMCEwHzAHBgUr DgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYkaHR0cDovL2xvZ28udmVyaXNp Z24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEBBQUAA4IBAQBdFVg7EE7QrlmW ywgj/itLiFKTD56GOzDrPbwzx+n54GxP3w14ah1L/HSfSj7AXRSME2H48mmVtbf0 tu22JtRpk+RStwleLUoh0fNaO3gZme5fQPca+i1gnGobrceq13+HTsqA2b0iTbkg rf9DdE4B5vFpGCvYE2XqHGvgTK4FrAX98Hls/UDsya0iNo+nMtQsVHH2v/N2Rq6P ZpiNDZiM+AWHTOcq/vzdWOQPryj0TLMp85QaQgxgpDAuOI0BQyt3loanmq9224Rj 3FOb7q5aezyc57favRyioyOiNnzbprmbvjWJJELPxGMl6J+RRWCOW2ty/TVWTMHB 5ReZgUVh -----END CERTIFICATE-----subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore National Laboratory/OU=Environmental Restoration Division erdc/ CN=www-erdc.llnl.gov issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA--- No client certificate CA names sent --- SSL handshake has read 3069 bytes and written 322 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: Session-ID-ctx:Master-Key: 9E8941488E9BA08703CB9C00624F98AC4E61511A1B9CA009ACA20EEBAFE5416F21959237C1F50AB11B083B893F4AB0C9Key-Arg : None Start Time: 1259597048 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) --- read from 0x20fdd0 [0x215940] (5 bytes => 0 (0x0)) read:errno=0 write to 0x20fdd0 [0x21a150] (37 bytes => 37 (0x25))0000 - 15 03 01 00 20 af e1 ab-10 6a 3e 70 e2 4f ee 1a .... ....j>p.O.. 0010 - fb 51 20 ac 62 74 99 71-d7 7c 29 72 54 ee 62 3d .Q .bt.q.|)rT.b=0020 - cf 82 c4 bc 73 Thanks again, John On Nov 27, 2009, at 11:42 AM, Sander Temme wrote:On Nov 25, 2009, at 2:24 PM, John J. Consolati wrote:Here are the build commands I've tried:./configure --prefix=/home/consolati1/apache/httpd-2.2.14/ installed --enable-static-support --enable-ssl --with-ssl=/home/ consolati1/openssl/openssl-0.9.8l/installed --with-mpm=prefork./configure --prefix=/home/consolati1/apache/httpd-2.2.14/ installed/ --enable-ssl --with-ssl=/home/consolati1/openssl/ openssl-0.9.8g/installed/ (currently using this one)One remark about your build: your earlier ldd output had some /usr/ ucb stuff in it, which may be the result of your having /usr/ucb in your PATH. You might try building with /usr/ccs/bin in your PATH before /usr/ucb to take advantage of some utilities a little more modern.I ran into this when building Subversion on a new VM:http://**www.**temme.net/sander/2009/04/28/building-subversion-with- sun-workshop/No idea how this would impact your build. S.Both of them result in the same thing, and were the commands my predecessor used.I will try building it with the configure command you sent. I haven't personally tried gcc, but my coworkers have left extensive notes of errors that gcc throws. It couldn't hurt to try again.It is odd that libssl and libcrypt aren't in there -- I tried building statically, as you can see, but the httpd -l that I posted was from the second one (which should be dynamic). Any ideas why they're missing?Thanks, John On Nov 25, 2009, at 2:14 PM, Dan_Mitton@xxxxxxx wrote:We are only at Apache 2.2.9, but don't have any problems. The command I use to build apache with is:./configure --prefix=/usr/local/apache-2.2.9 --with-ssl=/usr/ local/ssl --with-z=/usr/local/lib --enable-ssl --enable-cache -- enable-disk-cache --enable-mem-cache --enable-autoindex --enable- mods-shared="rewrite ssl dav dav-fs proxy"of course, this is building a shared mod_ssl.so, and a few other things. We use gcc instead of Sun's. Can you try it with gcc? I can't image that is the problem, but it might be worth a test.We have changed both Apache and OpenSSL versions, several times, and never had any certificate problems.Here is one thing to look into... Looking back at your 'ldd httpd' output, there is no mention of libssl or libcrypt, so I assume that you are statically linking them in. Are you sure that you are picking up the OpenSSL version and not Sun's default installed version in /lib ? Can you post your build command? Personally, I like dynamic linking, so that you can upgrade to a new OpenSSL, without having to redo everything that uses it.Dan Please respond to users@xxxxxxxxxxxxxxxx To: users@xxxxxxxxxxxxxxxx cc: (bcc: Dan Mitton/YD/RWDOE) Subject: Re: SSL on Apache 2.2.14 LSN: Not Relevant User Filed as: Not a Record Dan, The error occurs on both Safari and Firefox on Apache 2.2.14. We don't have IE in our environment. Both Safari and Firefox work as they should with 2.0.47.It looks like mod_ssl.c is compiled in -- it shows up with httpd - l.I've checked the links you sent me. The description doesn't provide awhole lot of detail, and, according to the other one, I checked tomake sure I am using prefork instead of MPM -- it seems to default to prefork anyway, but I specified it in the /config before compilation.I've Googled to my wit's end for several days without finding anythingconclusive. Some pages hint at compilation options, others at compilers (I'm using Sun's cc, not gcc), but nothing conclusive. Here is one question I couldn't find the answer to, though: if I requested a server certificate using a specific version of OpenSSL,can I use that same certificate in a different version of Apache witha different version of OpenSSL? Or do I have to re-request if Iupgrade OpenSSL? A long shot I know, but I'm running out of options...Thank you for the help, John On Nov 25, 2009, at 12:07 PM, Dan_Mitton@xxxxxxx wrote:John,You should not need to upgrade Solaris. I've got apache running ona solaris 9 box just fine. Your "wrong path" shouldn't be a problem either. Those are just "the last place to look" for an .so. Solaris will use what is in the 'crle' command and the LD_LIBRARY_PATH environment variable first (I'm not sure of the order).You may or may not have a mod_ssl.so, depending on how you compiledapache. If you run: httpd -l (that's an el) It will list out which modules are compiled in. If you see mod_ssl.c, you will not have a mod_ssl.so. Otherwise, mod_ssl.so should normally be in your apache's modules subdirectory. Do you only get the error on Firefox and not IE? Dan Please respond to users@xxxxxxxxxxxxxxxx To: users@xxxxxxxxxxxxxxxx cc: (bcc: Dan Mitton/YD/RWDOE) Subject: Re: SSL on Apache 2.2.14 LSN: Not Relevant User Filed as: Not a Record Here is the complete command: openssl s_server -cert /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.crt/www-erdc.crt -key /erd/www/erd/server/ apache/httpd-2.2.14/installed/conf/ssl.key/www-erdc.secureprivate.key -CAfile /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ ssl.crt/intermediate.crt -www Your suggested 'GET / HTTP/1.0\r\r' was successful.However, I found something interesting doing an ldd -- a few of themhave wrong paths: bash-2.05# ldd httpd libm.so.1 => /usr/lib/libm.so.1 libaprutil-1.so.0 => /wrong/path libexpat.so.0 => /wrong/path libapr-1.so.0 => /wrong/path libuuid.so.1 => /usr/lib/libuuid.so.1 libsendfile.so.1 => /usr/lib/libsendfile.so.1 librt.so.1 => /usr/lib/librt.so.1 libsocket.so.1 => /usr/lib/libsocket.so.1 libnsl.so.1 => /usr/lib/libnsl.so.1 libpthread.so.1 => /usr/lib/libpthread.so.1 libdl.so.1 => /usr/lib/libdl.so.1 libthread.so.1 => /usr/lib/libthread.so.1 libc.so.1 => /usr/lib/libc.so.1 libucb.so.1 => (file not found) libresolv.so.2 => /usr/lib/libresolv.so.2 libelf.so.1 => /usr/lib/libelf.so.1 libucb.so.1 => /usr/ucblib/libucb.so.1 libaio.so.1 => /usr/lib/libaio.so.1 libmd5.so.1 => /usr/lib/libmd5.so.1 libmp.so.2 => /usr/lib/libmp.so.2 /usr/platform/SUNW,Sun-Fire-V250/lib/libc_psr.so.1 /usr/platform/SUNW,Sun-Fire-V250/lib/libmd5_psr.so.1I wasn't sure where to find mod_ssl.so -- I could only find mod_ssl.h.Is there a way to change the links without rebuilding? Thank you, John On Nov 25, 2009, at 11:21 AM, Sander Temme wrote:On Nov 25, 2009, at 10:17 AM, John J. Consolati wrote:Thank you for the reply. Unfortunately, upgrading Solaris isn't an option. Here is the version I have to work with (quite old..): bash-2.05# cat /etc/release Solaris 9 4/04 s9s_u6wos_08a SPARC Copyright 2004 Sun Microsystems, Inc. All RightsReserved.Use is subject to license terms. Assembled 22 March 2004 bash-2.05# uname -a SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250 I've been using the Sun cc, not gcc, to compile everything. Here is the output from the openSSL commands: openssl -certs....etc etcWhat is your complete command line here?Using default temp DH parameters Using default temp ECDH parameters ACCEPT -----BEGIN SSL SESSION PARAMETERS----- MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIeX2wE MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F/Ajy V6EGAgRLDXPAogQCAgEspAYEBAAAAAE= -----END SSL SESSION PARAMETERS----- Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA- AES128- SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4- MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5 CIPHER is DHE-RSA-AES256-SHA And on the other terminal: bash-2.05$ openssl s_client -connect localhost:4433 CONNECTED(00000003)depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/ OU=Terms of use at https://*****www.*****verisign.com/rpa (c)05/ CN=VeriSignClass 3Secure Server CA verify error:num=20:unable to get local issuer certificate verify return:0That's not a problem, just OpenSSL complaining it can't find theVerisign root cert. If you happen to have a copy of that (like yourbrowser does) and point openssl s_client to it, it can verify all the way to the top. This does not impact the connection itself.--- Certificate chain0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore NationalLaboratory/OU=Environmental Restoration Division erdc/CN=www- erdc.llnl.govi:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://*****www.*****verisign.com/rpa (c)05/CN=VeriSign Class 3SecureServer CA 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms ofuse at https://*****www.*****verisign.com/rpa (c)05/ CN=VeriSign Class 3Secure Server CA i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority --- Server certificate -----BEGIN CERTIFICATE----- certificate hash... -----END CERTIFICATE----- subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore National Laboratory/OU=Environmental Restoration Division erdc/ CN=www-erdc.llnl.govissuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/ OU=Terms of use at https://*****www.*****verisign.com/rpa (c)05/ CN=VeriSign Class 3Secure Server CA --- No client certificate CA names sent --- SSL handshake has read 2973 bytes and written 258 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E5F6C Session-ID-ctx: Master-Key:EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A45712081626A57E6C0FE555052DC5FC08F257Key-Arg : None Start Time: 1259172800 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) ---Looks like there is a problem with one of the certificates, but I'mnot sure how to proceed...At this point, you have a valid handshake, and the client and server have exchanged data encrypted and MACed with the session keys. Allis well. You could type on the command line 'GET / HTTP/1.0\r \r' (two returns) and you'll get the status page generated by openssl s_server -www.*****This means you have a configuration problem with Apache. Make sure you're using the ssl and crypto libraries that you think you are byrunning ldd on the httpd binary and the mod_ssl.so binary. Whilethe Solaris build environment usually gets this right by hardcoding the path to the libraries at link time, make sure this is ok at runtime.Then, make sure your server is configured correctly, and that yourSSL virtual host(s) use the correct combination of SSLCertificateFile and SSLCertificateKeyFile. S.Again, thank you for your help, I appreciate it. Regards, John On Nov 25, 2009, at 10:00 AM, daniel.goulder@xxxxxxxxx wrote:This sounds like a Solaris bug. Make sure you have a recent version of Solaris or the latestpatchesinstalled... What release/patch level are you using? Danny ________________________________From: "John J. Consolati" <consolati1@xxxxxxxx> [mailto:"John J.Consolati" <consolati1@xxxxxxxx>] Sent: 25 November 2009 17:23 To: users@xxxxxxxxxxxxxxxx Subject: SSL on Apache 2.2.14 Hello, Hopefully someone will be able to help, as I've been working onthisproblem for quite a while and have hit a wall. I'm trying toupgradeApache 2.0.47 to 2.2.14, and I need SSL support. Everythingseems tobuild and compile okay, but when I try to access my site runningon2.2.14, I get a strange error from Firefox: "Secure connectionfailed. An error occurred during a connection to xxxxxx. SSL peerreports incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_alert)."I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the sameresults. This is hosted on a Solaris sparc box. The 2.2.14server isutilizing all the same files and SSL certificates as the 2.0.47 server. I've called Verisign; I have valid certificates, butthey'venever heard of this error before. If I self-sign a certificate and test it with the 2.2.14 server, it seems to work (except for theexpected error message regarding self-signed certificates). Searching on Google has led me to try forcing Apache to compilewithprefork enabled (but it seems to default to that anyway onSolaris).I've also tried statically linking Apache during compile with thesame results.If anyone has any ideas or suggestions, I'd very much appreciatethem... Thank you, John---------------------------------------------------------------------The official User-To-User support forum of the Apache HTTP ServerProject.See < URL:http://******httpd.apache.org/userslist.html> for moreinfo.To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx______________________________________________________________________This email has been scanned by the MessageLabs Email Security System. For more information please visit http://******www.******messagelabs.com/____________________________________________________________________________________________________________________________________________This e-mail and any attached files are intended for the namedaddressee only. It contains information, which may be confidential and legally privileged and also protected by copyright. Unless youare the named addressee (or authorised to receive for the addressee) you may not copy or use it, or disclose it to anyone else. If you received it in error please notify the senderimmediately and then delete it from your system. Please be advisedthat the views and opinions expressed in this e-mail may notreflect the views and opinions of Associated Newspapers Limited or any of its subsidiary companies. We make every effort to keep our network free from viruses. However, you do need to check this e-mail and any attachments to it for viruses as we can take noresponsibility for any computer virus which may be transferred byway of this e-mail. Use of this or any other e-mail facilitysignifies consent to any interception we might lawfully carry outto prevent abuse of these faciliti es.Associated Newspapers Ltd. Registered Office: Northcliffe House, 2 Derry St, Kensington, London, W8 5TT. Registered No 84121 England.---------------------------------------------------------------------The official User-To-User support forum of the Apache HTTP ServerProject.See <URL:http://*****httpd.apache.org/userslist.html> for more info.To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx-- Sander Temme sctemme@xxxxxxxxxx PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project.See <URL:http://****httpd.apache.org/userslist.html> for more info.To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx---------------------------------------------------------------------The official User-To-User support forum of the Apache HTTP Server Project.See <URL:http://***httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx---------------------------------------------------------------------The official User-To-User support forum of the Apache HTTP Server Project.See <URL:http://**httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx-- Sander Temme sctemme@xxxxxxxxxx PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF---------------------------------------------------------------------The official User-To-User support forum of the Apache HTTP Server Project.See <URL:http://*httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx