Date: Sun, 07 May 2000 12:36:15 -0700 From: Doug Barton <DougB@gorean.org> To: Steve Price <sprice@hiwaay.net> Cc: Kris Kennaway <kris@FreeBSD.org>, Forrest Aldrich <forrie@navipath.com>, current@FreeBSD.org Subject: Re: RSA decrypt problems Message-ID: <3915C5AF.9DE22474@gorean.org> References: <Pine.OSF.4.21.0005052333470.19519-100000@fly.HiWAAY.net>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format. --------------8905D405759B85C77D2D8BD2 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Steve Price wrote: > > On Fri, 5 May 2000, Kris Kennaway wrote: > > # I'm suspecting it might be something missing in the ASN.1 encoding of the > # certificate, which netscape requires but IE permits. This would be > # consistent with a missing openssl.cnf file at the time of certificate > # generation. Could one of you try copying the openssl.cnf file from > # crypto/openssl/apps/ to /etc/ssl (editing as appropriate) and see if that > # fixes it (i.e. make a new certificate and test it in the same way)? > > It didn't help here. I rebuilt the port and re-installed from > a clean WRKDIR and I get the same error message. If I do a > 'make certificate', copy those files over, and try to start > apache it just hangs definitely until I ^C it. After I kill > it I see this in the apache error logs. > > [error] mod_ssl: Init: Private key not found (OpenSSL library > error follows) > [error] OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object: > header too long > > Methinks it has something to do with key generation as well, but > I'll be darned if I know what. Ok, here are some silly questions. Did you create a private key for this server, did you encrypt your cert with it, and is that .key file pointed to in your httpd.conf config file? SSLCertificateKeyFile is what you're looking for. http://www.modssl.org/related/ has some really good resources for this, and their FAQ has step by step instructions for creating and testing keys and certs that may help you track down where in the process it's getting lost. Also, did you install the openssl port, or are you using the openssl that is part of the base in 4.0+? I vaguely remember you saying that you were using the port. If so, cd to /usr/local/openssl and cp openssl.cnf.sample to openssl.cnf. I'm currently hip deep in certificate generation problems myself, so I sympathize with your plight there Steve. Kris, I was going to let you know about the openssl.cnf problem, but I wanted to wait till I had more data. But, since the cat's out of the bag here, yes, we do need an openssl.cnf file in /etc/ssl for the system version. I attached a patch (not that you couldn't have done it yourself...). The only problem with this is that from the mergemaster standpoint, there is no $FreeBSD/$Id tag in that file. mm will still work (doing a complete comparison with diff) but it speeds things up and hides local mods if there is a CVS tag. HTH, Doug -- "Live free or die" - State motto of my ancestral homeland, New Hampshire Do YOU Yahoo!? --------------8905D405759B85C77D2D8BD2 Content-Type: text/plain; charset=us-ascii; name="sslcnf.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="sslcnf.diff" Index: Makefile =================================================================== RCS file: /usr/ncvs/src/etc/Makefile,v retrieving revision 1.221 diff -u -r1.221 Makefile --- Makefile 2000/04/15 16:48:41 1.221 +++ Makefile 2000/05/07 19:20:41 @@ -26,6 +26,10 @@ ${.CURDIR}/../crypto/openssh/sshd_config .endif +.if exists(${.CURDIR}/../crypto) && !defined(NO_OPENSSL) +SSL= ${.CURDIR}/../crypto/openssl/apps/openssl.cnf +.endif + # -rwxr-xr-x root.wheel, for the new cron root.wheel BIN2= netstart pccard_ether rc.suspend rc.resume @@ -76,6 +80,10 @@ .if exists(${.CURDIR}/../crypto) && !defined(NO_OPENSSH) (cd ${.CURDIR}; ${INSTALL} -c -o ${BINOWN} -g ${BINGRP} -m 644 ${SSH} \ ${DESTDIR}/etc/ssh ) +.endif +.if exists(${.CURDIR}/../crypto) && !defined(NO_OPENSSL) + (cd ${.CURDIR}; ${INSTALL} -c -o ${BINOWN} -g ${BINGRP} -m 644 ${SSL} \ + ${DESTDIR}/etc/ssl ) .endif .if !defined(NO_MAKEDEV) (cd ${DESTDIR}/dev; sh MAKEDEV all) --------------8905D405759B85C77D2D8BD2-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3915C5AF.9DE22474>