httpd-users mailing list archives

From "John J. Consolati" <consola...@llnl.gov>
Subject Re: [users@httpd] SSL on Apache 2.2.14
Date Mon, 30 Nov 2009 19:59:36 GMT
Hi All,

I'll try to squeeze everyone's suggestions into this mail.  Sorry for  
the delay -- was busy eating turkey for a couple of days :)

Dan:

When I built OpenSSL, I only specified --openssldir in the ./config.   
The libraries are in .../installed/lib.

Daniel:

bash-2.05# pldd 14100
14100:  /erd/www/erd/server/apache/httpd-2.2.14/installed/bin/httpd -f /erd/ww
/usr/lib/libm.so.1
/erd/www/erd/server/apache/httpd-2.2.14/installed/lib/libaprutil-1.so.0
/erd/www/erd/server/apache/httpd-2.2.14/installed/lib/libexpat.so.0
/erd/www/erd/server/apache/httpd-2.2.14/installed/lib/libapr-1.so.0
/usr/lib/libuuid.so.1
/usr/lib/libsendfile.so.1
/usr/lib/librt.so.1
/usr/lib/libsocket.so.1
/usr/lib/libnsl.so.1
/usr/lib/libpthread.so.1
/usr/lib/libdl.so.1
/usr/lib/libthread.so.1
/usr/lib/libc.so.1
/usr/ucblib/libucb.so.1
/usr/lib/libresolv.so.2
/usr/lib/libelf.so.1
/usr/lib/libaio.so.1
/usr/lib/libmd5.so.1
/usr/lib/libmp.so.2
/usr/platform/sun4u-us3/lib/libc_psr.so.1
/usr/lib/nss_files.so.1
/usr/lib/nss_nisplus.so.1
/usr/lib/libdoor.so.1

Crypto:

Yes, I will be using client authentication.

Sander:

OpenSSL was built with Sun CC.

I'm currently trying the build with the new PATH.

Here is the output of the openssl s_client:

CONNECTED(00000004)
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National Laboratory/OU=Environmental Restoration Division erdc/CN=www-erdc.llnl.gov
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore National Laboratory/OU=Environmental Restoration Division erdc/CN=www-erdc.llnl.gov
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3069 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID:
     Session-ID-ctx:
     Master-Key:  
9E8941488E9BA08703CB9C00624F98AC4E61511A1B9CA009ACA20EEBAFE5416F21959237C1F50AB11B083B893F4AB0C9
     Key-Arg   : None
     Start Time: 1259597048
     Timeout   : 300 (sec)
     Verify return code: 20 (unable to get local issuer certificate)
---
read from 0x20fdd0 [0x215940] (5 bytes => 0 (0x0))
read:errno=0


Thanks again,
John
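
Added example, not part of the original message: a small Python parser for the `openssl s_client` output above that reads the "Certificate chain" block and the `verify error` lines and reports which issuer certificate the client would need in its local trust store. The sample input is the relevant lines of that output with mail line-wrapping undone; the function names are chosen for this example.

```python
import re

# OpenSSL verify code 20: "unable to get local issuer certificate".
UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20

# Sample input: lines taken from the s_client output in the message above,
# re-joined where the mail client wrapped them (hex dumps and PEM body omitted).
SAMPLE = """\
CONNECTED(00000004)
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National Laboratory/OU=Environmental Restoration Division erdc/CN=www-erdc.llnl.gov
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
No client certificate CA names sent
---
    Verify return code: 20 (unable to get local issuer certificate)
"""


def parse_chain(text):
    """Return [{'depth', 'subject', 'issuer'}] from the 'Certificate chain' block."""
    chain, in_chain = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if stripped == "---":          # end of the chain block
            break
        m = re.match(r"\s*(\d+) s:(.*)$", line)
        if m:
            chain.append({"depth": int(m.group(1)),
                          "subject": m.group(2).strip(),
                          "issuer": None})
            continue
        m = re.match(r"\s*i:(.*)$", line)
        if m and chain:
            chain[-1]["issuer"] = m.group(1).strip()
    return chain


def parse_verify_errors(text):
    """Return [(depth, num, message)]; depth comes from the preceding 'depth=N' line."""
    errors, depth = [], None
    for line in text.splitlines():
        m = re.match(r"depth=(\d+)\s", line)
        if m:
            depth = int(m.group(1))
            continue
        m = re.match(r"verify error:num=(\d+):(.*)$", line)
        if m:
            errors.append((depth, int(m.group(1)), m.group(2).strip()))
    return errors


def analyse(text):
    chain = parse_chain(text)
    by_depth = {c["depth"]: c for c in chain}
    # Each certificate's issuer should be the subject of the next one sent.
    broken = [c["depth"] for c, nxt in zip(chain, chain[1:])
              if c["issuer"] != nxt["subject"]]
    # For error 20 at depth N, the issuer of the depth-N certificate was not
    # found among the client's trusted certificates.
    missing = []
    for depth, num, _msg in parse_verify_errors(text):
        cert = by_depth.get(depth)
        if (num == UNABLE_TO_GET_ISSUER_CERT_LOCALLY and cert
                and cert["issuer"] not in missing):
            missing.append(cert["issuer"])
    return {
        "chain": chain,
        "broken_links": broken,
        # True only if the last certificate sent is self-signed (a root).
        "root_sent": bool(chain) and chain[-1]["subject"] == chain[-1]["issuer"],
        "missing_issuers": missing,
        # s_client prints this line when the server supplied no list of
        # acceptable client-certificate CA names in this handshake.
        "client_ca_names_sent": "No client certificate CA names sent" not in text,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE)
    for cert in report["chain"]:
        print(cert["depth"], cert["subject"].rsplit("/", 1)[-1])
    print("broken links at depth:", report["broken_links"])
    print("root sent by server:", report["root_sent"])
    print("issuer(s) needed locally:", report["missing_issuers"])
    print("client CA names sent:", report["client_ca_names_sent"])
```

On this output the server's two certificates link correctly and the only gap is the root, which the server does not send and the client has to hold itself.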


On Nov 27, 2009, at 11:42 AM, Sander Temme wrote:

> On Nov 25, 2009, at 2:24 PM, John J. Consolati wrote:
>
>> Here are the build commands I've tried:
>>
>> ./configure --prefix=/home/consolati1/apache/httpd-2.2.14/installed --enable-static-support --enable-ssl --with-ssl=/home/consolati1/openssl/openssl-0.9.8l/installed --with-mpm=prefork
>>
>> ./configure --prefix=/home/consolati1/apache/httpd-2.2.14/installed/ --enable-ssl --with-ssl=/home/consolati1/openssl/openssl-0.9.8g/installed/   (currently using this one)
>
> One remark about your build: your earlier ldd output had some /usr/ucb
> stuff in it, which may be the result of your having /usr/ucb in your
> PATH.  You might try building with /usr/ccs/bin in your PATH before
> /usr/ucb to take advantage of some utilities a little more modern.
>
> I ran into this when building Subversion on a new VM:
>
> http://www.temme.net/sander/2009/04/28/building-subversion-with-sun-workshop/
>
> No idea how this would impact your build.
>
> S.
>
>> Both of them result in the same thing, and were the commands my  
>> predecessor used.
>>
>> I will try building it with the configure command you sent.  I  
>> haven't personally tried gcc, but my coworkers have left extensive  
>> notes of errors that gcc throws.  It couldn't hurt to try again.
>>
>> It is odd that libssl and libcrypt aren't in there -- I tried  
>> building statically, as you can see, but the httpd -l that I posted  
>> was from the second one (which should be dynamic).  Any ideas why  
>> they're missing?
>>
>> Thanks,
>> John
>>
>> On Nov 25, 2009, at 2:14 PM, Dan_Mitton@YMP.GOV wrote:
>>
>>>
>>> We are only at Apache 2.2.9, but don't have any problems.  The  
>>> command I use to build apache with is:
>>>
>>> ./configure --prefix=/usr/local/apache-2.2.9 --with-ssl=/usr/local/ssl --with-z=/usr/local/lib --enable-ssl --enable-cache --enable-disk-cache --enable-mem-cache --enable-autoindex --enable-mods-shared="rewrite ssl dav dav-fs proxy"
>>>
>>> of course, this is building a shared mod_ssl.so, and a few other
>>> things.  We use gcc instead of Sun's.  Can you try it with gcc?  I
>>> can't imagine that is the problem, but it might be worth a test.
>>>
>>> We have changed both Apache and OpenSSL versions, several times,  
>>> and never had any certificate problems.
>>>
>>> Here is one thing to look into...  Looking back at your 'ldd  
>>> httpd' output, there is no mention of libssl or libcrypt, so I  
>>> assume that you are statically linking them in.  Are you sure that  
>>> you are picking up the OpenSSL version and not Sun's default  
>>> installed version in /lib ?  Can you post your build command?   
>>> Personally, I like dynamic linking, so that you can upgrade to a  
>>> new OpenSSL, without having to redo everything that uses it.
>>>
>>> Dan
>>>
>>>
>>> Please respond to users@httpd.apache.org
>>>
>>>
>>> To:        users@httpd.apache.org
>>> cc:         (bcc: Dan Mitton/YD/RWDOE)
>>> Subject:        Re: [users@httpd] SSL on Apache 2.2.14
>>>
>>>
>>> LSN: Not Relevant
>>> User Filed as: Not a Record
>>>
>>> Dan,
>>>
>>> The error occurs on both Safari and Firefox on Apache 2.2.14.  We
>>> don't have IE in our environment.  Both Safari and Firefox work as
>>> they should with 2.0.47.
>>>
>>> It looks like mod_ssl.c is compiled in -- it shows up with httpd -l.
>>>
>>> I've checked the links you sent me.  The description doesn't provide a
>>> whole lot of detail, and, according to the other one, I checked to
>>> make sure I am using prefork instead of MPM -- it seems to default to
>>> prefork anyway, but I specified it in the /config before compilation.
>>>
>>> I've Googled to my wit's end for several days without finding anything
>>> conclusive.  Some pages hint at compilation options, others at
>>> compilers (I'm using Sun's cc, not gcc), but nothing conclusive.
>>>
>>> Here is one question I couldn't find the answer to, though: if I
>>> requested a server certificate using a specific version of OpenSSL,
>>> can I use that same certificate in a different version of Apache with
>>> a different version of OpenSSL?  Or do I have to re-request if I
>>> upgrade OpenSSL?  A long shot I know, but I'm running out of options...
>>>
>>> Thank you for the help,
>>> John
>>>
>>> On Nov 25, 2009, at 12:07 PM, Dan_Mitton@YMP.GOV wrote:
>>>
>>>>
>>>> John,
>>>>
>>>> You should not need to upgrade Solaris.  I've got apache running on
>>>> a solaris 9 box just fine.
>>>>
>>>> Your "wrong path" shouldn't be a problem either.  Those are just
>>>> "the last place to look" for an .so.  Solaris will use what is in
>>>> the 'crle' command and the LD_LIBRARY_PATH environment variable
>>>> first (I'm not sure of the order).
>>>>
>>>> You may or may not have a mod_ssl.so, depending on how you compiled
>>>> apache.  If you run:
>>>>
>>>> httpd -l (that's an el)
>>>>
>>>> It will list out which modules are compiled in.  If you see
>>>> mod_ssl.c, you will not have a mod_ssl.so.  Otherwise, mod_ssl.so
>>>> should normally be in your apache's modules subdirectory.
>>>>
>>>> Do you only get the error on Firefox and not IE?
>>>>
>>>> Dan
>>>>
>>>>
>>>> Please respond to users@httpd.apache.org
>>>>
>>>>
>>>> To:        users@httpd.apache.org
>>>> cc:         (bcc: Dan Mitton/YD/RWDOE)
>>>> Subject:        Re: [users@httpd] SSL on Apache 2.2.14
>>>>
>>>>
>>>> LSN: Not Relevant
>>>> User Filed as: Not a Record
>>>>
>>>> Here is the complete command:
>>>>
>>>> openssl s_server -cert /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.crt/www-erdc.crt -key /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.key/www-erdc.secureprivate.key -CAfile /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.crt/intermediate.crt -www
>>>>
>>>> Your suggested 'GET / HTTP/1.0\r\r' was successful.
>>>>
>>>> However, I found something interesting doing an ldd -- a few of them
>>>> have wrong paths:
>>>>
>>>> bash-2.05# ldd httpd
>>>>        libm.so.1 =>     /usr/lib/libm.so.1
>>>>        libaprutil-1.so.0 =>     /wrong/path
>>>>        libexpat.so.0 =>         /wrong/path
>>>>        libapr-1.so.0 =>         /wrong/path
>>>>        libuuid.so.1 =>  /usr/lib/libuuid.so.1
>>>>        libsendfile.so.1 =>      /usr/lib/libsendfile.so.1
>>>>        librt.so.1 =>    /usr/lib/librt.so.1
>>>>        libsocket.so.1 =>        /usr/lib/libsocket.so.1
>>>>        libnsl.so.1 =>   /usr/lib/libnsl.so.1
>>>>        libpthread.so.1 =>       /usr/lib/libpthread.so.1
>>>>        libdl.so.1 =>    /usr/lib/libdl.so.1
>>>>        libthread.so.1 =>        /usr/lib/libthread.so.1
>>>>        libc.so.1 =>     /usr/lib/libc.so.1
>>>>        libucb.so.1 =>   (file not found)
>>>>        libresolv.so.2 =>        /usr/lib/libresolv.so.2
>>>>        libelf.so.1 =>   /usr/lib/libelf.so.1
>>>>        libucb.so.1 =>   /usr/ucblib/libucb.so.1
>>>>        libaio.so.1 =>   /usr/lib/libaio.so.1
>>>>        libmd5.so.1 =>   /usr/lib/libmd5.so.1
>>>>        libmp.so.2 =>    /usr/lib/libmp.so.2
>>>>        /usr/platform/SUNW,Sun-Fire-V250/lib/libc_psr.so.1
>>>>        /usr/platform/SUNW,Sun-Fire-V250/lib/libmd5_psr.so.1
>>>>
>>>> I wasn't sure where to find mod_ssl.so -- I could only find mod_ssl.h.
>>>>
>>>> Is there a way to change the links without rebuilding?
>>>>
>>>> Thank you,
>>>> John
>>>>
>>>> On Nov 25, 2009, at 11:21 AM, Sander Temme wrote:
>>>>
>>>>>
>>>>> On Nov 25, 2009, at 10:17 AM, John J. Consolati wrote:
>>>>>
>>>>>> Thank you for the reply.
>>>>>>
>>>>>> Unfortunately, upgrading Solaris isn't an option.  Here is the
>>>>>> version I have to work with (quite old..):
>>>>>>
>>>>>> bash-2.05# cat /etc/release
>>>>>>                      Solaris 9 4/04 s9s_u6wos_08a SPARC
>>>>>>         Copyright 2004 Sun Microsystems, Inc.  All Rights Reserved.
>>>>>>                      Use is subject to license terms.
>>>>>>                           Assembled 22 March 2004
>>>>>> bash-2.05# uname -a
>>>>>> SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250
>>>>>>
>>>>>> I've been using the Sun cc, not gcc, to compile everything.
>>>>>>
>>>>>>
>>>>>> Here is the output from the openSSL commands:
>>>>>>
>>>>>> openssl -certs....etc etc
>>>>>
>>>>> What is your complete command line here?
>>>>>
>>>>>> Using default temp DH parameters
>>>>>> Using default temp ECDH parameters
>>>>>> ACCEPT
>>>>>> -----BEGIN SSL SESSION PARAMETERS-----
>>>>>> MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIeX2wE
>>>>>> MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F/Ajy
>>>>>> V6EGAgRLDXPAogQCAgEspAYEBAAAAAE=
>>>>>> -----END SSL SESSION PARAMETERS-----
>>>>>> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
>>>>>> CIPHER is DHE-RSA-AES256-SHA
>>>>>>
>>>>>>
>>>>>>
>>>>>> And on the other terminal:
>>>>>>
>>>>>> bash-2.05$ openssl s_client -connect localhost:4433
>>>>>> CONNECTED(00000003)
>>>>>> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
>>>>>> verify error:num=20:unable to get local issuer certificate
>>>>>> verify return:0
>>>>>
>>>>> That's not a problem, just OpenSSL complaining it can't find the
>>>>> Verisign root cert.  If you happen to have a copy of that (like your
>>>>> browser does) and point openssl s_client to it, it can verify all
>>>>> the way to the top.  This does not impact the connection itself.
>>>>>
>>>>>> ---
>>>>>> Certificate chain
>>>>>> 0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National Laboratory/OU=Environmental Restoration Division erdc/CN=www-erdc.llnl.gov
>>>>>> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
>>>>>> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
>>>>>> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
>>>>>> ---
>>>>>> Server certificate
>>>>>> -----BEGIN CERTIFICATE-----
>>>>>> certificate hash...
>>>>>> -----END CERTIFICATE-----
>>>>>> subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore National Laboratory/OU=Environmental Restoration Division erdc/CN=www-erdc.llnl.gov
>>>>>> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
>>>>>> ---
>>>>>> No client certificate CA names sent
>>>>>> ---
>>>>>> SSL handshake has read 2973 bytes and written 258 bytes
>>>>>> ---
>>>>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>>>>>> Server public key is 1024 bit
>>>>>> Compression: NONE
>>>>>> Expansion: NONE
>>>>>> SSL-Session:
>>>>>>  Protocol  : TLSv1
>>>>>>  Cipher    : DHE-RSA-AES256-SHA
>>>>>>  Session-ID: 5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E5F6C
>>>>>>  Session-ID-ctx:
>>>>>>  Master-Key: EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A45712081626A57E6C0FE555052DC5FC08F257
>>>>>>  Key-Arg   : None
>>>>>>  Start Time: 1259172800
>>>>>>  Timeout   : 300 (sec)
>>>>>>  Verify return code: 20 (unable to get local issuer certificate)
>>>>>> ---
>>>>>>
>>>>>> Looks like there is a problem with one of the certificates, but I'm
>>>>>> not sure how to proceed...
>>>>>
>>>>> At this point, you have a valid handshake, and the client and server
>>>>> have exchanged data encrypted and MACed with the session keys.  All
>>>>> is well.  You could type on the command line 'GET / HTTP/1.0\r\r'
>>>>> (two returns) and you'll get the status page generated by
>>>>> openssl s_server -www.
>>>>>
>>>>> This means you have a configuration problem with Apache.  Make sure
>>>>> you're using the ssl and crypto libraries that you think you are by
>>>>> running ldd on the httpd binary and the mod_ssl.so binary.  While
>>>>> the Solaris build environment usually gets this right by hardcoding
>>>>> the path to the libraries at link time, make sure this is ok at run
>>>>> time.
>>>>>
>>>>> Then, make sure your server is configured correctly, and that your
>>>>> SSL virtual host(s) use the correct combination of
>>>>> SSLCertificateFile and SSLCertificateKeyFile.
>>>>>
>>>>> S.
>>>>>
>>>>>> Again, thank you for your help, I appreciate it.
>>>>>>
>>>>>> Regards,
>>>>>> John
>>>>>>
>>>>>>
>>>>>> On Nov 25, 2009, at 10:00 AM, daniel.goulder@and.co.uk wrote:
>>>>>>
>>>>>>> This sounds like a Solaris bug.
>>>>>>>
>>>>>>> Make sure you have a recent version of Solaris or the latest patches
>>>>>>> installed...
>>>>>>>
>>>>>>> What release/patch level are you using?
>>>>>>>
>>>>>>> Danny
>>>>>>>
>>>>>>> ________________________________
>>>>>>>
>>>>>>> From: "John J. Consolati" <consolati1@llnl.gov> [mailto:"John J.
>>>>>>> Consolati" <consolati1@llnl.gov>]
>>>>>>> Sent: 25 November 2009 17:23
>>>>>>> To: users@httpd.apache.org
>>>>>>> Subject: [users@httpd] SSL on Apache 2.2.14
>>>>>>>
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Hopefully someone will be able to help, as I've been working on this
>>>>>>> problem for quite a while and have hit a wall. I'm trying to upgrade
>>>>>>> Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems to
>>>>>>> build and compile okay, but when I try to access my site running on
>>>>>>> 2.2.14, I get a strange error from Firefox: "Secure connection
>>>>>>> failed. An error occurred during a connection to xxxxxx. SSL peer
>>>>>>> reports incorrect Message Authentication Code. (Error code:
>>>>>>> ssl_error_bad_mac_alert)."
>>>>>>>
>>>>>>> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same
>>>>>>> results. This is hosted on a Solaris sparc box. The 2.2.14 server is
>>>>>>> utilizing all the same files and SSL certificates as the 2.0.47
>>>>>>> server. I've called Verisign; I have valid certificates, but they've
>>>>>>> never heard of this error before. If I self-sign a certificate and
>>>>>>> test it with the 2.2.14 server, it seems to work (except for the
>>>>>>> expected error message regarding self-signed certificates).
>>>>>>>
>>>>>>> Searching on Google has led me to try forcing Apache to compile with
>>>>>>> prefork enabled (but it seems to default to that anyway on Solaris).
>>>>>>> I've also tried statically linking Apache during compile with the
>>>>>>> same results.
>>>>>>>
>>>>>>> If anyone has any ideas or suggestions, I'd very much appreciate
>>>>>>> them...
>>>>>>> Thank you,
>>>>>>> John
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> The official User-To-User support forum of the Apache HTTP Server Project.
>>>>>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>>>>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>
>>>>> --
>>>>> Sander Temme
>>>>> sctemme@apache.org
>>>>> PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
>
> -- 
> Sander Temme
> sctemme@apache.org
> PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
>
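The check Sander describes in the quoted reply above (confirming which ssl and crypto libraries httpd and mod_ssl.so resolve at run time), as an added example that is not part of the original thread. The function name `check_ssl_libs`, the sample `ldd` output and all paths in it are constructed placeholders.

```shell
#!/bin/sh
# check_ssl_libs PREFIX
# Reads `ldd` output on stdin and reports where libssl and libcrypto resolve.
# Returns 0 only when both are loaded from under PREFIX (hypothetical helper).
check_ssl_libs() {
    awk -v prefix="$1" '
        # "absent" = not dynamically linked at all (static build or no SSL).
        BEGIN { state["libssl"] = "absent"; state["libcrypto"] = "absent" }
        {
            # Typical line: "libssl.so.0.9.8 => /some/dir/libssl.so.0.9.8"
            name = $1
            sub(/\.so.*/, "", name)
            if (!(name in state)) next
            # not-found: the runtime linker cannot resolve the library.
            # other:     a different OpenSSL than the intended build is used.
            if ($0 ~ /not found/)                { state[name] = "not-found" }
            else if (index($3, prefix "/") == 1) { state[name] = "ok" }
            else                                 { state[name] = "other:" $3 }
        }
        END {
            print "libssl", state["libssl"]
            print "libcrypto", state["libcrypto"]
            exit (state["libssl"] != "ok" || state["libcrypto"] != "ok")
        }'
}

# Constructed ldd output: libssl is picked up from a second OpenSSL install.
SAMPLE_MIXED='    libssl.so.0.9.8 =>     /usr/local/ssl/lib/libssl.so.0.9.8
    libcrypto.so.0.9.8 =>  /opt/example/openssl/lib/libcrypto.so.0.9.8
    libc.so.1 =>           /usr/lib/libc.so.1'

# Constructed ldd output: both libraries come from the intended build.
SAMPLE_GOOD='    libssl.so.0.9.8 =>     /opt/example/openssl/lib/libssl.so.0.9.8
    libcrypto.so.0.9.8 =>  /opt/example/openssl/lib/libcrypto.so.0.9.8'

# Real use: ldd /path/to/mod_ssl.so | check_ssl_libs /path/to/openssl/lib
printf '%s\n' "$SAMPLE_MIXED" | check_ssl_libs /opt/example/openssl/lib ||
    echo "libssl/libcrypto are not both loaded from the given prefix"
```

Run it once against the httpd binary and once against mod_ssl.so, since a mismatch between the two is as telling as a wrong path in either.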