OpenSSL Tips

rs79.vrx.palo-alto.ca.us

books

camera

certs

interests
   alt-energy
   animals
   art
   clocks
   colbert
   college
   computers
     books
     camera
     certs
     fonts
     history
     hw
     net
     openssl
     RAID
     speakers
     stylus
     sw
     thinkpad
     esb
     usb
   documentaries
   food
   form letters
   free books
   glasses
   house
   law
   logic
   math
   movies
   music
   plants
   plastics
   recipes
   shellshock
   toronto
   transpo
   usb
   wales
   watches
   wtf
   linguistics
me
opinions
works

OpenSSL Tips

1) What version of opsnssl do you have?

% openssl version
OpenSSL 0.9.6m 17 Mar 2004
% openssl version -p
platform: solaris64-sparcv9-gcc31

2) Make sure the problem is with OpenSSL

The first thing to do if something to do with SSL doesn't work is use OpenSSL to test the site manually:

openssl c_client -connect www.paypal.com:443

3) Local issuer certificate

One of the more common errors is when openssl s_client -connect gives you:

verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate

This means it can't find the trusted CA store where you should have certs from root CA's you choose to trust. Either it can't find where they are or you don't have any. They are usually found in someting like /use/local/ssl/certs. If you try the above openssl s_client commans pointing to a valid certs directory it should work, ie

openssl s_client -connect www.paypal.com:443 -CApath /usr/local/ssl/certs

NOTE: s_client, because of a bug in at least (maybe others) 0.9.6m, must be explicitly told where the trusted certificate store is per above. It does not read openssl.cnf.

4) Don't use an old version.

There are bugs and security holes, patents, and all sorts of things you want to avoid. The last version of OpenSSL in the 0.9.6 branch is "m" or 0.9.6m. Some ancient versions of OpenSSL have bad ciphers due to a compiler bug. Try disabling them:

   openssl s_client -connect hostname:443 -cipher RC4:@STRENGTH

and if that fixes it a workaorund for httpd.conf is:

SSLCipherSuite DEFAULT:!DES:!3DES:!IDEA:@STRENGTH

5) Don't mix versions of the libraries.

Openssl 0.96 and 0.97 are not backward compatible. If you have an ancient version of 0.9.6 you should install the last good version of 0.9.6. Otherwise you have to recompile things like Apache to know about 0.9.7.

6) Installation error ?

While trying to make openssl if you get:

  syntax error at line 1: `;' unexpected

then is a known problem in 0.9.7e. Don't use it. Use a later or earlier version.

7) No shared libraries?

If you don't get any shared libraries upon compilation, force it with:

  ./config shared;make clean;make;make install

If OpenSSL is correctly configured it should make and install properly. If not poke around and make sure your recently compiler openssl binary is in the place you're executing it from and make sure libcrypto.a and libssl.a are the ones you just comopiled and in the right place.

8) Check installation

By default when you call 'make install' it should install headers in /usr/local/ssl/include (under a directory 'openssl') the static libraries under /usr/local/ssl/lib and the openssl binary under /usr/local/ssl/bin.

You can override these defaults with the --prefix and --openssldir in ./Configure so they can end up in different places.