rs79.vrx.palo-alto.ca.us
INTERESTS|Me|Opinions|Works
Alt.energy|Animals|Art|Biology|Blogroll|Clocks|College|COMPUTERS|Fonts|Formulas|House|Law|Math|Movies|Music|Plants|Plastics|Recipes|Toronto|Transpo|Watches|Wtf
RAID|Books|History|Hw|Net|Speakers|Stylus|SW|Thinkpad|Thinkpads
Js|Certs|Graphics|Http|If|OPENSSL|Shellshock|Www-browsers|Xp
OpenSSL Tips


OpenSSL Tips

    1) What version of opsnssl do you have?
    % openssl version
    OpenSSL 0.9.6m 17 Mar 2004
    % openssl version -p
    platform: solaris64-sparcv9-gcc31
    
    
    2) Make sure the problem is with OpenSSL

    The first thing to do if something to do with SSL doesn't work is use OpenSSL to test the site manually:

    openssl c_client -connect www.paypal.com:443


3) Local issuer certificate

One of the more common errors is when openssl s_client -connect gives you:

verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
This means it can't find the trusted CA store where you should have certs from root CA's you choose to trust. Either it can't find where they are or you don't have any. They are usually found in someting like /use/local/ssl/certs. If you try the above openssl s_client commans pointing to a valid certs directory it should work, ie

openssl s_client -connect www.paypal.com:443 -CApath /usr/local/ssl/certs
NOTE: s_client, because of a bug in at least (maybe others) 0.9.6m, must be explicitly told where the trusted certificate store is per above. It does not read openssl.cnf.


4) Don't use an old version.

There are bugs and security holes, patents, and all sorts of things you want to avoid. The last version of OpenSSL in the 0.9.6 branch is "m" or 0.9.6m. Some ancient versions of OpenSSL have bad ciphers due to a compiler bug. Try disabling them:

   openssl s_client -connect hostname:443 -cipher RC4:@STRENGTH
and if that fixes it a workaorund for httpd.conf is:
SSLCipherSuite DEFAULT:!DES:!3DES:!IDEA:@STRENGTH

5)  Don't mix versions of the libraries.

Openssl 0.96 and 0.97 are not backward compatible. If you have an ancient version of 0.9.6 you should install the last good version of 0.9.6. Otherwise you have to recompile things like Apache to know about 0.9.7.


6)  Installation error ?

While trying to make openssl if you get:

  syntax error at line 1: `;' unexpected
then is a known problem in 0.9.7e. Don't use it. Use a later or earlier version.


7) No shared libraries?

If you don't get any shared libraries upon compilation, force it with:

  ./config shared;make clean;make;make install
If OpenSSL is correctly configured it should make and install properly. If not poke around and make sure your recently compiler openssl binary is in the place you're executing it from and make sure libcrypto.a and libssl.a are the ones you just comopiled and in the right place.


8) Check installation

By default when you call 'make install' it should install headers in /usr/local/ssl/include (under a directory 'openssl') the static libraries under /usr/local/ssl/lib and the openssl binary under /usr/local/ssl/bin.

You can override these defaults with the --prefix and --openssldir in ./Configure so they can end up in different places.



Search Site With Google
KillifishAlternative DNSTropical FishMercedesMercedes parts