
Mailing List Archive: conserver: users

SSL, certs, and conserver (fix included)

 

 



bryan at conserver

Jun 1, 2005, 11:29 PM

Post #1 of 13 (5352 views)
SSL, certs, and conserver (fix included)

it all started with an innocent enough question:

On Thu, May 26, 2005 at 11:00:35PM +0100, Michael Doyle wrote:
> Can anyone give me an example of using conserver with generated ssl cert's
> (i.e. -c file) for both the server and client. I've compiled conserver with
> openssl support and a tcpdump confirms that traffic is encrypted between
> server and client but when I start the daemon with a ' -c' pointing to a
> self signed certificate file I created, the client happily connects to
> consoles even though I've not specified the equivalent on the client side.
> My understanding is that if I use a cert then the server and client need to
> be using the same. Any pointers appreciated.

and in looking into it, i notice certs weren't working right. the good
news is, being on a plane gave me time enough to really dig into this
and i found the problem (pretty simple, actually). i've included the
patch below, for those who'd actually like to use certs before the next
release.

here's a description of how things are coded to work (once you apply the
patch)....

- neither side uses -c

the ssl bits are allowed to use an unauthenticated cipher to set up
the encryption. that just works.

now, if you use the -c option on either side, that side disables the
unauthenticated ciphers and requires a valid cert handshake. so if...

- server side uses -c

since the anonymous ciphers are not allowed, the client *must*
validate/accept the server's certificate for the handshake to
complete. the server does *not* require a certificate from the
client. if the client provides a certificate, however, the server
*must* validate it as well.

- client side uses -c

again, since the anonymous ciphers are not allowed (on the client,
this time), a valid handshake has to happen. apparently this can
only happen (at least with the code the way it is) if the server
provides a certificate. therefore, you *must* give the server a cert
if you use -c on the client, in which case you're in the boat above.

crazy stuff, no? i think for the most common cases, this behavior is
correct. you want the client to validate a server cert. and if you
give the client a cert, you want the server to validate it.

if anyone is still having issues after applying the patch below, let me
know. it was working well for me and the certs generated with the
contrib/maketestcerts script.

Bryan

===================================

diff -c -r conserver-8.1.11-orig/conserver/main.c conserver-8.1.11/conserver/main.c
*** conserver-8.1.11-orig/conserver/main.c Tue Jul 13 22:28:42 2004
--- conserver-8.1.11/conserver/main.c Wed Jun 1 22:50:35 2005
***************
*** 323,328 ****
--- 323,329 ----
#endif
{
if (ctx == (SSL_CTX *)0) {
+ char *ciphers;
SSL_load_error_strings();
if (!SSL_library_init()) {
Error("SetupSSL(): SSL_library_init() failed");
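Review bot: `ciphers` in the `+ char *ciphers;` line should be `const char *`; it only ever points at string literals and `SSL_CTX_set_cipher_list()` takes a `const char *`, so a writable pointer just invites an accidental write to read-only storage. It is also declared inside the `if (ctx == (SSL_CTX *)0)` block with no initializer, which is fine only as long as every path that reaches the later `SSL_CTX_set_cipher_list(ctx, ciphers)` assigns it; an initializer or a short `/* set below */` comment would make that obvious to the next reader.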
***************
*** 352,357 ****
--- 353,361 ----
config->sslcredentials);
Bye(EX_SOFTWARE);
}
+ ciphers = "ALL:!LOW:!EXP:!MD5:!aNULL:@STRENGTH";
+ } else {
+ ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH";
}
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
SSL_CTX_set_options(ctx,
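Review bot: the two literals differ only in `!aNULL`, so factor the shared base `"ALL:!LOW:!EXP:!MD5"` into one macro and append `":!aNULL:@STRENGTH"` or `":@STRENGTH"` to it; otherwise the copies here and in console.c will drift. The `else` branch also deserves a sentence in the man page: without `-c` the daemon deliberately keeps the anonymous (ADH) suites, so the session is encrypted but the peer is not authenticated and an active attacker between client and server can complete the handshake. `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback)` in the context line below is reached on both paths, but verification only means something once `!aNULL` forces a certificate into the handshake; and since `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` is not set, a client certificate stays optional, as the mail describes.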
***************
*** 362,368 ****
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_AUTO_RETRY);
SSL_CTX_set_tmp_dh_callback(ctx, TmpDHCallback);
! if (SSL_CTX_set_cipher_list(ctx, "ALL:!LOW:!EXP:!MD5:@STRENGTH") !=
1) {
Error("SetupSSL(): setting SSL cipher list failed");
Bye(EX_SOFTWARE);
--- 366,372 ----
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_AUTO_RETRY);
SSL_CTX_set_tmp_dh_callback(ctx, TmpDHCallback);
! if (SSL_CTX_set_cipher_list(ctx, ciphers) !=
1) {
Error("SetupSSL(): setting SSL cipher list failed");
Bye(EX_SOFTWARE);
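Review bot: now that the list passed to `SSL_CTX_set_cipher_list(ctx, ciphers)` varies, the `Error("SetupSSL(): setting SSL cipher list failed")` line should include `ciphers` in the message; on a library built without the anonymous suites it is the no-`-c` list that can come back empty, and the operator needs to see which string was rejected. The `Error(..., config->sslcredentials)` call in the previous hunk shows `Error()` takes format arguments, so something like `Error("SetupSSL(): setting SSL cipher list `%s' failed", ciphers)` would do.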
diff -c -r conserver-8.1.11-orig/console/console.c conserver-8.1.11/console/console.c
*** conserver-8.1.11-orig/console/console.c Mon Oct 25 00:18:20 2004
--- conserver-8.1.11/console/console.c Wed Jun 1 22:50:13 2005
***************
*** 69,74 ****
--- 69,75 ----
#endif
{
if (ctx == (SSL_CTX *)0) {
+ char *ciphers;
SSL_load_error_strings();
if (!SSL_library_init()) {
Error("SSL library initialization failed");
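Review bot: this repeats the server-side declaration verbatim, and the same `const char *` point applies. Since client and server must agree on what `-c` means, the two cipher strings belong in one header shared by both binaries rather than as separate literals in main.c and console.c; a future change to one list would otherwise silently leave the other behind.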
***************
*** 95,100 ****
--- 96,104 ----
config->sslcredentials);
Bye(EX_UNAVAILABLE);
}
+ ciphers = "ALL:!LOW:!EXP:!MD5:!aNULL:@STRENGTH";
+ } else {
+ ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH";
}
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
SSL_CTX_set_options(ctx,
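Review bot: the client-side `ciphers = "ALL:!LOW:!EXP:!MD5:!aNULL:@STRENGTH"` is what makes `-c` on the client force a server certificate, but it is reached only after `config->sslcredentials` loads successfully (the `Bye(EX_UNAVAILABLE)` just above it is the failure path), and the `else` branch silently falls back to the anonymous suites. That matches the description in the mail, but it is subtle enough that the console(1) man page should state it: a client run without `-c` accepts an unauthenticated server, and `SSL_VERIFY_PEER` in the context line below does not change that while an aNULL suite can still be negotiated, because no certificate is ever presented for the callback to judge.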
***************
*** 104,110 ****
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_AUTO_RETRY);
! if (SSL_CTX_set_cipher_list(ctx, "ALL:!LOW:!EXP:!MD5:@STRENGTH") !=
1) {
Error("Setting SSL cipher list failed");
Bye(EX_UNAVAILABLE);
--- 108,114 ----
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_AUTO_RETRY);
! if (SSL_CTX_set_cipher_list(ctx, ciphers) !=
1) {
Error("Setting SSL cipher list failed");
Bye(EX_UNAVAILABLE);
_______________________________________________
users mailing list
users [at] conserver
https://www.conserver.com/mailman/listinfo/users


phil at usc

Jun 1, 2005, 11:45 PM

Post #2 of 13 (5215 views)
Re: SSL, certs, and conserver (fix included) [In reply to]

On Wed, Jun 01, 2005 at 11:29:18PM -0700, Bryan Stansell wrote:
> it all started with an innocent enough question:
>
> On Thu, May 26, 2005 at 11:00:35PM +0100, Michael Doyle wrote:
> > Can anyone give me an example of using conserver with generated ssl cert's
> > (i.e. -c file) for both the server and client. I've compiled conserver with
> > openssl support and a tcpdump confirms that traffic is encrypted between
> > server and client but when I start the daemon with a ' -c' pointing to a
> > self signed certificate file I created, the client happily connects to
> > consoles even though I've not specified the equivalent on the client side.
> > My understanding is that if I use a cert then the server and client need to
> > be using the same. Any pointers appreciated.
>
> and in looking into it, i notice certs weren't working right. the good
> news is, being on a plane gave me time enough to really dig into this
> and i found the problem (pretty simple, actually). i've included the
> patch below, for those who'd actually like to use certs before the next
> release.

Oh - that explains why it "worked" for me - I was allowing unauthenticated
ciphers.... I assume that was the part that _wasn't_ broken.

OK. Cool.

--
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 174 - 213-821-5427


cross+conserver at distal

Oct 4, 2005, 1:16 PM

Post #3 of 13 (5065 views)
Re: SSL, certs, and conserver (fix included) [In reply to]

I'm having a problem with getting conserver (8.1.12) working
with an SSL connection. I presume 8.1.12 doesn't need the
patch that you posted to the list, as its release date is
after the date of this email. :-)

Bryan Stansell wrote:
> here's a description of how things are coded to work (once you apply the
> patch)....
>
> - neither side uses -c
>
> the ssl bits are allowed to use an unauthenticated cipher to set up
> the encryption. that just works.

This is what I'm trying to do. I have my conserver.cf set
up so that ssl is required, and when I try running the client
to connect to it, I get:

% console -x -p 782
console: SSL negotiation failed
2173:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash
unavailable:../../../../common/openssl/ssl/t1_enc.c:449:
%

I'm not sure what that means. This is on a solaris 10
system, using the ssl libraries that are part of the
installed OS. These are OpenSSL as of about January
of 2005, but I can't see a version number in the package
info. The header suggests it is, or was, 0.9.7d.

Bryan, do you have any idea what I'm doing wrong
here? I'm running the client on the same machine
the server daemon is running on, and the name compiled
into the binaries is CNAME'd to this machines external
address. If I "-M localhost" I get the same error
message, however.

Thanks. Any help appreciated.

- Chris



bryan at conserver

Oct 4, 2005, 4:07 PM

Post #4 of 13 (5073 views)
Re: SSL, certs, and conserver (fix included) [In reply to]

On Tue, Oct 04, 2005 at 04:16:50PM -0400, Chris Ross wrote:
> I'm having a problem with getting conserver (8.1.12) working
> with an SSL connection. I presume 8.1.12 doesn't need the
> patch that you posted to the list, as it's release date is
> after the date of this email. :-)

correct...it's part of 8.1.12.

> console: SSL negotiation failed
> 2173:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash
> unavailable:../../../../common/openssl/ssl/t1_enc.c:449:
> %
>
> I'm not sure what that means. This is on a solaris 10
> system, using the ssl libraries that are part of the
> installed OS. These are OpenSSL as of about January
> of 2005, but I can't see a version number in the package
> info. The header suggests it is, or was, 0.9.7d.

my best guess, based on the "cipher or hash unavailable" is that however
solaris 10 has openssl configured, the anonymous ciphers aren't there.
at least, that's my best bet. i tried a solaris 10 x86 host with
openssl 0.9.7e (compiled from source) and it works just fine. if you
create certificates (installed appropriately, etc) and it works, then
that's probably it. it might be easier to just build openssl.

on my box, i do "strings /usr/local/lib/libssl.a |grep -i ADH" and get:

EXP-ADH-RC4-MD5
ADH-RC4-MD5
EXP-ADH-DES-CBC-SHA
ADH-DES-CBC-SHA
ADH-DES-CBC3-SHA
ADH-AES128-SHA
ADH-AES256-SHA
ALL:!ADH:+RC4:@STRENGTH
ALL:!ADH:+RC4:@STRENGTH

i'm not sure if those disappear if you compile openssl without the
anonymous ciphers. but if the library doesn't have references to them,
that's probably it.

hopefully something along those lines shed some light.

Bryan
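
The two cipher strings in Bryan's patch (the "-c" semantics described in the first post) and the `strings libssl.a | grep -i ADH` check in the reply above can both be exercised directly against whatever OpenSSL is installed. What follows is an added example, not conserver's or Bryan's code. It uses Python's ssl module because that module hands the string to the same OpenSSL cipher-list parser `SSL_CTX_set_cipher_list()` uses, and it assumes only that the OpenSSL Python links against still compiles in the anonymous (ADH/AECDH) suites. It expands each list, separates the suites that authenticate nobody (OpenSSL describes them as `Au=None`) from the rest, and answers the question the strings(1) check was aimed at: whether the library offers any aNULL suite at all.

```python
"""Added example, not conserver's own code: what the two cipher strings
from the patch actually select, checked through Python's ssl module.

Assumption (mine, not from the thread): the OpenSSL that Python links
against still compiles in the anonymous ADH/AECDH suites.  If it does
not, anonymous_suites(CIPHERS_NO_CERT) comes back empty, which is the
condition Chris reported from the Solaris 10 build: no aNULL suite left
for the no-certificate mode."""
import ssl

# The two strings exactly as the patch sets them in main.c and console.c.
CIPHERS_WITH_CERT = "ALL:!LOW:!EXP:!MD5:!aNULL:@STRENGTH"  # -c given
CIPHERS_NO_CERT = "ALL:!LOW:!EXP:!MD5:@STRENGTH"           # no -c


def selected_ciphers(cipher_string):
    """Expand a cipher string the way SSL_CTX_set_cipher_list() does and
    return the resulting suites as dicts (name, description, ...)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def is_anonymous(cipher):
    """True for suites that authenticate nobody; OpenSSL's own description
    string marks them with the token Au=None."""
    return "Au=None" in cipher["description"].split()


def cipher_names(cipher_string):
    """Suite names selected by a cipher string, in OpenSSL's order."""
    return [c["name"] for c in selected_ciphers(cipher_string)]


def anonymous_suites(cipher_string):
    """Names of the suites in the list that let a peer (or a MITM) complete
    the handshake without presenting any certificate."""
    return [c["name"] for c in selected_ciphers(cipher_string)
            if is_anonymous(c)]


def library_has_anonymous_suites():
    """Does this OpenSSL build offer any aNULL suite at all?  This is the
    reliable form of `strings libssl.a | grep -i ADH`: it asks the parser
    instead of looking for cipher names left in the binary."""
    try:
        return bool(anonymous_suites("aNULL"))
    except ssl.SSLError:  # set_ciphers() fails when no suite matches
        return False


def conserver_cipher_string(has_credentials):
    """Which list the patched SetupSSL() picks, keyed on whether -c was used."""
    return CIPHERS_WITH_CERT if has_credentials else CIPHERS_NO_CERT


if __name__ == "__main__":
    for label, has_cred in (("-c given", True), ("no -c", False)):
        cs = conserver_cipher_string(has_cred)
        names = cipher_names(cs)
        anon = anonymous_suites(cs)
        print(f"{label:9s} {cs}")
        print(f"          {len(names)} suites, {len(anon)} anonymous: {anon[:3]}")
    print("library has aNULL suites:", library_has_anonymous_suites())
```

Run it and the "-c given" list should come back with no anonymous suites while the "no -c" list still carries the ADH/AECDH entries; that difference is the entire effect of the patch, and it is also why Phil's setup "worked" without certificates. If the last line reports that the library has no aNULL suites, the no-`-c` mode cannot be negotiated on that build at all, which is the situation Chris's Solaris 10 report above describes.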


dj at gregor

Oct 4, 2005, 7:55 PM

Post #5 of 13 (5078 views)
Re: SSL, certs, and conserver (fix included) [In reply to]

The OpenSSL libraries that ship in /usr/sfw on Solaris 10 are broken
and/or don't work with most of the clients out there. You might want
to check for a patch, install OpenSSL from Sun Freeware or Blastwave,
or compile OpenSSL yourself. I had similar problems when compiling SSL
apps a few months ago (in my case, an SSL-enabled version of WU-imapd).


- djg

On Oct 4, 2005, at 4:16 PM, Chris Ross wrote:

> % console -x -p 782
> console: SSL negotiation failed
> 2173:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash
> unavailable:../../../../common/openssl/ssl/t1_enc.c:449:
> %
>
> I'm not sure what that means. This is on a solaris 10
> system, using the ssl libraries that are part of the
> installed OS. These are OpenSSL as of about January
> of 2005, but I can't see a version number in the package
> info. The header suggests it is, or was, 0.9.7d.



cross+conserver at distal

Oct 11, 2005, 2:50 PM

Post #6 of 13 (5036 views)
Re: SSL, certs, and conserver (fix included) [In reply to]

Bryan Stansell wrote:
> on my box, i do "strings /usr/local/lib/libssl.a |grep -i ADH" and get:
>
> EXP-ADH-RC4-MD5
> ADH-RC4-MD5
> EXP-ADH-DES-CBC-SHA
> ADH-DES-CBC-SHA
> ADH-DES-CBC3-SHA
> ADH-AES128-SHA
> ADH-AES256-SHA
> ALL:!ADH:+RC4:@STRENGTH
> ALL:!ADH:+RC4:@STRENGTH
>
> i'm not sure if those disappear if you compile openssl without the
> anonymous ciphers. but if the library doesn't have references to them,
> that's probably it.


Sorry it took me so long to get back to this...

Sadly, that doesn't tell me much. I get:

% strings /usr/sfw/lib/libssl.so.0.9.7 |grep -i ADH
EXP-ADH-RC4-MD5
ADH-RC4-MD5
EXP-ADH-DES-CBC-SHA
ADH-DES-CBC-SHA
ADH-DES-CBC3-SHA
ADH-AES128-SHA
ADH-AES256-SHA
ALL:!DHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:!ADH:+RC4:@STRENGTH
ALL:!DHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:!ADH:+RC4:@STRENGTH
ALL:!DHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:!ADH:+RC4:@STRENGTH
%

So, about the same thing...

Anyone have any idea if I can compile a program against
the libraries to confirm or debate the suspicion that my
conserver SSL problems are based on the way OpenSSL
was modified and/or built? Or a suggestion as to what
calls I would use to write one myself...

Thanks...

- Chris


cross+conserver at distal

Oct 13, 2005, 10:13 AM

Post #7 of 13 (5021 views)
Re: SSL, certs, and conserver (fix included) [In reply to]

Okay. So I got back to this. It appears that even
with my own compiled OpenSSL, I'm still getting a
problem. I no longer get the error from within the
SSL library that I was getting with the OpenSSL
that solaris ships, but if I run conserver and
console compiled against static libssl and libcrypto
from either 0.9.7d or 0.9.7h, the server runs,
and the client exits saying:

% console -x
console: SSL negotiation failed
%

At this point, the server reports:

[Thu Oct 13 13:09:11 2005] conserver (4041): ERROR: FileSSLAccept(): SSL error on fd 5

So. Even less debugging information. :-(

Anyone have any idea what's going on here?
Bryan?

- Chris



bryan at conserver

Oct 13, 2005, 4:34 PM

Post #8 of 13 (5024 views)
Re: SSL, certs, and conserver (fix included) [In reply to]

well, i'm seriously lacking on ideas. can you show me a 'conserver -V',
so i know how it was compiled, etc? and can you make sure that you're
using one version of conserver (not picking up the wrong binary because
of multiple installs or a $PATH issue or something)? and perhaps the
conserver.cf (with whatever you want made generic). or, better yet, if
you point conserver to the test/test1.cf config file and try things with
that, does it produce the same issue?

i can't reproduce the problem, so i'm fishin'...

Bryan


cross+conserver at distal

Oct 19, 2005, 11:55 AM

Post #9 of 13 (5024 views)
Re: SSL, certs, and conserver (fix included) [In reply to]

Bryan Stansell wrote:
> well, i'm seriously lacking on ideas. can you show me a 'conserver -V',
> so i know how it was compiled, etc? and can you make sure that you're
> using one version of conserver (not picking up the wrong binary because
> of multiple installs or a $PATH issue or something)? and perhaps the
> conserver.cf (with whatever you want made generic). or, better yet, if
> you point conserver to the test/test1.cf config file and try things with
> that, does it produce the same issue?

Okay. I did the latter. The conserver -V produces:

conserver: conserver.com version 8.1.12
conserver: default access type `r'
conserver: default escape sequence `^Ec'
conserver: default configuration in `/etc/conserver/conserver.cf'
conserver: default password in `/etc/conserver/conserver.passwd'
conserver: default logfile is `/var/log/conserver'
conserver: default pidfile is `/var/run/conserver.pid'
conserver: default limit is 16 members per group
conserver: default primary port referenced as `782'
conserver: default secondary base port referenced as `0'
conserver: options: libwrap, openssl, pam
conserver: openssl version: OpenSSL 0.9.7d 17 Mar 2004
conserver: built with `./configure --sysconfdir=/etc/conserver
--prefix=/usr/local --with-openssl=/usr/sfw --with-pam --with-libwrap
--with-port=782 --with-master=sesirm-console'

But, despite the --with-openssl, I whacked the makefile
so that it built with a libssl.a and libcrypto.a that I
built. ldd confirms it doesn't link with the Solaris
libssl.so and libcrypto.so (solaris doesn't ship .a
versions of those libs).

When I run it with test/test1.cf, it says:

# /usr/local/sbin/conserver -C /tmp/conserver-8.1.12/test/test1.cf
[Wed Oct 19 14:48:46 2005] conserver (6010): conserver.com version 8.1.12
[Wed Oct 19 14:48:46 2005] conserver (6010): started as `root' by `cross'
[Wed Oct 19 14:50:19 2005] conserver (6010): ERROR: FileSSLAccept(): SSL error on fd 5
^C[Wed Oct 19 14:51:03 2005] conserver (6010): terminated
#


That ERROR line was produced when I ran the client, as
follows:

% /usr/local/bin/console -x
sesirm-console: access from your host refused
% /usr/local/bin/console -M 127.0.0.1 -x
console: SSL negotiation failed
%

Obviously, only the second one succeeded, and produced
the error listed above.

I don't know if this helps at all, or not. If
you can suggest to me where in the code I should
start debugging, I can do that. I'm pretty good
at code, but could use a pointer as to where to
start sticking in the debugging printf's. :-)

- Chris



cross+conserver at distal

Oct 19, 2005, 12:16 PM

Post #10 of 13 (4997 views)
Re: SSL, certs, and conserver (fix included) [In reply to]

Ah-ha. Okay, I'm still curious what was wrong.
But, I was a bit more careful about what include
files I used, and what libraries I used. I think
I had previously tried with both 0.9.7d, and 0.9.7h.
But, it appears I didn't try 0.9.7h *right*. I
made sure to *not* use the installed (0.9.7d)
include files, and use the 0.9.7h include files,
and static libraries. Now I get a binary that
works correctly. The same compilation process,
with 0.9.7d and the installed headers, yields
the same error...

# /usr/local/sbin/conserver -C /tmp/conserver-8.1.12/test/test1.cf -V
conserver: conserver.com version 8.1.12
conserver: default access type `r'
conserver: default escape sequence `^Ec'
conserver: default configuration in `/etc/conserver/conserver.cf'
conserver: default password in `/etc/conserver/conserver.passwd'
conserver: default logfile is `/var/log/conserver'
conserver: default pidfile is `/var/run/conserver.pid'
conserver: default limit is 16 members per group
conserver: default primary port referenced as `782'
conserver: default secondary base port referenced as `0'
conserver: options: libwrap, openssl, pam
conserver: openssl version: OpenSSL 0.9.7h 11 Oct 2005
conserver: built with `./configure --sysconfdir=/etc/conserver
--prefix=/usr/local --with-openssl=/tmp/conserver-8.1.12/openssl
--with-pam --with-libwrap --with-port=782 --with-master=sesirm-console'
#

> % /usr/local/bin/console -M 127.0.0.1 -x
> console: SSL negotiation failed
> %

% /usr/local/bin/console -M 127.0.0.1 -x
shell2 on /dev/pts/2 at Local
shell on /dev/pts/3 at Local
%


Tho, it now occurs to me, maybe it's the installed
header files. Could the installed header files be
messed up such that something fails, even if the
library itself isn't messed up? Hmm, let me test
that...

Hmm, no, even making sure to compile against the
headers that ship with openssl-0.9.7d, it still
fails in the same way.

So, I have a workaround now, but would like to
know if you knew that it required something above
0.9.7d? Thanks...

- Chris


bryan at conserver

Oct 19, 2005, 3:20 PM

Post #11 of 13 (5017 views)
Re: SSL, certs, and conserver (fix included) [In reply to]

> Hmm, no, even making sure to compile against the
> headers that ship with openssl-0.9.7d, it still
> fails in the same way.
>
> So, I have a workaround now, but would like to
> know if you knew that it required something above
> 0.9.7d? Thanks...

i didn't know (or expect) a requirement of using something newer than
0.9.7d. the code used to work with 0.9.6, etc. something could very
well have changed such that it's not backward compatible any more - in
some way.

surprisingly, i have openssl-0.9.7d (as well as a handful of other
versions on my box). here's two (0.9.7d and 0.9.7c):

underdog 9067:$ ./conserver/conserver -V
conserver: conserver.com version 8.1.12
conserver: default access type `r'
conserver: default escape sequence `^Ec'
conserver: default configuration in `/usr/local/etc/conserver.cf'
conserver: default password in `/usr/local/etc/conserver.passwd'
conserver: default logfile is `/var/log/conserver'
conserver: default pidfile is `/var/run/conserver.pid'
conserver: default limit is 16 members per group
conserver: default primary port referenced as `9999'
conserver: default secondary base port referenced as `0'
conserver: options: openssl, pam
conserver: openssl version: OpenSSL 0.9.7d 17 Mar 2004
conserver: built with `./configure --with-pam --with-openssl=/tools/openssl-0.9.7d --with-port=9999 --with-master=localhost'

underdog 9076:$ ./conserver/conserver -V
conserver: conserver.com version 8.1.12
conserver: default access type `r'
conserver: default escape sequence `^Ec'
conserver: default configuration in `/usr/local/etc/conserver.cf'
conserver: default password in `/usr/local/etc/conserver.passwd'
conserver: default logfile is `/var/log/conserver'
conserver: default pidfile is `/var/run/conserver.pid'
conserver: default limit is 16 members per group
conserver: default primary port referenced as `9999'
conserver: default secondary base port referenced as `0'
conserver: options: openssl, pam
conserver: openssl version: OpenSSL 0.9.7c 30 Sep 2003
conserver: built with `./configure --with-pam --with-openssl=/tools/openssl-0.9.7c --with-port=9999 --with-master=localhost'

both work just fine. so, i'm not sure if there's something with the
solaris distribution or what, but it's obviously not "happy". if
someone can point out some way in which the conserver code is bad,
cool...i'm more than happy to fix it. but right now, i'm going to just
assume the solaris distribution is broken/limited/dysfunctional.

i'm glad it's working for you now!

Bryan


cross+conserver at distal

Jun 29, 2006, 10:17 AM

Post #12 of 13 (4427 views)
Re: SSL, certs, and conserver (fix included) [In reply to]

On Oct 19, 2005, at 6:20 PM, Bryan Stansell wrote:
>> So, I have a workaround now, but would like to
>> know if you knew that it required something above
>> 0.9.7d? Thanks...
>
> i didn't know (or expect) a requirement of using something newer than
> 0.9.7d. the code used to work with 0.9.6, etc. something could very
> well have changed such that it's not backward compatible any more - in
> some way.
>
> surprisingly, i have openssl-0.9.7d (as well as a handful of other
> versions on my box). here's two (0.9.7d and 0.9.7c):

So, time flies by, jobs change, and now I'm at a totally different place
finding the same problem. It's still a sparc Solaris 10 machine, in this
case Solaris 10 Update 1 (I think. We have update 2 boxes around, as
well, but this is an Update 1 box).

I have the aforementioned problem that when running with a
compilation against the Solaris 0.9.7d OpenSSL, I get:

[Thu Jun 29 12:51:37 2006] conserver (5930): ERROR: FileSSLAccept(): SSL error on fd 5

as output from conserver -v, and I get:

$ console -x
console: SSL negotiation failed
5932:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash
unavailable:../../../../common/openssl/ssl/t1_enc.c:449:
$

from the client command as shown.

:-/ I found the old conversation on the web (and later in my
mailbox. ;-)
and now know that with a fair amount of effort, I can work around this
problem, but it seems like we should try to figure out why this fails
on Solaris.

If you think you might have some time to help me with it s'more, I
can probably even make a solaris box available to you, given a
little bit of time.

Let me know if you have any other suggestions of things to try.
conserver -V output is attached, in case it's useful...

$ /usr/local/sbin/conserver -V
conserver: conserver.com version 8.1.14
conserver: default access type `r'
conserver: default escape sequence `^Ec'
conserver: default configuration in `/etc/conserver/conserver.cf'
conserver: default password in `/etc/conserver/conserver.passwd'
conserver: default logfile is `/var/log/conserver'
conserver: default pidfile is `/var/run/conserver.pid'
conserver: default limit is 16 members per group
conserver: default primary port referenced as `conserver'
conserver: default secondary base port referenced as `0'
conserver: options: openssl, pam
conserver: openssl version: OpenSSL 0.9.7d 17 Mar 2004
conserver: built with `./configure --prefix=/usr/local --sysconfdir=/etc/conserver --with-extmsgs --with-rpath --with-openssl --with-pam'



dj at gregor

Jun 29, 2006, 9:39 PM

Post #13 of 13 (4440 views)
Re: SSL, certs, and conserver (fix included) [In reply to]

Here are references to this problem:

https://www.conserver.com/pipermail/users/2005-October/msg00002.html
http://www.google.com/search&q=%22cipher+or+hash+unavailable%22+%22solaris+10%22

Note that it doesn't fail on Solaris in all cases--it fails with the
OpenSSL that *ships with Solaris 10*. If you compile OpenSSL
yourself and make sure that conserver links with the OpenSSL that you
compiled, it's fine.

This might have some insight:

http://cvs.opensolaris.org/source/xref/on/usr/src/common/openssl/README.SUNW


- djg


 
 

