You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by "John J. Consolati" <co...@llnl.gov> on 2009/12/02 20:34:19 UTC
Re: [users@httpd] SSL on Apache 2.2.14
Finally figured this out and thought I'd put up the solution in case
anyone else encounters it...
Turns out the problem lies with SunStudio 11 on Solaris 9 -- there is
a compiler optimization bug that doesn't compile OpenSSL properly
(specifically, the AES algorithms fail the make test).
I went in and did the normal ./config to OpenSSL, but then edited the
Makefile. I changed CFLAG from
CFLAG= -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -
xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -
DBN_DIV2W
to
CFLAG= -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -
xstrconst -xdepend=no -Xa -DB_ENDIAN -DBN_DIV2W
Basically, just took out the optimization stuff and compiled for a
generic environment. You have to make sure to specify -xdepend=no
though, otherwise the compiler will automatically change optimization
to level 3 in order to support dependence based transformations.
Hope this helps someone. Thank you to everyone that offered
suggestions and support.
Regards,
John Consolati
Lawrence Livermore National Laboratory
On Nov 30, 2009, at 11:59 AM, John J. Consolati wrote:
> Hi All,
>
> I'll try to squeeze everyone's suggestions into this mail. Sorry
> for the delay -- was busy eating turkey for a couple of days :)
>
> Dan:
>
> When I built OpenSSL, I only specified --openssldir in the ./
> config. The libraries are in .../installed/lib.
>
> Daniel:
>
> bash-2.05# pldd 14100
> 14100: /erd/www/erd/server/apache/httpd-2.2.14/installed/bin/httpd -
> f /erd/ww
> /usr/lib/libm.so.1
> /erd/www/erd/server/apache/httpd-2.2.14/installed/lib/
> libaprutil-1.so.0
> /erd/www/erd/server/apache/httpd-2.2.14/installed/lib/libexpat.so.0
> /erd/www/erd/server/apache/httpd-2.2.14/installed/lib/libapr-1.so.0
> /usr/lib/libuuid.so.1
> /usr/lib/libsendfile.so.1
> /usr/lib/librt.so.1
> /usr/lib/libsocket.so.1
> /usr/lib/libnsl.so.1
> /usr/lib/libpthread.so.1
> /usr/lib/libdl.so.1
> /usr/lib/libthread.so.1
> /usr/lib/libc.so.1
> /usr/ucblib/libucb.so.1
> /usr/lib/libresolv.so.2
> /usr/lib/libelf.so.1
> /usr/lib/libaio.so.1
> /usr/lib/libmd5.so.1
> /usr/lib/libmp.so.2
> /usr/platform/sun4u-us3/lib/libc_psr.so.1
> /usr/lib/nss_files.so.1
> /usr/lib/nss_nisplus.so.1
> /usr/lib/libdoor.so.1
>
> Crypto:
>
> Yes, I will be using client authentication.
>
> Sander:
>
> OpenSSL was built with Sun CC.
>
> I'm currently trying the build with the new PATH.
>
> Here the output of the openssl s_client:
>
> CONNECTED(00000004)
> write to 0x20fdd0 [0x2103e0] (124 bytes => 124 (0x7C))
> 0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00
> 00 .z....Q... ..9..
> 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0
> 8..5............
> 0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03 ..
> 3..2../.......
> 0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00
> 00 ................
> 0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00
> 08 ......@.........
> 0050 - 00 00 06 04 00 80 00 00-03 02 00 80 81 2b f6
> 0f .............+..
> 0060 - 23 aa 7d 2e 5c ae 1b 8c-3e 95 78 65 ef 22 b7 54 #.}.
> \...>.xe.".T
> 0070 - a2 8e d9 dd 39 26 b6 e7-03 6c f4 42 ....9&...l.B
> read from 0x20fdd0 [0x215940] (7 bytes => 7 (0x7))
> 0000 - 16 03 01 00 2a 02 ....*.
> 0007 - <SPACES/NULS>
> read from 0x20fdd0 [0x215947] (40 bytes => 40 (0x28))
> 0000 - 00 26 03 01 4b 13 ec f7-25 b2 46 61 86 86 ba 6f .&..K...
> %.Fa...o
> 0010 - 72 8e d3 f7 a4 e9 21 79-c5 2f 4c 86 4c 54 14 42 r.....!y./
> L.LT.B
> 0020 - 31 41 a1 b9 00 00 39 1A....9
> 0028 - <SPACES/NULS>
> read from 0x20fdd0 [0x215940] (5 bytes => 5 (0x5))
> 0000 - 16 03 01 09 f3 .....
> read from 0x20fdd0 [0x215945] (2547 bytes => 2547 (0x9F3))
> 0000 - 0b 00 09 ef 00 09 ec 00-05 46 30 82 05 42 30
> 82 .........F0..B0.
> 0010 - 04 2a a0 03 02 01 02 02-10 39 37 ec 17 22 f4 a8 .*.......
> 97.."..
> 0020 - f9 08 49 8f bf 92 b1 b6-e0 30 0d 06 09 2a 86 48 ..I......
> 0...*.H
> 0030 - 86 f7 0d 01 01 05 05 00-30 81 b0 31 0b 30 09 06 ........
> 0..1.0..
> 0040 - 03 55 04 06 13 02 55 53-31 17 30 15 06 03 55
> 04 .U....US1.0...U.
> 0050 - 0a 13 0e 56 65 72 69 53-69 67 6e 2c 20 49 6e
> 63 ...VeriSign, Inc
> 0060 - 2e 31 1f 30 1d 06 03 55-04 0b 13 16 56 65 72 69 .
> 1.0...U....Veri
> 0070 - 53 69 67 6e 20 54 72 75-73 74 20 4e 65 74 77 6f Sign Trust
> Netwo
> 0080 - 72 6b 31 3b 30 39 06 03-55 04 0b 13 32 54 65 72 rk1;09..U...
> 2Ter
> 0090 - 6d 73 20 6f 66 20 75 73-65 20 61 74 20 68 74 74 ms of use
> at htt
> 00a0 - 70 73 3a 2f 2f 77 77 77-2e 76 65 72 69 73 69 67 ps://
> www.*verisig
> 00b0 - 6e 2e 63 6f 6d 2f 72 70-61 20 28 63 29 30 35 31 n.com/rpa
> (c)051
> 00c0 - 2a 30 28 06 03 55 04 03-13 21 56 65 72 69 53 69 *0(..U...!
> VeriSi
> 00d0 - 67 6e 20 43 6c 61 73 73-20 33 20 53 65 63 75 72 gn Class 3
> Secur
> 00e0 - 65 20 53 65 72 76 65 72-20 43 41 30 1e 17 0d 30 e Server
> CA0...0
> 00f0 - 39 30 35 30 34 30 30 30-30 30 30 5a 17 0d 31 30
> 90504000000Z..10
> 0100 - 30 35 30 34 32 33 35 39-35 39 5a 30 81 b5 31 0b
> 0504235959Z0..1.
> 0110 - 30 09 06 03 55 04 06 13-02 55 53 31 13 30 11 06
> 0...U....US1.0..
> 0120 - 03 55 04 08 13 0a 43 61-6c 69 66 6f 72 6e 69
> 61 .U....California
> 0130 - 31 12 30 10 06 03 55 04-07 14 09 4c 69 76 65 72
> 1.0...U....Liver
> 0140 - 6d 6f 72 65 31 2f 30 2d-06 03 55 04 0a 14 26 4c
> more1/0-..U...&L
> 0150 - 61 77 72 65 6e 63 65 20-4c 69 76 65 72 6d 6f 72 awrence
> Livermor
> 0160 - 65 20 4e 61 74 69 6f 6e-61 6c 20 4c 61 62 6f 72 e National
> Labor
> 0170 - 61 74 6f 72 79 31 30 30-2e 06 03 55 04 0b 14 27
> atory100...U...'
> 0180 - 45 6e 76 69 72 6f 6e 6d-65 6e 74 61 6c 20 52 65
> Environmental Re
> 0190 - 73 74 6f 72 61 74 69 6f-6e 20 44 69 76 69 73 69 storation
> Divisi
> 01a0 - 6f 6e 20 65 72 64 63 31-1a 30 18 06 03 55 04 03 on
> erdc1.0...U..
> 01b0 - 14 11 77 77 77 2d 65 72-64 63 2e 6c 6c 6e 6c 2e ..www-
> erdc.llnl.
> 01c0 - 67 6f 76 30 81 9f 30 0d-06 09 2a 86 48 86 f7 0d
> gov0..0...*.H...
> 01d0 - 01 01 01 05 00 03 81 8d-00 30 81 89 02 81 81 00 .........
> 0......
> 01e0 - b5 d0 17 60 87 b1 67 2c-66 88 db 6e 5a fb 03
> 50 ...`..g,f..nZ..P
> 01f0 - 1c 64 88 2e 35 84 af 92-24 d8 d0 7d bb 20 43 a7 .d..
> 5...$..}. C.
> 0200 - 00 e4 81 42 75 7c e9 ef-d3 42 9f 22 2d 43 26
> 97 ...Bu|...B."-C&.
> 0210 - 75 6b 29 7e 67 43 c7 99-37 4d 09 53 59 49 7b ae uk)~gC..
> 7M.SYI{.
> 0220 - dd fb 66 f7 a1 9c 76 67-c0 39 e7 9a 84 2c a2 a9 ..f...vg.
> 9...,..
> 0230 - d3 29 51 5f 25 e9 85 03-5d 96 e5 44 3c 2e 59 c9 .)Q_
> %...]..D<.Y.
> 0240 - 5c ac ab 50 72 4c b2 c3-46 83 d5 6d 53 ac 7e 5b
> \..PrL..F..mS.~[
> 0250 - 8d a4 93 60 15 85 4e f5-94 c7 f4 91 6f e6 2f
> 1f ...`..N.....o./.
> 0260 - 02 03 01 00 01 a3 82 01-d3 30 82 01 cf 30 09 06 .........
> 0...0..
> 0270 - 03 55 1d 13 04 02 30 00-30 0b 06 03 55 1d 0f 04 .U....
> 0.0...U...
> 0280 - 04 03 02 05 a0 30 44 06-03 55 1d 1f 04 3d 30 3b .....
> 0D..U...=0;
> 0290 - 30 39 a0 37 a0 35 86 33-68 74 74 70 3a 2f 2f 53
> 09.7.5.3http://*S
> 02a0 - 56 52 53 65 63 75 72 65-2d 63 72 6c 2e 76 65 72 VRSecure-
> crl.ver
> 02b0 - 69 73 69 67 6e 2e 63 6f-6d 2f 53 56 52 53 65 63 isign.com/
> SVRSec
> 02c0 - 75 72 65 32 30 30 35 2e-63 72 6c 30 44 06 03 55
> ure2005.crl0D..U
> 02d0 - 1d 20 04 3d 30 3b 30 39-06 0b 60 86 48 01 86
> f8 . .=0;09..`.H...
> 02e0 - 45 01 07 17 03 30 2a 30-28 06 08 2b 06 01 05 05 E....0*0(..
> +....
> 02f0 - 07 02 01 16 1c 68 74 74-70 73 3a 2f 2f 77 77 77 .....https://*www
> 0300 - 2e 76 65 72 69 73 69 67-6e 2e 63 6f 6d 2f 72
> 70 .verisign.com/rp
> 0310 - 61 30 1d 06 03 55 1d 25-04 16 30 14 06 08 2b 06 a0...U.%..
> 0...+.
> 0320 - 01 05 05 07 03 01 06 08-2b 06 01 05 05 07 03 02 ........
> +.......
> 0330 - 30 1f 06 03 55 1d 23 04-18 30 16 80 14 6f ec af 0...U.#..
> 0...o..
> 0340 - a0 dd 8a a4 ef f5 2a 10-67 2d 3f 55 82 bc d7 ef ......*.g-?
> U....
> 0350 - 25 30 79 06 08 2b 06 01-05 05 07 01 01 04 6d 30 %0y..
> +........m0
> 0360 - 6b 30 24 06 08 2b 06 01-05 05 07 30 01 86 18 68 k0$..+.....
> 0...h
> 0370 - 74 74 70 3a 2f 2f 6f 63-73 70 2e 76 65 72 69 73 ttp://
> ocsp.veris
> 0380 - 69 67 6e 2e 63 6f 6d 30-43 06 08 2b 06 01 05 05 ign.com0C..
> +....
> 0390 - 07 30 02 86 37 68 74 74-70 3a 2f 2f 53 56 52 53 .0..7http://
> *SVRS
> 03a0 - 65 63 75 72 65 2d 61 69-61 2e 76 65 72 69 73 69 ecure-
> aia.verisi
> 03b0 - 67 6e 2e 63 6f 6d 2f 53-56 52 53 65 63 75 72 65 gn.com/
> SVRSecure
> 03c0 - 32 30 30 35 2d 61 69 61-2e 63 65 72 30 6e 06 08 2005-
> aia.cer0n..
> 03d0 - 2b 06 01 05 05 07 01 0c-04 62 30 60 a1 5e a0 5c
> +........b0`.^.\
> 03e0 - 30 5a 30 58 30 56 16 09-69 6d 61 67 65 2f 67 69
> 0Z0X0V..image/gi
> 03f0 - 66 30 21 30 1f 30 07 06-05 2b 0e 03 02 1a 04 14 f0!
> 0.0...+......
> 0400 - 4b 6b b9 28 96 06 0c bb-d0 52 38 9b 29 ac 4b 07 Kk.
> (.....R8.).K.
> 0410 - 8b 21 05 18 30 26 16 24-68 74 74 70 3a 2f 2f 6c .!..0&.
> $http://*l
> 0420 - 6f 67 6f 2e 76 65 72 69-73 69 67 6e 2e 63 6f 6d
> ogo.verisign.com
> 0430 - 2f 76 73 6c 6f 67 6f 31-2e 67 69 66 30 0d 06 09 /
> vslogo1.gif0...
> 0440 - 2a 86 48 86 f7 0d 01 01-05 05 00 03 82 01 01 00
> *.H.............
> 0450 - 5d 15 58 3b 10 4e d0 ae-59 96 cb 08 23 fe 2b
> 4b ].X;.N..Y...#.+K
> 0460 - 88 52 93 0f 9e 86 3b 30-eb 3d bc 33 c7 e9 f9 e0 .R....;0.=.
> 3....
> 0470 - 6c 4f df 0d 78 6a 1d 4b-fc 74 9f 4a 3e c0 5d 14
> lO..xj.K.t.J>.].
> 0480 - 8c 13 61 f8 f2 69 95 b5-b7 f4 b6 ed b6 26 d4
> 69 ..a..i.......&.i
> 0490 - 93 e4 52 b7 09 5e 2d 4a-21 d1 f3 5a 3b 78 19 99 ..R..^-
> J!..Z;x..
> 04a0 - ee 5f 40 f7 1a fa 2d 60-9c 6a 1b ad c7 aa d7 7f ._@...-
> `.j......
> 04b0 - 87 4e ca 80 d9 bd 22 4d-b9 20 ad ff 43 74 4e
> 01 .N...."M. ..CtN.
> 04c0 - e6 f1 69 18 2b d8 13 65-ea 1c 6b e0 4c ae 05 ac ..i.
> +..e..k.L...
> 04d0 - 05 fd f0 79 6c fd 40 ec-c9 ad 22 36 8f a7 32
> d4 ...yl.@..."6..2.
> 04e0 - 2c 54 71 f6 bf f3 76 46-ae 8f 66 98 8d 0d 98
> 8c ,Tq...vF..f.....
> 04f0 - f8 05 87 4c e7 2a fe fc-dd 58 e4 0f af 28 f4
> 4c ...L.*...X...(.L
> 0500 - b3 29 f3 94 1a 42 0c 60-a4 30 2e 38 8d 01 43 2b .)...B.`.
> 0.8..C+
> 0510 - 77 96 86 a7 9a af 76 db-84 63 dc 53 9b ee ae 5a
> w.....v..c.S...Z
> 0520 - 7b 3c 9c e7 b7 da bd 1c-a2 a3 23 a2 36 7c db a6 {<........#.
> 6|..
> 0530 - b9 9b be 35 89 24 42 cf-c4 63 25 e8 9f 91 45 60 ...5.$B..c
> %...E`
> 0540 - 8e 5b 6b 72 fd 35 56 4c-c1 c1 e5 17 99 81 45 61 .[kr.
> 5VL......Ea
> 0550 - 00 04 a0 30 82 04 9c 30-82 04 05 a0 03 02 01 02 ...
> 0...0........
> 0560 - 02 10 75 33 7d 9a b0 e1-23 3b ae 2d 7d e4 46
> 91 ..u3}...#;.-}.F.
> 0570 - 62 d4 30 0d 06 09 2a 86-48 86 f7 0d 01 01 05 05 b.
> 0...*.H.......
> 0580 - 00 30 5f 31 0b 30 09 06-03 55 04 06 13 02 55 53 .
> 0_1.0...U....US
> 0590 - 31 17 30 15 06 03 55 04-0a 13 0e 56 65 72 69 53
> 1.0...U....VeriS
> 05a0 - 69 67 6e 2c 20 49 6e 63-2e 31 37 30 35 06 03 55 ign, Inc.
> 1705..U
> 05b0 - 04 0b 13 2e 43 6c 61 73-73 20 33 20 50 75 62 6c ....Class 3
> Publ
> 05c0 - 69 63 20 50 72 69 6d 61-72 79 20 43 65 72 74 69 ic Primary
> Certi
> 05d0 - 66 69 63 61 74 69 6f 6e-20 41 75 74 68 6f 72 69 fication
> Authori
> 05e0 - 74 79 30 1e 17 0d 30 35-30 31 31 39 30 30 30 30
> ty0...0501190000
> 05f0 - 30 30 5a 17 0d 31 35 30-31 31 38 32 33 35 39 35 00Z..
> 15011823595
> 0600 - 39 5a 30 81 b0 31 0b 30-09 06 03 55 04 06 13 02
> 9Z0..1.0...U....
> 0610 - 55 53 31 17 30 15 06 03-55 04 0a 13 0e 56 65 72
> US1.0...U....Ver
> 0620 - 69 53 69 67 6e 2c 20 49-6e 63 2e 31 1f 30 1d 06 iSign, Inc.
> 1.0..
> 0630 - 03 55 04 0b 13 16 56 65-72 69 53 69 67 6e 20
> 54 .U....VeriSign T
> 0640 - 72 75 73 74 20 4e 65 74-77 6f 72 6b 31 3b 30 39 rust
> Network1;09
> 0650 - 06 03 55 04 0b 13 32 54-65 72 6d 73 20 6f 66 20 ..U...
> 2Terms of
> 0660 - 75 73 65 20 61 74 20 68-74 74 70 73 3a 2f 2f 77 use at https://*w
> 0670 - 77 77 2e 76 65 72 69 73-69 67 6e 2e 63 6f 6d 2f
> ww.verisign.com/
> 0680 - 72 70 61 20 28 63 29 30-35 31 2a 30 28 06 03 55 rpa
> (c)051*0(..U
> 0690 - 04 03 13 21 56 65 72 69-53 69 67 6e 20 43 6c 61 ...!
> VeriSign Cla
> 06a0 - 73 73 20 33 20 53 65 63-75 72 65 20 53 65 72 76 ss 3 Secure
> Serv
> 06b0 - 65 72 20 43 41 30 82 01-22 30 0d 06 09 2a 86 48 er
> CA0.."0...*.H
> 06c0 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82
> 01 .............0..
> 06d0 - 0a 02 82 01 01 00 95 c3-21 12 8e 40 c5 0d 01
> 5f ........!..@..._
> 06e0 - 76 5e 66 94 d9 73 2c 58-19 22 b8 c9 fc 7a 39 90
> v^f..s,X."...z9.
> 06f0 - 2a 77 72 7c 1d 3e f7 d8-55 e3 af 42 cb 87 30 02
> *wr|.>..U..B..0.
> 0700 - dc 5b ac 70 e6 b8 44 b4-2b 35 eb 93 d2 17 05 7e .[.p..D.
> +5.....~
> 0710 - cb 46 d6 5c 53 a0 32 51-9d 74 64 58 f9 0c 9a 00 .F.\S.
> 2Q.tdX....
> 0720 - ea 5e 44 49 64 72 f4 cd-10 e2 85 0a f9 34 ee
> b3 .^DIdr.......4..
> 0730 - 88 66 a9 a5 a4 5a d0 0e-98 7f 58 0d 2b 52 bb 86 .f...Z....X.
> +R..
> 0740 - a9 7e 2e fa b2 48 7c 8d-db 2d 5f 01 75 a2 8d 06 .~...H|..-
> _.u...
> 0750 - 3b 8b b4 61 07 c9 be 22-99 f8 1b d1 b5 57 66
> 04 ;..a...".....Wf.
> 0760 - 4d 35 f4 91 71 96 b5 99-08 25 9b 97 c8 3a f3 20 M5..q....
> %...:.
> 0770 - b1 dd 9e 98 0c 4a 63 b7-a6 ce b0 01 ce f8 93
> 6a .....Jc........j
> 0780 - f3 0c 6e 9f b1 e9 84 7b-81 98 41 e6 81 dc 3d 2c ..n....
> {..A...=,
> 0790 - e7 b4 6b e3 9e fc 08 16-d7 b3 d5 b9 66 12 99
> 7c ..k.........f..|
> 07a0 - 6d 71 c8 4d be c7 0f e3-fb 37 ad d5 75 87 21 6b mq.M.....
> 7..u.!k
> 07b0 - 86 d0 44 14 5a 54 79 39-96 69 56 c9 b9 31 cd
> 89 ..D.ZTy9.iV..1..
> 07c0 - 61 58 e1 d9 76 05 05 ad-f7 b9 02 af a7 fd 47 91
> aX..v.........G.
> 07d0 - a2 22 34 5a 31 d1 02 03-01 00 01 a3 82 01 81
> 30 ."4Z1..........0
> 07e0 - 82 01 7d 30 12 06 03 55-1d 13 01 01 ff 04 08
> 30 ..}0...U.......0
> 07f0 - 06 01 01 ff 02 01 00 30-44 06 03 55 1d 20 04 3d .......
> 0D..U. .=
> 0800 - 30 3b 30 39 06 0b 60 86-48 01 86 f8 45 01 07 17
> 0;09..`.H...E...
> 0810 - 03 30 2a 30 28 06 08 2b-06 01 05 05 07 02 01 16 .0*0(..
> +........
> 0820 - 1c 68 74 74 70 73 3a 2f-2f 77 77 77 2e 76 65 72 .https://*www.*ver
> 0830 - 69 73 69 67 6e 2e 63 6f-6d 2f 72 70 61 30 31 06 isign.com/
> rpa01.
> 0840 - 03 55 1d 1f 04 2a 30 28-30 26 a0 24 a0 22 86 20 .U...*0(0&.
> $.".
> 0850 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 76 65 72 69 73 http://
> *crl.veris
> 0860 - 69 67 6e 2e 63 6f 6d 2f-70 63 61 33 2e 63 72 6c ign.com/
> pca3.crl
> 0870 - 30 0e 06 03 55 1d 0f 01-01 ff 04 04 03 02 01 06
> 0...U...........
> 0880 - 30 11 06 09 60 86 48 01-86 f8 42 01 01 04 04 03
> 0...`.H...B.....
> 0890 - 02 01 06 30 29 06 03 55-1d 11 04 22 30 20 a4 1e ...
> 0)..U..."0 ..
> 08a0 - 30 1c 31 1a 30 18 06 03-55 04 03 13 11 43 6c 61
> 0.1.0...U....Cla
> 08b0 - 73 73 33 43 41 32 30 34-38 2d 31 2d 34 35 30 1d
> ss3CA2048-1-450.
> 08c0 - 06 03 55 1d 0e 04 16 04-14 6f ec af a0 dd 8a
> a4 ..U......o......
> 08d0 - ef f5 2a 10 67 2d 3f 55-82 bc d7 ef 25 30 81 80 ..*.g-?U....
> %0..
> 08e0 - 06 03 55 1d 23 04 79 30-77 a1 63 a4 61 30 5f
> 31 ..U.#.y0w.c.a0_1
> 08f0 - 0b 30 09 06 03 55 04 06-13 02 55 53 31 17 30 15 .
> 0...U....US1.0.
> 0900 - 06 03 55 04 0a 13 0e 56-65 72 69 53 69 67 6e
> 2c ..U....VeriSign,
> 0910 - 20 49 6e 63 2e 31 37 30-35 06 03 55 04 0b 13 2e Inc.
> 1705..U....
> 0920 - 43 6c 61 73 73 20 33 20-50 75 62 6c 69 63 20 50 Class 3
> Public P
> 0930 - 72 69 6d 61 72 79 20 43-65 72 74 69 66 69 63 61 rimary
> Certifica
> 0940 - 74 69 6f 6e 20 41 75 74-68 6f 72 69 74 79 82 10 tion
> Authority..
> 0950 - 70 ba e4 1d 10 d9 29 34-b6 38 ca 7b 03 cc ba bf p.....)4.8.
> {....
> 0960 - 30 0d 06 09 2a 86 48 86-f7 0d 01 01 05 05 00 03
> 0...*.H.........
> 0970 - 81 81 00 c3 7e 08 46 5d-91 36 cf 67 dc d7 a7 af ....~.F].
> 6.g....
> 0980 - af b8 22 c3 8b 04 74 d3-b1 60 bc e6 fe b7 44
> 12 .."...t..`....D.
> 0990 - 81 5b 31 73 14 63 56 c6-72 2e d1 1a 03 43 5c 38 .
> [1s.cV.r....C\8
> 09a0 - 0a 50 4a 4d cd da b6 19-a8 f4 99 0d af e3 f7
> d8 .PJM............
> 09b0 - f1 75 28 65 f6 6a fe 9b-f4 bd 52 d9 3f cb da
> 16 .u(e.j....R.?...
> 09c0 - cb a5 9e 2e 8e 66 52 78-3d 26 fa fe 94 36 88
> 4a .....fRx=&...6.J
> 09d0 - 95 5e 2a 4c 19 ef 6e fa-82 3f 2d 03 ef d6 28
> b3 .^*L..n..?-...(.
> 09e0 - 37 18 cf 42 b2 34 21 64-47 d3 20 6b 3a 4c dc e6 7..B.4!dG.
> k:L..
> 09f0 - 03 90 0c ...
> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> use at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3
> Secure Server CA
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> read from 0x20fdd0 [0x215940] (5 bytes => 5 (0x5))
> 0000 - 16 03 01 01 8d .....
> read from 0x20fdd0 [0x215945] (397 bytes => 397 (0x18D))
> 0000 - 0c 00 01 89 00 80 d6 7d-e4 40 cb bb dc 19 36
> d6 .......}.@....6.
> 0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......
> 9._R...
> 0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4
> t....Q....c.r...
> 0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe
> 32 ...~..Z.y.B.*).2
> 0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.
> 7{...3.
> 0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.
> [...
> 0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......
> 3...
> 0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39
> b....t}.....h..9
> 0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 40 49 1b 47 d6 >.
> $!.......@I.G.
> 0090 - 77 b3 be 40 cd 21 fe b9-c9 c8 a2 cd f5 f7 bd cd
> w..@.!..........
> 00a0 - 2b db 3a 87 8e 16 5a fe-e4 40 94 f6 70 6e ea cd
> +.:...Z..@..pn..
> 00b0 - ee a0 56 14 3b 30 b8 e9-6e 47 15 9b ca fb 05 70 ..V.;
> 0..nG.....p
> 00c0 - d9 93 b4 d4 7a 9d 05 05-b5 21 88 7a 86 d7 1a
> 1e ....z....!.z....
> 00d0 - 1e 5f 1f 71 0a 5d bb 96-93 0c 10 01 5f 4c 14
> b9 ._.q.]......_L..
> 00e0 - b5 c9 97 11 f4 8d a7 5c-b8 01 d6 bb fb bd 63 65 .......
> \......ce
> 00f0 - 23 da 63 d3 ca 00 fe 64-c7 c0 8b 83 da a9 63 b1
> #.c....d......c.
> 0100 - 5b 79 58 62 73 fd c6 df-2f 56 a3 00 80 45 1e 00 [yXbs.../
> V...E..
> 0110 - 99 60 2f 40 62 34 c9 16-d2 c3 6b 79 6f c7 df 3e .`/
> @b4....kyo..>
> 0120 - 1e a3 a2 47 a9 bd 5b 59-3b 28 b8 21 cd a4 1d c8 ...G..[Y;
> (.!....
> 0130 - 83 a9 5f 66 3e ed d8 a4-e1 cb 11 8b 78 0d bd
> da .._f>.......x...
> 0140 - 86 a3 7d 41 1c ce 2c 08-94 bb 04 a5 27 96 fe
> 41 ..}A..,.....'..A
> 0150 - 30 17 f1 cc 57 65 4f 6e-e6 e4 e6 8b 72 ed 8a f9
> 0...WeOn....r...
> 0160 - fa 96 50 2a b7 c3 5d b6-da d1 71 74 01 95 e6
> fe ..P*..]...qt....
> 0170 - e1 fe 1a 98 10 b0 cc e6-76 06 83 15 93 d0 25
> 8b ........v.....%.
> 0180 - 01 d2 aa af 29 fd 46 00-21 11 4b 8e ed ....).F.!.K..
> read from 0x20fdd0 [0x215940] (5 bytes => 5 (0x5))
> 0000 - 16 03 01 00 04 .....
> read from 0x20fdd0 [0x215945] (4 bytes => 4 (0x4))
> 0000 - 0e .
> 0004 - <SPACES/NULS>
> write to 0x20fdd0 [0x21fa70] (139 bytes => 139 (0x8B))
> 0000 - 16 03 01 00 86 10 00 00-82 00 80 6f 9d 96 80
> 40 ...........o...@
> 0010 - 98 62 18 e4 a4 a8 d3 30-a4 cd 82 eb 2c d5 73 49 .b.....
> 0....,.sI
> 0020 - b0 68 8f f5 fc 7d 1a 21-e2 f9 98 03 26 a9 c7
> 3a .h...}.!....&..:
> 0030 - ed bf 02 c5 a2 f9 7a 39-c7 f9 0b 84 bf 7c a9
> f2 ......z9.....|..
> 0040 - eb b8 1c 69 82 e3 df af-76 48 ab 21 a9 3e 63
> 10 ...i....vH.!.>c.
> 0050 - dc 7d e9 bd 30 e9 9d 33-da 93 4e f2 18 a0 a0 8a .}..
> 0..3..N.....
> 0060 - d9 65 a2 8c 8f 72 09 aa-31 38 ed 30 c7 6c ec f9 .e...r..
> 18.0.l..
> 0070 - c2 68 e5 db e3 cd 6f ac-71 8d 54 a0 d0 57 84
> 00 .h....o.q.T..W..
> 0080 - ce c3 81 05 a3 2d 8e c3-1f 3c 7a .....-...<z
> write to 0x20fdd0 [0x21fa70] (6 bytes => 6 (0x6))
> 0000 - 14 03 01 00 01 01 ......
> write to 0x20fdd0 [0x21fa70] (53 bytes => 53 (0x35))
> 0000 - 16 03 01 00 30 ed 82 85-ac 7e aa 1a 26 8a 7d 66 ....
> 0....~..&.}f
> 0010 - 42 6e a2 91 ea b0 c3 01-98 c5 89 e5 a0 9e fd da
> Bn..............
> 0020 - 8d 8c a5 2a 48 bc e6 5e-ad e5 c2 5a 03 6c d1
> 5d ...*H..^...Z.l.]
> 0030 - c0 b5 bb 39 65 ...9e
> read from 0x20fdd0 [0x215940] (5 bytes => 5 (0x5))
> 0000 - 14 03 01 00 01 .....
> read from 0x20fdd0 [0x215945] (1 bytes => 1 (0x1))
> 0000 - 01 .
> read from 0x20fdd0 [0x215940] (5 bytes => 5 (0x5))
> 0000 - 16 03 01 00 30 ....0
> read from 0x20fdd0 [0x215945] (48 bytes => 48 (0x30))
> 0000 - ad c0 8f 14 01 bd 4a a3-cf 28 31 d9 16 c7 9a 4a ......J..
> (1....J
> 0010 - 7e 71 ac 3b 6c ce 1f 08-84 c6 44 f7 1e d0 3d 02
> ~q.;l.....D...=.
> 0020 - e0 3a cb bd d4 0d 4a aa-60 4b a3 a2 f7 15 81
> 0f .:....J.`K......
> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National
> Laboratory/OU=Environmental Restoration Division erdc/CN=www-
> erdc.llnl.gov
> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure
> Server CA
> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure
> Server CA
> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIFQjCCBCqgAwIBAgIQOTfsFyL0qPkISY+/krG24DANBgkqhkiG9w0BAQUFADCB
> sDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
> YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEqMCgGA1UEAxMh
> VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBMB4XDTA5MDUwNDAwMDAw
> MFoXDTEwMDUwNDIzNTk1OVowgbUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp
> Zm9ybmlhMRIwEAYDVQQHFAlMaXZlcm1vcmUxLzAtBgNVBAoUJkxhd3JlbmNlIExp
> dmVybW9yZSBOYXRpb25hbCBMYWJvcmF0b3J5MTAwLgYDVQQLFCdFbnZpcm9ubWVu
> dGFsIFJlc3RvcmF0aW9uIERpdmlzaW9uIGVyZGMxGjAYBgNVBAMUEXd3dy1lcmRj
> LmxsbmwuZ292MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC10Bdgh7FnLGaI
> 225a+wNQHGSILjWEr5Ik2NB9uyBDpwDkgUJ1fOnv00KfIi1DJpd1ayl+Z0PHmTdN
> CVNZSXuu3ftm96GcdmfAOeeahCyiqdMpUV8l6YUDXZblRDwuWclcrKtQckyyw0aD
> 1W1TrH5bjaSTYBWFTvWUx/SRb+YvHwIDAQABo4IB0zCCAc8wCQYDVR0TBAIwADAL
> BgNVHQ8EBAMCBaAwRAYDVR0fBD0wOzA5oDegNYYzaHR0cDovL1NWUlNlY3VyZS1j
> cmwudmVyaXNpZ24uY29tL1NWUlNlY3VyZTIwMDUuY3JsMEQGA1UdIAQ9MDswOQYL
> YIZIAYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24u
> Y29tL3JwYTAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgw
> FoAUb+yvoN2KpO/1KhBnLT9VgrzX7yUweQYIKwYBBQUHAQEEbTBrMCQGCCsGAQUF
> BzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20wQwYIKwYBBQUHMAKGN2h0dHA6
> Ly9TVlJTZWN1cmUtYWlhLnZlcmlzaWduLmNvbS9TVlJTZWN1cmUyMDA1LWFpYS5j
> ZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJaW1hZ2UvZ2lmMCEwHzAHBgUr
> DgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYkaHR0cDovL2xvZ28udmVyaXNp
> Z24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEBBQUAA4IBAQBdFVg7EE7QrlmW
> ywgj/itLiFKTD56GOzDrPbwzx+n54GxP3w14ah1L/HSfSj7AXRSME2H48mmVtbf0
> tu22JtRpk+RStwleLUoh0fNaO3gZme5fQPca+i1gnGobrceq13+HTsqA2b0iTbkg
> rf9DdE4B5vFpGCvYE2XqHGvgTK4FrAX98Hls/UDsya0iNo+nMtQsVHH2v/N2Rq6P
> ZpiNDZiM+AWHTOcq/vzdWOQPryj0TLMp85QaQgxgpDAuOI0BQyt3loanmq9224Rj
> 3FOb7q5aezyc57favRyioyOiNnzbprmbvjWJJELPxGMl6J+RRWCOW2ty/TVWTMHB
> 5ReZgUVh
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore
> National Laboratory/OU=Environmental Restoration Division erdc/
> CN=www-erdc.llnl.gov
> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> use at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3
> Secure Server CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3069 bytes and written 322 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> 9E8941488E9BA08703CB9C00624F98AC4E61511A1B9CA009ACA20EEBAFE5416F21959237C1F50AB11B083B893F4AB0C9
> Key-Arg : None
> Start Time: 1259597048
> Timeout : 300 (sec)
> Verify return code: 20 (unable to get local issuer certificate)
> ---
> read from 0x20fdd0 [0x215940] (5 bytes => 0 (0x0))
> read:errno=0
> write to 0x20fdd0 [0x21a150] (37 bytes => 37 (0x25))
> 0000 - 15 03 01 00 20 af e1 ab-10 6a 3e 70 e2 4f ee
> 1a .... ....j>p.O..
> 0010 - fb 51 20 ac 62 74 99 71-d7 7c 29 72 54 ee 62
> 3d .Q .bt.q.|)rT.b=
> 0020 - cf 82 c4 bc 73
>
>
> Thanks again,
> John
>
>
> On Nov 27, 2009, at 11:42 AM, Sander Temme wrote:
>
>> On Nov 25, 2009, at 2:24 PM, John J. Consolati wrote:
>>
>>> Here are the build commands I've tried:
>>>
>>> ./configure --prefix=/home/consolati1/apache/httpd-2.2.14/
>>> installed --enable-static-support --enable-ssl --with-ssl=/home/
>>> consolati1/openssl/openssl-0.9.8l/installed --with-mpm=prefork
>>>
>>> ./configure --prefix=/home/consolati1/apache/httpd-2.2.14/
>>> installed/ --enable-ssl --with-ssl=/home/consolati1/openssl/
>>> openssl-0.9.8g/installed/ (currently using this one)
>>
>> One remark about your build: your earlier ldd output had some /usr/
>> ucb stuff in it, which may be the result of your having /usr/ucb in
>> your PATH. You might try building with /usr/ccs/bin in your PATH
>> before /usr/ucb to take advantage of some utilities a little more
>> modern.
>>
>> I ran into this when building Subversion on a new VM:
>>
>> http://**www.**temme.net/sander/2009/04/28/building-subversion-with-
>> sun-workshop/
>>
>> No idea how this would impact your build.
>>
>> S.
>>
>>> Both of them result in the same thing, and were the commands my
>>> predecessor used.
>>>
>>> I will try building it with the configure command you sent. I
>>> haven't personally tried gcc, but my coworkers have left extensive
>>> notes of errors that gcc throws. It couldn't hurt to try again.
>>>
>>> It is odd that libssl and libcrypt aren't in there -- I tried
>>> building statically, as you can see, but the httpd -l that I
>>> posted was from the second one (which should be dynamic). Any
>>> ideas why they're missing?
>>>
>>> Thanks,
>>> John
>>>
>>> On Nov 25, 2009, at 2:14 PM, Dan_Mitton@YMP.GOV wrote:
>>>
>>>>
>>>> We are only at Apache 2.2.9, but don't have any problems. The
>>>> command I use to build apache with is:
>>>>
>>>> ./configure --prefix=/usr/local/apache-2.2.9 --with-ssl=/usr/
>>>> local/ssl --with-z=/usr/local/lib --enable-ssl --enable-cache --
>>>> enable-disk-cache --enable-mem-cache --enable-autoindex --enable-
>>>> mods-shared="rewrite ssl dav dav-fs proxy"
>>>>
>>>> of course, this is building a shared mod_ssl.so, and a few other
>>>> things. We use gcc instead of Sun's. Can you try it with gcc?
>>>> I can't image that is the problem, but it might be worth a test.
>>>>
>>>> We have changed both Apache and OpenSSL versions, several times,
>>>> and never had any certificate problems.
>>>>
>>>> Here is one thing to look into... Looking back at your 'ldd
>>>> httpd' output, there is no mention of libssl or libcrypt, so I
>>>> assume that you are statically linking them in. Are you sure
>>>> that you are picking up the OpenSSL version and not Sun's default
>>>> installed version in /lib ? Can you post your build command?
>>>> Personally, I like dynamic linking, so that you can upgrade to a
>>>> new OpenSSL, without having to redo everything that uses it.
>>>>
>>>> Dan
>>>>
>>>>
>>>> Please respond to users@httpd.apache.org
>>>>
>>>>
>>>> To: users@httpd.apache.org
>>>> cc: (bcc: Dan Mitton/YD/RWDOE)
>>>> Subject: Re: [users@httpd] SSL on Apache 2.2.14
>>>>
>>>>
>>>> LSN: Not Relevant
>>>> User Filed as: Not a Record
>>>>
>>>> Dan,
>>>>
>>>> The error occurs on both Safari and Firefox on Apache 2.2.14. We
>>>> don't have IE in our environment. Both Safari and Firefox work as
>>>> they should with 2.0.47.
>>>>
>>>> It looks like mod_ssl.c is compiled in -- it shows up with httpd -
>>>> l.
>>>>
>>>> I've checked the links you sent me. The description doesn't
>>>> provide a
>>>> whole lot of detail, and, according to the other one, I checked to
>>>> make sure I am using prefork instead of MPM -- it seems to
>>>> default to
>>>> prefork anyway, but I specified it in the /config before
>>>> compilation.
>>>>
>>>> I've Googled to my wit's end for several days without finding
>>>> anything
>>>> conclusive. Some pages hint at compilation options, others at
>>>> compilers (I'm using Sun's cc, not gcc), but nothing conclusive.
>>>>
>>>> Here is one question I couldn't find the answer to, though: if I
>>>> requested a server certificate using a specific version of OpenSSL,
>>>> can I use that same certificate in a different version of Apache
>>>> with
>>>> a different version of OpenSSL? Or do I have to re-request if I
>>>> upgrade OpenSSL? A long shot I know, but I'm running out of
>>>> options...
>>>>
>>>> Thank you for the help,
>>>> John
>>>>
>>>> On Nov 25, 2009, at 12:07 PM, Dan_Mitton@YMP.GOV wrote:
>>>>
>>>>>
>>>>> John,
>>>>>
>>>>> You should not need to upgrade Solaris. I've got apache running
>>>>> on
>>>>> a solaris 9 box just fine.
>>>>>
>>>>> Your "wrong path" shouldn't be a problem either. Those are just
>>>>> "the last place to look" for an .so. Solaris will use what is in
>>>>> the 'crle' command and the LD_LIBRARY_PATH environment variable
>>>>> first (I'm not sure of the order).
>>>>>
>>>>> You may or may not have a mod_ssl.so, depending on how you
>>>>> compiled
>>>>> apache. If you run:
>>>>>
>>>>> httpd -l (that's an el)
>>>>>
>>>>> It will list out which modules are compiled in. If you see
>>>>> mod_ssl.c, you will not have a mod_ssl.so. Otherwise, mod_ssl.so
>>>>> should normally be in your apache's modules subdirectory.
>>>>>
>>>>> Do you only get the error on Firefox and not IE?
>>>>>
>>>>> Dan
>>>>>
>>>>>
>>>>> Please respond to users@httpd.apache.org
>>>>>
>>>>>
>>>>> To: users@httpd.apache.org
>>>>> cc: (bcc: Dan Mitton/YD/RWDOE)
>>>>> Subject: Re: [users@httpd] SSL on Apache 2.2.14
>>>>>
>>>>>
>>>>> LSN: Not Relevant
>>>>> User Filed as: Not a Record
>>>>>
>>>>> Here is the complete command:
>>>>>
>>>>> openssl s_server -cert /erd/www/erd/server/apache/httpd-2.2.14/
>>>>> installed/conf/ssl.crt/www-erdc.crt -key /erd/www/erd/server/
>>>>> apache/
>>>>> httpd-2.2.14/installed/conf/ssl.key/www-erdc.secureprivate.key -
>>>>> CAfile /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/
>>>>> ssl.crt/
>>>>> intermediate.crt -www
>>>>>
>>>>> Your suggested 'GET / HTTP/1.0\r\r' was successful.
>>>>>
>>>>> However, I found something interesting doing an ldd -- a few of
>>>>> them
>>>>> have wrong paths:
>>>>>
>>>>> bash-2.05# ldd httpd
>>>>> libm.so.1 => /usr/lib/libm.so.1
>>>>> libaprutil-1.so.0 => /wrong/path
>>>>> libexpat.so.0 => /wrong/path
>>>>> libapr-1.so.0 => /wrong/path
>>>>> libuuid.so.1 => /usr/lib/libuuid.so.1
>>>>> libsendfile.so.1 => /usr/lib/libsendfile.so.1
>>>>> librt.so.1 => /usr/lib/librt.so.1
>>>>> libsocket.so.1 => /usr/lib/libsocket.so.1
>>>>> libnsl.so.1 => /usr/lib/libnsl.so.1
>>>>> libpthread.so.1 => /usr/lib/libpthread.so.1
>>>>> libdl.so.1 => /usr/lib/libdl.so.1
>>>>> libthread.so.1 => /usr/lib/libthread.so.1
>>>>> libc.so.1 => /usr/lib/libc.so.1
>>>>> libucb.so.1 => (file not found)
>>>>> libresolv.so.2 => /usr/lib/libresolv.so.2
>>>>> libelf.so.1 => /usr/lib/libelf.so.1
>>>>> libucb.so.1 => /usr/ucblib/libucb.so.1
>>>>> libaio.so.1 => /usr/lib/libaio.so.1
>>>>> libmd5.so.1 => /usr/lib/libmd5.so.1
>>>>> libmp.so.2 => /usr/lib/libmp.so.2
>>>>> /usr/platform/SUNW,Sun-Fire-V250/lib/libc_psr.so.1
>>>>> /usr/platform/SUNW,Sun-Fire-V250/lib/libmd5_psr.so.1
>>>>>
>>>>> I wasn't sure where to find mod_ssl.so -- I could only find
>>>>> mod_ssl.h.
>>>>>
>>>>> Is there a way to change the links without rebuilding?
>>>>>
>>>>> Thank you,
>>>>> John
>>>>>
>>>>> On Nov 25, 2009, at 11:21 AM, Sander Temme wrote:
>>>>>
>>>>>>
>>>>>> On Nov 25, 2009, at 10:17 AM, John J. Consolati wrote:
>>>>>>
>>>>>>> Thank you for the reply.
>>>>>>>
>>>>>>> Unfortunately, upgrading Solaris isn't an option. Here is the
>>>>>>> version I have to work with (quite old..):
>>>>>>>
>>>>>>> bash-2.05# cat /etc/release
>>>>>>> Solaris 9 4/04 s9s_u6wos_08a SPARC
>>>>>>> Copyright 2004 Sun Microsystems, Inc. All Rights
>>>>> Reserved.
>>>>>>> Use is subject to license terms.
>>>>>>> Assembled 22 March 2004
>>>>>>> bash-2.05# uname -a
>>>>>>> SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250
>>>>>>>
>>>>>>> I've been using the Sun cc, not gcc, to compile everything.
>>>>>>>
>>>>>>>
>>>>>>> Here is the output from the openSSL commands:
>>>>>>>
>>>>>>> openssl -certs....etc etc
>>>>>>
>>>>>> What is your complete command line here?
>>>>>>
>>>>>>> Using default temp DH parameters
>>>>>>> Using default temp ECDH parameters
>>>>>>> ACCEPT
>>>>>>> -----BEGIN SSL SESSION PARAMETERS-----
>>>>>>> MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIeX2wE
>>>>>>> MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F/Ajy
>>>>>>> V6EGAgRLDXPAogQCAgEspAYEBAAAAAE=
>>>>>>> -----END SSL SESSION PARAMETERS-----
>>>>>>> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-
>>>>> SHA:EDH-
>>>>>>> RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-
>>>>>>> AES128-
>>>>>>> SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-
>>>>>>> MD5:EDH-
>>>>>>> RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-
>>>>> CBC-
>>>>>>> SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-
>>>>> RC4-
>>>>>>> MD5
>>>>>>> CIPHER is DHE-RSA-AES256-SHA
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> And on the other terminal:
>>>>>>>
>>>>>>> bash-2.05$ openssl s_client -connect localhost:4433
>>>>>>> CONNECTED(00000003)
>>>>>>> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/
>>>>>>> OU=Terms
>>>>>>> of use at https://*****www.*****verisign.com/rpa (c)05/
>>>>>>> CN=VeriSign
>>>>> Class 3
>>>>>>> Secure Server CA
>>>>>>> verify error:num=20:unable to get local issuer certificate
>>>>>>> verify return:0
>>>>>>
>>>>>> That's not a problem, just OpenSSL complaining it can't find the
>>>>>> Verisign root cert. If you happen to have a copy of that (like
>>>>>> your
>>>>>> browser does) and point openssl s_client to it, it can verify all
>>>>>> the way to the top. This does not impact the connection itself.
>>>>>>
>>>>>>> ---
>>>>>>> Certificate chain
>>>>>>> 0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore
>>>>>>> National
>>>>>>> Laboratory/OU=Environmental Restoration Division erdc/CN=www-
>>>>>>> erdc.llnl.gov
>>>>>>> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
>>>>>>> use
>>>>>>> at https://*****www.*****verisign.com/rpa (c)05/CN=VeriSign
>>>>>>> Class 3
>>>>> Secure
>>>>>>> Server CA
>>>>>>> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
>>>>>>> use at https://*****www.*****verisign.com/rpa (c)05/
>>>>>>> CN=VeriSign Class 3
>>>>>>> Secure Server CA
>>>>>>> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
>>>>>>> Authority
>>>>>>> ---
>>>>>>> Server certificate
>>>>>>> -----BEGIN CERTIFICATE-----
>>>>>>> certificate hash...
>>>>>>> -----END CERTIFICATE-----
>>>>>>> subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore
>>>>>>> National Laboratory/OU=Environmental Restoration Division erdc/
>>>>>>> CN=www-erdc.llnl.gov
>>>>>>> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/
>>>>>>> OU=Terms of
>>>>>>> use at https://*****www.*****verisign.com/rpa (c)05/
>>>>>>> CN=VeriSign Class 3
>>>>>>> Secure Server CA
>>>>>>> ---
>>>>>>> No client certificate CA names sent
>>>>>>> ---
>>>>>>> SSL handshake has read 2973 bytes and written 258 bytes
>>>>>>> ---
>>>>>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>>>>>>> Server public key is 1024 bit
>>>>>>> Compression: NONE
>>>>>>> Expansion: NONE
>>>>>>> SSL-Session:
>>>>>>> Protocol : TLSv1
>>>>>>> Cipher : DHE-RSA-AES256-SHA
>>>>>>> Session-ID:
>>>>>>> 5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E5F6C
>>>>>>> Session-ID-ctx:
>>>>>>> Master-Key:
>>>>>>>
>>>>> EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A45712081626A57E6C0FE555052DC5FC08F257
>>>>>>> Key-Arg : None
>>>>>>> Start Time: 1259172800
>>>>>>> Timeout : 300 (sec)
>>>>>>> Verify return code: 20 (unable to get local issuer certificate)
>>>>>>> ---
>>>>>>>
>>>>>>> Looks like there is a problem with one of the certificates,
>>>>>>> but I'm
>>>>>>> not sure how to proceed...
>>>>>>
>>>>>> At this point, you have a valid handshake, and the client and
>>>>>> server
>>>>>> have exchanged data encrypted and MACed with the session keys.
>>>>>> All
>>>>>> is well. You could type on the command line 'GET / HTTP/1.0\r
>>>>>> \r' (two returns) and you'll get the status page generated by
>>>>>> openssl s_server -www.*****
>>>>>>
>>>>>> This means you have a configuration problem with Apache. Make
>>>>>> sure
>>>>>> you're using the ssl and crypto libraries that you think you
>>>>>> are by
>>>>>> running ldd on the httpd binary and the mod_ssl.so binary. While
>>>>>> the Solaris build environment usually gets this right by
>>>>>> hardcoding
>>>>>> the path to the libraries at link time, make sure this is ok at
>>>>>> run
>>>>>> time.
>>>>>>
>>>>>> Then, make sure your server is configured correctly, and that
>>>>>> your
>>>>>> SSL virtual host(s) use the correct combination of
>>>>>> SSLCertificateFile and SSLCertificateKeyFile.
>>>>>>
>>>>>> S.
>>>>>>
>>>>>>> Again, thank you for your help, I appreciate it.
>>>>>>>
>>>>>>> Regards,
>>>>>>> John
>>>>>>>
>>>>>>>
>>>>>>> On Nov 25, 2009, at 10:00 AM, daniel.goulder@and.co.uk wrote:
>>>>>>>
>>>>>>>> This sounds like a Solaris bug.
>>>>>>>>
>>>>>>>> Make sure you have a recent version of Solaris or the latest
>>>>> patches
>>>>>>>> installed...
>>>>>>>>
>>>>>>>> What release/patch level are you using?
>>>>>>>>
>>>>>>>> Danny
>>>>>>>>
>>>>>>>> ________________________________
>>>>>>>>
>>>>>>>> From: "John J. Consolati" <co...@llnl.gov> [mailto:"John
>>>>>>>> J.
>>>>>>>> Consolati" <co...@llnl.gov>]
>>>>>>>> Sent: 25 November 2009 17:23
>>>>>>>> To: users@httpd.apache.org
>>>>>>>> Subject: [users@httpd] SSL on Apache 2.2.14
>>>>>>>>
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Hopefully someone will be able to help, as I've been working on
>>>>> this
>>>>>>>> problem for quite a while and have hit a wall. I'm trying to
>>>>> upgrade
>>>>>>>> Apache 2.0.47 to 2.2.14, and I need SSL support. Everything
>>>>> seems to
>>>>>>>> build and compile okay, but when I try to access my site
>>>>>>>> running
>>>>> on
>>>>>>>> 2.2.14, I get a strange error from Firefox: "Secure connection
>>>>>>>> failed. An error occurred during a connection to xxxxxx. SSL
>>>>>>>> peer
>>>>>>>> reports incorrect Message Authentication Code. (Error code:
>>>>>>>> ssl_error_bad_mac_alert)."
>>>>>>>>
>>>>>>>> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the
>>>>>>>> same
>>>>>>>> results. This is hosted on a Solaris sparc box. The 2.2.14
>>>>> server is
>>>>>>>> utilizing all the same files and SSL certificates as the 2.0.47
>>>>>>>> server. I've called Verisign; I have valid certificates, but
>>>>> they've
>>>>>>>> never heard of this error before. If I self-sign a
>>>>>>>> certificate and
>>>>>>>> test it with the 2.2.14 server, it seems to work (except for
>>>>>>>> the
>>>>>>>> expected error message regarding self-signed certificates).
>>>>>>>>
>>>>>>>> Searching on Google has led me to try forcing Apache to compile
>>>>> with
>>>>>>>> prefork enabled (but it seems to default to that anyway on
>>>>> Solaris).
>>>>>>>> I've also tried statically linking Apache during compile with
>>>>>>>> the
>>>>>>>> same
>>>>>>>> results.
>>>>>>>>
>>>>>>>> If anyone has any ideas or suggestions, I'd very much
>>>>>>>> appreciate
>>>>>>>> them...
>>>>>>>> Thank you,
>>>>>>>> John
>>>>>>>>
>>>>>>>>
>>>>> ---------------------------------------------------------------------
>>>>>>>> The official User-To-User support forum of the Apache HTTP
>>>>>>>> Server
>>>>>>>> Project.
>>>>>>>> See < URL:http://******httpd.apache.org/userslist.html> for
>>>>>>>> more
>>>>> info.
>>>>>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>>>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>>>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>> ______________________________________________________________________
>>>>>>>> This email has been scanned by the MessageLabs Email Security
>>>>>>>> System.
>>>>>>>> For more information please visit http://***
>>>>> ***www.******messagelabs.com/
>>>>>>>> email
>>>>>>>>
>>>>> ______________________________________________________________________
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>> ______________________________________________________________________
>>>>>>>> This e-mail and any attached files are intended for the named
>>>>>>>> addressee only. It contains information, which may be
>>>>>>>> confidential
>>>>>>>> and legally privileged and also protected by copyright.
>>>>>>>> Unless you
>>>>>>>> are the named addressee (or authorised to receive for the
>>>>>>>> addressee) you may not copy or use it, or disclose it to anyone
>>>>>>>> else. If you received it in error please notify the sender
>>>>>>>> immediately and then delete it from your system. Please be
>>>>>>>> advised
>>>>>>>> that the views and opinions expressed in this e-mail may not
>>>>>>>> reflect the views and opinions of Associated Newspapers
>>>>>>>> Limited or
>>>>>>>> any of its subsidiary companies. We make every effort to keep
>>>>>>>> our
>>>>>>>> network free from viruses. However, you do need to check this
>>>>>>>> e-
>>>>>>>> mail and any attachments to it for viruses as we can take no
>>>>>>>> responsibility for any computer virus which may be
>>>>>>>> transferred by
>>>>>>>> way of this e-mail. Use of this or any other e-mail facility
>>>>>>>> signifies consent to any interception we might lawfully carry
>>>>>>>> out
>>>>>>>> to prevent abuse of these faciliti
>>>>>>>> es.
>>>>>>>> Associated Newspapers Ltd. Registered Office: Northcliffe
>>>>>>>> House, 2
>>>>>>>> Derry St, Kensington, London, W8 5TT. Registered No 84121
>>>>>>>> England.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>> ---------------------------------------------------------------------
>>>>>>> The official User-To-User support forum of the Apache HTTP
>>>>>>> Server
>>>>>>> Project.
>>>>>>> See <URL:http://*****httpd.apache.org/userslist.html> for more
>>>>>>> info.
>>>>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Sander Temme
>>>>>> sctemme@apache.org
>>>>>> PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> The official User-To-User support forum of the Apache HTTP Server
>>>>> Project.
>>>>> See <URL:http://****httpd.apache.org/userslist.html> for more
>>>>> info.
>>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> The official User-To-User support forum of the Apache HTTP Server
>>>> Project.
>>>> See <URL:http://***httpd.apache.org/userslist.html> for more info.
>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>
>>>>
>>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> The official User-To-User support forum of the Apache HTTP Server
>>> Project.
>>> See <URL:http://**httpd.apache.org/userslist.html> for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>
>>
>>
>> --
>> Sander Temme
>> sctemme@apache.org
>> PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
>>
>>
>>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://*httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org