I searched the SSLeay list and the Apache-SSL list, and there doesn't seem to
be an archive of the openssl list yet, but I subscribed, and I haven't seen
anyone with this problem yet (aren't I special). I've got a system set up
to allow people with certificates from two CAs to be valid. The first CA
is my own, which I have set up using SSLeay, MySQL, and Apache-SSL. Testing
with these certs works fine. I'm using the "hashing" method, pointing
Apache-SSL to my path-with-pem-encoded-ca-certs. This seems to work fine
with any number of certs that aren't from Verisign. Here is my problem:
when I use a root CA cert that my company got from Verisign's OnSite
program (yes, I hate Verisign too; this was done before I was hired), then
I try to connect using a browser certificate signed by the Verisign CA
cert, it gives the following errors (read on after these, it gets worse):

[error] error:140760F8:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[error] verify error:num=7:certificate signature failure
[error] error:0406F06A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
[error] error:04066072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
[error] error:0D079006:asn1 encoding routines:ASN1_VERIFY:EVP lib
[error] SSL_accept failed

So, as per Adam's advice, I upgraded to the latest version of OpenSSL (from
the rsynced CVS repository) and Apache 1.3.4 (with the latest apache-ssl
patch, of course), then I installed the certs in the usual fashion, again
using the "hashing" path-to-certs method (and later the concatenated-file
method as well). Then I tried again, with the same results: my CA certs
worked, Verisign's bombed, this time with no message in the error logs at
all (yes, I'm at loglevel debug). Just crashed and burned, giving the
browser a "TCP/IP socket error: try again" and then causing a 5-10 second
hang in Apache before it would respond to any more traffic.

Can anyone tell me what "block type is not 01" means? I get a
standard error if I remove the evil Verisign cert, and the client gets the
standard "The server thinks you are lying" message from their browser, so
I'm going to assume then that the hash value is a match for this cert.
Can anyone help with this?
--
_._._._._._._._._._._._._._._._._._._._.
SWiFT GRiGGS - <[EMAIL PROTECTED]>
PGP5/GPG KeyID 1024D/72AF071A NIC SG1991
finger [EMAIL PROTECTED] for public key
----------------------------------------
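Added example, not part of the original post: a pure-Python PKCS#1 v1.5 signature check that mirrors the steps behind the quoted OpenSSL errors. The RSA public-key operation must recover a block beginning 00 01; when the CA certificate used for verification does not hold the key that actually signed the client certificate, the recovered block is effectively random and the very first check fails, which OpenSSL reports as "block type is not 01" (the "padding check failed" and "certificate signature failure" lines are the same failure propagated outward). The keys (built from Mersenne primes so the script runs offline), the to-be-signed bytes and all function names are constructed for this demo.

```python
import hashlib

E = 65537
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def make_key(p, q):
    """Toy RSA key (n, e, d) from two primes; pow(..., -1, m) needs Python 3.8+."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, E, pow(E, -1, phi)

def sign(key, msg):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo, then the private-key operation."""
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def verify(key, msg, sig):
    """Public-key operation, then the checks RSA_padding_check_PKCS1_type_1 performs."""
    n, e, _ = key
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        # With the wrong public key the recovered block is effectively random,
        # so this first check is the one that fails: "block type is not 01".
        return False, "block type is not 01"
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):  # at least 8 bytes of 0xFF
        return False, "bad padding"
    if em[sep + 1:] != SHA256_PREFIX + hashlib.sha256(msg).digest():
        return False, "digest mismatch"
    return True, "ok"

# Constructed toy keys from Mersenne primes (trivially factorable; demo only):
# "issuer" really signed the cert, "other_ca" is a CA cert that did not.
issuer = make_key(2**521 - 1, 2**607 - 1)
other_ca = make_key(2**127 - 1, 2**1279 - 1)
CERT_TBS = b"constructed: to-be-signed bytes of a client certificate"

if __name__ == "__main__":
    sig = sign(issuer, CERT_TBS)
    print(verify(issuer, CERT_TBS, sig))    # (True, 'ok')
    print(verify(other_ca, CERT_TBS, sig))  # fails; in practice at the block-type check
```

The practical check this suggests for the situation above is whether the CA certificate in the hashed directory is really the one whose key issued the browser certificate (OnSite-style programs typically issue end-entity certificates from a separate issuing CA rather than the root), since a hash match on the subject name says nothing about the key.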