Swift Griggs wrote:
> 
> I searched the SSLeay list, the Apache-SSL list, and there doesn't seem to
> be an archive to openssl list yet, but I subscribed, and I haven't seen
> anyone with this problem yet (aren't I special). I've got a system setup
> to allow people with certificates from two CA's to be valid. The first CA
> is my own which I have setup using SSLeay, MySQL, and Apache-SSL. Testing
> with these certs works fine. I'm using the "hashing" method pointing
> Apache-SSL to my path-with-pem-encoded-ca-certs. This seems to work fine
> with any number of certs that aren't from Verisign. Here is my problem,
> when I use a root CA cert that my company got from verisign's OnSite

I'm a little unclear what you mean here: if it came from Verisign, then
how can it be a root CA cert? BTW, do you have the cert that issued the
CA cert, too?

> program (yes, I hate Verisign too, this was done before I was hired), then
> I try to connect using a browser certificate signed by the Verisign CA
> cert, it gives the following errors (read on after these it gets worse):
> 
> [error] error:140760F8:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
> protocol
> [error] verify error:num=7:certificate signature failure
> [error] error:0406F06A:rsa routines:RSA_padding_check_PKCS1_type_1:block
> type is not 01
> [error] error:04066072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
> failed
> [error] error:0D079006:asn1 encoding routines:ASN1_VERIFY:EVP lib
> [error] SSL_accept failed
> 
> So as per Adam's advice I upgraded to the latest version of OpenSSL (from
> the rsynced, CVS repository) and Apache 1.3.4 (with the latest apache-ssl
> patch of course) then I installed the certs in the usual fashion, again
> using the "hashing" path to certs method (and later the concatenated file
> method as well). Then I tried again with the same results my CA certs
> worked, Verisign's bombed, this time with no message in the error logs at
> all (yes I'm at loglevel debug). Just crashed and burned, giving the
> browser a "TCP/IP socket error: try again" and then causing a 5-10 second
> hang in apache before it would respond to any more traffic.
> Can anyone tell me what "block type is not 01" means? I get a
> standard error if I remove the evil verisign cert, and the client gets the
> standard "The server thinks you are lying" message from their browser, so
> I'm going to assume then that the hash value is a match for this cert.
> Can anyone help with this?

There was a bug recently fixed in OpenSSL that gave the "block type is
not 01" error, so that may be a red herring. If Apache-SSL crashed, then
you should probably be able to get a coredump. If so, a backtrace would
be helpful.

Also, have you tried setting up with _just_ the Verisign cert, and not
using the other one at the same time? 

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
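As an added example (not from this thread or from Apache-SSL/OpenSSL itself), here is the chain check Ben asks about, laid out the way the original poster describes: a hashed CA directory. A root CA, an intermediate it issued and a client cert are generated on the fly, and `openssl verify` is run against a directory holding only the intermediate, then against one that also holds the root that issued it. It assumes a working `openssl` binary on PATH; every name and key is constructed here.

```shell
# Added example, not code from the thread: build a three-level chain and check it
# with openssl verify against a c_rehash-style directory, first with only the
# intermediate CA present, then with the root that issued it added as well.
# Assumes an `openssl` binary on PATH; every key and cert is generated here.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Minimal config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF
q() { "$@" >/dev/null 2>&1; }   # quiet wrapper for the chatty openssl commands
# Hypothetical chain: root -> intermediate (the externally issued CA cert) -> client.
q openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root" -keyout root.key -out root.pem
q openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate" -keyout inter.key -out inter.csr
q openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile req.cnf -extensions ca_ext -out inter.pem
q openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=client" -keyout client.key -out client.csr
q openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -out client.pem
# hash_dir DIR CERT...: lay certs out as <subject-hash>.N, the layout a hashed CA
# path (what c_rehash produces) expects; N disambiguates subjects with equal hashes.
hash_dir() {
    dir=$1; shift; mkdir -p "$dir"
    for c in "$@"; do
        h=$(openssl x509 -noout -hash -in "$c"); n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        cp "$c" "$dir/$h.$n"
    done
}
hash_dir capath_inter_only inter.pem
hash_dir capath_full inter.pem root.pem
# verify_client DIR: prints "ok" if client.pem chains to a self-signed root found
# in DIR, "fail" otherwise (an intermediate alone is not enough without partial-chain).
verify_client() {
    openssl verify -CApath "$1" client.pem >/dev/null 2>&1 && { echo ok; return 0; }
    echo fail
}
verify_client capath_inter_only   # fail: the intermediate's issuer is missing
verify_client capath_full         # ok
```

Run `openssl verify -CApath capath_inter_only client.pem` without the redirects to see the exact error OpenSSL reports for the missing issuer.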
