It seems openssl-engine-0.9.6k resolved the issues below.
Below are excerpts from the changes file -> One of these issues was mine. I 
believe Dr. Henson would know.  Thanks all.

----------------------------------------------------------------------------- 
 Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]
 
  *) Fix various bugs revealed by running the NISCC test suite:
 
     Stop out of bounds reads in the ASN1 code when presented with
     invalid tags (CAN-2003-0543 and CAN-2003-0544).
 
     If verify callback ignores invalid public key errors don't try to check
     certificate signature with the NULL public key.
 
     [Steve Henson]
 
  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
     if the server requested one: as stated in TLS 1.0 and SSL 3.0
     specifications.
     [Steve Henson]
 
------------------------------------------------------------------------------

Quoting [EMAIL PROTECTED]:

> 
> Hello All
> 
> 
> 
> Has anyone actually gotten the Ncipher NFAST 800 SSL accelerator to work
> properly with Apache?
> 
> Note: I replaced actual host/IP with fictitious names.
> 
> I've tried it with openssl 0.9.6j engine to 0.9.7 - when testing with
> openssl speed -engine, it doesn't perform decrypting for bits other than 4096.
> 
> Now the dilemma. I initially used Apache 1.3.27 with openssl engine 0.9.6g; I
> was receiving 'bad mac error', did some troubleshooting, and found out the
> server certificate was a concat of the PEM and text form - as the rsa_eay.c
> file checks for the length of the contents read from the cert against the
> expected size of the cert. After fixing the certificate, the error below is
> what I've gotten - I've moved a step further.
> 
> I also tried with openssl engine 0.9.6c - same error.
> 
> Looking at the error below, I believe the ubsec driver couldn't decrypt the
> SSL data using the private key - or it doesn't have any reference to it.
> 
> There are three errors (same time transaction) - 1 for ssl_engine with full
> debug, 1 for apache error_log, 1 for openssl s_client.
> 
> I also tested using CA certs and server certs with openssl rsautl -engine
> ubsec; it worked pretty well: it was able to decrypt and verify everything.
> Also note, when I remove the SSLCryptoDevice ubsec line from the Apache
> config, there are no errors.
> 
> I'm gonna continue debugging, but I would like others' insight on this. By
> the way, I provided this to Ncipher; I don't think they've ever tested
> Nfast800/openssl/apache - unless I was dealing with a less knowledgeable
> person.
> 
> 
> Thanks.
> 
> 
> ******
> [        APACHE ERROR LOG       ]
> [Sun Oct  5 22:41:45 2003] [notice] Apache/1.3.27 (Unix) mod_ssl/2.8.14
> OpenSSL/
> 0.9.6c configured -- resuming normal operations
> [Sun Oct  5 22:41:45 2003] [notice] Accept mutex: fcntl (Default: fcntl)
> [Sun Oct  5 22:42:32 2003] [error] mod_ssl: SSL handshake failed (server 
> test.com:4433, client 172.25.48.102) (OpenSSL library error follow
> s)
> [Sun Oct  5 22:42:32 2003] [error] OpenSSL: error:1409441B:SSL
> routines:SSL3_REA
> D_BYTES:tlsv1 alert decrypt error
> 
> 
> ******
> [        APACHE SSL ENGINE LOG - DEBUG FULL ]
> ..
> [05/Oct/2003 22:42:32 07755] [trace] OpenSSL: Loop: SSLv3 write certificate
> A
> [05/Oct/2003 22:42:32 07755] [trace] OpenSSL: Loop: SSLv3 write key exchange
> A
> [05/Oct/2003 22:42:32 07755] [trace] OpenSSL: Loop: SSLv3 write server done
> A
> [05/Oct/2003 22:42:32 07755] [debug] OpenSSL: write 411/411 bytes to
> BIO#0022F2D
> ..
> [05/Oct/2003 22:42:32 07755] [trace] OpenSSL: Loop: SSLv3 flush data
> [05/Oct/2003 22:42:32 07755] [debug] OpenSSL: read 5/5 bytes from
> BIO#0022F2D8 [
> mem: 002445D8] (BIO dump follows)
> +-------------------------------------------------------------------------+
> | 0000: 15 03 01 00 02                                   .....            |
> +-------------------------------------------------------------------------+
> [05/Oct/2003 22:42:32 07755] [debug] OpenSSL: read 2/2 bytes from
> BIO#0022F2D8 [
> mem: 002445DD] (BIO dump follows)
> +-------------------------------------------------------------------------+
> | 0000: 02 33                                            .3               |
> +-------------------------------------------------------------------------+
> [05/Oct/2003 22:42:32 07755] [trace] OpenSSL: Read: SSLv3 read client
> certificat
> e A
> [05/Oct/2003 22:42:32 07755] [trace] OpenSSL: Exit: failed in SSLv3 read
> client
> certificate A
> [05/Oct/2003 22:42:32 07755] [error] SSL handshake failed (server 
> test.com:4433, client aa.bb.cc.dd) (OpenSSL library error follows)
> [05/Oct/2003 22:42:32 07755] [error] OpenSSL: error:1409441B:SSL
> routines:SSL3_R
> EAD_BYTES:tlsv1 alert decrypt error
> 
> 
> ******
> # ./openssl s_client -connect test.com:4433 -state
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> SSL_connect:SSLv3 read server certificate A
> SSL3 alert write:fatal:decrypt error
> SSL_connect:error in SSLv3 read server key exchange B
> SSL_connect:error in SSLv3 read server key exchange B
> 7780:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is
> 
> not 01:rsa_pk1.c:100:
> 7780:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check 
> failed:rsa_eay.c:468:
> 7780:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad 
> signature:s3_clnt.c:1087:
> 
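The two BIO dumps in the quoted mod_ssl debug log are one TLS record read in two pieces: the 5-byte record header, then the 2-byte alert body. As an added example (not code from this thread or from OpenSSL), the decoder below reassembles those dump lines and shows that they carry a fatal decrypt_error alert from the client, the same alert s_client prints after it rejects the ServerKeyExchange signature. The dump lines are copied from the log above; the alert names follow RFC 2246.

```python
import re
import struct

# TLS record content types and alert codes from RFC 2246 (TLS 1.0).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # RFC 2246 section 7.2 (subset)
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac", 21: "decryption_failed",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 80: "internal_error",
}

# A mod_ssl dump line: "| 0000: 15 03 01 00 02   .....   |"; hex "xx " tokens, then spaces, then ASCII.
DUMP_LINE = re.compile(r"^\|\s*[0-9a-fA-F]{4}:\s((?:[0-9a-fA-F]{2}\s)+)")

def parse_bio_dump(dump):
    """Concatenate the hex bytes of every dump line (mod_ssl prints at most 16 per line)."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))[:16]
    return bytes(out)

def parse_tls_record(data):
    """Decode a TLS record header and, for a 2-byte alert body, the alert level and description."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated: want %d bytes, have %d" % (length, len(body)))
    rec = {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
           "version": VERSIONS.get((major, minor), "%d.%d" % (major, minor)),
           "length": length}
    if ctype == 21 and length == 2:
        rec["alert"] = (ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0]),
                        ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1]))
    return rec

# The two BIO dumps from the quoted mod_ssl log: 5-byte header, then 2-byte body.
DUMP = """\
| 0000: 15 03 01 00 02                                   .....            |
| 0000: 02 33                                            .3               |
"""

def decode_dump(dump=DUMP):
    return parse_tls_record(parse_bio_dump(dump))  # alert, TLSv1.0, fatal decrypt_error
```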


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]