TLS: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash
unavailable ../../../../common/openssl/ssl/t1_enc.c:461

A little history: I have compiled openssl version 0.9.8e on a Sun v420 system
running OpenSolaris (version 11).
I used the gcc 3.4.3 compiler loaded in /usr/sfw/bin.

I then compiled openldap, the latest stable edition from openldap.org,
using -L/usr/local/ssl/lib -R/usr/local/ssl/lib to link in the openssl
libraries.

I created a CA and self-signed server certificates for TLS, using

/usr/local/ssl/bin/openssl req -new -x509 -keyout private/cakey.pem -out
cacert.pem -days 3652 -config openssl.cnf

/usr/local/ssl/bin/openssl req -new -x509 -nodes -keyout newreq.pem -out
newreq.pem -days 3652 -config openssl.cnf

/usr/local/ssl/bin/openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out
tmp.req

/usr/local/ssl/bin/openssl ca -config openssl.cnf -policy policy_anything
-out newcert.pem -infiles tmp.pem

All works fine.

I set up openldap properly with the certs by copying them into the correct
directory with the correct permissions, and set up slapd.conf with the
following entries:

TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/server_cert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/server_key.pem


Slapd starts up successfully using

/usr/local/libexec/slapd -d10 -u ldap -h "ldap:/// ldaps:///"

Now the openssl questions:

I run

/usr/local/ssl/bin/openssl s_client -connect localhost:636 -showcerts

and get the error above (TLS1_SETUP_KEY_BLOCK cipher or hash unavailable).


BUT ... if I use the openssl that came with Solaris 11,
/usr/sfw/bin/openssl s_client -connect localhost:636, this works properly, without
error.

Question 1: Is this a known issue with 0.9.8e?
Question 2: Is there an official patch available that fixes this problem?
Question 3: If not, is there a known workaround for the problem?

Any help would be appreciated. As an aside, someone did mention that
there was an unofficial patch:
Victor Duchovni posted a patch on 01/31/07 to this list.


Thanks

james
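One first check for a handshake that succeeds with one OpenSSL build and fails with another is to see what each build actually expands the slapd TLSCipherSuite string to, and which libssl slapd resolves at run time. The script below is an added diagnostic, not code from the original post; it assumes the paths named in the post (self-built 0.9.8e in /usr/local/ssl/bin, the Solaris copy in /usr/sfw/bin, slapd in /usr/local/libexec).

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Expands the slapd TLSCipherSuite
# string with two OpenSSL binaries and reports suites one build offers but the
# other lacks, then shows which libssl/libcrypto slapd links against.
# Assumed paths (taken from the post); adjust if your layout differs.
LOCAL_OPENSSL=/usr/local/ssl/bin/openssl
SYSTEM_OPENSSL=/usr/sfw/bin/openssl
SLAPD=/usr/local/libexec/slapd
CIPHER_STRING='HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3'

# Expand a cipher string with the given openssl binary: one suite name per line.
expand_ciphers() {
    "$1" ciphers "$2" | tr ':' '\n'
}

# $1 and $2 are newline-separated suite lists; print every suite in $1 absent from $2.
only_in_first() {
    printf '%s\n' "$1" | while IFS= read -r suite; do
        [ -n "$suite" ] || continue
        printf '%s\n' "$2" | grep -qx -- "$suite" || printf '%s\n' "$suite"
    done
}

# Show which libssl/libcrypto the slapd binary resolves at run time (the -R path
# given at link time decides this, not the openssl binary on PATH).
slapd_ssl_libs() {
    ldd "$1" | grep -e libssl -e libcrypto
}

main() {
    if [ -x "$LOCAL_OPENSSL" ] && [ -x "$SYSTEM_OPENSSL" ]; then
        local_list=$(expand_ciphers "$LOCAL_OPENSSL" "$CIPHER_STRING")
        system_list=$(expand_ciphers "$SYSTEM_OPENSSL" "$CIPHER_STRING")
        echo "Suites only the self-built OpenSSL expands the string to:"
        only_in_first "$local_list" "$system_list"
        echo "Suites only the Solaris OpenSSL expands the string to:"
        only_in_first "$system_list" "$local_list"
    fi
    if [ -x "$SLAPD" ]; then
        slapd_ssl_libs "$SLAPD" || echo "no libssl/libcrypto in ldd output for $SLAPD"
    fi
    return 0
}

main "$@"
```

A suite that only the server's build expands to, or a slapd that resolves a different libssl than the s_client you are testing with, narrows the problem to one build.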
