Re: [users@httpd] SSL on Apache 2.2.14

[John J. Consolati]

Finally figured this out and thought I'd put up the solution in case  
anyone else encounters it...

Turns out the problem lies with SunStudio 11 on Solaris 9 -- there is  
a compiler optimization bug that doesn't compile OpenSSL properly  
(specifically, the AES algorithms fail the make test).

I went in and did the normal ./config to OpenSSL, but then edited the  
Makefile.  I changed CFLAG from

CFLAG= -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H - 
xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN - 
DBN_DIV2W

to

CFLAG= -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H - 
xstrconst -xdepend=no -Xa -DB_ENDIAN -DBN_DIV2W

Basically, just took out the optimization stuff and compiled for a  
generic environment.  You have to make sure to specify -xdepend=no  
though, otherwise the compiler will automatically change optimization  
to level 3 in order to support dependence based transformations.

Hope this helps someone.  Thank you to everyone that offered  
suggestions and support.

Regards,
John Consolati
Lawrence Livermore National Laboratory

On Nov 30, 2009, at 11:59 AM, John J. Consolati wrote:

Hi All,

I'll try to squeeze everyone's suggestions into this mail.  Sorry  
for the delay -- was busy eating turkey for a couple of days :)

Dan:

When I built OpenSSL, I only specified --openssldir in the ./ 
config.  The libraries are in .../installed/lib.

Daniel:

bash-2.05# pldd 14100
14100:  /erd/www/erd/server/apache/httpd-2.2.14/installed/bin/httpd - 
f /erd/ww
/usr/lib/libm.so.1
/erd/www/erd/server/apache/httpd-2.2.14/installed/lib/ 
libaprutil-1.so.0
/erd/www/erd/server/apache/httpd-2.2.14/installed/lib/libexpat.so.0
/erd/www/erd/server/apache/httpd-2.2.14/installed/lib/libapr-1.so.0
/usr/lib/libuuid.so.1
/usr/lib/libsendfile.so.1
/usr/lib/librt.so.1
/usr/lib/libsocket.so.1
/usr/lib/libnsl.so.1
/usr/lib/libpthread.so.1
/usr/lib/libdl.so.1
/usr/lib/libthread.so.1
/usr/lib/libc.so.1
/usr/ucblib/libucb.so.1
/usr/lib/libresolv.so.2
/usr/lib/libelf.so.1
/usr/lib/libaio.so.1
/usr/lib/libmd5.so.1
/usr/lib/libmp.so.2
/usr/platform/sun4u-us3/lib/libc_psr.so.1
/usr/lib/nss_files.so.1
/usr/lib/nss_nisplus.so.1
/usr/lib/libdoor.so.1

Crypto:

Yes, I will be using client authentication.

Sander:

OpenSSL was built with Sun CC.

I'm currently trying the build with the new PATH.

Here the output of the openssl s_client:

CONNECTED(00000004)
write to 0x20fdd0 [0x2103e0] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00  
00   .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0    
8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   .. 
3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00  
00   ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00  
08   ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 81 2b f6  
0f   .............+..
0060 - 23 aa 7d 2e 5c ae 1b 8c-3e 95 78 65 ef 22 b7 54   #.}. 
\...>.xe.".T
0070 - a2 8e d9 dd 39 26 b6 e7-03 6c f4 42               ....9&...l.B
read from 0x20fdd0 [0x215940] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 2a 02                                 ....*.
0007 - <SPACES/NULS>
read from 0x20fdd0 [0x215947] (40 bytes => 40 (0x28))
0000 - 00 26 03 01 4b 13 ec f7-25 b2 46 61 86 86 ba 6f   .&..K... 
%.Fa...o
0010 - 72 8e d3 f7 a4 e9 21 79-c5 2f 4c 86 4c 54 14 42   r.....!y./ 
L.LT.B
0020 - 31 41 a1 b9 00 00 39                              1A....9
0028 - <SPACES/NULS>
read from 0x20fdd0 [0x215940] (5 bytes => 5 (0x5))
0000 - 16 03 01 09 f3                                    .....
read from 0x20fdd0 [0x215945] (2547 bytes => 2547 (0x9F3))
0000 - 0b 00 09 ef 00 09 ec 00-05 46 30 82 05 42 30  
82   .........F0..B0.
0010 - 04 2a a0 03 02 01 02 02-10 39 37 ec 17 22 f4 a8   .*....... 
97.."..
0020 - f9 08 49 8f bf 92 b1 b6-e0 30 0d 06 09 2a 86 48   ..I...... 
0...*.H
0030 - 86 f7 0d 01 01 05 05 00-30 81 b0 31 0b 30 09 06   ........ 
0..1.0..
0040 - 03 55 04 06 13 02 55 53-31 17 30 15 06 03 55  
04   .U....US1.0...U.
0050 - 0a 13 0e 56 65 72 69 53-69 67 6e 2c 20 49 6e  
63   ...VeriSign, Inc
0060 - 2e 31 1f 30 1d 06 03 55-04 0b 13 16 56 65 72 69   . 
1.0...U....Veri
0070 - 53 69 67 6e 20 54 72 75-73 74 20 4e 65 74 77 6f   Sign Trust  
Netwo
0080 - 72 6b 31 3b 30 39 06 03-55 04 0b 13 32 54 65 72   rk1;09..U... 
2Ter
0090 - 6d 73 20 6f 66 20 75 73-65 20 61 74 20 68 74 74   ms of use  
at htt
00a0 - 70 73 3a 2f 2f 77 77 77-2e 76 65 72 69 73 69 67   ps:// 
www.*verisig
00b0 - 6e 2e 63 6f 6d 2f 72 70-61 20 28 63 29 30 35 31   n.com/rpa  
(c)051
00c0 - 2a 30 28 06 03 55 04 03-13 21 56 65 72 69 53 69   *0(..U...! 
VeriSi
00d0 - 67 6e 20 43 6c 61 73 73-20 33 20 53 65 63 75 72   gn Class 3  
Secur
00e0 - 65 20 53 65 72 76 65 72-20 43 41 30 1e 17 0d 30   e Server  
CA0...0
00f0 - 39 30 35 30 34 30 30 30-30 30 30 5a 17 0d 31 30    
90504000000Z..10
0100 - 30 35 30 34 32 33 35 39-35 39 5a 30 81 b5 31 0b    
0504235959Z0..1.
0110 - 30 09 06 03 55 04 06 13-02 55 53 31 13 30 11 06    
0...U....US1.0..
0120 - 03 55 04 08 13 0a 43 61-6c 69 66 6f 72 6e 69  
61   .U....California
0130 - 31 12 30 10 06 03 55 04-07 14 09 4c 69 76 65 72    
1.0...U....Liver
0140 - 6d 6f 72 65 31 2f 30 2d-06 03 55 04 0a 14 26 4c    
more1/0-..U...&L
0150 - 61 77 72 65 6e 63 65 20-4c 69 76 65 72 6d 6f 72   awrence  
Livermor
0160 - 65 20 4e 61 74 69 6f 6e-61 6c 20 4c 61 62 6f 72   e National  
Labor
0170 - 61 74 6f 72 79 31 30 30-2e 06 03 55 04 0b 14 27    
atory100...U...'
0180 - 45 6e 76 69 72 6f 6e 6d-65 6e 74 61 6c 20 52 65    
Environmental Re
0190 - 73 74 6f 72 61 74 69 6f-6e 20 44 69 76 69 73 69   storation  
Divisi
01a0 - 6f 6e 20 65 72 64 63 31-1a 30 18 06 03 55 04 03   on  
erdc1.0...U..
01b0 - 14 11 77 77 77 2d 65 72-64 63 2e 6c 6c 6e 6c 2e   ..www- 
erdc.llnl.
01c0 - 67 6f 76 30 81 9f 30 0d-06 09 2a 86 48 86 f7 0d    
gov0..0...*.H...
01d0 - 01 01 01 05 00 03 81 8d-00 30 81 89 02 81 81 00   ......... 
0......
01e0 - b5 d0 17 60 87 b1 67 2c-66 88 db 6e 5a fb 03  
50   ...`..g,f..nZ..P
01f0 - 1c 64 88 2e 35 84 af 92-24 d8 d0 7d bb 20 43 a7   .d.. 
5...$..}. C.
0200 - 00 e4 81 42 75 7c e9 ef-d3 42 9f 22 2d 43 26  
97   ...Bu|...B."-C&.
0210 - 75 6b 29 7e 67 43 c7 99-37 4d 09 53 59 49 7b ae   uk)~gC.. 
7M.SYI{.
0220 - dd fb 66 f7 a1 9c 76 67-c0 39 e7 9a 84 2c a2 a9   ..f...vg. 
9...,..
0230 - d3 29 51 5f 25 e9 85 03-5d 96 e5 44 3c 2e 59 c9   .)Q_ 
%...]..D<.Y.
0240 - 5c ac ab 50 72 4c b2 c3-46 83 d5 6d 53 ac 7e 5b    
\..PrL..F..mS.~[
0250 - 8d a4 93 60 15 85 4e f5-94 c7 f4 91 6f e6 2f  
1f   ...`..N.....o./.
0260 - 02 03 01 00 01 a3 82 01-d3 30 82 01 cf 30 09 06   ......... 
0...0..
0270 - 03 55 1d 13 04 02 30 00-30 0b 06 03 55 1d 0f 04   .U.... 
0.0...U...
0280 - 04 03 02 05 a0 30 44 06-03 55 1d 1f 04 3d 30 3b   ..... 
0D..U...=0;
0290 - 30 39 a0 37 a0 35 86 33-68 74 74 70 3a 2f 2f 53    
09.7.5.3http://*S
02a0 - 56 52 53 65 63 75 72 65-2d 63 72 6c 2e 76 65 72   VRSecure- 
crl.ver
02b0 - 69 73 69 67 6e 2e 63 6f-6d 2f 53 56 52 53 65 63   isign.com/ 
SVRSec
02c0 - 75 72 65 32 30 30 35 2e-63 72 6c 30 44 06 03 55    
ure2005.crl0D..U
02d0 - 1d 20 04 3d 30 3b 30 39-06 0b 60 86 48 01 86  
f8   . .=0;09..`.H...
02e0 - 45 01 07 17 03 30 2a 30-28 06 08 2b 06 01 05 05   E....0*0(.. 
+....
02f0 - 07 02 01 16 1c 68 74 74-70 73 3a 2f 2f 77 77 77   .....https://*www
0300 - 2e 76 65 72 69 73 69 67-6e 2e 63 6f 6d 2f 72  
70   .verisign.com/rp
0310 - 61 30 1d 06 03 55 1d 25-04 16 30 14 06 08 2b 06   a0...U.%.. 
0...+.
0320 - 01 05 05 07 03 01 06 08-2b 06 01 05 05 07 03 02   ........ 
+.......
0330 - 30 1f 06 03 55 1d 23 04-18 30 16 80 14 6f ec af   0...U.#.. 
0...o..
0340 - a0 dd 8a a4 ef f5 2a 10-67 2d 3f 55 82 bc d7 ef   ......*.g-? 
U....
0350 - 25 30 79 06 08 2b 06 01-05 05 07 01 01 04 6d 30   %0y.. 
+........m0
0360 - 6b 30 24 06 08 2b 06 01-05 05 07 30 01 86 18 68   k0$..+..... 
0...h
0370 - 74 74 70 3a 2f 2f 6f 63-73 70 2e 76 65 72 69 73   ttp:// 
ocsp.veris
0380 - 69 67 6e 2e 63 6f 6d 30-43 06 08 2b 06 01 05 05   ign.com0C.. 
+....
0390 - 07 30 02 86 37 68 74 74-70 3a 2f 2f 53 56 52 53   .0..7http:// 
*SVRS
03a0 - 65 63 75 72 65 2d 61 69-61 2e 76 65 72 69 73 69   ecure- 
aia.verisi
03b0 - 67 6e 2e 63 6f 6d 2f 53-56 52 53 65 63 75 72 65   gn.com/ 
SVRSecure
03c0 - 32 30 30 35 2d 61 69 61-2e 63 65 72 30 6e 06 08   2005- 
aia.cer0n..
03d0 - 2b 06 01 05 05 07 01 0c-04 62 30 60 a1 5e a0 5c    
+........b0`.^.\
03e0 - 30 5a 30 58 30 56 16 09-69 6d 61 67 65 2f 67 69    
0Z0X0V..image/gi
03f0 - 66 30 21 30 1f 30 07 06-05 2b 0e 03 02 1a 04 14   f0! 
0.0...+......
0400 - 4b 6b b9 28 96 06 0c bb-d0 52 38 9b 29 ac 4b 07   Kk. 
(.....R8.).K.
0410 - 8b 21 05 18 30 26 16 24-68 74 74 70 3a 2f 2f 6c   .!..0&. 
$http://*l
0420 - 6f 67 6f 2e 76 65 72 69-73 69 67 6e 2e 63 6f 6d    
ogo.verisign.com
0430 - 2f 76 73 6c 6f 67 6f 31-2e 67 69 66 30 0d 06 09   / 
vslogo1.gif0...
0440 - 2a 86 48 86 f7 0d 01 01-05 05 00 03 82 01 01 00    
*.H.............
0450 - 5d 15 58 3b 10 4e d0 ae-59 96 cb 08 23 fe 2b  
4b   ].X;.N..Y...#.+K
0460 - 88 52 93 0f 9e 86 3b 30-eb 3d bc 33 c7 e9 f9 e0   .R....;0.=. 
3....
0470 - 6c 4f df 0d 78 6a 1d 4b-fc 74 9f 4a 3e c0 5d 14    
lO..xj.K.t.J>.].
0480 - 8c 13 61 f8 f2 69 95 b5-b7 f4 b6 ed b6 26 d4  
69   ..a..i.......&.i
0490 - 93 e4 52 b7 09 5e 2d 4a-21 d1 f3 5a 3b 78 19 99   ..R..^- 
J!..Z;x..
04a0 - ee 5f 40 f7 1a fa 2d 60-9c 6a 1b ad c7 aa d7 7f   ....@...- 
`.j......
04b0 - 87 4e ca 80 d9 bd 22 4d-b9 20 ad ff 43 74 4e  
01   .N...."M. ..CtN.
04c0 - e6 f1 69 18 2b d8 13 65-ea 1c 6b e0 4c ae 05 ac   ..i. 
+..e..k.L...
04d0 - 05 fd f0 79 6c fd 40 ec-c9 ad 22 36 8f a7 32  
d4   ......@..."6..2.
04e0 - 2c 54 71 f6 bf f3 76 46-ae 8f 66 98 8d 0d 98  
8c   ,Tq...vF..f.....
04f0 - f8 05 87 4c e7 2a fe fc-dd 58 e4 0f af 28 f4  
4c   ...L.*...X...(.L
0500 - b3 29 f3 94 1a 42 0c 60-a4 30 2e 38 8d 01 43 2b   .)...B.`. 
0.8..C+
0510 - 77 96 86 a7 9a af 76 db-84 63 dc 53 9b ee ae 5a    
w.....v..c.S...Z
0520 - 7b 3c 9c e7 b7 da bd 1c-a2 a3 23 a2 36 7c db a6   {<........#. 
6|..
0530 - b9 9b be 35 89 24 42 cf-c4 63 25 e8 9f 91 45 60   ...5.$B..c 
%...E`
0540 - 8e 5b 6b 72 fd 35 56 4c-c1 c1 e5 17 99 81 45 61   .[kr. 
5VL......Ea
0550 - 00 04 a0 30 82 04 9c 30-82 04 05 a0 03 02 01 02   ... 
0...0........
0560 - 02 10 75 33 7d 9a b0 e1-23 3b ae 2d 7d e4 46  
91   ..u3}...#;.-}.F.
0570 - 62 d4 30 0d 06 09 2a 86-48 86 f7 0d 01 01 05 05   b. 
0...*.H.......
0580 - 00 30 5f 31 0b 30 09 06-03 55 04 06 13 02 55 53   . 
0_1.0...U....US
0590 - 31 17 30 15 06 03 55 04-0a 13 0e 56 65 72 69 53    
1.0...U....VeriS
05a0 - 69 67 6e 2c 20 49 6e 63-2e 31 37 30 35 06 03 55   ign, Inc. 
1705..U
05b0 - 04 0b 13 2e 43 6c 61 73-73 20 33 20 50 75 62 6c   ....Class 3  
Publ
05c0 - 69 63 20 50 72 69 6d 61-72 79 20 43 65 72 74 69   ic Primary  
Certi
05d0 - 66 69 63 61 74 69 6f 6e-20 41 75 74 68 6f 72 69   fication  
Authori
05e0 - 74 79 30 1e 17 0d 30 35-30 31 31 39 30 30 30 30    
ty0...0501190000
05f0 - 30 30 5a 17 0d 31 35 30-31 31 38 32 33 35 39 35   00Z.. 
15011823595
0600 - 39 5a 30 81 b0 31 0b 30-09 06 03 55 04 06 13 02    
9Z0..1.0...U....
0610 - 55 53 31 17 30 15 06 03-55 04 0a 13 0e 56 65 72    
US1.0...U....Ver
0620 - 69 53 69 67 6e 2c 20 49-6e 63 2e 31 1f 30 1d 06   iSign, Inc. 
1.0..
0630 - 03 55 04 0b 13 16 56 65-72 69 53 69 67 6e 20  
54   .U....VeriSign T
0640 - 72 75 73 74 20 4e 65 74-77 6f 72 6b 31 3b 30 39   rust  
Network1;09
0650 - 06 03 55 04 0b 13 32 54-65 72 6d 73 20 6f 66 20   ..U... 
2Terms of
0660 - 75 73 65 20 61 74 20 68-74 74 70 73 3a 2f 2f 77   use at https://*w
0670 - 77 77 2e 76 65 72 69 73-69 67 6e 2e 63 6f 6d 2f    
ww.verisign.com/
0680 - 72 70 61 20 28 63 29 30-35 31 2a 30 28 06 03 55   rpa  
(c)051*0(..U
0690 - 04 03 13 21 56 65 72 69-53 69 67 6e 20 43 6c 61   ...! 
VeriSign Cla
06a0 - 73 73 20 33 20 53 65 63-75 72 65 20 53 65 72 76   ss 3 Secure  
Serv
06b0 - 65 72 20 43 41 30 82 01-22 30 0d 06 09 2a 86 48   er  
CA0.."0...*.H
06c0 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82  
01   .............0..
06d0 - 0a 02 82 01 01 00 95 c3-21 12 8e 40 c5 0d 01  
5f   ...........@..._
06e0 - 76 5e 66 94 d9 73 2c 58-19 22 b8 c9 fc 7a 39 90    
v^f..s,X."...z9.
06f0 - 2a 77 72 7c 1d 3e f7 d8-55 e3 af 42 cb 87 30 02    
*wr|.>..U..B..0.
0700 - dc 5b ac 70 e6 b8 44 b4-2b 35 eb 93 d2 17 05 7e   .[.p..D. 
+5.....~
0710 - cb 46 d6 5c 53 a0 32 51-9d 74 64 58 f9 0c 9a 00   .F.\S. 
2Q.tdX....
0720 - ea 5e 44 49 64 72 f4 cd-10 e2 85 0a f9 34 ee  
b3   .^DIdr.......4..
0730 - 88 66 a9 a5 a4 5a d0 0e-98 7f 58 0d 2b 52 bb 86   .f...Z....X. 
+R..
0740 - a9 7e 2e fa b2 48 7c 8d-db 2d 5f 01 75 a2 8d 06   .~...H|..- 
_.u...
0750 - 3b 8b b4 61 07 c9 be 22-99 f8 1b d1 b5 57 66  
04   ;..a...".....Wf.
0760 - 4d 35 f4 91 71 96 b5 99-08 25 9b 97 c8 3a f3 20   M5..q.... 
%...:.
0770 - b1 dd 9e 98 0c 4a 63 b7-a6 ce b0 01 ce f8 93  
6a   .....Jc........j
0780 - f3 0c 6e 9f b1 e9 84 7b-81 98 41 e6 81 dc 3d 2c   ..n.... 
{..A...=,
0790 - e7 b4 6b e3 9e fc 08 16-d7 b3 d5 b9 66 12 99  
7c   ..k.........f..|
07a0 - 6d 71 c8 4d be c7 0f e3-fb 37 ad d5 75 87 21 6b   mq.M..... 
7..u.!k
07b0 - 86 d0 44 14 5a 54 79 39-96 69 56 c9 b9 31 cd  
89   ..D.ZTy9.iV..1..
07c0 - 61 58 e1 d9 76 05 05 ad-f7 b9 02 af a7 fd 47 91    
aX..v.........G.
07d0 - a2 22 34 5a 31 d1 02 03-01 00 01 a3 82 01 81  
30   ."4Z1..........0
07e0 - 82 01 7d 30 12 06 03 55-1d 13 01 01 ff 04 08  
30   ..}0...U.......0
07f0 - 06 01 01 ff 02 01 00 30-44 06 03 55 1d 20 04 3d   ....... 
0D..U. .=
0800 - 30 3b 30 39 06 0b 60 86-48 01 86 f8 45 01 07 17    
0;09..`.H...E...
0810 - 03 30 2a 30 28 06 08 2b-06 01 05 05 07 02 01 16   .0*0(.. 
+........
0820 - 1c 68 74 74 70 73 3a 2f-2f 77 77 77 2e 76 65 72   .https://*www.*ver
0830 - 69 73 69 67 6e 2e 63 6f-6d 2f 72 70 61 30 31 06   isign.com/ 
rpa01.
0840 - 03 55 1d 1f 04 2a 30 28-30 26 a0 24 a0 22 86 20   .U...*0(0&. 
$.".
0850 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 76 65 72 69 73   http:// 
*crl.veris
0860 - 69 67 6e 2e 63 6f 6d 2f-70 63 61 33 2e 63 72 6c   ign.com/ 
pca3.crl
0870 - 30 0e 06 03 55 1d 0f 01-01 ff 04 04 03 02 01 06    
0...U...........
0880 - 30 11 06 09 60 86 48 01-86 f8 42 01 01 04 04 03    
0...`.H...B.....
0890 - 02 01 06 30 29 06 03 55-1d 11 04 22 30 20 a4 1e   ... 
0)..U..."0 ..
08a0 - 30 1c 31 1a 30 18 06 03-55 04 03 13 11 43 6c 61    
0.1.0...U....Cla
08b0 - 73 73 33 43 41 32 30 34-38 2d 31 2d 34 35 30 1d    
ss3CA2048-1-450.
08c0 - 06 03 55 1d 0e 04 16 04-14 6f ec af a0 dd 8a  
a4   ..U......o......
08d0 - ef f5 2a 10 67 2d 3f 55-82 bc d7 ef 25 30 81 80   ..*.g-?U.... 
%0..
08e0 - 06 03 55 1d 23 04 79 30-77 a1 63 a4 61 30 5f  
31   ..U.#.y0w.c.a0_1
08f0 - 0b 30 09 06 03 55 04 06-13 02 55 53 31 17 30 15   . 
0...U....US1.0.
0900 - 06 03 55 04 0a 13 0e 56-65 72 69 53 69 67 6e  
2c   ..U....VeriSign,
0910 - 20 49 6e 63 2e 31 37 30-35 06 03 55 04 0b 13 2e    Inc. 
1705..U....
0920 - 43 6c 61 73 73 20 33 20-50 75 62 6c 69 63 20 50   Class 3  
Public P
0930 - 72 69 6d 61 72 79 20 43-65 72 74 69 66 69 63 61   rimary  
Certifica
0940 - 74 69 6f 6e 20 41 75 74-68 6f 72 69 74 79 82 10   tion  
Authority..
0950 - 70 ba e4 1d 10 d9 29 34-b6 38 ca 7b 03 cc ba bf   p.....)4.8. 
{....
0960 - 30 0d 06 09 2a 86 48 86-f7 0d 01 01 05 05 00 03    
0...*.H.........
0970 - 81 81 00 c3 7e 08 46 5d-91 36 cf 67 dc d7 a7 af   ....~.F]. 
6.g....
0980 - af b8 22 c3 8b 04 74 d3-b1 60 bc e6 fe b7 44  
12   .."...t..`....D.
0990 - 81 5b 31 73 14 63 56 c6-72 2e d1 1a 03 43 5c 38   . 
[1s.cV.r....C\8
09a0 - 0a 50 4a 4d cd da b6 19-a8 f4 99 0d af e3 f7  
d8   .PJM............
09b0 - f1 75 28 65 f6 6a fe 9b-f4 bd 52 d9 3f cb da  
16   .u(e.j....R.?...
09c0 - cb a5 9e 2e 8e 66 52 78-3d 26 fa fe 94 36 88  
4a   .....fRx=&...6.J
09d0 - 95 5e 2a 4c 19 ef 6e fa-82 3f 2d 03 ef d6 28  
b3   .^*L..n..?-...(.
09e0 - 37 18 cf 42 b2 34 21 64-47 d3 20 6b 3a 4c dc e6   7..B.4!dG.  
k:L..
09f0 - 03 90 0c                                          ...
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of  
use at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3  
Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
read from 0x20fdd0 [0x215940] (5 bytes => 5 (0x5))
0000 - 16 03 01 01 8d                                    .....
read from 0x20fdd0 [0x215945] (397 bytes => 397 (0x18D))
0000 - 0c 00 01 89 00 80 d6 7d-e4 40 cb bb dc 19 36  
d6   .........@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81   ..J...... 
9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4    
t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe  
32   ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16   JFzc^..Y. 
7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db   .F..;r....x. 
[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd   .xt.}....... 
3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39    
b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 40 49 1b 47 d6   >. 
$!.......@i.g.
0090 - 77 b3 be 40 cd 21 fe b9-c9 c8 a2 cd f5 f7 bd cd    
w...@.!..........
00a0 - 2b db 3a 87 8e 16 5a fe-e4 40 94 f6 70 6e ea cd    
+.:......@..pn..
00b0 - ee a0 56 14 3b 30 b8 e9-6e 47 15 9b ca fb 05 70   ..V.; 
0..nG.....p
00c0 - d9 93 b4 d4 7a 9d 05 05-b5 21 88 7a 86 d7 1a  
1e   ....z....!.z....
00d0 - 1e 5f 1f 71 0a 5d bb 96-93 0c 10 01 5f 4c 14  
b9   ._.q.]......_L..
00e0 - b5 c9 97 11 f4 8d a7 5c-b8 01 d6 bb fb bd 63 65   ....... 
\......ce
00f0 - 23 da 63 d3 ca 00 fe 64-c7 c0 8b 83 da a9 63 b1    
#.c....d......c.
0100 - 5b 79 58 62 73 fd c6 df-2f 56 a3 00 80 45 1e 00   [yXbs.../ 
V...E..
0110 - 99 60 2f 40 62 34 c9 16-d2 c3 6b 79 6f c7 df 3e   .`/ 
@b4....kyo..>
0120 - 1e a3 a2 47 a9 bd 5b 59-3b 28 b8 21 cd a4 1d c8   ...G..[Y; 
(.!....
0130 - 83 a9 5f 66 3e ed d8 a4-e1 cb 11 8b 78 0d bd  
da   .._f>.......x...
0140 - 86 a3 7d 41 1c ce 2c 08-94 bb 04 a5 27 96 fe  
41   ..}A..,.....'..A
0150 - 30 17 f1 cc 57 65 4f 6e-e6 e4 e6 8b 72 ed 8a f9    
0...WeOn....r...
0160 - fa 96 50 2a b7 c3 5d b6-da d1 71 74 01 95 e6  
fe   ..P*..]...qt....
0170 - e1 fe 1a 98 10 b0 cc e6-76 06 83 15 93 d0 25  
8b   ........v.....%.
0180 - 01 d2 aa af 29 fd 46 00-21 11 4b 8e ed            ....).F.!.K..
read from 0x20fdd0 [0x215940] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04                                    .....
read from 0x20fdd0 [0x215945] (4 bytes => 4 (0x4))
0000 - 0e                                                .
0004 - <SPACES/NULS>
write to 0x20fdd0 [0x21fa70] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 6f 9d 96 80  
40   ...........o...@
0010 - 98 62 18 e4 a4 a8 d3 30-a4 cd 82 eb 2c d5 73 49   .b..... 
0....,.sI
0020 - b0 68 8f f5 fc 7d 1a 21-e2 f9 98 03 26 a9 c7  
3a   .h...}.!....&..:
0030 - ed bf 02 c5 a2 f9 7a 39-c7 f9 0b 84 bf 7c a9  
f2   ......z9.....|..
0040 - eb b8 1c 69 82 e3 df af-76 48 ab 21 a9 3e 63  
10   ...i....vH.!.>c.
0050 - dc 7d e9 bd 30 e9 9d 33-da 93 4e f2 18 a0 a0 8a   .}.. 
0..3..N.....
0060 - d9 65 a2 8c 8f 72 09 aa-31 38 ed 30 c7 6c ec f9   .e...r.. 
18.0.l..
0070 - c2 68 e5 db e3 cd 6f ac-71 8d 54 a0 d0 57 84  
00   .h....o.q.T..W..
0080 - ce c3 81 05 a3 2d 8e c3-1f 3c 7a                  .....-...<z
write to 0x20fdd0 [0x21fa70] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01                                 ......
write to 0x20fdd0 [0x21fa70] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 ed 82 85-ac 7e aa 1a 26 8a 7d 66   .... 
0....~..&.}f
0010 - 42 6e a2 91 ea b0 c3 01-98 c5 89 e5 a0 9e fd da    
Bn..............
0020 - 8d 8c a5 2a 48 bc e6 5e-ad e5 c2 5a 03 6c d1  
5d   ...*H..^...Z.l.]
0030 - c0 b5 bb 39 65                                    ...9e
read from 0x20fdd0 [0x215940] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01                                    .....
read from 0x20fdd0 [0x215945] (1 bytes => 1 (0x1))
0000 - 01                                                .
read from 0x20fdd0 [0x215940] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30                                    ....0
read from 0x20fdd0 [0x215945] (48 bytes => 48 (0x30))
0000 - ad c0 8f 14 01 bd 4a a3-cf 28 31 d9 16 c7 9a 4a   ......J.. 
(1....J
0010 - 7e 71 ac 3b 6c ce 1f 08-84 c6 44 f7 1e d0 3d 02    
~q.;l.....D...=.
0020 - e0 3a cb bd d4 0d 4a aa-60 4b a3 a2 f7 15 81  
0f   .:....J.`K......
---
Certificate chain
0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National  
Laboratory/OU=Environmental Restoration Division erdc/CN=www- 
erdc.llnl.gov
  i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use  
at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure  
Server CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use  
at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure  
Server CA
  i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification  
Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFQjCCBCqgAwIBAgIQOTfsFyL0qPkISY+/krG24DANBgkqhkiG9w0BAQUFADCB
sDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEqMCgGA1UEAxMh
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBMB4XDTA5MDUwNDAwMDAw
MFoXDTEwMDUwNDIzNTk1OVowgbUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp
Zm9ybmlhMRIwEAYDVQQHFAlMaXZlcm1vcmUxLzAtBgNVBAoUJkxhd3JlbmNlIExp
dmVybW9yZSBOYXRpb25hbCBMYWJvcmF0b3J5MTAwLgYDVQQLFCdFbnZpcm9ubWVu
dGFsIFJlc3RvcmF0aW9uIERpdmlzaW9uIGVyZGMxGjAYBgNVBAMUEXd3dy1lcmRj
LmxsbmwuZ292MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC10Bdgh7FnLGaI
225a+wNQHGSILjWEr5Ik2NB9uyBDpwDkgUJ1fOnv00KfIi1DJpd1ayl+Z0PHmTdN
CVNZSXuu3ftm96GcdmfAOeeahCyiqdMpUV8l6YUDXZblRDwuWclcrKtQckyyw0aD
1W1TrH5bjaSTYBWFTvWUx/SRb+YvHwIDAQABo4IB0zCCAc8wCQYDVR0TBAIwADAL
BgNVHQ8EBAMCBaAwRAYDVR0fBD0wOzA5oDegNYYzaHR0cDovL1NWUlNlY3VyZS1j
cmwudmVyaXNpZ24uY29tL1NWUlNlY3VyZTIwMDUuY3JsMEQGA1UdIAQ9MDswOQYL
YIZIAYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24u
Y29tL3JwYTAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgw
FoAUb+yvoN2KpO/1KhBnLT9VgrzX7yUweQYIKwYBBQUHAQEEbTBrMCQGCCsGAQUF
BzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20wQwYIKwYBBQUHMAKGN2h0dHA6
Ly9TVlJTZWN1cmUtYWlhLnZlcmlzaWduLmNvbS9TVlJTZWN1cmUyMDA1LWFpYS5j
ZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJaW1hZ2UvZ2lmMCEwHzAHBgUr
DgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYkaHR0cDovL2xvZ28udmVyaXNp
Z24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEBBQUAA4IBAQBdFVg7EE7QrlmW
ywgj/itLiFKTD56GOzDrPbwzx+n54GxP3w14ah1L/HSfSj7AXRSME2H48mmVtbf0
tu22JtRpk+RStwleLUoh0fNaO3gZme5fQPca+i1gnGobrceq13+HTsqA2b0iTbkg
rf9DdE4B5vFpGCvYE2XqHGvgTK4FrAX98Hls/UDsya0iNo+nMtQsVHH2v/N2Rq6P
ZpiNDZiM+AWHTOcq/vzdWOQPryj0TLMp85QaQgxgpDAuOI0BQyt3loanmq9224Rj
3FOb7q5aezyc57favRyioyOiNnzbprmbvjWJJELPxGMl6J+RRWCOW2ty/TVWTMHB
5ReZgUVh
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore  
National Laboratory/OU=Environmental Restoration Division erdc/ 
CN=www-erdc.llnl.gov
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of  
use at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3  
Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3069 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
   Protocol  : TLSv1
   Cipher    : DHE-RSA-AES256-SHA
   Session-ID:
   Session-ID-ctx:
   Master-Key:  
9E8941488E9BA08703CB9C00624F98AC4E61511A1B9CA009ACA20EEBAFE5416F21959237C1F50AB11B083B893F4AB0C9
   Key-Arg   : None
   Start Time: 1259597048
   Timeout   : 300 (sec)
   Verify return code: 20 (unable to get local issuer certificate)
---
read from 0x20fdd0 [0x215940] (5 bytes => 0 (0x0))
read:errno=0
write to 0x20fdd0 [0x21a150] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 af e1 ab-10 6a 3e 70 e2 4f ee  
1a   .... ....j>p.O..
0010 - fb 51 20 ac 62 74 99 71-d7 7c 29 72 54 ee 62  
3d   .Q .bt.q.|)rT.b=
0020 - cf 82 c4 bc 73


Thanks again,
John


On Nov 27, 2009, at 11:42 AM, Sander Temme wrote:

On Nov 25, 2009, at 2:24 PM, John J. Consolati wrote:

Here are the build commands I've tried:

./configure --prefix=/home/consolati1/apache/httpd-2.2.14/ 
installed --enable-static-support --enable-ssl --with-ssl=/home/ 
consolati1/openssl/openssl-0.9.8l/installed --with-mpm=prefork

./configure --prefix=/home/consolati1/apache/httpd-2.2.14/ 
installed/ --enable-ssl --with-ssl=/home/consolati1/openssl/ 
openssl-0.9.8g/installed/   (currently using this one)

One remark about your build: your earlier ldd output had some /usr/ 
ucb stuff in it, which may be the result of your having /usr/ucb in  
your PATH.  You might try building with /usr/ccs/bin in your PATH  
before /usr/ucb to take advantage of some utilities a little more  
modern.

I ran into this when building Subversion on a new VM:

http://**www.**temme.net/sander/2009/04/28/building-subversion-with- 
sun-workshop/

No idea how this would impact your build.

S.

Both of them result in the same thing, and were the commands my  
predecessor used.

I will try building it with the configure command you sent.  I  
haven't personally tried gcc, but my coworkers have left extensive  
notes of errors that gcc throws.  It couldn't hurt to try again.

It is odd that libssl and libcrypt aren't in there -- I tried  
building statically, as you can see, but the httpd -l that I  
posted was from the second one (which should be dynamic).  Any  
ideas why they're missing?

Thanks,
John

On Nov 25, 2009, at 2:14 PM, dan_mit...@ymp.gov wrote:


We are only at Apache 2.2.9, but don't have any problems.  The  
command I use to build apache with is:

./configure --prefix=/usr/local/apache-2.2.9 --with-ssl=/usr/ 
local/ssl --with-z=/usr/local/lib --enable-ssl --enable-cache -- 
enable-disk-cache --enable-mem-cache --enable-autoindex --enable- 
mods-shared="rewrite ssl dav dav-fs proxy"

of course, this is building a shared mod_ssl.so, and a few other  
things.  We use gcc instead of Sun's.  Can you try it with gcc?   
I can't image that is the problem, but it might be worth a test.

We have changed both Apache and OpenSSL versions, several times,  
and never had any certificate problems.

Here is one thing to look into...  Looking back at your 'ldd  
httpd' output, there is no mention of libssl or libcrypt, so I  
assume that you are statically linking them in.  Are you sure  
that you are picking up the OpenSSL version and not Sun's default  
installed version in /lib ?  Can you post your build command?   
Personally, I like dynamic linking, so that you can upgrade to a  
new OpenSSL, without having to redo everything that uses it.

Dan


Please respond to users@httpd.apache.org


To:        users@httpd.apache.org
cc:         (bcc: Dan Mitton/YD/RWDOE)
Subject:        Re: [us...@httpd] SSL on Apache 2.2.14


LSN: Not Relevant
User Filed as: Not a Record

Dan,

The error occurs on both Safari and Firefox on Apache 2.2.14.  We
don't have IE in our environment.  Both Safari and Firefox work as
they should with 2.0.47.

It looks like mod_ssl.c is compiled in -- it shows up with httpd - 
l.

I've checked the links you sent me.  The description doesn't  
provide a
whole lot of detail, and, according to the other one, I checked to
make sure I am using prefork instead of MPM -- it seems to  
default to
prefork anyway, but I specified it in the /config before  
compilation.

I've Googled to my wit's end for several days without finding  
anything
conclusive.  Some pages hint at compilation options, others at
compilers (I'm using Sun's cc, not gcc), but nothing conclusive.

Here is one question I couldn't find the answer to, though: if I
requested a server certificate using a specific version of OpenSSL,
can I use that same certificate in a different version of Apache  
with
a different version of OpenSSL?  Or do I have to re-request if I
upgrade OpenSSL?  A long shot I know, but I'm running out of  
options...

Thank you for the help,
John

On Nov 25, 2009, at 12:07 PM, dan_mit...@ymp.gov wrote:


John,

You should not need to upgrade Solaris.  I've got apache running  
on
a solaris 9 box just fine.

Your "wrong path" shouldn't be a problem either.  Those are just
"the last place to look" for an .so.  Solaris will use what is in
the 'crle' command and the LD_LIBRARY_PATH environment variable
first (I'm not sure of the order).

You may or may not have a mod_ssl.so, depending on how you  
compiled
apache.  If you run:

httpd -l (that's an el)

It will list out which modules are compiled in.  If you see
mod_ssl.c, you will not have a mod_ssl.so.  Otherwise, mod_ssl.so
should normally be in your apache's modules subdirectory.

Do you only get the error on Firefox and not IE?

Dan


Please respond to users@httpd.apache.org


To:        users@httpd.apache.org
cc:         (bcc: Dan Mitton/YD/RWDOE)
Subject:        Re: [us...@httpd] SSL on Apache 2.2.14


LSN: Not Relevant
User Filed as: Not a Record

Here is the complete command:

openssl s_server -cert /erd/www/erd/server/apache/httpd-2.2.14/
installed/conf/ssl.crt/www-erdc.crt -key /erd/www/erd/server/ 
apache/
httpd-2.2.14/installed/conf/ssl.key/www-erdc.secureprivate.key -
CAfile /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ 
ssl.crt/
intermediate.crt -www

Your suggested 'GET / HTTP/1.0\r\r' was successful.

However, I found something interesting doing an ldd -- a few of  
them
have wrong paths:

bash-2.05# ldd httpd
      libm.so.1 =>     /usr/lib/libm.so.1
      libaprutil-1.so.0 =>     /wrong/path
      libexpat.so.0 =>         /wrong/path
      libapr-1.so.0 =>         /wrong/path
      libuuid.so.1 =>  /usr/lib/libuuid.so.1
      libsendfile.so.1 =>      /usr/lib/libsendfile.so.1
      librt.so.1 =>    /usr/lib/librt.so.1
      libsocket.so.1 =>        /usr/lib/libsocket.so.1
      libnsl.so.1 =>   /usr/lib/libnsl.so.1
      libpthread.so.1 =>       /usr/lib/libpthread.so.1
      libdl.so.1 =>    /usr/lib/libdl.so.1
      libthread.so.1 =>        /usr/lib/libthread.so.1
      libc.so.1 =>     /usr/lib/libc.so.1
      libucb.so.1 =>   (file not found)
      libresolv.so.2 =>        /usr/lib/libresolv.so.2
      libelf.so.1 =>   /usr/lib/libelf.so.1
      libucb.so.1 =>   /usr/ucblib/libucb.so.1
      libaio.so.1 =>   /usr/lib/libaio.so.1
      libmd5.so.1 =>   /usr/lib/libmd5.so.1
      libmp.so.2 =>    /usr/lib/libmp.so.2
      /usr/platform/SUNW,Sun-Fire-V250/lib/libc_psr.so.1
      /usr/platform/SUNW,Sun-Fire-V250/lib/libmd5_psr.so.1

I wasn't sure where to find mod_ssl.so -- I could only find  
mod_ssl.h.

Is there a way to change the links without rebuilding?

Thank you,
John

On Nov 25, 2009, at 11:21 AM, Sander Temme wrote:


On Nov 25, 2009, at 10:17 AM, John J. Consolati wrote:

Thank you for the reply.

Unfortunately, upgrading Solaris isn't an option.  Here is the
version I have to work with (quite old..):

bash-2.05# cat /etc/release
                    Solaris 9 4/04 s9s_u6wos_08a SPARC
       Copyright 2004 Sun Microsystems, Inc.  All Rights
Reserved.
                    Use is subject to license terms.
                         Assembled 22 March 2004
bash-2.05# uname -a
SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250

I've been using the Sun cc, not gcc, to compile everything.


Here is the output from the openSSL commands:

openssl -certs....etc etc

What is your complete command line here?

Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIeX2wE
MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F/Ajy
V6EGAgRLDXPAogQCAgEspAYEBAAAAAE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-
SHA:EDH-
RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA- 
AES128-
SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4- 
MD5:EDH-
RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-
CBC-
SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-
RC4-
MD5
CIPHER is DHE-RSA-AES256-SHA



And on the other terminal:

bash-2.05$ openssl s_client -connect localhost:4433
CONNECTED(00000003)
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/ 
OU=Terms
of use at https://*****www.*****verisign.com/rpa (c)05/ 
CN=VeriSign
Class 3
Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0

That's not a problem, just OpenSSL complaining it can't find the
Verisign root cert.  If you happen to have a copy of that (like  
your
browser does) and point openssl s_client to it, it can verify all
the way to the top.  This does not impact the connection itself.

---
Certificate chain
0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore  
National
Laboratory/OU=Environmental Restoration Division erdc/CN=www-
erdc.llnl.gov
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of  
use
at https://*****www.*****verisign.com/rpa (c)05/CN=VeriSign  
Class 3
Secure
Server CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
use at https://*****www.*****verisign.com/rpa (c)05/ 
CN=VeriSign Class 3
Secure Server CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
certificate hash...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore
National Laboratory/OU=Environmental Restoration Division erdc/
CN=www-erdc.llnl.gov
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/ 
OU=Terms of
use at https://*****www.*****verisign.com/rpa (c)05/ 
CN=VeriSign Class 3
Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2973 bytes and written 258 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher    : DHE-RSA-AES256-SHA
Session-ID:
5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E5F6C
Session-ID-ctx:
Master-Key:

EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A45712081626A57E6C0FE555052DC5FC08F257
Key-Arg   : None
Start Time: 1259172800
Timeout   : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---

Looks like there is a problem with one of the certificates,  
but I'm
not sure how to proceed...

At this point, you have a valid handshake, and the client and  
server
have exchanged data encrypted and MACed with the session keys.   
All
is well.  You could type on the command line 'GET / HTTP/1.0\r
\r' (two returns) and you'll get the status page generated by
openssl s_server -www.*****

This means you have a configuration problem with Apache.  Make  
sure
you're using the ssl and crypto libraries that you think you  
are by
running ldd on the httpd binary and the mod_ssl.so binary.  While
the Solaris build environment usually gets this right by  
hardcoding
the path to the libraries at link time, make sure this is ok at  
run
time.

Then, make sure your server is configured correctly, and that  
your
SSL virtual host(s) use the correct combination of
SSLCertificateFile and SSLCertificateKeyFile.

S.

Again, thank you for your help, I appreciate it.

Regards,
John


On Nov 25, 2009, at 10:00 AM, daniel.goul...@and.co.uk wrote:

This sounds like a Solaris bug.

Make sure you have a recent version of Solaris or the latest
patches
installed...

What release/patch level are you using?

Danny

________________________________

From: "John J. Consolati" <consola...@llnl.gov> [mailto:"John  
J.
Consolati" <consola...@llnl.gov>]
Sent: 25 November 2009 17:23
To: users@httpd.apache.org
Subject: [us...@httpd] SSL on Apache 2.2.14


Hello,

Hopefully someone will be able to help, as I've been working on
this
problem for quite a while and have hit a wall. I'm trying to
upgrade
Apache 2.0.47 to 2.2.14, and I need SSL support. Everything
seems to
build and compile okay, but when I try to access my site  
running
on
2.2.14, I get a strange error from Firefox: "Secure connection
failed. An error occurred during a connection to xxxxxx. SSL  
peer
reports incorrect Message Authentication Code. (Error code:
ssl_error_bad_mac_alert)."

I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the  
same
results. This is hosted on a Solaris sparc box. The 2.2.14
server is
utilizing all the same files and SSL certificates as the 2.0.47
server. I've called Verisign; I have valid certificates, but
they've
never heard of this error before. If I self-sign a  
certificate and
test it with the 2.2.14 server, it seems to work (except for  
the
expected error message regarding self-signed certificates).

Searching on Google has led me to try forcing Apache to compile
with
prefork enabled (but it seems to default to that anyway on
Solaris).
I've also tried statically linking Apache during compile with  
the
same
results.

If anyone has any ideas or suggestions, I'd very much  
appreciate
them...
Thank you,
John


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP  
Server
Project.
See < URL:http://******httpd.apache.org/userslist.html> for  
more
info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



______________________________________________________________________
This email has been scanned by the MessageLabs Email Security
System.
For more information please visit http://***
***www.******messagelabs.com/
email

______________________________________________________________________



______________________________________________________________________
This e-mail and any attached files are intended for the named
addressee only. It contains information, which may be  
confidential
and legally privileged and also protected by copyright.  
Unless you
are the named addressee (or authorised to receive for the
addressee) you may not copy or use it, or disclose it to anyone
else. If you received it in error please notify the sender
immediately and then delete it from your system. Please be  
advised
that the views and opinions expressed in this e-mail may not
reflect the views and opinions of Associated Newspapers  
Limited or
any of its subsidiary companies. We make every effort to keep  
our
network free from viruses. However, you do need to check this  
e-
mail and any attachments to it for viruses as we can take no
responsibility for any computer virus which may be  
transferred by
way of this e-mail. Use of this or any other e-mail facility
signifies consent to any interception we might lawfully carry  
out
to prevent abuse of these faciliti
es.
Associated Newspapers Ltd. Registered Office: Northcliffe  
House, 2
Derry St, Kensington, London, W8 5TT. Registered No 84121  
England.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP  
Server
Project.
See <URL:http://*****httpd.apache.org/userslist.html> for more  
info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
"   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org





--
Sander Temme
scte...@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://****httpd.apache.org/userslist.html> for more  
info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
"   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server  
Project.
See <URL:http://***httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
"   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server  
Project.
See <URL:http://**httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
"   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org





--
Sander Temme
scte...@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server  
Project.
See <URL:http://*httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
 "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org