On August 17, 2012 11:00, Phil Pishioneri <p...@psu.edu> wrote:
> Starting with version 1 of openssl, it uses a different algorithm to 
> compute the hash. You can get the old and new values from it:
>
> pgp$ /opt/local/bin/openssl x509 -subject_hash -subject_hash_old 
> -noout -in umwebCA.pem
> 5cc1e784
> 4700e8dd

D'oh!  Thanks, Phil, I think you've hit the nail on the head.  I had no 
idea that OpenSSL had changed their hash algorithm.

Shawn, what version of the OpenSSL libraries are your installations of 
mod_cosign and mod_ssl linked against?  And is this from the same 
version of OpenSSL that the "openssl" executable is from?

[root@minos certs]# ldd /usr/lib64/httpd/modules/mod_cosign.so | grep ssl
         libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f7910dd4000)
[root@minos certs]# ldd /usr/lib64/httpd/modules/mod_ssl.so | grep ssl
         libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f6e0e383000)
[root@minos certs]# rpm -q -f /usr/lib64/libssl.so.10
openssl-1.0.0-20.el6_2.5.x86_64
[root@minos certs]# openssl version
OpenSSL 1.0.0-fips 29 Mar 2010
[root@minos certs]#

If all three use the same OpenSSL version and you still have a problem, 
then the hash symlink is not the problem and we'll have to look elsewhere.

On the other hand, if you are using one version of OpenSSL for either 
mod_cosign or mod_ssl and a different version of OpenSSL for the 
"openssl" executable, then the problem is definitely the hash symlink 
and you should probably use the same version of OpenSSL from the command 
line that you're using to compile mod_cosign.

--
   Mark Montague
   m...@catseye.org


_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
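
The check discussed in this thread, as an added example that is not part of the original messages or of the cosign project: given the openssl binary that matches the library your modules are linked against, report whether the CApath directory holds a link for the certificate under the current and the pre-1.0 subject hash. The function names and exit-status convention are hypothetical, and a link counts as present when its contents are identical to the certificate file.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: sh check-links.sh OPENSSL CAPATH CERT
# Exit status: 0 = both links present, bit 1 = current-style link missing,
# bit 2 = old-style link missing, 4 = the openssl binary could not hash the file.

subject_hash() {    # $1 = openssl binary, $2 = hash flag, $3 = certificate
    "$1" x509 "$2" -noout -in "$3" 2>/dev/null | head -n 1
}

find_link() {       # $1 = CApath dir, $2 = hash, $3 = certificate
    local n
    n=0
    while [ -e "$1/$2.$n" ]; do    # <hash>.0, <hash>.1, ... when hashes collide
        if cmp -s "$1/$2.$n" "$3"; then echo "$2.$n"; return 0; fi
        n=$((n + 1))
    done
    return 1
}

check_hash_links() {
    local bin dir cert new old link status
    bin=$1; dir=$2; cert=$3; status=0
    # Ask for each hash separately so the result does not depend on output order.
    new=$(subject_hash "$bin" -subject_hash "$cert")
    old=$(subject_hash "$bin" -subject_hash_old "$cert")
    if [ -z "$new" ]; then
        echo "error: $bin could not hash $cert"
        return 4
    fi
    if link=$(find_link "$dir" "$new" "$cert"); then
        echo "hash used by this openssl: $link present"
    else
        echo "hash used by this openssl: $new.0 MISSING"
        status=$((status | 1))
    fi
    if [ -z "$old" ]; then
        echo "no -subject_hash_old: this binary predates the algorithm change"
    elif link=$(find_link "$dir" "$old" "$cert"); then
        echo "pre-1.0 hash: $link present"
    else
        echo "pre-1.0 hash: $old.0 MISSING"
        status=$((status | 2))
    fi
    return "$status"
}

if [ "$#" -eq 3 ]; then check_hash_links "$@"; exit $?; fi
```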
