Version of openssl binaries on El Capitan is OpenSSL 0.9.8zh 14 Jan 2016.
When I first upgraded I kept mod_cosign.so that I had built for Yosemite but
after I encountered these errors I thought I should rebuild mod_cosign. It
turns out that El Capitan does not include openssl libraries, so I downloaded
this same version 0.9.8zh and built that and then successfully built
mod_cosign. Same cert verification errors happened.
I ran c_rehash anyway on my CA directory but the hashes did not change.
The reason I tried adding the webaccess server to /etc/hosts was that I found
someone with a similar problem running linux and they discovered that apache
was chrooted. I can’t determine if that’s the case here---I don’t think it
is---but three of the errors disappeared after editing /etc/hosts as I stated
in my initial post. This is what makes me think it’s trying to resolve some
other name beside the webaccess server that I can’t identify.
—Andrew
> On Jul 19, 2016, at 8:27 AM, Liam Hoekenga <li...@umich.edu> wrote:
>
> OpenSSL also changed its rehash algorithm in more recent versions. Have you
> rehashed your CA cert directory?
>
> Liam
>
> On Tuesday, July 19, 2016, Phil Pishioneri <p...@psu.edu
> <mailto:p...@psu.edu>> wrote:
> On 07/18/2016 11:12 AM, Andrew Miller wrote:
> > Initially I saw these five error messages:
> > [Sun Jul 17 16:35:32.090667 2016] [:error] [pid 13173] mod_cosign:
> > snet_starttls: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Your mod_cosign may be complaining that it can't verify the certificate
> presented by the other side - the WebAccess servers. If the CA
> certificate(s) in your CosignCrypto directory are still present, it
> could be permissions of files or directory paths, or the OpenSSL version
> changed from the 0.9.x to the 1.x familiy, and the hashes used by
> OpenSSL changed (and so the usual symlinks need recreated or augmented).
>
> -Phil
>
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> patterns at an interface-level. Reveals which users, apps, and protocols are
> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> J-Flow, sFlow and other flows. Make informed decisions using capacity planning
> reports.http://sdm.link/zohodev2dev <http://sdm.link/zohodev2dev>
> _______________________________________________
> Cosign-discuss mailing list
> Cosign-discuss@lists.sourceforge.net <javascript:;>
> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
> <https://lists.sourceforge.net/lists/listinfo/cosign-discuss>
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
