On Tue, Jul 17, 2001 at 10:54:45AM -0700, Patrick Li wrote:
> Ok, I checked my SSL client program log and found this
> 
> 2001-07-16 18:56:58:xform.cpp   (171 ):9:USR:WARN :SSL_get_verify_result()
> failed with return code 7.
> 
> In the connection routine of my SSL client, SSL_get_verify_result returns 7.
> According to the man page 7 means X509_V_ERR_CERT_SIGNATURE_FAILURE:
> certificate signature failure the signature of the certificate is invalid.
> When my program detects an error, it will disconnect the SSL session.  That
> explains why Apache received a broken pipe error.
> 
> So, my SSL client is receiving a certificate from Apache with an invalid
> signature.  This only happens when I have 10 SSL client
> programs connecting to the Apache server concurrently and the error didn't
> happen all the time when I reran my testing.

As your analysis already showed, something odd is happening.
You now must find out, whether the problem is coming from the server or the
client. On a first glance, I would trust mod_ssl as it is widely deployed
and corresponding errors have not been reported.

> The Apache that I am using is not built with MM shared memory library and it
> is running on HP/UX.
My Apache is using a similar configuration.

So what to do next?
* I don't know whether you have simple self signed certificates or have an
  infrastructure with at least one CA level, so I assume the latter option.
* Instrument your code with a verify callback. Use it to print out the
  depth at which the verification error occurs. The server cert is sent
  from the server, the root CA cert is kept locally (if a root CA cert
  was sent, it is ignored and the local one used instead).
  If intermediate CA certificates are used, they should be sent by
  the server. When missing, they might be provided locally.
* Now you should have an idea on what to look for. If you find out that
  the certificates sent by the server are affected, use a dump_callback
  to dump out the complete network traffic. This way you can later verify,
  whether the data came in wrong or whether it was modified after arrival.
* If you find out that local data was modified, immediately turn on a
  memory debugger like efence to help catching buffer overruns...
  (If you have a PC with memory without parity, there is always another
  possible source of problems...)

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
