>>[EMAIL PROTECTED] wrote:
>>> Hello List. My first post...
>>>
>>> Error:
>>> -------
>>>
>>> CA & RA on the same system, too short symmetric keylength error when
>>> entering RA (General Error 6251043)
>>>
>>> OpenCA: General error trapped Aborting connection - you are using a
>>> too short symmetric keylength ().: 6251043 at
>>> /usr/local/share/perl/5.8.3/OpenCA/UI/HTML.pm line 175, <SOCK> line
>>> 84. Compilation failed in require at ./openca_start line 62, <SOCK>
>>> line 84.
>>
>> This means that you are using a symmetric key which is shorter than
>> specified in etc/access_control/ra.xml. Usually the symmetric cipher
>> must have a length greater than or equal to 128. If you are using
>> Mozilla then you can click on the small lock to get information about
>> the used session cipher. The empty () at the end of the error message
>> looks like a general problem with your SSL.
>
> Thanks Michael,
>
> Your guess is correct... I had a quick look at my apache server and it is
> a: mod_ssl/2.0.49 OpenSSL/0.9.7d enabled binary...
> I installed OpenSSL/0.9.7c for the installation of OpenCA but version
> 0.9.7d is still hanging around. I guess what I have to do is recompile
> apache2 with the correct OpenSSL/0.9.7c libs as well (and not use the
> .deb package) or (temporary workaround)
> modify the $OPENCADIR/etc/access_control/*.xml files, change:
> from:
>   <channel>
>     <type>mod_ssl</type>
>     <protocol>ssl</protocol>
>     ......
>     <symmetric_keylength>128</symmetric_keylength>
>   </channel>
> to:
>   <channel>
>     <type>mod_ssl</type>
>     <protocol>ssl</protocol>
>     ......
>     <symmetric_keylength>.*</symmetric_keylength>
>   </channel>

This is dangerous for your RA because the strength of the encryption is
not defined.

Only a small question - did you activate the default variables for SSL?
If you forget this then OpenCA cannot access the parameters of the
connection. Please check your apache config for this:

    SSLOptions +StdEnvVars +ExportCertData

Perhaps we should add this to the documentation.

Michael

_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
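
The two checks discussed in this thread, as an added example that is not part of the original messages and is not OpenCA's own code: it audits `symmetric_keylength` entries for values that no longer pin a minimum, and shows how a key-length check behaves when mod_ssl's variables are not exported. It assumes a numeric comparison against 128 bits; the sample XML and its `<access_control>` wrapper element are constructed, and `SSL_CIPHER_USEKEYSIZE` is the variable mod_ssl exports under `SSLOptions +StdEnvVars`.

```python
import xml.etree.ElementTree as ET

MIN_BITS = 128  # minimum named in the thread

# Constructed sample: two <channel> entries shaped like the ones quoted in the
# thread; the <access_control> wrapper element is hypothetical.
SAMPLE_XML = """<access_control>
  <channel><type>mod_ssl</type><protocol>ssl</protocol>
    <symmetric_keylength>128</symmetric_keylength></channel>
  <channel><type>mod_ssl</type><protocol>ssl</protocol>
    <symmetric_keylength>.*</symmetric_keylength></channel>
</access_control>"""


def audit_keylengths(xml_text, min_bits=MIN_BITS):
    """Return (value, problem) for every symmetric_keylength that fails to
    pin a numeric minimum of at least min_bits."""
    findings = []
    for node in ET.fromstring(xml_text).iter("symmetric_keylength"):
        value = (node.text or "").strip()
        if not value.isdecimal():
            findings.append((value, "not a number, cipher strength undefined"))
        elif int(value) < min_bits:
            findings.append((value, f"below {min_bits} bits"))
    return findings


def check_session(environ, min_bits=MIN_BITS):
    """Accept or reject a request from the variables mod_ssl exports when
    SSLOptions +StdEnvVars is set (SSL_CIPHER_USEKEYSIZE = bits in use)."""
    raw = environ.get("SSL_CIPHER_USEKEYSIZE", "").strip()
    if not raw.isdecimal():
        # Nothing exported: the application sees an empty key length.
        return False, "key size not visible, check SSLOptions +StdEnvVars"
    if int(raw) < min_bits:
        return False, f"{raw}-bit session cipher is below {min_bits}"
    return True, f"{raw}-bit session cipher accepted"


if __name__ == "__main__":
    for value, problem in audit_keylengths(SAMPLE_XML):
        print(f"symmetric_keylength={value!r}: {problem}")
    for env in ({}, {"SSL_CIPHER_USEKEYSIZE": "56"},
                {"SSL_CIPHER_USEKEYSIZE": "168"}):
        print(env, "->", check_session(env))
```
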
