Hello all,
as part of a pilot project to deploy a CA, I have been trying OpenCA-0.9.2.5.
I encountered a couple of issues and problems. The maintainers of OpenCA and
its manual might take the following as hints for improvements. Moreover, if
you are an experienced OpenCA administrator (or even one of the developers),
any hints to get around several problems described below will be appreciated.
1. The meaning of many "configure" parameters is not clear.
Although "./configure --help" gives me a load of options with terse
explanations, most of the options are not further mentioned/explained in the
manual.
For example, "--with-openssl-prefix" is explained as "openssl prefix". That
works out of the box if you compile openssl yourself with a final "make
install". However, the average distribution does not preserve the default
file layout. So, when it reads "openssl prefix", does that mean where to
look for (a) the openssl binary (b) the openssl runtime libraries (c) the
openssl include files, or (d) the openssl etc-stuff? I could find out by
digging in the "Makefile.in"s, but it would make the user's life considerably
easier if the names here were chosen less ambiguously. After all, OpenCA is
not easy to tame for the first-time user anyway, especially if you use an
off-the-shelf distribution.
The same applies for "--with-httpd-fs-prefix" (and several others), which I
*guess* means the root for "htdocs", "cgi-bin", etc.
2. Speaking of "configure": Since it has so many options, it would be really
nice if the according manual section could include some sample configure
command-lines for typical setups, in the form of "if you want to have only a
CA then do ..., and if you want ... then do ..., etc.". For my part, I first
want to play with OpenCA, get somehow familiar with it, and then make my
decisions about the CA structure. To this end, hints for configurations that
work are highly appreciated.
3. In fact, I use SUSE 10.2 Linux, and by default, no development packages are
installed; for example, the openssl and openLDAP include headers are not
installed. However, the "./configure" process does not notice that; the
problem becomes apparent only if you attempt to build OpenCA (and the
inexperienced user will probably not easily find out why "make" fails
because "make" fails with a huge load of error messages; if the history
buffer of your terminal is not large enough or if you don't pipe the error
messages into a log file, you really will get no clue at all about what went
wrong).
This applies similarly for openLDAP: The "configure" script does complain, but
in a wholly arcane way: it claims that libldap and libber are not present,
which is nonsense: they are installed in /usr/lib, so *that* is *not* the
problem. The problem is in fact missing include files.
4. Building OpenCA - the make process.
First of all, I do like the effort that the authors of the manual spend on
security related issues, even less obvious ones. At the same time, getting
warnings like
make[7]: Entering directory `/scratch/OpenCA-0.9.2.5/src/modules'
Warning: prerequisite IO::Stringy 1.211 not found.
Warning: prerequisite Mail::Field 1.05 not found.
Warning: prerequisite Mail::Header 1.01 not found.
Warning: prerequisite Mail::Internet 1.0203 not found.
Checking if your kit is complete...
Looks good
are at least puzzling - "... not found" but "... your kit is complete" -
huh? (More likewise messages follow later.)
Then,
Checking if your kit is complete...
Warning: the following files are missing in your kit:
t/1.t
t/2.t
Please inform the author.
should actually abort the build process. As I said before, if you don't keep
and inspect the log, this will *certainly* escape your attention.
Moreover, several C compile warnings do not support confidence in the
robustness of OpenCA, and there are many, especially in OpenSSL.xs. See also
make[5]: Entering directory `/scratch/OpenCA-0.9.2.5/src/openca-sv/src'
gcc -DPACKAGE_VERSION=\"1.0.1\\x0\" -I../include -I/usr/include -g -O2 -c apps.c
apps.c: In function `password_callback':
apps.c:183: warning: incompatible implicit declaration of built-in function `strlen'
apps.c:186: warning: incompatible implicit declaration of built-in function `bcopy'
apps.c:222: warning: incompatible implicit declaration of built-in function `memset'
apps.c:227: warning: incompatible implicit declaration of built-in function `strlen'
apps.c:232: warning: incompatible implicit declaration of built-in function `memset'
apps.c:238: warning: incompatible implicit declaration of built-in function `memset'
apps.c: In function `load_cert':
apps.c:388: warning: passing argument 2 of `d2i_ASN1_HEADER' from incompatible pointer type
apps.c:400: warning: passing argument 2 of `d2i_ASN1_HEADER' from incompatible pointer type
apps.c: In function `configure_engine':
apps.c:644: warning: incompatible implicit declaration of built-in function `strstr'
apps.c:656: warning: incompatible implicit declaration of built-in function `bcopy'
and many more likewise. Finally, "make" terminates at
gcc -DPACKAGE_VERSION=\"0.5.1\\x0\" -D_USE_SEMAPHORES=1 -I../include -I/usr/include -g -O2 -c ocsp_response.c
In file included from /usr/include/openssl/pqueue.h:65,
from /usr/include/openssl/dtls1.h:64,
from /usr/include/openssl/ssl.h:985,
from ocsp_response.c:12:
/usr/include/string.h:38: error: expected declaration specifiers or `...' before `(' token
/usr/include/string.h:38: error: expected declaration specifiers or `...' before `(' token
/usr/include/string.h:38: error: expected declaration specifiers or `...' before `(' token
/usr/include/string.h:43: error: expected declaration specifiers or `...' before `(' token
/usr/include/string.h:43: error: expected declaration specifiers or `...' before `(' token
/usr/include/string.h:43: error: expected declaration specifiers or `...' before `(' token
/usr/include/string.h:293: error: conflicting types for `bcopy'
/usr/include/string.h:44: error: previous declaration of `bcopy' was here
make[5]: *** [ocsp_response.o] Error 1
I have no idea what goes wrong here. Any clues???
5. Anyway, certain configurations go around compiling this source, and the
make process terminates successfully (more or less...). Now, when I do "make
test", I get an error message, no matter on what platform I try. I have read
about this problem before in the archives, but I could not find any really
useful clue. Apparently, many users have these problems. Is that normal?
Specifically, I get
make[6]: Entering directory `/scratch/OpenCA-0.9.2.5/src/modules/MIME-tools-5.411'
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/Body...........ok
t/Decoder........ok
t/Entity.........ok
t/Gauntlet.......ok
t/Head...........ok
t/Misc...........FAILED tests 4-6
Failed 3/7 tests, 57.14% okay
t/Parser.........ok
t/Ref............ok
t/WordDecoder....ok
t/Words..........ok
Failed Test Stat Wstat Total Fail Failed List of Failed
-------------------------------------------------------------------------------
t/Misc.t 7 3 42.86% 4-6
Failed 1/10 test scripts, 90.00% okay. 3/223 subtests failed, 98.65% okay.
make[6]: *** [test_dynamic] Error 255
and
make[6]: Entering directory `/scratch/OpenCA-0.9.2.5/src/modules/openca-openssl'
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/1....Subroutine errno redefined at ../openca-openssl/blib/lib/OpenCA/OpenSSL.pm line 271.
FAILED test 2
Failed 1/2 tests, 50.00% okay
t/2....Subroutine errno redefined at ../openca-openssl/blib/lib/OpenCA/OpenSSL.pm line 271.
ok
t/3....Subroutine errno redefined at ../openca-openssl/blib/lib/OpenCA/OpenSSL.pm line 271.
ok
t/4....Subroutine errno redefined at ../openca-openssl/blib/lib/OpenCA/OpenSSL.pm line 271.
ok
t/5....Subroutine errno redefined at ../openca-openssl/blib/lib/OpenCA/OpenSSL.pm line 271.
ok
t/6....Subroutine errno redefined at ../openca-openssl/blib/lib/OpenCA/OpenSSL.pm line 271.
ok
Failed Test Stat Wstat Total Fail Failed List of Failed
-------------------------------------------------------------------------------
t/1.t 2 1 50.00% 2
Failed 1/6 test scripts, 83.33% okay. 1/72 subtests failed, 98.61% okay.
make[6]: *** [test_dynamic] Error 255
6. Anyway once more, ignoring the outcome so far, if I dare to install the
software, and if I try to run it, I (more specifically, my students) get
messages like
Error 700 General Error: The compilation of the command cmdViewCSR failed.
Can't use an undefined value as a HASH reference
at /usr/local/openra/openca/lib/functions/crypto-utils.lib line 1186
Ok, that was a lot, and most readers will probably not get to this point here,
but if you do - do you have any hints for me?
Regards
--
S. Hamdy
United Arab Emirates University
College of Information Technology
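
Added example (not part of the original post and not OpenCA code): a shell triage of a saved build log, e.g. from "make 2>&1 | tee build.log", that surfaces the kinds of messages quoted in items 4 and 5 so they do not scroll past unnoticed. The category names and the choice to treat everything except compiler warnings as blocking are assumptions of this example; the sample log is constructed from lines quoted in the post.

```sh
#!/bin/sh
# Added example, not OpenCA code. Patterns come from the output quoted above.

# Emit "CATEGORY<TAB>line-number<TAB>text" for each notable line of a build log.
# Reads the file named in $1, or stdin when no file is given.
scan_build_log() {
    awk '
    /Warning: prerequisite .* not found/ { print "MISSING_PERL_MODULE\t" NR "\t" $0; next }
    /files are missing in your kit/      { print "INCOMPLETE_KIT\t" NR "\t" $0; next }
    /implicit declaration of/            { print "IMPLICIT_DECL\t" NR "\t" $0; next }
    /incompatible pointer type/          { print "POINTER_TYPE\t" NR "\t" $0; next }
    /: error: /                          { print "COMPILE_ERROR\t" NR "\t" $0; next }
    /FAILED test/                        { print "TEST_FAILURE\t" NR "\t" $0; next }
    /^make\[[0-9]+\]: \*\*\* /           { print "MAKE_ABORT\t" NR "\t" $0; next }
    ' "${1:--}"
}

# count_findings CATEGORY [FILE]: number of findings in one category.
count_findings() {
    scan_build_log "${2:--}" | awk -F'\t' -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# build_log_ok [FILE]: succeeds only if nothing beyond compiler warnings was
# found (assumption of this example: warnings are reported, the rest blocks).
build_log_ok() {
    ! scan_build_log "${1:--}" | grep -Evq '^(IMPLICIT_DECL|POINTER_TYPE)'
}

# Constructed sample: lines taken from the post, unwrapped to one line each.
sample_log() {
    cat <<'EOF'
make[7]: Entering directory `/scratch/OpenCA-0.9.2.5/src/modules'
Warning: prerequisite IO::Stringy 1.211 not found.
Checking if your kit is complete...
Looks good
Warning: the following files are missing in your kit:
apps.c:183: warning: incompatible implicit declaration of built-in function `strlen'
apps.c:388: warning: passing argument 2 of `d2i_ASN1_HEADER' from incompatible pointer type
/usr/include/string.h:293: error: conflicting types for `bcopy'
make[5]: *** [ocsp_response.o] Error 1
t/Misc...........FAILED tests 4-6
EOF
}

sample_log | scan_build_log
```

Running "make 2>&1 | tee build.log" followed by "build_log_ok build.log || scan_build_log build.log" keeps the full log and prints only the lines that need a decision.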