On Sat, Aug 18, 2001 at 10:01:05PM -0700, chirs charter wrote:
> I am using openssl-0.9.6 on a Solaris box. I am
> currently using a temporary self signed certificate.
> The OS is Solaris 8. For /dev/random I have installed
> ANDIrand(http://www.cosy.sbg.ac.at/~andi/) and I have
> also installed PRNGD. I installed both as I thought
> the problem might relate to the random number
> generator. I am using openssl to encrypt client
> connection to our Cyrus IMAP 2.0.16 server. Here is
> the ouput of a Cyrus connection utility called imtest:
First thing: OpenSSL versions before 0.9.7 (which is not yet released,
so I talk about all current versions), do not access /dev/random or
PRNGD automatically. The application has to access it explicitly.
(From the output below I am however not sure, what the reason for
the failure is.)
You may add RAND_egd("/path/to/egd-socket"); to the start of both server
and client to make sure that the PRNG is properly seeded.
> imtest -v -t /var/imap/mailhost.crt localhost
> C: C01 CAPABILITY
> S: * OK catfish Cyrus IMAP4 v2.0.16 server ready
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+
> NAMESPACE UIDPLUS ID NO_ATOMI
> C_RENAME UNSELECT MULTIAPPEND SORT
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE
> STARTTLS
> S: C01 OK Completed
> S01 NO Error initializing TLS
> starting TLS engine
> setting up TLS connection
> SSL_connect:before/connect initialization
> write to 000D6A20 [000F4870] (90 bytes => 90 (0x5A))
> 0000 16 03 01 00 55 01 00 00|51 03 01 3b 7f 48 2b 76
> 0010 b6 b5 6d dd c2 ce 95 6a|2c 19 88 c8 d9 a3 4a 76
> 0020 3b b7 e9 56 11 0c 11 73|fb 25 a5 00 00 2a 00 16
> 0030 00 13 00 0a 00 66 00 07|00 05 00 04 00 65 00 64
> 0040 00 63 00 62 00 61 00 60|00 15 00 12 00 09 00 14
> 0050 00 11 00 08 00 06 00 03|01
> 005a - <SPACES/NULS>
>
> SSL_connect:SSLv3 write client hello A
> read from 000D6A20 [000EC060] (5 bytes => 5 (0x5))
> 0000 2a 20 42 41 44
> write to 000D6A20 [000E3DD0] (7 bytes => 7 (0x7))
> 0000 15 20 42 00 02 02 46
> SSL3 alert write:fatal:unknown
I don't know what is going on here. Yesterday afternoon I wrote the
manual page for SSL_alert_type_string() et al and just discovered,
that the alert descriptions for TLSv1 are not included in the library,
only for SSLv3... Therefore we only see the "unknown" here. I will fix this
today.
> SSL_connect:error in SSLv3 read server hello A -1
> SSL_connect error -1
> SSL session removed
> TLS negotiation failed!
> Asking for capabilities again since they might have
> changed
> C: C01 CAPABILITY
> S: Invalid tag
> S: * BAD Invalid tag
>
> I have tried looking up some of these error on various
> newsgroup but have come up empty handed. Could someone
> help shed some light on the possible cause and or
> workaround. I would greatly appreciate any help. Thank
> you.
Please run ssldump (http://www.rtfm.com/ssldump) to find out more
details, and check out the output of the server.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
