Thanks for your reply Lutz. I do have a /dev/urandom though, which is a link to /dev/random, and I see the presence of a /.rnd file; doesn't this mean that openssl is starting up correctly? Also can you tell me how to add RAND_egd("/path/to/egd-socket"); to the beginning of an application, in my case IMAP? i.e. what is the procedure for doing this? I will run ssldump. Thanks again
--- Lutz Jaenicke <[EMAIL PROTECTED]> wrote:
> On Sat, Aug 18, 2001 at 10:01:05PM -0700, chirs charter wrote:
> > I am using openssl-0.9.6 on a Solaris box. I am currently using a temporary self-signed certificate. The OS is Solaris 8. For /dev/random I have installed ANDIrand (http://www.cosy.sbg.ac.at/~andi/) and I have also installed PRNGD. I installed both as I thought the problem might relate to the random number generator. I am using openssl to encrypt client connections to our Cyrus IMAP 2.0.16 server. Here is the output of a Cyrus connection utility called imtest:
>
> First thing: OpenSSL versions before 0.9.7 (which is not yet released, so I talk about all current versions) do not access /dev/random or PRNGD automatically. The application has to access it explicitly. (From the output below I am however not sure what the reason for the failure is.)
> You may add RAND_egd("/path/to/egd-socket"); to the start of both server and client to make sure that the PRNG is properly seeded.
>
> > imtest -v -t /var/imap/mailhost.crt localhost
> > C: C01 CAPABILITY
> > S: * OK catfish Cyrus IMAP4 v2.0.16 server ready
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS
> > S: C01 OK Completed
> > S01 NO Error initializing TLS
> > starting TLS engine
> > setting up TLS connection
> > SSL_connect:before/connect initialization
> > write to 000D6A20 [000F4870] (90 bytes => 90 (0x5A))
> > 0000 16 03 01 00 55 01 00 00|51 03 01 3b 7f 48 2b 76
> > 0010 b6 b5 6d dd c2 ce 95 6a|2c 19 88 c8 d9 a3 4a 76
> > 0020 3b b7 e9 56 11 0c 11 73|fb 25 a5 00 00 2a 00 16
> > 0030 00 13 00 0a 00 66 00 07|00 05 00 04 00 65 00 64
> > 0040 00 63 00 62 00 61 00 60|00 15 00 12 00 09 00 14
> > 0050 00 11 00 08 00 06 00 03|01
> > 005a - <SPACES/NULS>
> >
> > SSL_connect:SSLv3 write client hello A
> > read from 000D6A20 [000EC060] (5 bytes => 5 (0x5))
> > 0000 2a 20 42 41 44
> > write to 000D6A20 [000E3DD0] (7 bytes => 7 (0x7))
> > 0000 15 20 42 00 02 02 46
> > SSL3 alert write:fatal:unknown
>
> I don't know what is going on here. Yesterday afternoon I wrote the manual page for SSL_alert_type_string() et al and just discovered that the alert descriptions for TLSv1 are not included in the library, only for SSLv3... Therefore we only see the "unknown" here. I will fix this today.
>
> > SSL_connect:error in SSLv3 read server hello A -1
> > SSL_connect error -1
> > SSL session removed
> > TLS negotiation failed!
> > Asking for capabilities again since they might have changed
> > C: C01 CAPABILITY
> > S: Invalid tag
> > S: * BAD Invalid tag
> >
> > I have tried looking up some of these errors on various newsgroups but have come up empty-handed. Could someone help shed some light on the possible cause and/or workaround? I would greatly appreciate any help. Thank you.
>
> Please run ssldump (http://www.rtfm.com/ssldump) to find out more details, and check out the output of the server.
>
> Best regards,
> Lutz
> --
> Lutz Jaenicke
> [EMAIL PROTECTED]
> BTU Cottbus
> http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik
> Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus
> Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]