On Thu, 2001-11-15 at 12:56, Lutz Jaenicke wrote:
> On Thu, Nov 15, 2001 at 11:05:45AM +0000, Brent Newson wrote:
> > I am running NetBSD 1.5.2 with openssl-0.9.6nb2 and cyrus-imapd-2.0.16.
> > I have created a self-signed certificate called cacert.pem but every time
> > I try and connect to the server via ssl I get the following error:
>
> Don't mix self signed certs with CA certs. If you have only a self signed
> certificate, you only need CA certificates for client certificate verification,
> but see below.
>
> > I get the following error:
> >
> > C: C01 CAPABILITY
> > S: * OK esme.webscreen-technology.com Cyrus IMAP4 v2.0.16 server ready
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
> > NO_ATOMIC_RENAME UNSELECT MULTIAPPEND
> > SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS
> > AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
> > S: C01 OK Completed
> > S01 OK Begin TLS negotiation now
> > Nov 15 10:59:18 esme imapd[287]: TLS engine: cannot load CA data
> > Nov 15 10:59:18 esme imapd[287]: TLS engine: No CA file specified.
> > Client side certs may not work
> This is just a warning, you may ignore it.
>
> > verify error:num=18:self signed certificate
> The server sent a self signed certificate, that could not be verified by
> imtest!?
>
> > Nov 15 10:59:18 esme imapd[287]: Doing a peer verify
> > Nov 15 10:59:18 esme imapd[287]: verify error:num=18:self signed
> > certificate
> The client sent a certificate that could not be verified.
>
> > Nov 15 10:59:18 esme imapd[287]: STARTTLS failed: localhost[127.0.0.1]
> > Segmentation fault (core dumped)
> This is something far more severe. Is it imapd or imtest that fails?
> You must compile imapd with debugging support and analyze the coredump
> in order to find out the reason for the segmentation fault. It may well
> be possible for an application to fail when not set up properly, but
> it should do so with an error message but never with a segmentation fault.
>
> Best regards,
> Lutz
Thanks Lutz, it's both imtest and imapd that are bombing out. When I recompile cyrus-imapd, openssl and cyrus-sasl with the DEBUG=1 option I get the following error:

imapd: illegal option -- s
imapd: illegal option -- d
imapd: illegal option -- 9
imapd: illegal option -- d
imapd: illegal option -- 9

This to me suggests that the master process is trying to call the imapd daemon with the -s switch that starts imap over ssl, but the imapd daemon is reporting back that this isn't an option?

Also, after the imtest program is run under gdb it gets to the SSL_connect library and does the following:

(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/pkgsrc/mail/cyrus-imapd/work/cyrus-imapd-2.0.16/imtest/imtest -t "" esme
Cannot insert breakpoint 8:
Nov 19 21:26:05 esme imapd[839]: starttls: TLSv1 with cipher (NONE) (0/0 bits) no authentication
Temporarily disabling shared library breakpoints: 8 9 10 11 13 14
Nov 19 21:26:05 esme imapd[839]: Undefined error: 0, closing connection
C: C01 CAPABILITY
S: * OK esme.webscreen-technology.com Cyrus IMAP4 v2.0.16 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=ANONYMOUS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
S: C01 OK Completed
Nov 19 21:26:05 esme imapd[849]: TLS engine: cannot load CA data
Nov 19 21:26:05 esme imapd[849]: TLS engine: No CA file specified.
Client side certs may not work
S01 OK Begin TLS negotiation now

Breakpoint 3, tls_init_clientengine (verifydepth=10, var_tls_cert_file=0xbfbfdc56 "", var_tls_key_file=0xbfbfdc56 "") at imtest.c:304
304         int off = 0;
(gdb) info locals
off = 134543444
verify_flags = 76
CApath = 0x1004 <Error reading address 0x1004: Invalid argument>
CAfile = 0x804ca8b "\211CDÇC@"
c_cert_file = 0xbfbfd6c4 "÷Ç\004\b\n"
c_key_file = 0x1004 <Error reading address 0x1004: Invalid argument>
(gdb) info variables
All defined variables:

File imtest.c:
sasl_conn_t *conn;
struct protstream *pin;
struct protstream *pout;
int sock;
int tls_cipher_algbits;
char *tls_cipher_name;
int tls_cipher_usebits;
char *tls_issuer_CN;
char *tls_peer_CN;
char *tls_protocol;
char *var_tls_CAfile;
char *var_tls_CApath;
int verbose;
static char *authname;
static sasl_callback_t callbacks[0];
static int do_dump;
static char fingerprint[108];
static char issuer_CN[256];
static unsigned char md[36];
static char peer_CN[256];
---Type <return> to continue, or q <return> to quit---
static char peer_issuer[256];
static char peer_subject[256];
static char *realm;
static SSL *tls_conn;
static SSL_CTX *tls_ctx;
static char *username;
static int verify_depth;
static int verify_error;

Non-debugging symbols:
0804f7b0  __progname
0804f7b4  __ps_strings
0804f838  rsa_tmp.12
0804fae0  optarg
0804fae4  optind
0804fae8  __sF
080500e0  errbuf.34
080501e0  __mainprog_obj
080501e4  environ
4805eccf  WS.18
4805f7f8  __sys_nerr14
4805fafa  __infinity
4805fb20  _C_toupper_
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) list
299      * The skeleton of this function is taken from OpenSSL apps/s_client.c.
300      */
301
302     static int tls_init_clientengine(int verifydepth, char *var_tls_cert_file, char *var_tls_key_file)
303     {
304         int off = 0;
305         int verify_flags = SSL_VERIFY_NONE;
306         char *CApath;
307         char *CAfile;
308         char *c_cert_file;
(gdb) cont
Continuing.

Breakpoint 1, tls_start_clienttls (layer=0xbfbfd6d8, authid=0xbfbfd6dc) at imtest.c:468
468         if (verbose==1)
(gdb) list
463         unsigned int n;
464         SSL_SESSION *session;
465         SSL_CIPHER *cipher;
466         X509 *peer;
467
468         if (verbose==1)
469             printf("setting up TLS connection\n");
470
471         if (tls_conn == NULL) {
472             tls_conn = (SSL *) SSL_new(tls_ctx);
(gdb) info locals
sts = -1077945568
j = 1048575
n = 0
session = (SSL_SESSION *) 0x0
cipher = (SSL_CIPHER *) 0x0
peer = (X509 *) 0x0
(gdb) list
473         }
474         if (tls_conn == NULL) {
475             printf("Could not allocate 'con' with SSL_new()\n");
476             return IMTEST_FAIL;
477         }
478         SSL_clear(tls_conn);
479
480         if (!SSL_set_fd(tls_conn, sock)) {
481             printf("SSL_set_fd failed\n");
482             return IMTEST_FAIL;
(gdb) cont
Continuing.

Breakpoint 15, tls_start_clienttls (layer=0xbfbfd6d8, authid=0xbfbfd6dc) at imtest.c:488
488         SSL_set_connect_state(tls_conn);
(gdb) info locals
sts = -1077945568
j = 1048575
n = 0
session = (SSL_SESSION *) 0x0
cipher = (SSL_CIPHER *) 0x0
peer = (X509 *) 0x0
(gdb) list
483         }
484         /*
485          * This is the actual handshake routine. It will do all the negotiations
486          * and will check the client cert etc.
487          */
488         SSL_set_connect_state(tls_conn);
489
490
491         /*
492          * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
(gdb) info tls_conn
Undefined info command: "tls_conn".  Try "help info".
(gdb) info locals tls_conn
sts = -1077945568
j = 1048575
n = 0
session = (SSL_SESSION *) 0x0
cipher = (SSL_CIPHER *) 0x0
peer = (X509 *) 0x0
(gdb) info variables tls_conn
All variables matching regular expression "tls_conn":

File imtest.c:
static SSL *tls_conn;
(gdb) print tls_conn
$1 = (SSL *) 0x8056300
(gdb) print *tls_conn
$2 = {version = 769, type = 0, method = 0x4827a560, rbio = 0x8054380, wbio = 0x8054380, bbio = 0x0, rwstate = 1, in_handshake = 0, handshake_func = 0, server = 0, new_session = 0, quiet_shutdown = 0, shutdown = 0, state = 20480, rstate = 240, init_buf = 0x0, init_num = 0, init_off = 0, packet = 0x0, packet_length = 0, s2 = 0x0, s3 = 0x8053400, read_ahead = 0, hit = 0, purpose = 0, trust = 0, cipher_list = 0x0, cipher_list_by_id = 0x0, enc_read_ctx = 0x0, read_hash = 0x0, expand = 0x0, enc_write_ctx = 0x0, write_hash = 0x0, compress = 0x0, cert = 0x8059600, sid_ctx_length = 0, sid_ctx = '\000' <repeats 31 times>, session = 0x0, verify_mode = 0, verify_depth = -1, verify_callback = 0x804a0dc <verify_callback>, info_callback = 0, error = 0, error_code = 0, ctx = 0x8056200, debug = 0, verify_result = 0, ex_data = {sk = 0x0, dummy = 0}, client_CA = 0x0, references = 1, options = 1048575, mode = 0, first_packet = 0, client_version = 769}
(gdb) break 489
Breakpoint 17 at 0x804aa96: file imtest.c, line 489.
(gdb) cont
Continuing.

Breakpoint 13, 0x4826a7f0 in SSL_set_connect_state ()
(gdb) cont
Continuing.

Breakpoint 17, tls_start_clienttls (layer=0xbfbfd6d8, authid=0xbfbfd6dc) at imtest.c:496
496         if (verbose==1)
(gdb) list
491         /*
492          * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
493          * Well there is a BIO below the SSL routines that is automatically
494          * created for us, so we can use it for debugging purposes.
495          */
496         if (verbose==1)
497             BIO_set_callback(SSL_get_rbio(tls_conn), bio_dump_cb);
498
499         /* Dump the negotiation for loglevels 3 and 4 */
500         if (verbose==1)
(gdb) list 488
483         }
484         /*
485          * This is the actual handshake routine. It will do all the negotiations
486          * and will check the client cert etc.
487          */
488         SSL_set_connect_state(tls_conn);
489
490
491         /*
492          * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
(gdb) list
493          * Well there is a BIO below the SSL routines that is automatically
494          * created for us, so we can use it for debugging purposes.
495          */
496         if (verbose==1)
497             BIO_set_callback(SSL_get_rbio(tls_conn), bio_dump_cb);
498
499         /* Dump the negotiation for loglevels 3 and 4 */
500         if (verbose==1)
501             do_dump = 1;
502
(gdb) break 598
Breakpoint 18 at 0x804ad85: file imtest.c, line 598.
(gdb) break 498
Breakpoint 19 at 0x804aab6: file imtest.c, line 498.
(gdb) info variables vio_dump_cb
All variables matching regular expression "vio_dump_cb":
(gdb) info variables bio_dump_cb
All variables matching regular expression "bio_dump_cb":
(gdb) info locals bio_dump_cb
sts = -1077945568
j = 1048575
n = 0
session = (SSL_SESSION *) 0x0
cipher = (SSL_CIPHER *) 0x0
peer = (X509 *) 0x0
(gdb) cont
Continuing.

Breakpoint 19, tls_start_clienttls (layer=0xbfbfd6d8, authid=0xbfbfd6dc) at imtest.c:500
500         if (verbose==1)
(gdb) list
495          */
496         if (verbose==1)
497             BIO_set_callback(SSL_get_rbio(tls_conn), bio_dump_cb);
498
499         /* Dump the negotiation for loglevels 3 and 4 */
500         if (verbose==1)
501             do_dump = 1;
502
503         if ((sts = SSL_connect(tls_conn)) < 0) {
504             printf("SSL_connect error %d\n", sts);
(gdb) break 504
Breakpoint 20 at 0x804aae2: file imtest.c, line 504.
(gdb) list
505             session = SSL_get_session(tls_conn);
506             if (session) {
507                 SSL_CTX_remove_session(tls_ctx, session);
508                 printf("SSL session removed\n");
509             }
510             if (tls_conn!=NULL)
511                 SSL_free(tls_conn);
512             tls_conn = NULL;
513             return IMTEST_FAIL;
514         }
(gdb) break 515
Breakpoint 21 at 0x804ab58: file imtest.c, line 515.
(gdb) cont
Continuing.

Breakpoint 14, 0x4826a374 in SSL_connect ()
(gdb) cont
Continuing.

Breakpoint 10, 0x4815d2ff in X509_get_issuer_name ()
(gdb) cont
Continuing.

Breakpoint 10, 0x4815d2ff in X509_get_issuer_name ()
(gdb) disable 10
(gdb) cont
Continuing.
verify error:num=18:self signed certificate

Program received signal SIGSEGV, Segmentation fault.
0x0 in ?? ()
(gdb)

The SSL_connect library was called just before the program failed. Could this mean the library has bugs in it? Any ideas?

Thanks for your help!

Regards
Brent Newson

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
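Lutz's point above, that a self-signed server certificate is its own trust anchor and that the client only needs it in its CA store (the server's CA list matters only for client-certificate verification), as an added Go example that is not code from the thread, from imtest or from Cyrus; the certificate is generated in memory and the host name imap.example.test is a placeholder:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// SelfSignedCert builds a throwaway self-signed server certificate in memory
// (constructed for this example; imap.example.test is a placeholder name).
func SelfSignedCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "imap.example.test"},
		DNSNames:     []string{"imap.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Issuer == subject and signed with its own key: that is what "self-signed" means.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAsClient checks the server cert the way imtest does; trustIt false means an empty CA store (no CA file).
func VerifyAsClient(cert *x509.Certificate, trustIt bool) error {
	roots := x509.NewCertPool()
	if trustIt {
		roots.AddCert(cert) // the self-signed cert is its own trust anchor; no separate CA cert is needed
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: "imap.example.test"})
	return err
}

// IsUnknownAuthority matches the chain-building failure, Go's counterpart of OpenSSL's "verify error:num=18".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}
```

With the empty store the verification fails just as imtest did without a CA file; once the self-signed cert is in the store it verifies without any other CA certificate.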