Re: Need some help debugging SSL error thrown from STunnel using OpenSSL-FIPS

Thu, 08 Jun 2006 11:39:12 -0700 

On Thu, Jun 08, 2006, David Gillingham wrote:

> I was able to convert the key as you instructed, and I overwrote the
> old RSA private key from my server.pem file with the new PKCS8 one.  I
> am now a getting a different error message.  From these new messages,
> I'm guessing OpenSSL is expecting a file in PKCS12 format, but that my
> file does not match this format.  Is my understanding correct?  Error
> log follows.
> 
> ----BEGIN STUNNEL LOG----
> 2006.06.08 17:49:38 LOG7[1120:616]: Certificate: server.pem
> 2006.06.08 17:49:38 LOG7[1120:616]: Key file: server.pem
> 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 140B3009 :
> error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
> 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 906700D :
> error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib
> 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 2306A075 :
> error:2306A075:PKCS12 routines:PKCS12_DECRYPT_D2I:pkcs12 pbe crypt
> error
> 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 23077073 :
> error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor
> cipherinit error
> 2006.06.08 17:49:42 LOG3[1120:616]: SSL_CTX_use_RSAPrivateKey_file:
> 6074079: error:06074079:digital envelope
> routines:EVP_PBE_CipherInit:unknown pbe algorithm
> 
> 2006.06.08 17:49:42 LOG3[1120:616]: Server is down
> ----END STUNNEL LOG----

That error means that the PBE table has not been initialized in the 
application. 

A call to OpenSSL_add_all_algorithms() would have automatically done that so
I'd guess that the table is being initialized in a customized way, possible to
reduce the number of algorithms added.

A call to PKCS5_PBE_add() is needed in any case in the application.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to