A little history: I have compiled openssl version 0.9.8e on a Sun v420 system running opensolaris (version 11). I used the gcc 3.4.3 compiler loaded in /usr/sfw/bin.
I then compiled openldap, the latest stable edition from openldap.org, using -L/usr/local/ssl/lib -R/usr/local/ssl/lib to link in the openssl libraries. I created a CA and self-signed server certificates for TLS using:

    /usr/local/ssl/bin/openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3652 -config openssl.cnf
    /usr/local/ssl/bin/openssl req -new -x509 -nodes -keyout newreq.pem -out newreq.pem -days 3652 -config openssl.cnf
    /usr/local/ssl/bin/openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.req
    /usr/local/ssl/bin/openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem

All works fine. I set up openldap properly with the certs by copying them into the correct directory with the correct permissions, and set up slapd.conf with the following entries:

    TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
    TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
    TLSCertificateFile /usr/local/etc/openldap/server_cert.pem
    TLSCertificateKeyFile /usr/local/etc/openldap/server_key.pem

Slapd starts up successfully using:

    /usr/local/libexec/slapd -d10 -u ldap -h "ldap:/// ldaps:///"

Now the openssl questions. I run

    /usr/local/ssl/bin/openssl s_client -connect localhost:636 -showcerts

and get the error above:

    TLS1_SETUP_KEY_BLOCK cipher or hash unavailable

BUT if I use the openssl that came with Solaris 11,

    /usr/sfw/bin/openssl s_client -connect localhost:636

this works properly, without error. That version of ssl is 0.8.9a.

Question 1: Is this a known issue with 0.9.8e?
Question 2: Is there an official patch available that fixes this problem?
Question 3: If not, is there a known workaround to the problem?

Any help would be appreciated. As an aside, someone did mention that there was an unofficial patch: Victor Duchovni posted a patch on 01/31/07 to this list.

Please note that I am for some reason unable to post to the openssl-users list even though I am subscribed. If you can refer me to a post online or know the answer, I would appreciate the help.

Thanks,
james