Hello list,

I need to compile a version of PPP that supports the EAP-TLS
authentication protocol.
Fortunately there is a patch that accomplishes exactly this [1].

I have built the package using the default libssl-dev package provided by my
operating system (Debian Wheezy/7.0). Specifically, it is this version: 1.0.1e-2

While there are no issues when building, the resulting binary doesn't behave as
expected: EAP-TLS auth fails.

By enabling debug information in the program, I was able to obtain
these error messages:

    pppd[2236]: EAP-TLS SSL error stack:
    pppd[2236]: error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib

and

    err: 7 (certificate signature failure)

The first one appears to be a mere warning, as the handshake proceeds, while the
second one triggers a TLS Alert message 'Decryption failed'. I thought maybe the
encoding error results in a corrupt cert being sent, which would obviously fail
the signature check. However, I don't know how to check for this.

Both errors disappeared when I replaced the libssl-dev package currently
installed by an older version. To be precise, I installed the
libssl-dev_0.9.8o-4squeeze14_amd64.deb package.

While this solves my problem right now, I am curious as to why this is
happening. Additionally, replacing libssl-dev is not exactly acceptable, as
other packages may depend on it and require a more up to date version.

I've examined the patch and it doesn't appear to be doing anything out of the
ordinary, yet it fails to work properly with a more recent version of the library.

For my tests, I generated a CA and a pair of certs with openssl:

    /usr/lib/ssl/misc/CA.pl -newca
    /usr/lib/ssl/misc/CA.pl -newreq
    /usr/lib/ssl/misc/CA.pl -sign

I kept the default values mostly, including the empty fields. The only
exception being the commonName field, where I put the hostname of each machine.

I doubt the certificates are the issue as I tested them with s_server / s_client
and the handshake completed without any errors.

Does anybody know why the patch fails to work with libssl-1.0.1e, and what can
be done to fix this?

Let me know if there is any additional information I can provide.

Thanks,

Marios

[1] http://www.nikhef.nl/~janjust/ppp/index.html
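Editor's note: the message above asks how to check whether the certificate that reaches the peer is intact and whether its signature actually verifies against the CA. The script below is an added example for that check, not part of the original message and not the poster's setup. It uses only the openssl command line: it builds a throwaway CA and leaf (all names, paths and the second "wrong key" CA are constructed here for the demonstration), then shows chain verification, the signature algorithm, and the file's SHA-256 fingerprint, which can be compared with the fingerprint of whatever the peer presents in `openssl s_client -showcerts` output.

```shell
#!/bin/sh
# Added example: local checks for an EAP-TLS certificate set using only the
# openssl CLI. The test PKI and all file names are constructed here; none of
# this is the poster's configuration.

# Verify that a leaf certificate chains to, and is validly signed by, the CA.
# openssl exits non-zero (and prints e.g. "error 7 ... certificate signature
# failure") when the issuer is found by name but the signature does not check.
verify_cert_chain() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Print the algorithm the leaf was signed with. The first "Signature
# Algorithm:" line of the -text output is the one inside the signed body.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# SHA-256 fingerprint of a certificate file. Compare this against the
# fingerprint of the certificate the peer actually presents (e.g. the first
# PEM block of `openssl s_client -showcerts` saved to a file) to confirm the
# bytes on the wire match the bytes on disk.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Build a throwaway PKI in a temp dir: one CA, one leaf signed by it, and a
# second CA with the same subject name but a different key. Prints the dir.
make_test_pki() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ppp-client.example" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" >/dev/null 2>&1
    # Same name as the real CA, different key: the issuer lookup succeeds by
    # name but the signature check fails, which is the "certificate signature
    # failure" (verify error 7) case.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test CA" -keyout "$dir/ca2.key" -out "$dir/ca2.pem" >/dev/null 2>&1
    printf '%s\n' "$dir"
}

main() {
    d=$(make_test_pki)
    printf 'leaf signed with: %s\n' "$(cert_sig_alg "$d/leaf.pem")"
    printf 'leaf fingerprint: %s\n' "$(cert_fingerprint "$d/leaf.pem")"
    if verify_cert_chain "$d/ca.pem" "$d/leaf.pem"; then
        echo "leaf verifies against ca.pem"
    fi
    if ! verify_cert_chain "$d/ca2.pem" "$d/leaf.pem"; then
        echo "leaf does NOT verify against ca2.pem (expected: signature failure)"
        openssl verify -CAfile "$d/ca2.pem" "$d/leaf.pem" 2>&1 | tail -n 2
    fi
    rm -rf "$d"
}

# Run the demonstration only when asked, e.g. `sh check_certs.sh demo`.
case "${1:-}" in demo) main ;; esac
```

To apply this to a real deployment, run `cert_fingerprint` on the certificate file pppd is configured with and compare it with the fingerprint of the certificate captured from the peer; a mismatch means the bytes sent are not the bytes on disk, while a match plus a `verify` failure points at the signature or the CA material rather than at transport corruption.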
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org