Thanks for the reply.

It seems that in between reboots, OpenSSL was updated, and stunnel was
re-compiled and delivered with the newer OpenSSL on the server (AIX) side:

2014.03.15 10:15:09 LOG5[3866990:1]: stunnel 4.32 on rs6000-ibm-aix with OpenSSL 0.9.8x 10 May 2012
2014.08.17 09:34:02 LOG5[41681886:1]: stunnel 4.32 on rs6000-ibm-aix with OpenSSL 1.0.1e 11 Feb 2013


Both client and server were c_rehash-ed, but the certs remain the same. I
verified the "Subject" field in both client and server certs on each end:

On the client

[root@skpkpsfseas02 ca_certs]# openssl x509 -text -in cert.pem | grep Subject
        Subject: C=US, ST=New Jersey, L=South Brunswick, O=Dow Jones and Company, OU=GBTS, CN=skpkpsfsdb01.dowjones.net/emailAddress=doug.eck...@dowjones.com
        Subject Public Key Info:
            X509v3 Subject Key Identifier:

[root@skpkpsfseas02 ca_certs]# openssl x509 -text -in skpkpsfsdb01.dowjones.net.pem | grep Subject
        Subject: C=US, ST=New Jersey, L=South Brunswick, O=Dow Jones and Company, OU=GBTS, CN=skpkpsfsdb01.dowjones.net/emailAddress=doug.eck...@dowjones.com
        Subject Public Key Info:
            X509v3 Subject Key Identifier:


On the server

skpkpsfsdb01# openssl x509 -text -in skpkpsfseas02-client.dowjones.net.pem | grep Subject
        Subject: C=US, ST=New Jersey, L=South Brunswick, O=Dow Jones and Company, OU=SSL Client Authentication, CN=skpkpsfseas02.dowjones.net/emailAddress=doug.eck...@dowjones.com
        Subject Public Key Info:
            X509v3 Subject Key Identifier:

skpkpsfsdb01# openssl x509 -text -in cert.pem | grep Subject
        Subject: C=US, ST=New Jersey, L=South Brunswick, O=Dow Jones and Company, OU=GBTS, CN=skpkpsfsdb01.dowjones.net/emailAddress=doug.eck...@dowjones.com
        Subject Public Key Info:
            X509v3 Subject Key Identifier:

--Doug



On Tue, Aug 19, 2014 at 1:10 PM, Salz, Rich <rs...@akamai.com> wrote:

> > After a recent reboot, a previously working cert is now being rejected
> > with "NO X509_NAME".  I can't set the log level higher on the AIX side to
> > get more detail.  What are the most likely causes of the "NO X509_NAME"
> > error?
>
> Something changed in addition to the system rebooting.  New software, new
> configuration, and/or new certificate.
>
> The only cause of the message is that there is no "Subject" field in the
> certificate.
>
> Find the cert that you are using, and look at it via "openssl x509 -text"
>
>         /r$
>
> --
> Principal Security Engineer
> Akamai Technologies, Cambridge MA
> IM: rs...@jabber.me Twitter: RichSalz
>
>


-- 

*Doug Eckert*
*Technical Architect*

*Global Business Technology*
*Dow Jones* | *A News Corporation Company*
P.O. Box 300 | Princeton NJ 08543-0300
(W) 609.520.4993 (C) 732.666.3681
*Email: **doug.eck...@dowjones.com* <al...@dowjones.com>
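
The check suggested in the quoted reply (confirm that the certificate actually carries a Subject) can also be done without relying on the local openssl build. The following is an added example, not part of the original thread: it walks the DER structure of a PEM certificate up to the Subject Name and reports whether it is empty. The function names and the two sample inputs are assumptions made for illustration; the samples are constructed structural skeletons, not real signed certificates.

```python
import base64
import re

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def subject_der(pem_text):
    """Return the encoded contents of the Subject Name (b'' when it is empty)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, pos, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(der, pos)         # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for _field in range(4):                # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(der, pos)
    tag, start, end = read_tlv(der, pos)   # subject Name
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    return der[start:end]

def has_subject(pem_text):
    return len(subject_der(pem_text)) > 0

# --- constructed sample data below: skeletons only, no key or signature ---
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length is enough here

CN_NAME = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03")
                                     + _tlv(0x0C, b"example.invalid"))))

def _sample_pem(subject):
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + _tlv(0x30, b"") + CN_NAME + _tlv(0x30, b"") + subject)
    body = base64.encodebytes(_tlv(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

SAMPLE_WITH_CN = _sample_pem(CN_NAME)
SAMPLE_EMPTY = _sample_pem(_tlv(0x30, b""))
```

Calling `has_subject(open(path).read())` on each PEM file in the certificate directory on both ends shows which file, if any, has an empty Subject.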
