Didn't the rehash naming or linking algorithm change sometime between
0.9.8 and 1.0.1?

Also, 0.9.8 and 1.0.1 are not ABI-compatible.  I don't know how AIX does
shared-object support, but it might be wise to recompile stunnel against
the new headers and libraries.

-Kyle H

On 8/19/2014 10:35 AM, Eckert, Doug wrote:
> Thanks for the reply.
>
> It seems that in between reboots, OpenSSL was updated, and stunnel was
> re-compiled and delivered with the newer OpenSSL on the server (AIX) side
>
> 2014.03.15 10:15:09 LOG5[3866990:1]: stunnel 4.32 on rs6000-ibm-aix
> with OpenSSL 0.9.8x 10 May 2012
> 2014.08.17 09:34:02 LOG5[41681886:1]: stunnel 4.32 on rs6000-ibm-aix
> with OpenSSL 1.0.1e 11 Feb 2013
>
>
> Both client and server were c_rehash-ed, but the certs remain the
> same.  I verified "Subject" field in both client and server certs on
> each end:
>
> On the client
>
> [root@skpkpsfseas02 ca_certs]# openssl x509 -text -in cert.pem | grep
> Subject
>         Subject: C=US, ST=New Jersey, L=South Brunswick, O=Dow Jones
> and Company, OU=GBTS,
> CN=skpkpsfsdb01.dowjones.net/emailAddress=doug.eck...@dowjones.com
> <http://skpkpsfsdb01.dowjones.net/emailAddress=doug.eck...@dowjones.com>
>         Subject Public Key Info:
>             X509v3 Subject Key Identifier:
>
> [root@skpkpsfseas02 ca_certs]# openssl x509 -text -in
> skpkpsfsdb01.dowjones.net.pem | grep Subject
>         Subject: C=US, ST=New Jersey, L=South Brunswick, O=Dow Jones
> and Company, OU=GBTS,
> CN=skpkpsfsdb01.dowjones.net/emailAddress=doug.eck...@dowjones.com
> <http://skpkpsfsdb01.dowjones.net/emailAddress=doug.eck...@dowjones.com>
>         Subject Public Key Info:
>             X509v3 Subject Key Identifier:
>
>
> On the server
>
> skpkpsfsdb01# openssl x509 -text -in
> skpkpsfseas02-client.dowjones.net.pem | grep Subject
>         Subject: C=US, ST=New Jersey, L=South Brunswick, O=Dow Jones
> and Company, OU=SSL Client Authentication,
> CN=skpkpsfseas02.dowjones.net/emailAddress=doug.eck...@dowjones.com
> <http://skpkpsfseas02.dowjones.net/emailAddress=doug.eck...@dowjones.com>
>         Subject Public Key Info:
>             X509v3 Subject Key Identifier:
>
> skpkpsfsdb01# openssl x509 -text -in cert.pem | grep Subject
>         Subject: C=US, ST=New Jersey, L=South Brunswick, O=Dow Jones
> and Company, OU=GBTS,
> CN=skpkpsfsdb01.dowjones.net/emailAddress=doug.eck...@dowjones.com
> <http://skpkpsfsdb01.dowjones.net/emailAddress=doug.eck...@dowjones.com>
>         Subject Public Key Info:
>             X509v3 Subject Key Identifier:
>
> --Doug
>
>
>
> On Tue, Aug 19, 2014 at 1:10 PM, Salz, Rich <rs...@akamai.com
> <mailto:rs...@akamai.com>> wrote:
>
>     > After a recent reboot, a previously working cert is now being
>     rejected with "NO X509_NAME".  I can't set the log level higher on
>     the AIX side to get more detail.  What are the most likely causes
>     of the "NO X509_NAME" error?
>
>     Something changed in addition to the system rebooting.  New
>     software, new configuration, and/or new certificate.
>
>     The only cause of the message is that there is no "Subject" field
>     in the certificate.
>
>     Find the cert that you are using, and look at it via "openssl x509
>     -text"
>
>             /r$
>
>     --
>     Principal Security Engineer
>     Akamai Technologies, Cambridge MA
>     IM: rs...@jabber.me <mailto:rs...@jabber.me> Twitter: RichSalz
>
>
>
>
> -- 
>
> *Doug Eckert*
> *Technical Architect*
>
> *Global Business Technology**
> **Dow Jones*| /A News Corporation Company/
> P.O. Box 300 | Princeton NJ 08543-0300
> (W) 609.520.4993 (C) 732.666.3681
> *Email: **doug.eck...@dowjones.com* <mailto:al...@dowjones.com>**
>
>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to