Didn't the rehash naming or linking algorithm change sometime between 0.9.8 and 1.0.1?
Also, 0.9.8 and 1.0.1 are not ABI-compatible. I don't know how AIX does shared-object support, but it might be wise to recompile stunnel against the new headers and libraries.

-Kyle H

On 8/19/2014 10:35 AM, Eckert, Doug wrote:
> Thanks for the reply.
>
> It seems that in between reboots, OpenSSL was updated, and stunnel was
> re-compiled and delivered with the newer OpenSSL on the server (AIX) side
>
> 2014.03.15 10:15:09 LOG5[3866990:1]: stunnel 4.32 on rs6000-ibm-aix
> with OpenSSL 0.9.8x 10 May 2012
> 2014.08.17 09:34:02 LOG5[41681886:1]: stunnel 4.32 on rs6000-ibm-aix
> with OpenSSL 1.0.1e 11 Feb 2013
>
> Both client and server were c_rehash-ed, but the certs remain the
> same. I verified "Subject" field in both client and server certs on
> each end:
>
> On the client
>
> [root@skpkpsfseas02 ca_certs]# openssl x509 -text -in cert.pem | grep
> Subject
> Subject: C=US, ST=New Jersey, L=South Brunswick, O=Dow Jones
> and Company, OU=GBTS,
> CN=skpkpsfsdb01.dowjones.net/emailAddress=doug.eck...@dowjones.com
> <http://skpkpsfsdb01.dowjones.net/emailAddress=doug.eck...@dowjones.com>
> Subject Public Key Info:
> X509v3 Subject Key Identifier:
>
> [root@skpkpsfseas02 ca_certs]# openssl x509 -text -in
> skpkpsfsdb01.dowjones.net.pem | grep Subject
> Subject: C=US, ST=New Jersey, L=South Brunswick, O=Dow Jones
> and Company, OU=GBTS,
> CN=skpkpsfsdb01.dowjones.net/emailAddress=doug.eck...@dowjones.com
> <http://skpkpsfsdb01.dowjones.net/emailAddress=doug.eck...@dowjones.com>
> Subject Public Key Info:
> X509v3 Subject Key Identifier:
>
> On the server
>
> skpkpsfsdb01# openssl x509 -text -in
> skpkpsfseas02-client.dowjones.net.pem | grep Subject
> Subject: C=US, ST=New Jersey, L=South Brunswick, O=Dow Jones
> and Company, OU=SSL Client Authentication,
> CN=skpkpsfseas02.dowjones.net/emailAddress=doug.eck...@dowjones.com
> <http://skpkpsfseas02.dowjones.net/emailAddress=doug.eck...@dowjones.com>
> Subject Public Key Info:
> X509v3 Subject Key Identifier:
>
> skpkpsfsdb01# openssl x509 -text -in cert.pem | grep Subject
> Subject: C=US, ST=New Jersey, L=South Brunswick, O=Dow Jones
> and Company, OU=GBTS,
> CN=skpkpsfsdb01.dowjones.net/emailAddress=doug.eck...@dowjones.com
> <http://skpkpsfsdb01.dowjones.net/emailAddress=doug.eck...@dowjones.com>
> Subject Public Key Info:
> X509v3 Subject Key Identifier:
>
> --Doug
>
> On Tue, Aug 19, 2014 at 1:10 PM, Salz, Rich <rs...@akamai.com
> <mailto:rs...@akamai.com>> wrote:
>
> > After a recent reboot, a previously working cert is now being
> rejected with "NO X509_NAME". I can't set the log level higher on
> the AIX side to get more detail. What are the most likely causes
> of the "NO X509_NAME" error?
>
> Something changed in addition to the system rebooting. New
> software, new configuration, and/or new certificate.
>
> The only cause of the message is that there is no "Subject" field
> in the certificate.
>
> Find the cert that you are using, and look at it via "openssl x509
> -text"
>
> /r$
>
> --
> Principal Security Engineer
> Akamai Technologies, Cambridge MA
> IM: rs...@jabber.me <mailto:rs...@jabber.me> Twitter: RichSalz
>
> --
>
> *Doug Eckert*
> *Technical Architect*
>
> *Global Business Technology**
> **Dow Jones*| /A News Corporation Company/
> P.O. Box 300 | Princeton NJ 08543-0300
> (W) 609.520.4993 (C) 732.666.3681
> *Email: **doug.eck...@dowjones.com* <mailto:al...@dowjones.com>**
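
The rehash question at the top of this message can be checked on the host itself. As an added example (not part of the original thread): OpenSSL 1.0.0 changed the subject-name hash used for the `<hash>.N` link names in a CA directory, and `openssl x509` prints the current value with `-subject_hash` and the pre-1.0.0 value with `-subject_hash_old`. The script reports which of the two link names exist for each certificate; the `*.pem` naming and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit a CApath directory for old-style vs new-style hash links.
# Assumption: certificates are stored as DIR/*.pem and the lookup links are
# named <hash>.0 .. <hash>.9, as c_rehash creates them.

# has_link DIR HASH -> succeeds if any of DIR/HASH.0 .. DIR/HASH.9 exists.
# A match shows that a link with this name exists, not that it points at the
# certificate being checked (several subjects can share one hash).
has_link() {
    for n in 0 1 2 3 4 5 6 7 8 9; do
        [ -e "$1/$2.$n" ] && return 0
    done
    return 1
}

# classify_cert DIR CERT -> prints both | new-only | old-only | none.
# Returns 2 if openssl cannot parse the certificate.
classify_cert() {
    new=$(openssl x509 -noout -subject_hash -in "$2") || return 2
    old=$(openssl x509 -noout -subject_hash_old -in "$2") || return 2
    if has_link "$1" "$new"; then
        # A library at 1.0.0 or later looks the issuer up under this name.
        if has_link "$1" "$old"; then echo both; else echo new-only; fi
    elif has_link "$1" "$old"; then
        # Only the pre-1.0.0 name is present: the directory needs a rehash
        # with the tools that ship with the library actually in use.
        echo old-only
    else
        echo none
    fi
}

# check_capath DIR -> one "<status> <file>" line per certificate in DIR.
check_capath() {
    for cert in "$1"/*.pem; do
        [ -f "$cert" ] || continue
        printf '%s %s\n' "$(classify_cert "$1" "$cert" || echo unreadable)" "$cert"
    done
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then check_capath "$1"; fi
```

An `old-only` or `none` result for a CA certificate means a 1.0.x build will not find it through the directory lookup, whatever the certificate itself contains.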