Re: RSA decrypt problems
Steve Price wrote:
>
> On Sun, 7 May 2000, Doug Barton wrote:
>
> # Ok, here are some silly questions. Did you create a private key for
> # this server, did you encrypt your cert with it, and is that .key file
> # pointed to in your httpd.conf config file? SSLCertificateKeyFile is what
> # you're looking for. http://www.modssl.org/related/ has some really good
> # resources for this, and their FAQ has step by step instructions for
> # creating and testing keys and certs that may help you track down where
> # in the process it's getting lost.
>
> I did create a key for my server with the following command
>
> ssh-keygen -f /etc/ssh/ssh_host_key

ERrr... that's for ssh only.

> I didn't encrypt a cert with it. This is on a test box and
> up until a few days ago the only steps I ever had to take
> were to install one of the apache13-*ssl ports, crank up apache,
> and it just worked. Of course this could be where I've gone
> astray, as it appears this no longer works. :)

I'm not familiar with those ports, so I can't speak intelligently about them, however I've looked over the mod_ssl stuff, and they have pre-configured a whole certificate authority chain with the snake oil stuff so that you can test your installation of the binary(ies). However, that does you a disservice down the road when you have to do it for real.

> # Also, did you install the openssl port, or are you using the openssl
> # that is part of the base in 4.0+? I vaguely remember you saying that you
> # were using the port. If so, cd to /usr/local/openssl and cp
> # openssl.cnf.sample to openssl.cnf.
>
> I'm not using the port. I'm using the bits that come with
> -current (and 4.0 on another box). At Kris' suggestion I
> did copy over an /etc/ssl/openssl.cnf file but that didn't
> seem to help with the problem I'm having. :(

Well, it'll help, but you have to get down the road a bit before you notice how it helps you. :)

Take a look at http://www.modssl.org/docs/2.6/ssl_faq.html#ToC28 which describes the process of creating real certificates. If this is to be a "real" secure server that will be visible on the internet, you'll want to follow those instructions pretty much to the letter (assuming you're using mod_ssl, or one of its ports).

The way x509 works for secure servers is that you first create a "key" that is your server's unique signature. This is similar to the identity files created with ssh-keygen. Then you create a certificate that contains what is essentially your public key (actually a combination of your certificate's public key and your identity key's public part). You sign this certificate with your server's identity key, then send it to a certificate authority (read, "Verisign") which signs the certificate with its public key. Then you install the doubly signed certificate. The client browser is able to use the information in your certificate to A) confirm with the CA that your certificate really came from you, B) encrypt an offer of a session key/cipher for that session, and C) decrypt your acceptance of that offer.

I'm oversimplifying this a bit, hopefully you get the idea. There is more info on the web pages I sent in my previous e-mail.

HTH,

Doug
--
"Live free or die"
- State motto of my ancestral homeland, New Hampshire

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
Re: RSA decrypt problems
On Sun, 7 May 2000, Steve Price wrote:

> # Then:
> #
> # dumpasn1 file.der
>
> root@bonsai(/usr/local/etc/apache/ssl.key)# dumpasn1 server.key

Nope, this is the .pem-encoded version. You need to decode it to .der using:

    openssl asn1parse -in server.key -out server.der

before running dumpasn1 on it.

Kris

In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <[EMAIL PROTECTED]>
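Why a DER dumper reports tag 2D, length 45 at offset 0 when handed the PEM file, shown as an added example (not code from anyone in this thread): reading the ASCII armour line as DER headers reproduces the offsets, tags and lengths of the dumpasn1 run posted in the thread, and base64-decoding the body first yields the expected outer SEQUENCE. The sample file is constructed from the 16 base64 characters visible in that output; `encoding_of`, `pem_to_der` and `walk` are hypothetical helper names.

```python
import base64
import re

# Constructed sample: the base64 line is the start of the key body visible in
# the dumpasn1 output quoted in this thread; the rest of the key is omitted.
SAMPLE_PEM = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"MIICXgIBAAKBgQC5\n"
    b"-----END RSA PRIVATE KEY-----\n"
)

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
CLASSES = ("UNIVERSAL", "APPLICATION", "CONTEXT", "PRIVATE")


def encoding_of(data: bytes) -> str:
    """Classify a key/certificate file as 'pem', 'der' or 'unknown'."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if data[:1] == b"\x30":  # keys and certificates are an outer SEQUENCE
        return "der"
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Drop the armour lines and base64-decode the body."""
    m = PEM_RE.search(data)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()))


def read_header(buf: bytes, pos: int):
    """Parse one identifier+length header; None if it cannot be read."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:  # multi-byte tag numbers are not handled here
        return None
    if first < 0x80:  # short form: the byte is the length
        return tag, first, 2
    n = first & 0x7F  # long form: next n bytes hold the length
    if n == 0 or pos + 2 + n > len(buf):  # indefinite length or truncated
        return None
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n


def walk(buf: bytes, max_items: int = 4):
    """Return (offset, class, constructed, tag number, length) per header,
    descending into constructed objects the way an ASN.1 dumper does."""
    out, pos = [], 0
    while len(out) < max_items:
        hdr = read_header(buf, pos)
        if hdr is None:
            break
        tag, length, hlen = hdr
        constructed = bool(tag & 0x20)
        out.append((pos, CLASSES[tag >> 6], constructed, tag & 0x1F, length))
        pos += hlen if constructed else hlen + length
    return out


if __name__ == "__main__":
    # '-' is 0x2D: a constructed universal tag 13 whose "length" is the next '-'.
    for row in walk(SAMPLE_PEM):
        print("pem", row)
    # After decoding: SEQUENCE, INTEGER (version), 129-byte INTEGER (modulus).
    for row in walk(pem_to_der(SAMPLE_PEM)):
        print("der", row)
```

The 129-byte INTEGER at offset 7 is a 1024-bit modulus with its leading zero byte, which agrees with the `Private-Key: (1024 bit)` line reported elsewhere in the thread.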
Re: RSA decrypt problems
On Sun, 7 May 2000, Doug Barton wrote:

# Ok, here are some silly questions. Did you create a private key for
# this server, did you encrypt your cert with it, and is that .key file
# pointed to in your httpd.conf config file? SSLCertificateKeyFile is what
# you're looking for. http://www.modssl.org/related/ has some really good
# resources for this, and their FAQ has step by step instructions for
# creating and testing keys and certs that may help you track down where
# in the process it's getting lost.

I did create a key for my server with the following command

    ssh-keygen -f /etc/ssh/ssh_host_key

I didn't encrypt a cert with it. This is on a test box and up until a few days ago the only steps I ever had to take were to install one of the apache13-*ssl ports, crank up apache, and it just worked. Of course this could be where I've gone astray, as it appears this no longer works. :) I've been using the 'Snake Oil' certs that come with these ports up until now, since the box is behind a firewall and not in production yet.

# Also, did you install the openssl port, or are you using the openssl
# that is part of the base in 4.0+? I vaguely remember you saying that you
# were using the port. If so, cd to /usr/local/openssl and cp
# openssl.cnf.sample to openssl.cnf.

I'm not using the port. I'm using the bits that come with -current (and 4.0 on another box). At Kris' suggestion I did copy over an /etc/ssl/openssl.cnf file but that didn't seem to help with the problem I'm having. :(

Thanks.

-steve
Re: RSA decrypt problems
Steve Price wrote:
>
> On Fri, 5 May 2000, Kris Kennaway wrote:
>
> # I'm suspecting it might be something missing in the ASN.1 encoding of the
> # certificate, which netscape requires but IE permits. This would be
> # consistent with a missing openssl.cnf file at the time of certificate
> # generation. Could one of you try copying the openssl.cnf file from
> # crypto/openssl/apps/ to /etc/ssl (editing as appropriate) and see if that
> # fixes it (i.e. make a new certificate and test it in the same way)?
>
> It didn't help here. I rebuilt the port and re-installed from
> a clean WRKDIR and I get the same error message. If I do a
> 'make certificate', copy those files over, and try to start
> apache it just hangs definitely until I ^C it. After I kill
> it I see this in the apache error logs.
>
> [error] mod_ssl: Init: Private key not found (OpenSSL library
> error follows)
> [error] OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:
> header too long
>
> Methinks it has something to do with key generation as well, but
> I'll be darned if I know what.

Ok, here are some silly questions. Did you create a private key for this server, did you encrypt your cert with it, and is that .key file pointed to in your httpd.conf config file? SSLCertificateKeyFile is what you're looking for. http://www.modssl.org/related/ has some really good resources for this, and their FAQ has step by step instructions for creating and testing keys and certs that may help you track down where in the process it's getting lost.

Also, did you install the openssl port, or are you using the openssl that is part of the base in 4.0+? I vaguely remember you saying that you were using the port. If so, cd to /usr/local/openssl and cp openssl.cnf.sample to openssl.cnf.

I'm currently hip deep in certificate generation problems myself, so I sympathize with your plight there Steve.

Kris, I was going to let you know about the openssl.cnf problem, but I wanted to wait till I had more data.
But, since the cat's out of the bag here, yes, we do need an openssl.cnf file in /etc/ssl for the system version. I attached a patch (not that you couldn't have done it yourself...). The only problem with this is that from the mergemaster standpoint, there is no $FreeBSD/$Id tag in that file. mm will still work (doing a complete comparison with diff) but it speeds things up and hides local mods if there is a CVS tag. HTH, Doug -- "Live free or die" - State motto of my ancestral homeland, New Hampshire Do YOU Yahoo!? Index: Makefile === RCS file: /usr/ncvs/src/etc/Makefile,v retrieving revision 1.221 diff -u -r1.221 Makefile --- Makefile2000/04/15 16:48:41 1.221 +++ Makefile2000/05/07 19:20:41 @@ -26,6 +26,10 @@ ${.CURDIR}/../crypto/openssh/sshd_config .endif +.if exists(${.CURDIR}/../crypto) && !defined(NO_OPENSSL) +SSL= ${.CURDIR}/../crypto/openssl/apps/openssl.cnf +.endif + # -rwxr-xr-x root.wheel, for the new cron root.wheel BIN2= netstart pccard_ether rc.suspend rc.resume @@ -76,6 +80,10 @@ .if exists(${.CURDIR}/../crypto) && !defined(NO_OPENSSH) (cd ${.CURDIR}; ${INSTALL} -c -o ${BINOWN} -g ${BINGRP} -m 644 ${SSH} \ ${DESTDIR}/etc/ssh ) +.endif +.if exists(${.CURDIR}/../crypto) && !defined(NO_OPENSSL) + (cd ${.CURDIR}; ${INSTALL} -c -o ${BINOWN} -g ${BINGRP} -m 644 ${SSL} \ + ${DESTDIR}/etc/ssl ) .endif .if !defined(NO_MAKEDEV) (cd ${DESTDIR}/dev; sh MAKEDEV all)
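Review bot: In the first hunk, the guard on the new SSL= assignment tests only that ${.CURDIR}/../crypto exists, not that crypto/openssl/apps/openssl.cnf is actually there. A tree that has crypto/ but not the openssl sources passes the guard and then fails at the install step. Testing exists(${.CURDIR}/../crypto/openssl/apps/openssl.cnf) would tie the condition to the file that gets installed.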
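Review bot: In the second hunk, the ${INSTALL} into ${DESTDIR}/etc/ssl assumes that directory already exists, and nothing in the visible lines creates it, so the step will fail on a DESTDIR where /etc/ssl has not been made yet; confirm the directory is created before this point. The condition is also a second copy of the one that guards SSL= in the first hunk; testing defined(SSL) here would keep the two from drifting apart.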
Re: RSA decrypt problems
On Sat, 6 May 2000, Kris Kennaway wrote:

# I'm strongly suspecting something wrong with the encoding of the
# certificate. Can you grab dumpasn1.c and dumpasn1.cfg from
[snip]
# Then:
#
# dumpasn1 file.der

root@bonsai(/usr/local/etc/apache/ssl.key)# dumpasn1 server.key
   0 2D   45: Unknown (Reserved) {
   2 2D   45:   Unknown (Reserved) {
   4 2D   66:     Unknown (Reserved) {
   6 45   71:       [APPLICATION 5]
            :         'IN RSA PRIVATE KEY-.MIICXgIBAAKBgQC554Ro+VH0'
            :         'dJONqljPBW+C72MDNGNy9eX'
Error: Inconsistent object length, 7 bytes difference.
            :       }
Error: Inconsistent object length, 30 bytes difference.
            :     }
Error: Inconsistent object length, 32 bytes difference.
            :   }

0 warnings, 3 errors.

I get similar errors with server.crt.

-steve
Re: RSA decrypt problems
On Sat, 6 May 2000, Kris Kennaway wrote:

> http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
> and http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.cfg

I've made these into a port, so you can just install the converters/dumpasn1 port and save the minor trouble of editing the stupid ^Z out of the .c file and compiling it :-)

Kris

In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <[EMAIL PROTECTED]>
Re: RSA decrypt problems
On Sat, 6 May 2000, Garrett Wollman wrote:

> I've had this problem with recent values of OpenSSL since last
> November. I haven't gotten around to playing with permutations of the

I'm strongly suspecting something wrong with the encoding of the certificate. Can you grab dumpasn1.c and dumpasn1.cfg from

http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
and http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.cfg

and run it on the old and new certificates to see if anything is different?

To convert the Cert to DER:

    openssl asn1parse -in file.pem -out file.der

Then:

    dumpasn1 file.der

Kris

In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <[EMAIL PROTECTED]>
Re: RSA decrypt problems
On Sat, 6 May 2000, Garrett Wollman wrote:

# I've had this problem with recent values of OpenSSL since last
# November. I haven't gotten around to playing with permutations of the
# openssl.cnf file yet. I tried my site certificate on various versions
# of Netscape and Exploder, and all of them failed in a similar manner,
# but `openssl s_client' worked just fine, and all the other clients
# failed identically against `openssl s_server'. I sent a note about
# this to the OpenSSL mailing-list, and did not receive a single
# relevant response.

So what do you use as a workaround? The openssl port? The old SSLeay port? Would using DSA instead of RSA make matters better?

-steve
Re: RSA decrypt problems
< said:

> FWIW, I've had a weird (perhaps related) problem, only in the
> reverse. After creating a certificate (ie: 'make certificate' in
> apache), I was unable to connect to the server from a Netscape
> 4.72 browser. It only told me there was a decryption error in the
> apache logs.

I've had this problem with recent values of OpenSSL since last November. I haven't gotten around to playing with permutations of the openssl.cnf file yet. I tried my site certificate on various versions of Netscape and Exploder, and all of them failed in a similar manner, but `openssl s_client' worked just fine, and all the other clients failed identically against `openssl s_server'. I sent a note about this to the OpenSSL mailing-list, and did not receive a single relevant response. (I guess they're not used to people who run their own certificate authorities.)

[This is one of the areas in which my job requires me to play with stuff which I would not use myself for programming-freedom reasons. At least we don't have to pay Jim Bidzos for the privilege]

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
[EMAIL PROTECTED]    | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick
Re: RSA decrypt problems
On Sat, 6 May 2000, Louis A. Mamakos wrote:

> Just curious, but is there any documentation installed that describes
> what the contents of the file look like? I went on a hunt for this
> recently, and found precious little documentation on openssl provided
> with the system.

The sample file is in /usr/src/crypto/openssl/apps/openssl.cnf - that's about all there is in the way of documentation about that file. As I noted in another response, OpenSSL manpages exist in crypto/openssl/docs/{crypto,ssl} but we don't install them yet because they conflict with system manpages and I'm waiting for the OpenSSL team to fix them.

Kris

In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <[EMAIL PROTECTED]>
Re: RSA decrypt problems
> On Fri, 5 May 2000, Kris Kennaway wrote:
>
> # It's not clear that you installed the openssl.cnf file before making the
> # cert - can you confirm?
>
> Yes I did. I put it in /etc/ssl as you suggested.

Just curious, but is there any documentation installed that describes what the contents of the file look like? I went on a hunt for this recently, and found precious little documentation on openssl provided with the system.

louie
Re: RSA decrypt problems
On Fri, 5 May 2000, Kris Kennaway wrote:

# It's not clear that you installed the openssl.cnf file before making the
# cert - can you confirm?

Yes I did. I put it in /etc/ssl as you suggested.

-steve
Re: RSA decrypt problems
On Fri, 5 May 2000, Steve Price wrote:

> It didn't help here. I rebuilt the port and re-installed from
> a clean WRKDIR and I get the same error message. If I do a
> 'make certificate', copy those files over, and try to start
> apache it just hangs definitely until I ^C it. After I kill
> it I see this in the apache error logs.

It's not clear that you installed the openssl.cnf file before making the cert - can you confirm?

Kris

In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <[EMAIL PROTECTED]>
Re: RSA decrypt problems
On Fri, 5 May 2000, Kris Kennaway wrote:

# How long ago was the previous port built?

From the best I can remember it was sometime early to middle of March.

# Do you still have the openssl
# port installed, if it was built against that?

Nope.

-steve
Re: RSA decrypt problems
On Fri, 5 May 2000, Kris Kennaway wrote:

# I'm suspecting it might be something missing in the ASN.1 encoding of the
# certificate, which netscape requires but IE permits. This would be
# consistent with a missing openssl.cnf file at the time of certificate
# generation. Could one of you try copying the openssl.cnf file from
# crypto/openssl/apps/ to /etc/ssl (editing as appropriate) and see if that
# fixes it (i.e. make a new certificate and test it in the same way)?

It didn't help here. I rebuilt the port and re-installed from a clean WRKDIR and I get the same error message. If I do a 'make certificate', copy those files over, and try to start apache it just hangs definitely until I ^C it. After I kill it I see this in the apache error logs.

[error] mod_ssl: Init: Private key not found (OpenSSL library error follows)
[error] OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object: header too long

Methinks it has something to do with key generation as well, but I'll be darned if I know what.

-steve
Re: RSA decrypt problems
On Fri, 5 May 2000, Forrest Aldrich wrote:

> Okay, I just did, using MS Explorer 5 and it worked with no problems.
> So, this is related to Netscape-4.72. But is it a bug on their part,
> or something else?

I'm suspecting it might be something missing in the ASN.1 encoding of the certificate, which netscape requires but IE permits. This would be consistent with a missing openssl.cnf file at the time of certificate generation. Could one of you try copying the openssl.cnf file from crypto/openssl/apps/ to /etc/ssl (editing as appropriate) and see if that fixes it (i.e. make a new certificate and test it in the same way)?

Kris

In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <[EMAIL PROTECTED]>
Re: RSA decrypt problems
Duh :) It didn't occur to me to try another browser:

Okay, I just did, using MS Explorer 5 and it worked with no problems. So, this is related to Netscape-4.72. But is it a bug on their part, or something else?

Forrest

On Fri, May 05, 2000 at 10:49:04PM -0500, Steve Price wrote:
> On Fri, 5 May 2000, Forrest Aldrich wrote:
>
> # FWIW, I've had a weird (perhaps related) problem, only in the
> # reverse. After creating a certificate (ie: 'make certificate' in
> # apache), I was unable to connect to the server from a Netscape
> # 4.72 browser. It only told me there was a decryption error in the
> # apache logs.
>
> I see the same thing in my apache error logs so it probably
> is related. Did you by chance try another browser and did
> it work?
>
> -steve
Re: RSA decrypt problems
On Fri, 5 May 2000, Steve Price wrote:

> Nope. I generated the key with 'make certificate' on the
> apache13-php4 port. Here's what openssl says about the key.
>
> % openssl rsa -noout -text -in server.key | grep bit
> Private-Key: (1024 bit)
> %

It sounds like something is broken with the certificate generation. I wonder if it could have to do with the fact that we currently don't install an openssl.cnf (my oversight, pointed out by rwatson yesterday), since that's where openssl looks for parameters when generating keys.

> I'm beginning to wonder if it isn't something that has changed
> in the ports. My problems started when I pkg_delete'd the
> apache13-modssl port to install the apache13-php4 port with modssl
> support so that I could play around with php4. It worked before
> I did this. Even now if I go back to the port without php4
> support it doesn't work. :(

How long ago was the previous port built? Do you still have the openssl port installed, if it was built against that?

Kris

In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <[EMAIL PROTECTED]>
Re: RSA decrypt problems
On Fri, 5 May 2000, Forrest Aldrich wrote:

# FWIW, I've had a weird (perhaps related) problem, only in the
# reverse. After creating a certificate (ie: 'make certificate' in
# apache), I was unable to connect to the server from a Netscape
# 4.72 browser. It only told me there was a decryption error in the
# apache logs.

I see the same thing in my apache error logs so it probably is related. Did you by chance try another browser and did it work?

-steve
Re: RSA decrypt problems
On Fri, 5 May 2000, Kris Kennaway wrote:

# #define RSAREF_F_RSAREF_BN2BIN 101
# #define RSAREF_R_LEN 0x0406
#
# RSARef can't handle keys > 1024 bits long. This is a design limitation
# which the license forbids us from fixing.
#
# Does your webserver use a long key?

Nope. I generated the key with 'make certificate' on the apache13-php4 port. Here's what openssl says about the key.

    % openssl rsa -noout -text -in server.key | grep bit
    Private-Key: (1024 bit)
    %

I'm beginning to wonder if it isn't something that has changed in the ports. My problems started when I pkg_delete'd the apache13-modssl port to install the apache13-php4 port with modssl support so that I could play around with php4. It worked before I did this. Even now if I go back to the port without php4 support it doesn't work. :(

-steve
Re: RSA decrypt problems
On Fri, 5 May 2000, Forrest Aldrich wrote:

> I understand, from private correspondence, that OpenSSH will have
> SSH2 protocol support, thus allowing people to not use RSA. Can
> someone confirm as it applies to use on FreeBSD.

It's being developed in the current version of OpenSSH. I'll probably update to a more recent snapshot soon - I got a message from Markus Friedl confirming it should be stable enough to update to.

> I personally find the RSARef licensing to be a sham, in the light
> of everything else on the internet, and would rather not have to
> use it. But SSH1 requires it in the protocol.

Roll on September 20! :-)

Kris

In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <[EMAIL PROTECTED]>
Re: RSA decrypt problems
I understand, from private correspondence, that OpenSSH will have SSH2 protocol support, thus allowing people to not use RSA. Can someone confirm as it applies to use on FreeBSD.

I personally find the RSARef licensing to be a sham, in the light of everything else on the internet, and would rather not have to use it. But SSH1 requires it in the protocol.

_F
Re: RSA decrypt problems
FWIW, I've had a weird (perhaps related) problem, only in the reverse. After creating a certificate (ie: 'make certificate' in apache), I was unable to connect to the server from a Netscape 4.72 browser. It only told me there was a decryption error in the apache logs.

?

On Fri, May 05, 2000 at 08:10:27PM -0700, Kris Kennaway wrote:
> On Fri, 5 May 2000, Steve Price wrote:
>
> > [Fri May 5 20:46:19 2000] [error] OpenSSL: error:1E06D401:RSAref
> > routines:func(109) :reason(1025)
>
> You can interpret these error codes by looking up the defines in
> - for example, these two are:
>
> #define RSAREF_F_RSA_REF_PRIVATE_DECRYPT 109
> #define RSAREF_R_DATA 0x0401
>
> which doesn't tell you much in itself. However:
>
> > Doing 2048 bit private rsa's for 10s: RSA private encrypt failure
> > 14674:error:1E065406:RSAref routines:func(101)
> > >:reason(1030):/usr/src/secure/lib/librsausa/../../../crypto/openssl/crypto/../rsaref/rsaref.c:125:
> > 14674:error:1E065406:RSAref routines:func(101)
> > >:reason(1030):/usr/src/secure/lib/librsausa/../../../crypto/openssl/crypto/../rsaref/rsaref.c:125:
> > 1 2048 bit private RSA's in 0.00s
>
> #define RSAREF_F_RSAREF_BN2BIN 101
> #define RSAREF_R_LEN 0x0406
>
> RSARef can't handle keys > 1024 bits long. This is a design limitation
> which the license forbids us from fixing.
>
> Does your webserver use a long key?
>
> Kris
>
> 
> In God we Trust -- all others must submit an X.509 certificate.
> -- Charles Forsythe <[EMAIL PROTECTED]>
Re: RSA decrypt problems
On Fri, 5 May 2000, Steve Price wrote:

> [Fri May 5 20:46:19 2000] [error] OpenSSL: error:1E06D401:RSAref
> routines:func(109) :reason(1025)

You can interpret these error codes by looking up the defines in - for example, these two are:

    #define RSAREF_F_RSA_REF_PRIVATE_DECRYPT 109
    #define RSAREF_R_DATA 0x0401

which doesn't tell you much in itself. However:

> Doing 2048 bit private rsa's for 10s: RSA private encrypt failure
> 14674:error:1E065406:RSAref routines:func(101)
> >:reason(1030):/usr/src/secure/lib/librsausa/../../../crypto/openssl/crypto/../rsaref/rsaref.c:125:
> 14674:error:1E065406:RSAref routines:func(101)
> >:reason(1030):/usr/src/secure/lib/librsausa/../../../crypto/openssl/crypto/../rsaref/rsaref.c:125:
> 1 2048 bit private RSA's in 0.00s

    #define RSAREF_F_RSAREF_BN2BIN 101
    #define RSAREF_R_LEN 0x0406

RSARef can't handle keys > 1024 bits long. This is a design limitation which the license forbids us from fixing.

Does your webserver use a long key?

Kris

In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <[EMAIL PROTECTED]>
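The lookup described in the message above, as an added example that is not part of the original post: each eight-digit hex code packs a library, function and reason number (8, 12 and 12 bits, the layout used by OpenSSL releases before 3.0), so the function and reason can be recovered from the hex even when the log prints no names. The log lines are copied from this thread as a constructed sample, the name tables hold only the four defines quoted in it, and `unpack`, `decode_line` and `summarize` are hypothetical helper names.

```python
import re

# Constructed sample: OpenSSL error lines copied from messages in this thread.
SAMPLE_LOG = """\
[Fri May 5 20:46:19 2000] [error] OpenSSL: error:1E06D401:RSAref routines:func(109) :reason(1025)
[Fri May 5 20:46:19 2000] [error] OpenSSL: error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt
14674:error:1E065406:RSAref routines:func(101) :reason(1030):/usr/src/secure/lib/librsausa/../../../crypto/openssl/crypto/../rsaref/rsaref.c:125:
[error] OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object: header too long
"""

# Library number read off the 1E...... codes labelled "RSAref routines" above.
RSAREF_LIB = 0x1E
# Only the defines quoted in the thread; anything else is reported by number.
RSAREF_FUNCS = {
    109: "RSAREF_F_RSA_REF_PRIVATE_DECRYPT",
    101: "RSAREF_F_RSAREF_BN2BIN",
}
RSAREF_REASONS = {0x0401: "RSAREF_R_DATA", 0x0406: "RSAREF_R_LEN"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):")
PRINTED_RE = re.compile(r"func\((\d+)\)\s*:reason\((\d+)\)")


def unpack(code: int):
    """Split a packed error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def decode_line(line: str):
    """Decode one log line; None if it carries no OpenSSL error code."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    lib, func, reason = unpack(int(m.group(1), 16))
    rec = {
        "code": m.group(1).upper(),
        "lib": lib,
        "lib_name": m.group(2).strip(),
        "func": func,
        "reason": reason,
        "func_name": None,
        "reason_name": None,
    }
    if lib == RSAREF_LIB:
        rec["func_name"] = RSAREF_FUNCS.get(func)
        rec["reason_name"] = RSAREF_REASONS.get(reason)
    # When the log printed func(N)/reason(N), check it against the hex code.
    p = PRINTED_RE.search(line)
    rec["matches_printed"] = (
        None if p is None else (int(p.group(1)), int(p.group(2))) == (func, reason)
    )
    return rec


def summarize(log: str):
    """Decode every error line, collapsing repeats in first-seen order."""
    seen = {}
    for line in log.splitlines():
        rec = decode_line(line)
        if rec is not None:
            seen.setdefault(rec["code"], rec)
    return list(seen.values())


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(r["code"], r["lib_name"], r["func"], r["func_name"],
              hex(r["reason"]), r["reason_name"])
```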
RSA decrypt problems
Is anyone else noticing the following problems on their -current boxen? I first noticed when my apache webserver quit allowing secure connections with errors like this.

[Fri May 5 20:46:19 2000] [error] mod_ssl: SSL handshake failed (server new.host.name:443, client 127.0.0.1) (OpenSSL library error follows)
[Fri May 5 20:46:19 2000] [error] OpenSSL: error:1E06D401:RSAref routines:func(109) :reason(1025)
[Fri May 5 20:46:19 2000] [error] OpenSSL: error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt

steve@bonsai(~)$ openssl
OpenSSL> speed rsa
Doing 512 bit private rsa's for 10s: 317 512 bit private RSA's in 9.96s
Doing 512 bit public rsa's for 10s: 3664 512 bit public RSA's in 9.99s
Doing 1024 bit private rsa's for 10s: 51 1024 bit private RSA's in 10.16s
Doing 1024 bit public rsa's for 10s: 1002 1024 bit public RSA's in 9.94s
Doing 2048 bit private rsa's for 10s: RSA private encrypt failure
14674:error:1E065406:RSAref routines:func(101) :reason(1030):/usr/src/secure/lib/librsausa/../../../crypto/openssl/crypto/../rsaref/rsaref.c:125:
14674:error:1E065406:RSAref routines:func(101) :reason(1030):/usr/src/secure/lib/librsausa/../../../crypto/openssl/crypto/../rsaref/rsaref.c:125:
1 2048 bit private RSA's in 0.00s
Doing 2048 bit public rsa's for 10s: RSA verify failure
14674:error:04077077:rsa routines:RSA_verify:wrong signature length:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_sign.c:149:
14674:error:04077077:rsa routines:RSA_verify:wrong signature length:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_sign.c:149:
1 2048 bit public RSA's in 0.00s
OpenSSL 0.9.5a 1 Apr 2000
built on: Fri Apr 21 16:31:20 CDT 2000
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: cc
                  sign    verify    sign/s verify/s
rsa  512 bits   0.0314s   0.0027s     31.8    366.7
rsa 1024 bits   0.1991s   0.0099s      5.0    100.8
rsa 2048 bits   0.0010s   0.0010s   1000.0   1000.0
OpenSSL> quit

This is with sources last updated on April 21, 2000. I rebuilt and reinstalled rsaref from sources just before I ran this test just in case that had something to do with it.

-steve