OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Hello,

I am in desperate need of some help! I have requested a new certificate from Verisign, however it doesn't seem to work! I get the error when starting Apache:

Unable to configure RSA server private key (OpenSSL library error follows)
OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

httpd.conf does not start, only httpd_pls.conf starts.

To test the issue, I created a new csr file to send them for a trial certificate, based on the current apache_1024.key file, but it still doesn't work! I checked everywhere and found the same comments, which basically say that the private key does not match the certificate. I ran a couple of commands to compare the 2 based on all the hits I got:

You can check to make sure that your private key and certificate are in the correct format and match each other. To do this, give the commands below to decrypt the private key in one terminal window and decrypt the certificate in the other. What you will be comparing are the Modulus and the Exponent of each key. If the modulus and exponent from the key matches the set from the certificate, you have just confirmed that your certificate and key are correctly paired. If all else fails, create a new private key, CSR or self-signed certificate. Before you do this, check your CA's re-issue policy. You may be charged for a re-issue.

To view the contents of the certificate:
    openssl x509 -noout -text -in filename.crt
To view the contents of the private key:
    openssl rsa -noout -text -in filename.key

$OPENSSL_TOP/bin/openssl x509 -noout -text -in apache_1024.crt
Modulus (1024 bit):
    00:c2:4d:20:ed:a1:87:44:33:af:1e:28:c6:2d:e7:
    63:bd:25:b4:2e:ad:84:21:55:ec:1a:aa:99:61:45:
    66:10:8d:4d:17:16:2d:cc:ac:a8:1c:4e:08:4d:7b:
    24:e4:d0:7d:f8:cb:5b:23:e1:8f:48:f7:0d:96:4e:
    3d:d8:50:32:ee:10:9c:44:32:cf:1e:74:1a:3d:37:
    a0:06:87:dc:db:7a:9f:e7:9a:70:4a:fb:e8:81:f2:
    43:17:be:99:ce:ce:10:29:05:64:c6:01:8e:d3:a3:
    33:34:89:cf:ad:aa:b7:69:ab:c0:75:d2:aa:0a:f3:
    59:b8:ec:19:bd:73:56:b8:15
Exponent: 65537 (0x10001)

$OPENSSL_TOP/bin/openssl rsa -noout -text -in apache_1024.key
modulus:
    00:c2:4d:20:ed:a1:87:44:33:af:1e:28:c6:2d:e7:
    63:bd:25:b4:2e:ad:84:21:55:ec:1a:aa:99:61:45:
    66:10:8d:4d:17:16:2d:cc:ac:a8:1c:4e:08:4d:7b:
    24:e4:d0:7d:f8:cb:5b:23:e1:8f:48:f7:0d:96:4e:
    3d:d8:50:32:ee:10:9c:44:32:cf:1e:74:1a:3d:37:
    a0:06:87:dc:db:7a:9f:e7:9a:70:4a:fb:e8:81:f2:
    43:17:be:99:ce:ce:10:29:05:64:c6:01:8e:d3:a3:
    33:34:89:cf:ad:aa:b7:69:ab:c0:75:d2:aa:0a:f3:
    59:b8:ec:19:bd:73:56:b8:15
publicExponent: 65537 (0x10001)

These match!! So why does it say mismatch?? Am I comparing the right files? If they match, it does not say what I can check next. Any suggestions please???

Kind Regards,
Adriana Dalley
[openssl.org #1764] openssl-0.9.8i random generator bug
Hello rt,

During stress testing my project, I suddenly got a crash inside openssl.

openssl version - openssl-0.9.8i
compiler - Microsoft Visual Studio 2008 Professional Edition (C++ project)
project - x64 debug compilation
OS - Microsoft Windows XP x64 Edition Service Pack 2

usage example:

#include <openssl/rand.h>

__inline void Rand(unsigned char* pBuf, uintptr_t nSize)
{
    RAND_pseudo_bytes(pBuf,int(nSize));
}
__inline uintptr_t Rand(void)
{
    uintptr_t nRet;
    Rand(reinterpret_cast<unsigned char*>(&nRet),sizeof(uintptr_t));
    return nRet;
}
uintptr_t n = Rand();

stress test: my code executing Rand() repeatedly in two threads with 100% loading of Dual Core CPU; in 100k-300k calls the application crashes. no need to wait long :)

crash: 0xc005 (ACCESS_VIOLATION)
sha1_block_data_order d:\libraryes\openssl-0.9.8i\crypto\sha\sha_locl.h (259)

where is wrong:
ssleay_rand_bytes d:\libraryes\openssl-0.9.8i\crypto\rand\md_rand.c (474)

crypto\rand\md_rand.c line 470:
k=(st_idx+MD_DIGEST_LENGTH/2)-st_num; --- something wrong around this line

with this data I'm getting crash:
st_idx = 1032
st_num = 1023
k=(st_idx+MD_DIGEST_LENGTH/2)-st_num; // k == 19
// MD_DIGEST_LENGTH/2-k == -9
MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2-k); // with -9 it will crash

I'm getting 100% crashes at each stress test. :(

ps: sorry for my english

--
Best regards, Osup mailto:[EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
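The index arithmetic from the report above, as an added example (not OpenSSL's code and not part of the original post): a simplified model of the wrap-around read near md_rand.c line 470, next to a variant that validates the index first. The names `split_unchecked`, `split_checked`, `as_update_len` and `struct split` are hypothetical, and `HALF` stands in for MD_DIGEST_LENGTH/2 assuming a 20-byte SHA-1 digest.

```c
#include <stddef.h>
#include <stdio.h>

#define HALF 10  /* MD_DIGEST_LENGTH/2, assuming a 20-byte SHA-1 digest */

/* Lengths of the two reads that cover HALF bytes of a circular state
   buffer starting at st_idx: [st_idx, st_idx+first) then [0, second). */
struct split { int first; int second; };

/* Model of the arithmetic quoted in the report: st_idx is trusted. */
static struct split split_unchecked(int st_idx, int st_num)
{
    struct split s;
    int k = (st_idx + HALF) - st_num;   /* bytes that wrap past the end */
    if (k > 0) { s.first = HALF - k; s.second = k; }
    else       { s.first = HALF;     s.second = 0; }
    return s;
}

/* What a negative int length becomes when a hash update routine takes
   its length as size_t: a byte count far beyond any state buffer. */
static size_t as_update_len(int len) { return (size_t)len; }

/* Hypothetical hardened variant: require 0 <= st_idx <= st_num (and a
   buffer of at least HALF bytes) so both lengths stay in [0, HALF]. */
static int split_checked(int st_idx, int st_num, struct split *out)
{
    if (st_num < HALF || st_idx < 0 || st_idx > st_num)
        return -1;                      /* corrupted index: refuse to read */
    *out = split_unchecked(st_idx, st_num);
    return 0;
}

int main(void)
{
    struct split ok  = split_unchecked(1018, 1023);  /* ordinary wrap */
    struct split bad = split_unchecked(1032, 1023);  /* values from the report */
    struct split s;
    printf("normal: first=%d second=%d\n", ok.first, ok.second);
    printf("report: first=%d second=%d -> size_t %zu\n",
           bad.first, bad.second, as_update_len(bad.first));
    printf("checked(1032, 1023) = %d\n", split_checked(1032, 1023, &s));
    return 0;
}
```

In OpenSSL 0.9.8 this state is guarded by CRYPTO_LOCK_RAND, which only takes effect when the application has installed locking callbacks with CRYPTO_set_locking_callback.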
OPENSSL_ITEM regarding
Hi all,

Can I get some information on how to use the OPENSSL_ITEM structure? I found the structure definition in crypto.h as follows:

typedef struct openssl_item_st
	{
	int code;
	void *value;		/* Not used for flag attributes */
	size_t value_size;	/* Max size of value for output, length for input */
	size_t *value_length;	/* Returned length of value for output */
	} OPENSSL_ITEM;

But I didn't find anything related to how to use this structure. I mean, is there any example program using this structure? I am a bit confused about value_size and value_length.

Thanks in advance,
Waiting for your reply,
Aravind.
Re: OPENSSL_ITEM regarding
On Tue, Oct 21, 2008, Aravinda babu wrote:

> Hi all,
>
> Can i get some information on how to use OPENSSL_ITEM structure. I found the
> structure definition in crypto.h as follows:

It can be considered as an opaque way to define an ASN1 structure. You should not use it directly. Instead rely on the ASN1 macros to set up the structure in an appropriate way.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: [CVS] OpenSSL: openssl/crypto/objects/ obj_xref.h
Dr. Stephen Henson wrote: OpenSSL CVS Repository http://cvs.openssl.org/ Server: cvs.openssl.org Name: Dr. Stephen Henson Root: /v/openssl/cvs Email: [EMAIL PROTECTED] Module: openssl Date: 20-Oct-2008 17:12:48 Branch: HEAD Handle: 2008102016124800 Added files: openssl/crypto/objects obj_xref.h Log: Reinstate obj_xref.h as it is not auto generated on all platforms. Why not? Summary: RevisionChanges Path 1.8 +75 -0 openssl/crypto/objects/obj_xref.h patch -p0 '@@ .' Index: openssl/crypto/objects/obj_xref.h $ cvs diff -u -r0 -r1.8 obj_xref.h --- /dev/null 2008-10-20 17:11:55 +0200 +++ obj_xref.h 2008-10-20 17:12:48 +0200 
@@ -0,0 +1,75 @@ +/* AUTOGENERATED BY objxref.pl, DO NOT EDIT */ + +typedef struct + { + int sign_id; + int hash_id; + int pkey_id; + } nid_triple; + +static const nid_triple sigoid_srt[] = + { + {NID_md2WithRSAEncryption, NID_md2, NID_rsaEncryption}, + {NID_md5WithRSAEncryption, NID_md5, NID_rsaEncryption}, + {NID_shaWithRSAEncryption, NID_sha, NID_rsaEncryption}, + {NID_sha1WithRSAEncryption, NID_sha1, NID_rsaEncryption}, + {NID_dsaWithSHA, NID_sha, NID_dsa}, + {NID_dsaWithSHA1_2, NID_sha1, NID_dsa_2}, + {NID_mdc2WithRSA, NID_mdc2, NID_rsaEncryption}, + {NID_md5WithRSA, NID_md5, NID_rsa}, + {NID_dsaWithSHA1, NID_sha1, NID_dsa}, + {NID_sha1WithRSA, NID_sha1, NID_rsa}, + {NID_ripemd160WithRSA, NID_ripemd160, NID_rsaEncryption}, + {NID_md4WithRSAEncryption, NID_md4, NID_rsaEncryption}, + {NID_ecdsa_with_SHA1, NID_sha1, NID_X9_62_id_ecPublicKey}, + {NID_sha256WithRSAEncryption, NID_sha256, NID_rsaEncryption}, + {NID_sha384WithRSAEncryption, NID_sha384, NID_rsaEncryption}, + {NID_sha512WithRSAEncryption, NID_sha512, NID_rsaEncryption}, + {NID_sha224WithRSAEncryption, NID_sha224, NID_rsaEncryption}, + {NID_ecdsa_with_Recommended, NID_undef, NID_X9_62_id_ecPublicKey}, + {NID_ecdsa_with_Specified, NID_undef, NID_X9_62_id_ecPublicKey}, + {NID_ecdsa_with_SHA224, NID_sha224, NID_X9_62_id_ecPublicKey}, + {NID_ecdsa_with_SHA256, NID_sha256, NID_X9_62_id_ecPublicKey}, + {NID_ecdsa_with_SHA384, NID_sha384, NID_X9_62_id_ecPublicKey}, + {NID_ecdsa_with_SHA512, NID_sha512, NID_X9_62_id_ecPublicKey}, + {NID_dsa_with_SHA224, NID_sha224, NID_dsa}, + {NID_dsa_with_SHA256, NID_sha256, NID_dsa}, + {NID_id_GostR3411_94_with_GostR3410_2001, NID_id_GostR3411_94, NID_id_GostR3410_2001}, + {NID_id_GostR3411_94_with_GostR3410_94, NID_id_GostR3411_94, NID_id_GostR3410_94}, + {NID_id_GostR3411_94_with_GostR3410_94_cc, NID_id_GostR3411_94, NID_id_GostR3410_94_cc}, + {NID_id_GostR3411_94_with_GostR3410_2001_cc, NID_id_GostR3411_94, NID_id_GostR3410_2001_cc}, + }; + +static const nid_triple * 
const sigoid_srt_xref[] = + { + sigoid_srt[17], + sigoid_srt[18], + sigoid_srt[0], + sigoid_srt[1], + sigoid_srt[7], + sigoid_srt[2], + sigoid_srt[4], + sigoid_srt[3], + sigoid_srt[9], + sigoid_srt[5], + sigoid_srt[8], + sigoid_srt[12], + sigoid_srt[6], + sigoid_srt[10], + sigoid_srt[11], + sigoid_srt[13], + sigoid_srt[24], + sigoid_srt[20], + sigoid_srt[14], + sigoid_srt[21], + sigoid_srt[15], + sigoid_srt[22], + sigoid_srt[16], + sigoid_srt[23], + sigoid_srt[19], + sigoid_srt[25], + sigoid_srt[26], + sigoid_srt[27], + sigoid_srt[28], + }; + @@ . __ OpenSSL Project http://www.openssl.org CVS Repository Commit List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- http://www.apache-ssl.org/ben.html http://www.links.org/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
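Review bot: sigoid_srt_xref hard-codes positions in sigoid_srt (sigoid_srt[17], sigoid_srt[18], ...), so now that this file is checked in under an "AUTOGENERATED BY objxref.pl, DO NOT EDIT" header, a stale copy or a hand edit that reorders or extends sigoid_srt silently breaks the cross-reference. Please add a comment or build note naming the inputs and the command that regenerate the file, and regenerate it whenever those inputs change. Also, as shown in this copy the sigoid_srt_xref initialisers carry no address-of operator although the element type is const nid_triple * const; worth confirming against the committed file.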
Re: [CVS] OpenSSL: openssl/crypto/objects/ obj_xref.h
On Tue, Oct 21, 2008, Ben Laurie wrote:

> Dr. Stephen Henson wrote:
> > OpenSSL CVS Repository http://cvs.openssl.org/
> >
> > Server: cvs.openssl.org Name: Dr. Stephen Henson
> > Root: /v/openssl/cvs Email: [EMAIL PROTECTED]
> > Module: openssl Date: 20-Oct-2008 17:12:48
> > Branch: HEAD Handle: 2008102016124800
> >
> > Added files:
> > openssl/crypto/objects obj_xref.h
> >
> > Log:
> > Reinstate obj_xref.h as it is not auto generated on all platforms.
>
> Why not?

On some platforms the perl isn't available to rebuild the file. VMS is the one that springs to mind...

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: [openssl.org #1753] snapshot 20081003 broke mingw build
Attached are patches, please address this issues, it is hard to keep sync this way. The order of the issue is according to importance, (1, 2, 3) blockers. Thanks! 1. _XOPEN_SOURCE cannot be used in mingw, strptime is never used anyway? 2. Make domd use cross compiler if available. 3. Update depend to execute update so that openssl/crypto/objects/obj_xref.h will be generated as it is required for make depend. 4. For some strange reason perl reports that symlinks are available under msys, while it cannot create symbolic link when the to is not reachable from cwd. 5. Added -DWIN32_LEAN_AND_MEAN and drop the conflict undef of x509.h _XOPEN_SOURCE cannot be used in mingw, strptime is never used anyway? Added -DWIN32_LEAN_AND_MEAN and drop the conflict undef of x509.h Make domd use cross compiler if available. Update depend to execute update so that openssl/crypto/objects/obj_xref.h will be generated as it is required for make depend. --- diff -urNp openssl-SNAP-20081003.org/ssl/kssl.c openssl-SNAP-20081003/ssl/kssl.c --- openssl-SNAP-20081003.org/ssl/kssl.c 2007-02-10 13:00:54.0 +0200 +++ openssl-SNAP-20081003/ssl/kssl.c 2008-10-04 21:30:51.0 +0300 @@ -68,7 +68,6 @@ #include openssl/opensslconf.h -#define _XOPEN_SOURCE 500 /* glibc2 needs this to declare strptime() */ #include time.h #if 0 /* Experimental */ #undef _XOPEN_SOURCE /* To avoid clashes with anything else... */ --- openssl-SNAP-20081019/Configure 2008-10-12 17:00:05.0 +0200 +++ openssl-SNAP-20081019.old/Configure 2008-10-21 20:13:28.0 +0200 
@@ -495,7 +495,7 @@ my %table=( BC-32,bcc32WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN:${no_asm}:win32, # MinGW -mingw, gcc:-mno-cygwin -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::MINGW32:-lws2_32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin:.dll.a, +mingw, gcc:-mno-cygwin -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::MINGW32:-lws2_32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin:.dll.a, # UWIN UWIN, cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32, @@ -1394,12 +1394,13 @@ while (IN) s/^AR=\s*/AR= \$\(CROSS_COMPILE_PREFIX\)/; s/^NM=\s*/NM= \$\(CROSS_COMPILE_PREFIX\)/; s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE_PREFIX\)/; + s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE_PREFIX\)$cc/ if $cc eq gcc; } else { s/^CC=.*$/CC= $cc/; s/^RANLIB=.*/RANLIB= $ranlib/; + s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq gcc; } - s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq gcc; s/^CFLAG=.*$/CFLAG= $cflags/; s/^DEPFLAG=.*$/DEPFLAG= $depflags/; s/^PEX_LIBS=.*$/PEX_LIBS= $prelflags/; --- openssl-SNAP-20081019/util/domd 2008-09-09 23:00:21.0 +0300 +++ openssl-SNAP-20081019.old/util/domd 2008-10-21 20:16:57.0 +0200 @@ -14,7 +14,7 @@ if [ $MAKEDEPEND = ]; then MAKEDEPE cp Makefile Makefile.save # fake the presence of Kerberos touch $TOP/krb5.h -if [ $MAKEDEPEND = gcc ]; then +if echo $MAKEDEPEND | grep gcc /dev/null; then args= while [ $# -gt 0 ]; do if [ $1 != -- ]; then args=$args $1; fi 
@@ -22,7 +22,7 @@ if [ $MAKEDEPEND = gcc ]; then done sed -e '/^# DO NOT DELETE.*/,$d' Makefile Makefile.tmp echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' Makefile.tmp -gcc -Werror -D OPENSSL_DOING_MAKEDEPEND -M $args Makefile.tmp || exit +$MAKEDEPEND -Werror -D OPENSSL_DOING_MAKEDEPEND -M $args Makefile.tmp || exit ${PERL} $TOP/util/clean-depend.pl Makefile.tmp Makefile.new rm -f Makefile.tmp else --- openssl-SNAP-20081019.old/Makefile.org 2008-06-04 15:00:10.0 +0300 +++ openssl-SNAP-20081019/Makefile.org 2008-10-21 20:30:17.0 +0200 @@ -409,7 +409,7 @@ tests: rehash report: @$(PERL) util/selftest.pl -depend: +depend: update @set -e; target=depend; $(RECURSIVE_BUILD_CMD) lint: --- openssl-SNAP-20081019/crypto/x509/x509.h 2008-10-08 01:00:18.0 +0200 +++ openssl-SNAP-20081019.new/crypto/x509/x509.h 2008-10-21 20:42:20.0 +0200 @@ -112,12 +112,6 @@ extern C { #endif -#ifdef OPENSSL_SYS_WIN32 -/* Under Win32 these are defined in wincrypt.h */ -#undef X509_NAME -#undef X509_CERT_PAIR -#endif - #define X509_FILETYPE_PEM 1 #define X509_FILETYPE_ASN1 2 #define X509_FILETYPE_DEFAULT 3 For some strange reason perl reports that symlinks are available under msys, while it cannot create symbolic link when the to is not reachable from cwd. --- diff -urNp openssl-SNAP-20080611.org/util/mklink.pl openssl-SNAP-20080611/util/mklink.pl --- openssl-SNAP-20080611.org/util/mklink.pl 2006-02-09 15:00:35.0 +0200 +++ openssl-SNAP-20080611/util/mklink.pl 2008-06-13 12:42:06.0 +0300 @@ -51,6 +51,7 @@ my $to = join('/', @to_path);
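Review bot: In the ssl/kssl.c hunk the `#define _XOPEN_SOURCE 500` line is deleted for every platform, although its own comment says glibc2 needs it to declare strptime(), and the patch description only asks whether strptime is used. Either confirm that nothing in kssl.c calls strptime() and drop the now-orphaned `#undef _XOPEN_SOURCE` in the `#if 0` block as well, or keep the define and wrap it in a guard that excludes mingw.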
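Review bot: In the util/domd hunks the new test `echo $MAKEDEPEND | grep gcc` matches "gcc" anywhere in an unquoted value, so any program whose path merely contains that string is then executed as `$MAKEDEPEND -Werror -D OPENSSL_DOING_MAKEDEPEND -M`. Quote the variable and match on the program name, for example a case statement on "$MAKEDEPEND" with the pattern *gcc, and quote it again where it is run.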
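Review bot: The crypto/x509/x509.h hunk removes the OPENSSL_SYS_WIN32 block that undefines X509_NAME and X509_CERT_PAIR for all Win32 builds, while the Configure hunk adds -DWIN32_LEAN_AND_MEAN only to the mingw entry, and a flag set in Configure does not cover applications that include wincrypt.h themselves before x509.h. The removed comment says those names are defined in wincrypt.h, so keeping the two #undef lines is the safer default; if they really conflict with something, name it in a comment.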
Re: [openssl.org #1753] snapshot 20081003 broke mingw build
Alon Bar-Lev via RT wrote:

> Attached are patches, please address this issues, it is hard to keep sync this way.
> The order of the issue is according to importance, (1, 2, 3) blockers.
> Thanks!
>
> 1. _XOPEN_SOURCE cannot be used in mingw, strptime is never used anyway?
> 2. Make domd use cross compiler if available.
> 3. Update depend to execute update so that openssl/crypto/objects/obj_xref.h will be generated as it is required for make depend.
> 4. For some strange reason perl reports that symlinks are available under msys, while it cannot create symbolic link when the to is not reachable from cwd.
> 5. Added -DWIN32_LEAN_AND_MEAN and drop the conflict undef of x509.h

I couldn't confirm the above, but I build in a cross-compilation environment.

About 5) -DWIN32_LEAN_AND_MEAN: it has to be the default for all windows builds except mingw32. It is related to winsock2, but mingw32 always includes winsock2 headers. No objections to this being the default for mingw too. Maybe you use mingw64, and this project uses different headers in comparison to the mingw32 project. The issue with mingw64 was already reported.

About 1) _XOPEN_SOURCE: it is not clear what the problem really is. I would like to reject this for mingw32. Its definition for the mingw32 project is the same as the -posix compiler flag. Please detail the version of the mingw runtime environment.

About 2,3,4 - later.

Roumen