Re: OpenSSL and Solaris zones

[Garick Hamlin]

On Tue, Oct 18, 2011 at 04:08:17PM -0400, Jorge Medina wrote:
 I don't have much information, but maybe someone has had a similar problem.
 
 I am building my distribution of Apache Web Server (and Tomcat). I
 include in my tarball a compiled version of openssl, apr, apr-util and
 apache with several modules including mod_jk

Have you tried doing a pldd to verify that /usr/sfw/lib/libcrypt.so
didn't get linked in?

 
 I build the components above in a physical machine running Solaris 10,
 create the tar ball and deploy it in another system (possibly in
 different directory, so we use LD_LIBRARY_PATH to point to the right
 set of libraries)
 
 All this has worked wonderful for quite some time. We have over the
 years updated several of the components with minor adjustment to our
 build.  Currently we are using apache 2.2.20 with openssl 1.0.0d
 
 Recently our IT department decided to use Solaris zones; so they
 deployed the same tarball in a zone. It works fine for most of the
 users of the system, except for two of them. Their requests time out.
 The apache access and error logs don't show anything, but we were able
 to narrow it down to the SSL handshaking failing.
 
 So far, it seems that building openssl in the target machine (the
 solaris zone)  fixes the problem; but I really want to distribute a
 compiled version of all libraries rather than building it in the
 target machine.
 
 So I was wondering if anybody has experienced a similar problem with
 OpenSSL when building it in a Soalris physical (global zone) machine
 but deploying it in a zone.
 
 -Jorge
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Bad Decrypt - Password Correct

[Garick Hamlin]

I've done things like this is the past.  My suspicion is you are
using a shell that does not specify binary mode on pipelines.   I
think line endings in the file were corrupted when it was written to 
JMBkFile.ssl and possible when it was written to openssl from 
JMBkFile.tar.  

This kind of thing can be done reliably with perl using binmode.
Some shells do not set binary mode on the file descriptors when
using redirection.

That is my guess if so you should see a lack of bare newlines in
the corrupted file.  If so, the file likely has a nontrivial number 
of corrupted points so it is likely intractable to recover.  This is 
obviously not an openssl problem if this is the case.

If so, something like this might be an interesting test.

perl -0377 -ne '$c++ if /(?![\r])([\n])/; END { print $c }'

It will count the number of bare newlines.

Garick





On Sun, Sep 27, 2009 at 02:25:55PM -0400, John Medearis wrote:
 Using openssl on Windows Vista 64-bit.  Would create a tar backup of data,
 and then use openssl to encrypt:
 
 openssl enc -aes-256-cbc -salt -pass file:backup_key  JMBkFile.tar 
 JMBkFile.ssl
 
 This has worked well on a RHEL 5 box, with a 1.2GB tar file.  I have been
 able to encrypt and decrypt successfully.
 
 The windows backup file is 8.3GB.  The password file has a single line
 containing just the password, no CR or LF, no additional lines.
 
 I have tried to decrypt specifying the file on the command line,
 specifying the actual password on the command line, but I continue to
 receive the Bad Decrypt message.  All of the posts I can find that seem to
 apply to my situation suggest a bad password or specifying the wrong
 encryption algorithm, but I know they are correct because I have a command
 file that creates it, so I know the parameters being used.
 
 Is it the size of the file?  What other possibilities should I look at?
 
 John
 
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org