On Wed, 2011-01-12 at 23:57 -0800, dormando wrote:
> >
> > SSL: SSL_connect:error in SSLv3 write certificate verify A
> > OpenSSL: tls_connection_handshake - SSL_connect error:14099004:SSL
> > routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
> > SSL: 0 bytes pending from ssl_out
> > SSL: Failed - tls_out available to report error
> > SSL: No data to be sent out
> >

That error comes from openssl's ssl3_send_client_verify() function,
specifically from this code block:

        if (pkey->type == EVP_PKEY_RSA)
                {
                s->method->ssl3_enc->cert_verify_mac(s,
                        NID_md5,
                        &(data[0]));
                if (RSA_sign(NID_md5_sha1, data,
                                 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
                                &(p[2]), &u, pkey->pkey.rsa) <= 0 )
                        {
                        SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
                        goto err;
                        }
                s2n(u,p);
                n=u+2;
                }

This indicates a problem during the SSL exchange and may mean that
something is wrong with the client certificate.  Like maybe the
certificate's fingerprint doesn't match or something.  You might try
adding some debugging print code to openssl in this function to figure
out exactly what's wrong with RSA_sign().

Dan

> Some quick notes that I somehow missed earlier:
> 
> The main debug log (from wimaxd) shows:
> ***** Sending EAPEncryptPrivateRequest request (2011/00/12 23:50:50.257)
> ... bunch of data...
> ***** Message sent successfully
> 
> then it sits around for a few seconds, and:
> ERROR: RSA private key encryption timeout
> ... which is from the beceem engine stuff, and at the same time the auth
> log is spitting out what I noted before.
> 
> It's also probably worth saying that no matter what I put in for
> UserIdentity or TLSDevicePrivateKeyPassword I get the same timeout in the
> same place.
> 
> Which leads me to believe that one or both are wrong somewhere, but I
> can't find where that would be.
> 
> Thanks,
> -Dormando
> _______________________________________________
> wimax mailing list
> [email protected]
> http://lists.linuxwimax.org/listinfo/wimax
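
An added example, not part of the original message and not OpenSSL code: unpacking the code 14099004 from the quoted log shows how the error maps to ssl3_send_client_verify() and why the reason reads "RSA lib". It assumes the pre-3.0 OpenSSL error layout (8-bit library, 12-bit function, 12-bit reason); the struct and helper names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: pre-3.0 OpenSSL error layout (8-bit library, 12-bit function,
 * 12-bit reason), as unpacked by ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON. */
#define LIB_RSA 4   /* ERR_LIB_RSA; ERR_R_RSA_LIB is defined as this value */
#define LIB_SSL 20  /* ERR_LIB_SSL */

struct ossl_err {   /* hypothetical helper type, not an OpenSSL structure */
    unsigned long code;
    int lib, func, reason;
    char lib_s[64], func_s[64], reason_s[64];
};

/* Parse "error:HEX:library:function:reason" out of one log line.
 * Wrapped lines must be rejoined first. Returns 0 on success, -1 otherwise. */
static int parse_ossl_err(const char *line, struct ossl_err *e)
{
    const char *p = strstr(line, "error:");

    memset(e, 0, sizeof(*e));
    if (p == NULL || sscanf(p, "error:%lx:%63[^:]:%63[^:]:%63[^:\r\n]",
                            &e->code, e->lib_s, e->func_s, e->reason_s) != 4)
        return -1;
    e->lib = (int)((e->code >> 24) & 0xffUL);
    e->func = (int)((e->code >> 12) & 0xfffUL);
    e->reason = (int)(e->code & 0xfffUL);
    return 0;
}

/* True when the SSL layer only recorded "a call into the RSA library failed";
 * the cause then has to come from RSA_sign() or the engine behind it. */
static int ssl_blames_rsa_lib(const struct ossl_err *e)
{
    return e->lib == LIB_SSL && e->reason == LIB_RSA;
}

int main(void)
{
    /* The error line quoted in this thread, with the wrapped line rejoined. */
    const char *line = "OpenSSL: tls_connection_handshake - SSL_connect "
        "error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib";
    struct ossl_err e;

    if (parse_ossl_err(line, &e) != 0)
        return 1;
    printf("lib=%d (%s) func=%d (%s) reason=%d (%s) rsa_lib_failure=%d\n",
           e.lib, e.lib_s, e.func, e.func_s, e.reason, e.reason_s,
           ssl_blames_rsa_lib(&e));
    return 0;
}
```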

