Server :: Openssl Support For SNI And TLS?
Apr 1, 2010
I want to recompile Apache so that it supports SNI, because I need to use SSL name-based virtual hosts.
I referred to the following links:
[URL]
I installed the latest version of openssl, which is now openssl-1.0.0. I ran the following commands:
./config enable-tlsext --prefix=/usr/local2 --openssldir=/usr/local2/openssl
make
make test
make install
Then, to recompile Apache with the new SNI support, I ran the following:
./configure --enable-so --enable-ssl --enable-rewrite --enable-unique-id --with-ssl=/usr/local2/openssl
make
make install
After that when I start Apache: /usr/local/apache2/bin/apachectl -k start I get the following error:
SSLStrictSNIVHostCheck failed; OpenSSL is not built with support for TLS extensions and SNI indication. Refer to the documentation, and build a compatible version of OpenSSL.
Sep 26, 2010
I asked on irc, and received a sad 'not unless the version in synaptics is with ssl'. Is it not possible to change this ? - or is the only way out to compile/build it yourself?
Jul 14, 2010
I got a task assigned to me: I have to create new ssl key, csr & crt files using openssl. But the file name must be of this kind (*.aaa.xx.aa). When I tried a file name starting with *, it's not accepting the file name. But when I tried a file name starting with ., it's getting generated.
Jan 18, 2011
I inherited a project that someone built in lampp, and I need create new SSL certs.
So I go to do so and it says that OpenSSL is not installed and to apt-get and install it. (Ubuntu, by the way.)
So before I did so, I wondered if it would cause any problems...since it was supposed to be part of the lampp stack.
Feb 25, 2010
I would like to encrypt and decrypt zip file using OpenSSL keys. I have generated the keys and can encrypt normal text files but if I try to encrypt the zip file, I get error: "Error reading input Data" Following is what I have done.
generate keys:
Code:
openssl genrsa 4096 > private-key.pem
openssl rsa -pubout < private-key.pem
openssl rsa -pubout < private-key.pem > public-key.pem
encrypt the file:
Code:
openssl rsautl -encrypt -pubin -inkey public-key.pem -in test.zip test.zip.encrypted
I must use public/ private key pair (without any password) and I must use OpenSSL. But I can use any algorithm other than RSA (not sure which one to use and how).
Nov 3, 2010
For some years now I have been able to use openssl (apache-mod_ssl) to process encrypted traffic because I had, in effect, only one host - the main server - as the sole entry in our ssl_vhost.conf file.
Now we are working toward serving a couple of more secure sites for closely related organizations, but with their own distinct identities. This, in the past, would have meant additional static IPs with matching nic cards for starters. But my understanding is that since 2007/8 we have been able to use gnutls (apache-mod_gnutls) which gets around the old problem of Apache not being able to direct name-based traffic because that would not yet have been decoded. This is referred to as SNI - Server Name Indication.
Here my confusion begins. Is there an overlap between SSL and TLS? For instance, I would have generated RSA keys and a self-signed certificate with the genrsa command. Is this sufficient for gnutls or does it need to generate its own keys and certificates? I realize gnutls is relatively a new kid on the block but it is appealing and I'd like to give it a try.
I am working with the Mandriva/Mageia cooker with an x86_64 architecture so all packages are up-to-the-minute.
Nov 10, 2010
I am using fetchmail (with ssl support) to download my e-mail. About a week ago, the downloading from two servers stopped, among them gmail.com, due to an ssl error. Usually that means updating the ssl fingerprint in fetchmail.conf, and when I wanted to do this I discovered that there seems to be an issue with openssl.
When I do openssl s_client -connect pop.gmail.com:995 -showcerts I now get an error
server:> openssl s_client -connect pop.gmail.com:995 -showcerts
CONNECTED(00000003)
5448:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Ubuntu 8.04 (2.6.24-28-server #1 SMP Sat Oct 16 17:53:34 UTC 2010 i686 GNU/Linux)
OpenSSL 0.9.8g 19 Oct 2007
Can anybody explain to me what the error means and how to fix it?
Jul 10, 2011
I'm trying to find out when the QME2572 (Qlogic) card became supported by the kernel. We have a RHEL 5.1 system that is moving to new hardware, however the kernel at this release doesn't support the new hardware, due to the Qlogic card change. I tried the Redhat KB and Bugzilla. Is there a kernel change list etc. I can search? Never really played around with the kernel too much so I'm just after some pointers for looking up this information. Officially it's not supported until Redhat 5.3; I'm trying to research kernel info so I can tell the customer they have to upgrade.
May 14, 2010
I'm unable to compile ruby 1.9.X and I found out it was related to openssl. Although it seems there's a patch available for ruby, I don't know how to apply it, so I was thinking of downgrading to openssl 0.9.8n.
I'm using F13, btw. I'm still posting it here as openssl 1.0.0 was first introduced in F12; the other major distros are still using openssl 0.9.8k, so there's not much information on the problem.
Jul 27, 2011
I have a weird problem in which I try to use cryptodev in Openssl version 0.9.8g, but then if an error occurs or the system logs out, the version of Openssl rolls back to 0.9.8b. I have also tried reinstalling, but no dice. The version stays 0.9.8b. I am using Intel Tolapai with RedHat 5.
Jan 14, 2011
I was upgrading openssl 0.7 to 0.9.81 on my redhat 9 server. I've followed the guideline from here: [url]
Now everything is messed up. There's no libcrypto.so in the /usr/local/ssl/lib directory, only libcrypto.a. Neither in the /usr/lib or /lib directory. I can't even run scp or wget to download the rpm of openssl; I'm getting a libcrypto.so error. I've used the locate command to find libcrypto.so. There's none. I've run the ./config, make, make test and make install commands again in the openssl 0.9.81 source directory. But no luck. No libcrypto.so. This is a production server and the httpd went down.
Jan 8, 2011
I am trying to get openssl to verify a certificate. I will walk you through what I have done so far.
1. openssl genrsa -des3 -out connect.mydomain.com.key 2048
2. openssl req -new -key connect.mydomain.com.key -out connect.mydomain.com.csr
3. Bought an SSL from GoDaddy.
4. Submitted my CSR
5. Downloaded sf_bundle.crt (CA File I presume)
6. Downloaded connect.mydomain.com.crt
Now I can do the following:
[root@server tls]# openssl verify -CAfile sf_bundle.crt connect.mydomain.com.crt
connect.mydomain.com.crt: OK
This is specifying the CAfile.
[Code]...
Aug 17, 2011
In order to share profiles between a Mahara and a Moodle installation I need to get OpenSSL working.
I've got OpenSSL installed on the server and followed this tutorial. However, I still get an error message saying that either OpenSSL or PHP's support for OpenSSL is missing: Could not generate a new SSL key. Are you sure that both openssl and the PHP module for openssl are installed on this machine?
What would be the next steps to actually set up the Apache server and PHP so they can use OpenSSL? (I've already specified the path to my caconfig.cnf file in Mahara's config.php.)
Aug 10, 2011
I am a new administrator and am running SLES 11 on a VM. I have openssl installed, but when I attempt to compile an add-on module to Nginx I get the following list of errors:
[Code]...
Oct 7, 2010
I've been googling around and have had a bit of a hard time trying to find help with this little issue. Managed to install CouchDB on the server at work after doing some fiddling due to not having spidermonkey available. Anyways, part of this involved updating openssl. After doing this however all hell broke loose. It seems a lot of programs needed the old version. I keep getting: error while loading shared libraries: libssl.so.0.9.8: cannot open shared object file: No such file or directory
I did a search:
>locate libssl.so.0.9.8
And it returned:
[code]...
Apr 27, 2010
I have a problem installing openvpn. I get this error:
[Code]....
Aug 18, 2010
I want to use FIPS mode under linux. With openssl-0.9.8o, I typed "./config fipscanisterbuild" and then typed "make". The compile was successful. Then I did a test of fips; below is my test code (main.cpp):
#include <iostream>
#include <openssl/ssl.h>
#include <openssl/fips.h>
int main(int argc, char *argv[])
{
[Code]....
Aug 25, 2009
After installing rhel 5.1, is there any way to activate rhn support? At the time of installation I chose "I will do it later".
Now I have to take the updates from the redhat server.
May 3, 2016
Is it mandatory to reboot a public server after upgrading openssl? Or is it sufficient to restart the services?
Jan 19, 2010
I'm using Apache as a web server and mod_ssl to handle my certs. Everything was working fine on Fedora 11 running 0.9.8x of openssl until I updated to 12. Version 1.0.0beta4 of open ssl is full of bugs. It is basically incompatible with .net and php's implementation of SSL. Running wireshark actually shows it fails at handshake stages...
I'm not here to report the bugs relating to openssl but can somebody please explain why there is an unstable version of openssl in Fedora 12 as standard?
May 11, 2010
I'm getting a segv when trying to run CA.pl/.sh to create a rootCA:
Please enter the following 'extra' attributes to be sent with your certificate request.
A challenge password []:
An optional company name []:
unknown option -create_serial
usage: ca args
-verbose - Talk alot while doing things
-config file - A config file
-name arg - The particular CA definition to use
-gencrl - Generate a new CRL
-crldays days - Days is when the next CRL is due
-crlhours hours - Hours is when the next CRL is due
-startdate YYMMDDHHMMSSZ - certificate validity notBefore
-enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)
-days arg - number of days to certify the certificate for
-md arg - md to use, one of md2, md5, sha or sha1
-policy arg - The CA 'policy' to support
-keyfile arg - private key file
-keyform arg - private key file format (PEM or ENGINE)
-key arg - key to decode the private key if it is encrypted
-cert file - The CA certificate
-in file - The input PEM encoded certificate request(s)
-out file - Where to put the output file(s)
-outdir dir - Where to put output certificates
-infiles .... - The last argument, requests to process
-spkac file - File contains DN and signed public key and challenge
-ss_cert file - File contains a self signed cert to sign
-preserveDN - Don't re-order the DN
-noemailDN - Don't add the EMAIL field into certificate' subject
-batch - Don't ask questions
-msie_hack - msie modifications to handle all those universal strings
-revoke file - Revoke a certificate (given in file)
-subj arg - Use arg instead of request's subject
-extensions .. - Extension section (override value in config file)
-extfile file - Configuration file with X509v3 extentions to add
-crlexts .. - CRL extension section (override value in config file)
-engine e - use engine e, possibly a hardware device.
-status serial - Shows certificate status given the serial number
-updatedb - Updates db for expired certificates
./CA.sh: line 197: 10495 Segmentation fault
$CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch -keyfile ${CATOP}/private/$CAKEY -selfsign -extensions v3_ca -infiles ${CATOP}/$CAREQ
I tried removing the -create_serial option and then it complains about the -selfsign option. Removed that too - but it just errors out, never creating my root ca cert. Happens with openssl 0.9.8m/1.0.0 on suse linux 9.
May 9, 2010
I saw, there is a new OpenSSL v 1.0.0 and I wanna ask how to install it. I have this server now Apache/2.2.14 (Ubuntu) PHP/5.2.10-2ubuntu6.4 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
And I try to install by reading the Install file in the package but I still have 0.9.8k.
$ ./config
$ make
$ make test
$ make install
Jul 28, 2010
I'd like to upgrade libssl to version 0.9.8l on my Lucid-based server, because of CVE-2009-3555 - they say that 0.9.8l disables SSL renegotiation, fixing the security issue. But there is no 0.9.8l in the Ubuntu repositories - only 0.9.8k-7 is available. How can I upgrade this library? BTW, it is really strange that such a significant security fix is not available in the Ubuntu repositories. Why is it not available?
Dec 10, 2010
I have an encrypted file using .aes256. I'm trying to decrypt it but it fails. This is the command I used:
Quote:
openssl enc -d -aes256 -in insurance.aes256 > /media/DATA/out.dec
And here's the error:
Quote:
enter aes-256-cbc decryption password:
bad decrypt
13930:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:330:
Jul 5, 2010
I'm trying to connect to pop.gmail.com via openssl using
openssl s_client -connect pop.gmail.com:995
and I always have one error:
socket: Connection refused
connect:errno=29
What can I do to make it work?
Sep 24, 2010
I'm on F13 and I'm trying to compile a package from the source. The package is delasa (www.dalesa.lk) and when I ./configure. I get 'configure: error: openssl development libraries not found'. This is the output of 'yum search openssl | grep dev'
openssl-devel.i686 : Files for development of applications which will use
globus-gsi-openssl-error-devel.i686 : Globus Toolkit - Globus OpenSSL Error
globus-openssl-devel.i686 : Globus Toolkit - Openssl Library Development Files
globus-openssl-module-devel.i686 : Globus Toolkit - Globus OpenSSL Module
[Code]....
Jun 11, 2010
I haven't been able to determine what exactly Python OpenSSL is and what it does. Google searching has not yielded me anything I can understand. In a terminal window (using RHEL 4.8 AS) typing
Code:
rpm -qi pyOpenSSL
yields information pertaining to the version of Python OpenSSL on my server. Can you explain what Python OpenSSL is in simple terms?
Jan 29, 2011
I've recently migrated an unlicensed RHEL5 box to CentOS 5 in order to get the system patched, and yum is telling me that openssl 0.9.8e is the up-to-date version. But that version is over two years old. I know I can install the newest openssl by using the rpm and I also know how to install from the tarball, but I'm trying to avoid both methods because I prefer the automated dependency handling of yum.
My question is SHOULD I be expecting yum to see openssl 0.9.8q when I run 'yum update openssl'?
If so, I'll be happy to reinvestigate my configuration for problems. I'm currently just using the default CentOS repositories.
If it's a case where anything beyond 0.9.8e simply hasn't been included from upstream, and I need to install it manually, that's fine. I'm just trying to get a handle on my expectations. I've been poring through google and forums and looking for documentation for weeks, but there's so much that it's definitely possible I've overlooked it.
May 20, 2009
I am using debian base, and I want to know where can I download openssl-devel. What is the name in apt-get or aptitude?
May 16, 2009
I just can't figure out how to enable openssl on my server. I've searched around on the web but have come upon dead ends. I recently became the admin of a server at a new company; the previous admin installed everything on this server. The server has php running, which was installed thru yum I believe. And so was OpenSSL. Recently though I've been ordered to configure an online sales software. So I started investigating what I would need. I know I need OpenSSL, a certificate which should be bought, etc.
I met the dreaded dead ends when I came upon knowledge that I had to make OpenSSL work with PHP. Ok so I got to work. I found out that I needed an extension enabled in php. And the only way (that I've read so far) is thru compiling PHP with the command --with-openssl-dir=path. The problem is that I've compiled many times now and see no change in the phpinfo file. Can the extension be enabled (--with-openssl-dir=path) even after php and openssl have been installed thru yum? I'm also new to linux.