[Date Prev] [Date Index] [Date Next] [Thread Prev] [Thread Index] [Thread Next]

Re: SSL, certs, and conserver (fix included)

DJ Gregor dj@gregor.com
Thu, 29 Jun 2006 21:39:34 -0700 (PDT)

Here are references to this problem:

http://www.google.com/search&q=%22cipher+or+hash+unavailable%22+% 22solaris+10%22

Note that it doesn't fail on Solaris in all cases--it fails with the OpenSSL that *ships with Solaris 10*. If you compile OpenSSL yourself and make sure that conserver links with the OpenSSL that you compiled, it's fine.

This might have some insight:

http://cvs.opensolaris.org/source/xref/on/usr/src/common/openssl/ README.SUNW

- djg

On Jun 29, 2006, at 1:17 PM, Chris Ross wrote:

On Oct 19, 2005, at 6:20 PM, Bryan Stansell wrote:
   So, I have a workaround now, but would like to
know if you knew that it required something above
0.9.7d?  Thanks...

i didn't know (or expect) a requirement of using something newer than
0.9.7d. the code used to work with 0.9.6, etc. something could very
well have changed such that it's not backward compatible any more - in
some way.

surprisingly, i have openssl-0.9.7d (as well as a handful of other
versions on my box).  here's two (0.9.7d and 0.9.7c):

So, time flies by, jobs change, and now I'm at a totally different place finding the same problem. It's still a sparc Solaris 10 machine, in this case Solaris 10 Update 1 (I think. We have update 2 boxes around, as well, but this is an Update 1 box).

   I have the aforementioned problem that when running with a
compilation against the Solaris 0.9.7d OpenSSL, I get:

[Thu Jun 29 12:51:37 2006] conserver (5930): ERROR: FileSSLAccept():
SSL error on fd 5

as output from conserver -v, and I get:

$ console -x
console: SSL negotiation failed
5932:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash

from the client command as shown.

   :-/  I found the old conversation on the web (and later in my
mailbox.  ;-)
and now know that with a fair amount of effort, I can work around this
problem, but it seems like we should try to figure out why this fails
on Solaris.

   If you think you might have some time to help me with it s'more, I
can probably even make a solaris box available to you, given a
little bit of time.

   Let me know if you have any other suggestions of things to try.
conserver -V output is attached, in case it's useful...

$ /usr/local/sbin/conserver -V
conserver: conserver.com version 8.1.14
conserver: default access type `r'
conserver: default escape sequence `^Ec'
conserver: default configuration in `/etc/conserver/conserver.cf'
conserver: default password in `/etc/conserver/conserver.passwd'
conserver: default logfile is `/var/log/conserver'
conserver: default pidfile is `/var/run/conserver.pid'
conserver: default limit is 16 members per group
conserver: default primary port referenced as `conserver'
conserver: default secondary base port referenced as `0'
conserver: options: openssl, pam
conserver: openssl version: OpenSSL 0.9.7d 17 Mar 2004
conserver: built with `./configure --prefix=/usr/local --sysconfdir=/
etc/conserver --with-extmsgs --with-rpath --with-openssl --with-pam'