Re: SSL, certs, and conserver (fix included)

Here are references to this problem:

https://www.conserver.com/pipermail/users/2005-October/msg00002.html
http://www.google.com/search&q=%22cipher+or+hash+unavailable%22+% 
22solaris+10%22

Note that it doesn't fail on Solaris in all cases--it fails with the  
OpenSSL that *ships with Solaris 10*.  If you compile OpenSSL  
yourself and make sure that conserver links with the OpenSSL that you  
compiled, it's fine.

This might have some insight:

http://cvs.opensolaris.org/source/xref/on/usr/src/common/openssl/ 
README.SUNW


	- djg

On Jun 29, 2006, at 1:17 PM, Chris Ross wrote:

> On Oct 19, 2005, at 6:20 PM, Bryan Stansell wrote:
> > >    So, I have a workaround now, but would like to
> > > know if you knew that it required something above
> > > 0.9.7d?  Thanks...
> >
> > i didn't know (or expect) a requirement of using something newer than
> > 0.9.7d.  the code used to work with 0.9.6, etc.  something could very
> > well have changed such that it's not backward compatible any more  
> > - in
> > some way.
> >
> > surprisingly, i have openssl-0.9.7d (as well as a handful of other
> > versions on my box).  here's two (0.9.7d and 0.9.7c):
>
>    So, time flies by, jobs change, and now I'm at a totally different
> place
> finding the same problem.  It's still a sparc Solaris 10 machine, in
> this
> case Solaris 10 Update 1 (I think.  We have update 2 boxes around, as
> well, but this is an Update 1 box).
>
>    I have the aforementioned problem that when running with a
> compilation against the Solaris 0.9.7d OpenSSL, I get:
>
> [Thu Jun 29 12:51:37 2006] conserver (5930): ERROR: FileSSLAccept():
> SSL error on fd 5
>
> as output from conserver -v, and I get:
>
> $ console -x
> console: SSL negotiation failed
> 5932:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash
> unavailable:../../../../common/openssl/ssl/t1_enc.c:449:
> $
>
> from the client command as shown.
>
>    :-/  I found the old conversation on the web (and later in my
> mailbox.  ;-)
> and now know that with a fair amount of effort, I can work around this
> problem, but it seems like we should try to figure out why this fails
> on Solaris.
>
>    If you think you might have some time to help me with it s'more, I
> can probably even make a solaris box available to you, given a
> little bit of time.
>
>    Let me know if you have any other suggestions of things to try.
> conserver -V output is attached, in case it's useful...
>
> $ /usr/local/sbin/conserver -V
> conserver: conserver.com version 8.1.14
> conserver: default access type `r'
> conserver: default escape sequence `^Ec'
> conserver: default configuration in `/etc/conserver/conserver.cf'
> conserver: default password in `/etc/conserver/conserver.passwd'
> conserver: default logfile is `/var/log/conserver'
> conserver: default pidfile is `/var/run/conserver.pid'
> conserver: default limit is 16 members per group
> conserver: default primary port referenced as `conserver'
> conserver: default secondary base port referenced as `0'
> conserver: options: openssl, pam
> conserver: openssl version: OpenSSL 0.9.7d 17 Mar 2004
> conserver: built with `./configure --prefix=/usr/local --sysconfdir=/
> etc/conserver --with-extmsgs --with-rpath --with-openssl --with-pam'