
SSL_connect:error


chirs charter

Aug 19, 2001, 1:05:19 AM
Hello,
I am using openssl-0.9.6 on a Solaris box. I am
currently using a temporary self signed certificate.
The OS is Solaris 8. For /dev/random I have installed
ANDIrand(http://www.cosy.sbg.ac.at/~andi/) and I have
also installed PRNGD. I installed both as I thought
the problem might relate to the random number
generator. I am using openssl to encrypt client
connections to our Cyrus IMAP 2.0.16 server. Here is
the output of a Cyrus connection utility called imtest:

imtest -v -t /var/imap/mailhost.crt localhost
C: C01 CAPABILITY
S: * OK catfish Cyrus IMAP4 v2.0.16 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS
S: C01 OK Completed
S01 NO Error initializing TLS
starting TLS engine
setting up TLS connection
SSL_connect:before/connect initialization
write to 000D6A20 [000F4870] (90 bytes => 90 (0x5A))
0000 16 03 01 00 55 01 00 00|51 03 01 3b 7f 48 2b 76
0010 b6 b5 6d dd c2 ce 95 6a|2c 19 88 c8 d9 a3 4a 76
0020 3b b7 e9 56 11 0c 11 73|fb 25 a5 00 00 2a 00 16
0030 00 13 00 0a 00 66 00 07|00 05 00 04 00 65 00 64
0040 00 63 00 62 00 61 00 60|00 15 00 12 00 09 00 14
0050 00 11 00 08 00 06 00 03|01
005a - <SPACES/NULS>

SSL_connect:SSLv3 write client hello A
read from 000D6A20 [000EC060] (5 bytes => 5 (0x5))
0000 2a 20 42 41 44
write to 000D6A20 [000E3DD0] (7 bytes => 7 (0x7))
0000 15 20 42 00 02 02 46
SSL3 alert write:fatal:unknown
SSL_connect:error in SSLv3 read server hello A -1
SSL_connect error -1
SSL session removed
TLS negotiation failed!
Asking for capabilities again since they might have changed
C: C01 CAPABILITY
S: Invalid tag
S: * BAD Invalid tag

I have tried looking up some of these errors on various
newsgroups but have come up empty-handed. Could someone
help shed some light on the possible cause and/or
workaround? I would greatly appreciate any help. Thank
you.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Lutz Jaenicke

Aug 19, 2001, 4:23:22 AM
On Sat, Aug 18, 2001 at 10:01:05PM -0700, chirs charter wrote:
> I am using openssl-0.9.6 on a Solaris box. I am
> currently using a temporary self signed certificate.
> The OS is Solaris 8. For /dev/random I have installed
> ANDIrand(http://www.cosy.sbg.ac.at/~andi/) and I have
> also installed PRNGD. I installed both as I thought
> the problem might relate to the random number
> generator. I am using openssl to encrypt client
> connections to our Cyrus IMAP 2.0.16 server. Here is
> the output of a Cyrus connection utility called imtest:

First thing: OpenSSL versions before 0.9.7 (which is not yet released,
so I talk about all current versions) do not access /dev/random or
PRNGD automatically. The application has to access it explicitly.
(From the output below I am, however, not sure what the reason for
the failure is.)
You may add RAND_egd("/path/to/egd-socket"); to the start of both server
and client to make sure that the PRNG is properly seeded.

I don't know what is going on here. Yesterday afternoon I wrote the
manual page for SSL_alert_type_string() et al. and just discovered
that the alert descriptions for TLSv1 are not included in the library,
only those for SSLv3... Therefore we only see the "unknown" here. I will fix this
today.

> SSL_connect:error in SSLv3 read server hello A -1
> SSL_connect error -1
> SSL session removed
> TLS negotiation failed!
> Asking for capabilities again since they might have changed
> C: C01 CAPABILITY
> S: Invalid tag
> S: * BAD Invalid tag
>
> I have tried looking up some of these errors on various
> newsgroups but have come up empty-handed. Could someone
> help shed some light on the possible cause and/or
> workaround? I would greatly appreciate any help. Thank
> you.

Please run ssldump (http://www.rtfm.com/ssldump) to find out more
details, and check out the output of the server.

Best regards,
Lutz
--
Lutz Jaenicke Lutz.J...@aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

chirs charter

Aug 19, 2001, 1:31:08 PM
Thanks for your reply Lutz. I do have a /dev/unrandom
though which is a link to /dev/random and I see the
presence of a /.rnd file; doesn't this mean that
openssl is starting up correctly? Also can you tell
me how to add RAND_egd("/path/to/egd-socket"); to
the beginning of an application, in my case IMAP? i.e.,
what is the procedure for doing this? I will run
ssldump. Thanks again.
--- Lutz Jaenicke <Lutz.J...@aet.TU-Cottbus.DE>
wrote:
> You may to the


Lutz Jaenicke

Aug 19, 2001, 4:31:05 PM
On Sun, Aug 19, 2001 at 10:27:52AM -0700, chirs charter wrote:
> Thanks for your reply Lutz. I do have a /dev/unrandom
> though which is a link to /dev/random and I see the
> presence of a /.rnd file; doesn't this mean that
> openssl is starting up correctly? Also can you tell

The link does help for the first steps. In the long run you may run
into trouble, as /dev/random may block when exhausted, and thus
all starting processes requiring entropy will also block.
/.rnd is only used by the "openssl" command line tools.

> me how to add RAND_egd("/path/to/egd-socket"); to
> the beginning of an application, in my case IMAP? i.e.,
> what is the procedure for doing this?

Add it to the source code and recompile :-)
I do use UW-imapd and I added it to src/osdeb/unix/ssl_unix.c,
directly after SSLeay_add_ssl_algorithms().
If you use another imap software, look out for SSLeay_add_ssl_algorithms(),
OpenSSL_add_ssl_algorithms() or SSL_library_init() (they all are synonyms)
and add RAND_egd("/path/to/your/egd-socket"); just behind it and recompile.

Lutz Jaenicke

Aug 19, 2001, 4:34:23 PM
On Sun, Aug 19, 2001 at 02:26:24PM -0500, Amos Gouaux wrote:
> As it happens, I too am trying to get SSL/TLS going with latest
> cyrus-imapd. Though, in my case I'm trying to use a Verisign cert.
> At this point I'm just trying to figure out what I need to do next.
>
> I have the server key file in pem format defined, the cert I got
> back from Verisign, and the vsignss.pem that came with
> openssl-0.9.6b. When I attempt to connect I get the following:
>
> depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
>
> Is this telling me I need a chain cert? Suggestions on what to try next?

This error message tells you that the chain is complete (the verification
process reaches the root CA certificate and finds it to be self signed).
However, the verification cannot succeed, as the root CA certificate must
be available as a local copy for verification purposes.
From the API point of view, this is achieved by loading it using
SSL_CTX_load_verify_locations().
I don't know how to load the trusted CA certificates using the specific
cyrus-imapd software; please check out the manual or grep for the call
shown above in the source and see how it is used.
