OpenSSL certs

Had a recent install with Verisign certs; that was fun.
Therefore I'm looking at some questions before I deploy the OpenSSL cert for guest access.
Reading the docs, it says the following:
"Ensure that the host name that is used to create the certificate (Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP on the WLC and that the name exists in the DNS as well"
However, IF we use 1.1.1.1 as the usual virtual interface IP address and associate this with the CName in DNS, it would publish this. Now, I am not a DNS expert, but I recall you can have an internal/external lookup, so it would be on the internal lookup?
Also, the Verisign product page does not list the Cisco WLC as a server type for SSL certs. Which should I go for?
Any help appreciated.

Pete, did you get this taken care of buddy? Do you still need a hand?

Similar Messages

  • TLS not working with Openssl Certs

    Hi, I have been struggling with a certificate problem for about two weeks now with no joy. Almost all the forums, tutorials and examples etc. I have tried are simply not working. Without fail I get the following exception or similar:
    [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]
    Basically I know I have a valid certificate, because when I use an LDAP client with just the self-generated cacert.pem there are no problems and a TCP dump shows the encrypted data.
    My setup is as follows: I have an OpenLDAP server running on Debian. I generated my own certificates as per: http://www.openldap.org/faq/data/cache/185.html
    All I want to do now is import these generated certs/keys with keytool, and be able to use them with TLS.
    When importing the certs via Java LDAP browsers they work fine, but as soon as I try to use my own TLS client like the StartTLS.java sample provided by the Java tutorial I get the above exception. I'm probably missing some piece of the puzzle.
    Please, if anyone else knows how to set this up correctly using the certs I have generated via the OpenLDAP example above, I would really appreciate your help. There are a lot of examples pertaining to app servers etc., but nothing I could find to talk to OpenLDAP.
    regards
    ed

    On a similar occasion I extended javax.net.ssl.X509TrustManager, and when creating the connection I first initialized the SSL context with that trust manager.
    Something like:
    import javax.net.ssl.*;
    // "TLS" negotiates the best protocol version both sides support; SSLv3 is obsolete
    SSLContext sslContext = SSLContext.getInstance("TLS");
    MyTrustManager tm = new MyTrustManager(....);
    TrustManager tms[] = {tm};
    sslContext.init(null, tms, null);
    // or set it on your corresponding TLS connection class; do that before getting any HTTPS or similar TLS connections
    HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
    In case that does not bring you further, post some stack trace and further settings.

  • OpenSSL cert client distro

    Hello everyone,
    I have recently installed OS X Server on one of my machines and I am getting ready to host secure websites. I have fumbled through command-line and GUI creation of my first SSL cert until I finally got one that worked. My question is: how do I distribute the self-signed key to other users, since it will not be a 'trusted' cert? Thank you for any help on this issue.

    Found a solution

  • Openssl: how to find out version installed

    Hi,
    I am looking into installing Webmin only for the purpose of being a frontend to MySql.
    The Webmin install preamble mentions to check Perl + OpenSSL versions.
    Perl version installed is OK but following the instruction,
    < OpenSSL: 0.9.7b to see version open terminal cd /usr/bin then type OpenSSL version >
    no satisfactory answer is returned, ie,
    [PowerBook:/usr/bin] patrickh% OpenSSL --version
    ==//==
    /Previous Systems/Previous System 1/usr/share/man/man3/UI_OpenSSL.3ssl
    /sw/share/man/man3/OpenSSLadd_allalgorithms.3
    /System/Library/OpenSSL
    /System/Library/OpenSSL/certs
    /System/Library/OpenSSL/lib
    /System/Library/OpenSSL/misc
    /System/Library/OpenSSL/misc/CA.pl
    /System/Library/OpenSSL/misc/CA.sh
    /System/Library/OpenSSL/misc/c_hash
    /System/Library/OpenSSL/misc/c_info
    /System/Library/OpenSSL/misc/c_issuer
    /System/Library/OpenSSL/misc/c_name
    /System/Library/OpenSSL/misc/der_chop
    /System/Library/OpenSSL/openssl.cnf
    /System/Library/OpenSSL/private
    /usr/share/man/man3/DH_OpenSSL.3ssl
    /usr/share/man/man3/DSA_OpenSSL.3ssl
    /usr/share/man/man3/OpenSSLadd_allalgorithms.3ssl
    /usr/share/man/man3/OpenSSLadd_allciphers.3ssl
    /usr/share/man/man3/OpenSSLadd_alldigests.3ssl
    /usr/share/man/man3/OpenSSLadd_sslalgorithms.3ssl
    /usr/share/man/man3/UI_OpenSSL.3ssl
    [PowerBook:/usr/bin] patrickh% cd /System/Library/OpenSSL
    [PowerBook:/System/Library/OpenSSL] patrickh% OpenSSL --version
    tcsh: OpenSSL: Command not found.
    [PowerBook:/System/Library/OpenSSL] patrickh%
    =====
    Of course < tcsh: OpenSSL: Command not found. > is the important bit here I guess.
    The other question is, any other suitable mysql (open source) frontends?
    Looked at rekall but did not much like its feel, look.
    Patrick

    Not quite the answer you are looking for but if you only want a GUI for mysql you might want to try phpmyadmin instead http://www.phpmyadmin.net/home_page/index.php
    Webmin is a great admin tool for numerous applications but phpadmin is a great tool for mysql administration that does not require you to learn all of the nuances of Webmin.
    FWIW I have both installed and really like Webmin for its versatility but find phpmyadmin much simpler to learn and use.

  • Snow leopard and 3.2.6 xcode

    To begin, Snow Leopard is 10.6.8, up to date.
    Well, as I have only been searching up and down the web for a solution to this problem, I have found a lot of dead ends and unanswered problems.
    Xcode 3.2.6 seems to be the most rare thing in the universe to come across, or at least for myself it is.
    I'm running Snow Leopard, hence the title.
    It came with a disc, oh wait, isn't that a wonder, since that's the only way you can download it, as far as I'm aware, and it's almost absurd that you can digitally download Mavericks.
    Anyways, the Xcode that comes with the optional install on the disc is only up to date to 3.0. Isn't that shocking, since I wasted my time and money getting Snow Leopard because of the many problems Apple has with almost everything (Leopard & OpenSSL cert.), which was a pain in the *** to begin with.
    Warning: Xcode is not installed
    Most formulae need Xcode to build.
    It can be installed from https://developer.apple.com/downloads/
    As the above makes pretty ******* obvious what the problem is, where the real problem lies is that I can't install it.
    When I go to install xcode_3.2.6_and_Ios_sdk_4.3.dmg, everything appears to be fine until it actually starts to verify it, and in less than about ten seconds every time it is denied.
    I've gone through **** trying to figure this out and even the programmers at my local business are unable to figure this problem out because there is absolutely no explanation as to why it won't install. It does not give me a hint of any sort; it is simply put "verification unable to process".
    Now, before I thought of actually coming here and looking for help, I have reinstalled Xcode and Snow Leopard numerous times to receive the same problem.
    Quite frankly I do not wanna put more money into Lion, as I heard first off it's a waste, and secondly why should I keep spending money and getting the same **** results.
    I heard about getting Xcode 4.2, but I'm not even sure this is compatible with Snow Leopard, let alone that the link is busted and access is denied due to having to be a paid member on the Apple site (which at this rate will never happen).
    I don't mean to be rude, I'm just a twenty-one-year-old kid with a bit of a furious attitude who doesn't like to waste his time and money.
    But please, if this at all gets answered (which I'm almost positive it won't, since everywhere else I searched no answers are being given), let it at least be related to the cause, as I can see a lot of people are in the same situation and therefore I believe a REAL solution should not be left unheard.
    If any more information is needed, please feel free to ask. I will be checking in every so often to hopefully come back to a fix.
    Thank you for letting me waste your time.
    Thank you for letting me waste your time.

    Okay so after reinstalling everything and running brew doctor
    I'm getting this now
    Warning: Unbrewed dylibs were found in /usr/local/lib.
    If you didn't put them there on purpose they could cause problems when
    building Homebrew formulae, and may need to be deleted.
    Unexpected dylibs:
        /usr/local/lib/libexslt.0.dylib
        /usr/local/lib/libexslt.dylib
        /usr/local/lib/libhistory.6.0.dylib
        /usr/local/lib/libhistory.6.dylib
        /usr/local/lib/libhistory.dylib
        /usr/local/lib/libreadline.6.0.dylib
        /usr/local/lib/libreadline.6.dylib
        /usr/local/lib/libreadline.dylib
        /usr/local/lib/libruby.1.8.7.dylib
        /usr/local/lib/libruby.1.8.dylib
        /usr/local/lib/libruby.dylib
        /usr/local/lib/libsqlite3.0.8.6.dylib
        /usr/local/lib/libsqlite3.0.dylib
        /usr/local/lib/libsqlite3.dylib
        /usr/local/lib/libxml2.2.dylib
        /usr/local/lib/libxml2.dylib
        /usr/local/lib/libxslt.1.dylib
        /usr/local/lib/libxslt.dylib
    Warning: Unbrewed .la files were found in /usr/local/lib.
    If you didn't put them there on purpose they could cause problems when
    building Homebrew formulae, and may need to be deleted.
    Unexpected .la files:
        /usr/local/lib/libexslt.la
        /usr/local/lib/libsqlite3.la
        /usr/local/lib/libxml2.la
        /usr/local/lib/libxslt.la
    Warning: Unbrewed .pc files were found in /usr/local/lib/pkgconfig.
    If you didn't put them there on purpose they could cause problems when
    building Homebrew formulae, and may need to be deleted.
    Unexpected .pc files:
        /usr/local/lib/pkgconfig/libexslt.pc
        /usr/local/lib/pkgconfig/libxml-2.0.pc
        /usr/local/lib/pkgconfig/libxslt.pc
        /usr/local/lib/pkgconfig/sqlite3.pc
    Warning: Unbrewed static libraries were found in /usr/local/lib.
    If you didn't put them there on purpose they could cause problems when
    building Homebrew formulae, and may need to be deleted.
    Unexpected static libraries:
        /usr/local/lib/libexslt.a
        /usr/local/lib/libhistory.a
        /usr/local/lib/libreadline.a
        /usr/local/lib/libruby-static.a
        /usr/local/lib/libsqlite3.a
        /usr/local/lib/libxml2.a
        /usr/local/lib/libxslt.a
    Warning: Your Xcode (3.2) is outdated
    Please update to Xcode 3.2.6.
    Xcode can be updated from https://developer.apple.com/downloads/

  • Patches not patching, error occurred "Error is:"

    Hello! I am patching a SLES 11 SP2 server with ZCM 11.2.4 with Monthly Update 1 applied. The majority of my patches are applied appropriately; however, there are 5 patches that will not apply and I get this unhelpful message in the message log - "An error occurred while executing the program. Error is:" with no error listed after the colon. I have tried clearing the cache on the agent, rebooting, checking and unchecking the "Resolve all RPM dependencies" box, all with no change. For testing purposes, I downloaded one of the patch RPMs from Novell's web site and was able to install it without any errors (interestingly enough, the ZCM server does not see it as being patched). The patches I am having problems with are as follows...
    Novell SUSE 2014:8791 kernel security update for SLE 11 SP2 x86_64
    Novell SUSE 2013:8701 libpixman-1-0 security update for SLE 11 SP2 x86_64
    Novell SUSE 2013:8681 openssl-certs security update for SLE 11 SP2 x86_64
    Novell SUSE 2013:8621 curl security update for SLE 11 SP2 x86_64
    Novell SUSE 2013:8656 cifs-mount security update for SLE 11 SP2 x86_64
    and attached is a copy of the zmd-messages.log file from the affected client.
    Thanks for the help!

  • WriteNow to RTF on Tiger

    My dad has purchased leopard but before we install it (since we will lose OS 9 capabilities) we would like to convert his old WriteNow files to RTF. Obviously we can do this manually but this would take a long time. Is there a good way to do this with AppleScript? I am not very learned with AppleScript, I can use automator to get all the files, but then I need to run a script for "Save As..." that automatically saves as RTF in the same location with preferably a similar name (but not replacing the file) is there an easy way to do this? Thanks!

    At this point I'm not clear if it's the key generation, or it's the paths in the conf that are not allowing it to be used. At the moment, this is what I get when I verify the cert:
    *error 18 at 0 depth lookup:self signed certificate*
    I found this link which is helping me understand all this:
    *http://www.madboa.com/geek/openssl/#cert-self*
    So I end up starting over with the same results. Am I mad to think this can be done? I've not seen otherwise, other than I've seen people talk about self-signed certs.
    Muchly appreciated!

  • Svc:/system/ca-certificates:default in maintenance

    After Upgrade from U1.SRU19 to U2.SRU5 the ca-certificates SMF is in maintenance
    -bash-4.1$ svcs -x
    svc:/milestone/multi-user-server:default (multi-user plus exports milestone)
    State: maintenance since January 10, 2015 01:23:34 PM CET
    Reason: Start method died on Killed (9).
       See: http://support.oracle.com/msg/SMF-8000-KS
       See: init(1M)
       See: /var/svc/log/milestone-multi-user-server:default.log
    Impact: 4 dependent services are not running.  (Use -v for list.)
    svc:/system/ca-certificates:default (CA Certificates Service)
    State: maintenance since January 10, 2015 12:52:26 PM CET
    Reason: Start method failed repeatedly, last exited with status 1.
       See: http://support.oracle.com/msg/SMF-8000-KS
       See: openssl(5)
       See: /var/svc/log/system-ca-certificates:default.log
    Impact: This service is not running.
    -bash-4.1$ tail -13 /var/svc/log/system-ca-certificates:default.log
    [ Jan 10 12:52:25 Executing start method ("/lib/svc/method/svc-ca-certificates start"). ]
    Re-generating OpenSSL hash Links
    Traceback (most recent call last):
      File "/lib/svc/method/svc-ca-certificates", line 108, in <module>
        smf_include.smf_main()
      File "/usr/lib/python2.6/vendor-packages/smf_include.py", line 95, in smf_main
        sys.exit(frame.f_globals[sys.argv[1]]())
      File "/lib/svc/method/svc-ca-certificates", line 91, in start
        generate_links()
      File "/lib/svc/method/svc-ca-certificates", line 43, in generate_links
        os.symlink(os.path.join(RELCDIR, cfile), os.path.join(LINKDIR, shash))
    OSError: [Errno 17] File exists
    [ Jan 10 12:52:25 Method "start" exited with status 1. ]
    Any ideas? Which file is the problem?
    Thanks,
    Marcel

    Thanks for your answer.
    /etc/openssl/certs was fine, but /etc/certs/CA contained "illegal files"
    # pwd
    /etc/certs/CA
    # ls *Ops*
    192.168.100.59.OpsCenter_cert.pem  192.168.20.59.OpsCenter_cert.pem
    # rm 192.168.100.59.OpsCenter_cert.pem
    # rm 192.168.20.59.OpsCenter_cert.pem
    SMF is online now.
    Best regards,
    Marcel
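A pre-flight check for the "Which file is the problem?" question in the thread above, as an added example (it is not Oracle's svc-ca-certificates code). It assumes the `File exists` error came from two files in the certificate directory mapping to the same hash link name; `find_link_collisions`, `generate_links`, `stub_hasher` and the sample file contents are constructed for illustration, and the `<hash>.<n>` numbering follows the convention of OpenSSL's c_rehash.

```python
"""Find certificate files that claim the same OpenSSL hash-link name (added example)."""
import hashlib
import os
import re
import subprocess
import tempfile
from collections import defaultdict

HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")


def openssl_subject_hash(path):
    """Subject-name hash used for link names; requires the openssl CLI."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject_hash", "-in", path],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


def stub_hasher(path):
    """Constructed stand-in for offline demos: hashes the first line of the
    file. This is NOT OpenSSL's subject-hash algorithm."""
    with open(path, "rb") as fh:
        return hashlib.sha1(fh.readline().strip()).hexdigest()[:8]


def cert_files(cert_dir):
    """Sorted .pem file names in cert_dir (regular files only)."""
    return [n for n in sorted(os.listdir(cert_dir))
            if n.endswith(".pem") and os.path.isfile(os.path.join(cert_dir, n))]


def find_link_collisions(cert_dir, hasher=openssl_subject_hash):
    """Return {hash: [files]} for every hash claimed by more than one file."""
    by_hash = defaultdict(list)
    for name in cert_files(cert_dir):
        by_hash[hasher(os.path.join(cert_dir, name))].append(name)
    return {h: files for h, files in by_hash.items() if len(files) > 1}


def generate_links(cert_dir, link_dir, hasher=openssl_subject_hash):
    """Create <hash>.<n> symlinks, numbering files that share a hash instead
    of failing with EEXIST. Old hash links are removed first, so a re-run
    gives the same result."""
    os.makedirs(link_dir, exist_ok=True)
    for name in os.listdir(link_dir):
        path = os.path.join(link_dir, name)
        if HASH_LINK.match(name) and os.path.islink(path):
            os.unlink(path)
    created, counters = [], defaultdict(int)
    for name in cert_files(cert_dir):
        src = os.path.join(cert_dir, name)
        h = hasher(src)
        link = "%s.%d" % (h, counters[h])
        counters[h] += 1
        os.symlink(os.path.relpath(src, link_dir), os.path.join(link_dir, link))
        created.append((link, name))
    return created


def build_sample_dir():
    """Constructed sample: two files with the same subject line, one distinct."""
    root = tempfile.mkdtemp(prefix="ca-links-")
    cert_dir = os.path.join(root, "CA")
    os.mkdir(cert_dir)
    samples = {
        "192.168.100.59.OpsCenter_cert.pem": "subject=CN=opscenter.example\nserial=01\n",
        "192.168.20.59.OpsCenter_cert.pem": "subject=CN=opscenter.example\nserial=02\n",
        "corp-root.pem": "subject=CN=Example Root CA\nserial=03\n",
    }
    for name, body in samples.items():
        with open(os.path.join(cert_dir, name), "w") as fh:
            fh.write(body)
    return cert_dir, os.path.join(root, "certs")


if __name__ == "__main__":
    cert_dir, link_dir = build_sample_dir()
    for h, files in find_link_collisions(cert_dir, hasher=stub_hasher).items():
        print("hash %s is claimed by: %s" % (h, ", ".join(files)))
    for link, name in generate_links(cert_dir, link_dir, hasher=stub_hasher):
        print("%s -> %s" % (link, name))
```

On a real system, call `find_link_collisions("/etc/certs/CA")` with the default hasher so the grouping uses OpenSSL's own subject hash.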

  • Mod_ssl and accelerator cards

    Has anyone configured mod_ssl to work with accelerator cards?
    We are using 9iAS on Sun Solaris and wish to use an accelerator
    card for SSL key manipulation.
    A question for Oracle: if we replace the provided mod_ssl binary
    with one we have compiled from the source available on the web,
    what is the effect on Oracle support?
    Regards
    Mike Bray

    Hi ibosie,
       I'm not sure exactly what you're asking but I don't think there's a required reference to anything you've mentioned. I keep my certs in my /System/Library/OpenSSL/certs directory but that's a matter of choice. As far as I know, all that matters is what file you provide as values of the SSLCertificateFile and SSLCertificateKeyFile properties in the VirtualHost block used to define your secure website in the httpd.conf file. (or file included from the httpd.conf file) Traditionally the SSLCertificateFile value points to a server.crt file and the SSLCertificateKeyFile value points to a server.key file.
       I don't know what they're talking about in the security advice. The only file you have to protect is your private key; the rest you share freely. The private key should be in a directory owned by and readable only by root. However, that still has to be on the server.
       At least that's the way Apache works traditionally. Maybe there's some way to keep the private key in a keychain. That would naturally be preferable; I just don't know how to do it. Apple's web page, Creating Secure Transactions on Mac OS X server Using SSL, puts the key in a keychain but still uses a file for the web server.
    Gary
    ~~~~
       Q:   What's the difference between USL and the Graf Zeppelin?
       A:   The Graf Zeppelin represented cutting edge technology for its time.

  • Roundcube not working after last php update [SOLVED]

    After the last php update my roundcubemail stopped working.  The log-in page loads and after attempting to log in I get the following error:
    IMAP Error in /usr/share/webapps/roundcubemail/program/lib/Roundcube/rcube_imap.php (184): Login failed for [email protected] from 192.168.1.1. Could not connect to ssl://localhost:993: Unknown reason (fsockopen() function disabled?)
    Last edited by whahn1983 (2014-09-19 18:46:11)

    I fixed it yesterday. I modified the PKGBUILD to get the upstream fix.
    # $Id$
    # Maintainer: Sergej Pupykin <[email protected]>
    pkgname=roundcubemail
    pkgver=1.0.2.3b55da
    pkgrel=1
    pkgdesc="A PHP web-based mail client"
    arch=('any')
    url="http://www.roundcube.net"
    license=('GPL')
    depends=('php')
    optdepends=('python2')
    backup=('etc/webapps/roundcubemail/.htaccess'
            'etc/webapps/roundcubemail/apache.conf')
    install=roundcubemail.install
    options=('!strip' 'emptydirs')
    # source is pinned to a specific upstream commit
    source=("${pkgname}::git+https://github.com/roundcube/roundcubemail.git#commit=9a498212446f6c9a186df5652a7625526b590b78"
            apache.conf)
    md5sums=('SKIP'
             'f11b17e2a80b383cde4af963fb307541')
    prepare() {
      cd ${srcdir}/${pkgname}
      # point the temp and log directories at /var instead of the install path
      sed -i \
        -e "s|RCUBE_INSTALL_PATH . 'temp.*|'/var/cache/roundcubemail';|" \
        -e "s|RCUBE_INSTALL_PATH . 'logs.*|'/var/log/roundcubemail';|" \
        config/defaults.inc.php \
        program/lib/Roundcube/rcube_config.php
    }
    package() {
      mkdir -p ${pkgdir}/etc/webapps/roundcubemail
      mkdir -p ${pkgdir}/usr/share/webapps
      mkdir -p ${pkgdir}/var/log
      cd ${pkgdir}/usr/share/webapps
      cp -ra ${srcdir}/${pkgname} roundcubemail
      cd roundcubemail
      # keep .htaccess and config under /etc and symlink them back
      mv .htaccess $pkgdir/etc/webapps/roundcubemail/
      ln -s /etc/webapps/roundcubemail/.htaccess .htaccess
      mv config $pkgdir/etc/webapps/roundcubemail/
      ln -s /etc/webapps/roundcubemail/config config
      install -dm0750 $pkgdir/var/{log,cache}/roundcubemail
      install -Dm0644 $srcdir/apache.conf $pkgdir/etc/webapps/roundcubemail/apache.conf
      # install -dm0755 $pkgdir/etc/php/conf.d/
      # cat <<EOF >$pkgdir/etc/php/conf.d/$pkgname.ini
      #open_basedir = ${open_basedir}:/etc/webapps/roundcubemail:/usr/share/webapps/roundcubemail:/var/log/roundcubemail:/var/cache/roundcubemail
      #EOF
      rm -rf temp logs
    }
    Then I added these values to my roundcube config:
    // IMAP socket context options
    // See http://php.net/manual/en/context.ssl.php
    // The example below enables server certificate validation
    //$config['imap_conn_options'] = array(
    //  'ssl' => array(
    //    'verify_peer' => true,
    //    'verify_depth' => 3,
    //    'cafile' => '/etc/openssl/certs/ca.crt',
    //  ),
    //);
    // With both options set to false the IMAP server certificate is not validated
    $config['imap_conn_options'] = array(
      'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
      ),
    );
    // SMTP connection timeout, in seconds. Default: 0 (use default_socket_timeout)
    // Note: There's a known issue where using ssl connection with
    // timeout > 0 causes connection errors (https://bugs.php.net/bug.php?id=54511)
    $config['smtp_timeout'] = 5;
    // SMTP socket context options
    // See http://php.net/manual/en/context.ssl.php
    // The example below enables server certificate validation, and
    // requires 'smtp_timeout' to be non zero.
    // $config['smtp_conn_options'] = array(
    //   'ssl' => array(
    //     'verify_peer' => true,
    //     'verify_depth' => 3,
    //     'cafile' => '/etc/openssl/certs/ca.crt',
    //   ),
    // );
    // With both options set to false the SMTP server certificate is not validated
    $config['smtp_conn_options'] = array(
      'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
      ),
    );
    It works like a charm.

  • Build failure when trying to build haproxy with SSL support.

    Hello everybody,
    I don't know if this is the right "context" to submit this question.
    However, I'm having a problem with building haproxy 1.5.5 with SSL support.
    I'm running SLES 11 SP3 with the latest updates via YAST2.
    Building without SSL support works fine.
    I use the syntax:
    make TARGET=linux2628 USE_OPENSSL=1
    And here is the output:
    gcc -Iinclude -Iebtree -Wall -O2 -g -fno-strict-aliasing -DCONFIG_HAP_LINUX_SPLICE -DTPROXY -DCONFIG_HAP_LINUX_TPROXY -DCONFIG_HAP_CRYPT -DENABLE_POLL -DENABLE_EPOLL -DUSE_CPU_AFFINITY -DASSUME_SPLICE_WORKS -DUSE_ACCEPT4 -DNETFILTER -DUSE_GETSOCKNAME -DUSE_OPENSSL -DUSE_SYSCALL_FUTEX -DCONFIG_HAPROXY_VERSION=\"1.5.5\" -DCONFIG_HAPROXY_DATE=\"2014/10/07\" \
    -DBUILD_TARGET='"linux2628"' \
    -DBUILD_ARCH='""' \
    -DBUILD_CPU='"generic"' \
    -DBUILD_CC='"gcc"' \
    -DBUILD_CFLAGS='"-O2 -g -fno-strict-aliasing"' \
    -DBUILD_OPTIONS='"USE_OPENSSL=1"' \
    -c -o src/haproxy.o src/haproxy.c
    In file included from include/types/acl.h:33,
    from include/types/proxy.h:40,
    from include/proto/log.h:32,
    from include/common/cfgparse.h:29,
    from src/haproxy.c:61:
    include/types/server.h:29:25: error: openssl/ssl.h: No such file or directory
    In file included from include/types/connection.h:30,
    from include/types/server.h:36,
    from include/types/acl.h:33,
    from include/types/proxy.h:40,
    from include/proto/log.h:32,
    from include/common/cfgparse.h:29,
    from src/haproxy.c:61:
    include/types/listener.h:127: error: expected specifier-qualifier-list before SSL_CTX
    In file included from include/types/acl.h:33,
    from include/types/proxy.h:40,
    from include/proto/log.h:32,
    from include/common/cfgparse.h:29,
    from src/haproxy.c:61:
    include/types/server.h:207: error: expected specifier-qualifier-list before SSL_CTX
    In file included from src/haproxy.c:90:
    include/proto/listener.h: In function bind_conf_alloc:
    include/proto/listener.h:130: error: struct bind_conf has no member named file
    include/proto/listener.h:131: error: struct bind_conf has no member named line
    include/proto/listener.h:133: error: struct bind_conf has no member named by_fe
    include/proto/listener.h:133: error: struct bind_conf has no member named by_fe
    include/proto/listener.h:133: error: struct bind_conf has no member named by_fe
    include/proto/listener.h:133: error: struct bind_conf has no member named by_fe
    include/proto/listener.h:133: error: struct bind_conf has no member named by_fe
    include/proto/listener.h:135: error: struct bind_conf has no member named arg
    include/proto/listener.h:137: error: struct bind_conf has no member named ux
    include/proto/listener.h:138: error: struct bind_conf has no member named ux
    include/proto/listener.h:139: error: struct bind_conf has no member named ux
    include/proto/listener.h:141: error: struct bind_conf has no member named listeners
    include/proto/listener.h:141: error: struct bind_conf has no member named listeners
    include/proto/listener.h:141: error: struct bind_conf has no member named listeners
    In file included from src/haproxy.c:107:
    include/proto/ssl_sock.h: At top level:
    include/proto/ssl_sock.h:46: error: expected declaration specifiers or ... before SSL_CTX
    src/haproxy.c: In function display_build_opts:
    src/haproxy.c:272: error: expected ) before OPENSSL_VERSION_TEXT
    src/haproxy.c:274: warning: implicit declaration of function SSLeay_version
    src/haproxy.c:274: error: SSLEAY_VERSION undeclared (first use in this function)
    src/haproxy.c:274: error: (Each undeclared identifier is reported only once
    src/haproxy.c:274: error: for each function it appears in.)
    src/haproxy.c:275: error: OPENSSL_VERSION_NUMBER undeclared (first use in this function)
    src/haproxy.c:275: warning: implicit declaration of function SSLeay
    src/haproxy.c:275: warning: format %s expects type char *, but argument 2 has type int
    src/haproxy.c: In function deinit:
    src/haproxy.c:1188: error: struct bind_conf has no member named by_fe
    src/haproxy.c:1188: error: struct bind_conf has no member named by_fe
    src/haproxy.c:1188: error: struct bind_conf has no member named by_fe
    src/haproxy.c:1188: warning: left-hand operand of comma expression has no effect
    src/haproxy.c:1188: error: struct bind_conf has no member named by_fe
    src/haproxy.c:1188: error: struct bind_conf has no member named by_fe
    src/haproxy.c:1188: error: struct bind_conf has no member named by_fe
    src/haproxy.c:1196: error: struct bind_conf has no member named file
    src/haproxy.c:1197: error: struct bind_conf has no member named arg
    src/haproxy.c:1198: error: struct bind_conf has no member named by_fe
    src/haproxy.c:1198: warning: type defaults to int in declaration of __ret
    src/haproxy.c:1198: error: struct bind_conf has no member named by_fe
    src/haproxy.c:1198: error: struct bind_conf has no member named by_fe
    src/haproxy.c:1198: error: struct bind_conf has no member named by_fe
    src/haproxy.c:1198: error: struct bind_conf has no member named by_fe
    src/haproxy.c:1198: error: struct bind_conf has no member named by_fe
    make: *** [src/haproxy.o] Error 1
    Am I missing some libs or sources from OpenSSL?
    And/or do I need to point them out so that make/gcc can find them?
    I have copied haproxy from another machine where I did the build process.
    But I would like to be able to build it on my SLES 11 SP3 installation.
    Thank you in advance.

    Originally Posted by smflood
    On 17/10/2014 15:36, mattias bjork wrote:
    > I don't know if this is the right "context" to submit this question.
    >
    > How ever I'm having problem with building haproxy 1.5.5 with SSL
    > support.
    >
    > I'm running SLES 11 SP3 with the latest updates via YAST2.
    >
    > Building without SSL support works fine.
    >
    > I use the syntax:
    >
    > make TARGET=linux2628 USE_OPENSSL=1
    >
    > And here is the output:
    >
    > gcc -Iinclude -Iebtree -Wall -O2 -g -fno-strict-aliasing
    > -DCONFIG_HAP_LINUX_SPLICE -DTPROXY -DCONFIG_HAP_LINUX_TPROXY
    > -DCONFIG_HAP_CRYPT -DENABLE_POLL -DENABLE_EPOLL -DUSE_CPU_AFFINITY
    > -DASSUME_SPLICE_WORKS -DUSE_ACCEPT4 -DNETFILTER -DUSE_GETSOCKNAME
    > -DUSE_OPENSSL -DUSE_SYSCALL_FUTEX -DCONFIG_HAPROXY_VERSION=\"1.5.5\"
    > -DCONFIG_HAPROXY_DATE=\"2014/10/07\" \
    > -DBUILD_TARGET='"linux2628"' \
    > -DBUILD_ARCH='""' \
    > -DBUILD_CPU='"generic"' \
    > -DBUILD_CC='"gcc"' \
    > -DBUILD_CFLAGS='"-O2 -g -fno-strict-aliasing"' \
    > -DBUILD_OPTIONS='"USE_OPENSSL=1"' \
    > -c -o src/haproxy.o src/haproxy.c
    > In file included from include/types/acl.h:33,
    > from include/types/proxy.h:40,
    > from include/proto/log.h:32,
    > from
    > includehttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.com/common/cfgparse.h:29,
    > from src/haproxy.c:61:
    > include/types/server.h:29:25: error: openssl/ssl.h: No such file or
    > directory
    > In file included from include/types/connection.h:30,
    > from include/types/server.h:36,
    > from include/types/acl.h:33,
    > from include/types/proxy.h:40,
    > from include/proto/log.h:32,
    > from
    > includehttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.com/common/cfgparse.h:29,
    > from src/haproxy.c:61:
    > include/types/listener.h:127: error: expected specifier-qualifier-list
    > before �SSL_CTX�
    > In file included from include/types/acl.h:33,
    > from include/types/proxy.h:40,
    > from include/proto/log.h:32,
    > from
    > include/common/cfgparse.h:29,
    > from src/haproxy.c:61:
    > include/types/server.h:207: error: expected specifier-qualifier-list
    > before ‘SSL_CTX’
    > In file included from src/haproxy.c:90:
    > include/proto/listener.h: In function ‘bind_conf_alloc’:
    > include/proto/listener.h:130: error: ‘struct bind_conf’ has no member
    > named ‘file’
    > include/proto/listener.h:131: error: ‘struct bind_conf’ has no member
    > named ‘line’
    > include/proto/listener.h:133: error: ‘struct bind_conf’ has no member
    > named ‘by_fe’
    > include/proto/listener.h:133: error: ‘struct bind_conf’ has no member
    > named ‘by_fe’
    > include/proto/listener.h:133: error: ‘struct bind_conf’ has no member
    > named ‘by_fe’
    > include/proto/listener.h:133: error: ‘struct bind_conf’ has no member
    > named ‘by_fe’
    > include/proto/listener.h:133: error: ‘struct bind_conf’ has no member
    > named ‘by_fe’
    > include/proto/listener.h:135: error: ‘struct bind_conf’ has no member
    > named ‘arg’
    > include/proto/listener.h:137: error: ‘struct bind_conf’ has no member
    > named ‘ux’
    > include/proto/listener.h:138: error: ‘struct bind_conf’ has no member
    > named ‘ux’
    > include/proto/listener.h:139: error: ‘struct bind_conf’ has no member
    > named ‘ux’
    > include/proto/listener.h:141: error: ‘struct bind_conf’ has no member
    > named ‘listeners’
    > include/proto/listener.h:141: error: ‘struct bind_conf’ has no member
    > named ‘listeners’
    > include/proto/listener.h:141: error: ‘struct bind_conf’ has no member
    > named ‘listeners’
    > In file included from src/haproxy.c:107:
    > include/proto/ssl_sock.h: At top level:
    > include/proto/ssl_sock.h:46: error: expected declaration specifiers or
    > ‘...’ before ‘SSL_CTX’
    > src/haproxy.c: In function ‘display_build_opts’:
    > src/haproxy.c:272: error: expected ‘)’ before ‘OPENSSL_VERSION_TEXT’
    > src/haproxy.c:274: warning: implicit declaration of function
    > ‘SSLeay_version’
    > src/haproxy.c:274: error: ‘SSLEAY_VERSION’ undeclared (first use in this
    > function)
    > src/haproxy.c:274: error: (Each undeclared identifier is reported only
    > once
    > src/haproxy.c:274: error: for each function it appears in.)
    > src/haproxy.c:275: error: ‘OPENSSL_VERSION_NUMBER’ undeclared (first use
    > in this function)
    > src/haproxy.c:275: warning: implicit declaration of function ‘SSLeay’
    > src/haproxy.c:275: warning: format ‘%s’ expects type ‘char *’, but
    > argument 2 has type ‘int’
    > src/haproxy.c: In function ‘deinit’:
    > src/haproxy.c:1188: error: ‘struct bind_conf’ has no member named
    > ‘by_fe’
    > src/haproxy.c:1188: error: ‘struct bind_conf’ has no member named
    > ‘by_fe’
    > src/haproxy.c:1188: error: ‘struct bind_conf’ has no member named
    > ‘by_fe’
    > src/haproxy.c:1188: warning: left-hand operand of comma expression has
    > no effect
    > src/haproxy.c:1188: error: ‘struct bind_conf’ has no member named
    > ‘by_fe’
    > src/haproxy.c:1188: error: ‘struct bind_conf’ has no member named
    > ‘by_fe’
    > src/haproxy.c:1188: error: ‘struct bind_conf’ has no member named
    > ‘by_fe’
    > src/haproxy.c:1196: error: ‘struct bind_conf’ has no member named
    > ‘file’
    > src/haproxy.c:1197: error: ‘struct bind_conf’ has no member named ‘arg’
    > src/haproxy.c:1198: error: ‘struct bind_conf’ has no member named
    > ‘by_fe’
    > src/haproxy.c:1198: warning: type defaults to ‘int’ in declaration of
    > ‘__ret’
    > src/haproxy.c:1198: error: ‘struct bind_conf’ has no member named
    > ‘by_fe’
    > src/haproxy.c:1198: error: ‘struct bind_conf’ has no member named
    > ‘by_fe’
    > src/haproxy.c:1198: error: ‘struct bind_conf’ has no member named
    > ‘by_fe’
    > src/haproxy.c:1198: error: ‘struct bind_conf’ has no member named
    > ‘by_fe’
    > src/haproxy.c:1198: error: ‘struct bind_conf’ has no member named
    > ‘by_fe’
    > make: *** [src/haproxy.o] Error 1
    >
    >
    > Am I missing some libs or sources from OpenSSL?
    >
    > And/or need to point them out so that make/gcc can find them?
    >
    > I have copied haproxy from another machine where I did the build process
    > on.
    >
    > But I would like to be able to build it on my SLES 11 SP3 installation.
    So you're trying to build HAProxy 1.5.5 from source?
    Do you have libopenssl and libopenssl-devel installed? What does "rpm
    -qa | grep ssl" report?
    You might have better luck installing HAProxy 1.5.5 already built for
    SLES11 SP3 via the openSUSE Build Service @
    https://build.opensuse.org/package/s...ackage=haproxy
    HTH.
    Simon
    Novell Knowledge Partner
    Hello Simon,
    Yes I'm trying to build it from source.
    Unfortunately I don't have them installed.
    Here is the output:
    sudo -i rpm -qa | grep -i ssl
    openssl-0.9.8j-0.62.1
    libopenssl0_9_8-0.9.8j-0.62.1
    libopenssl0_9_8-32bit-0.9.8j-0.62.1
    perl-IO-Socket-SSL-1.38-5.2.2
    perl-Net-SSLeay-1.35-2.14
    openssl-certs-1.97-0.3.1
    Thank you for your speedy reply.

  • Self Signed Certificate Problems

    I admit little knowledge of certificates and just need to get one installed to test the Web Proxy Server functionality.
    I followed the procedures here first
    http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-secureserver-selfsigned.html
    And then tried to reuse this certificate for Web Proxy Server Version: 4.0.5 B04/18/2007 11:01
    I received the following error:
    Incorrect usage no private key. The server could not find the private key associated with this certificate.
    I assume that this is because the keypair for this certificate is not in the certificate database I first created.
    I then tried to follow the instructions here:
    http://forum.java.sun.com/thread.jspa?threadID=5092677
    but got an IO error. not sure why.
    Would anyone know how I can either get Web Proxy Server to generate its own certificate or accept the one I generated using openssl?
    I appreciate any ideas or insights.
    Thanks,
    Sean

    Dear Sean,
    From the "Request Certificate" page create a csr. You will get a string like this.
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIICtDCCAZwCAQAwbzELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCWthcm5hdGFrYTES
    ilrOO4an8WzQ2SfPl8ZleScPoIjhBbRkwOfweQVnmFkJIBYeHHuTPTC2U0pkZU0u
    jCXt6mWJmt0Pe6GAcZ4SAj9AFzvtVm52DF9zvdnywU7WjjLxR7xCo2Hws6iiPCmc
    DDG8hxd77ayzNg1spI6YjrJJ6kXWWGBM
    -----END NEW CERTIFICATE REQUEST-----
    Save this in a file, say csr.file, for openssl cert generation.
    Run this openssl command:
    openssl ca -in csr.file -out yourcert.pem
    Install yourcert.pem. It should go through.

  • Decoding base64-encoded SSL files

    There is a way to decode the base64 contents of .crt, .key, and .pem files to display human-readable text, but I can't remember how to do it.  "base64 -d" doesn't work cause there's some garble in there.  I think I used the openssl command for this.  Anyone know?

    Is this what you are looking for? http://www.madboa.com/geek/openssl/#cert-exam
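
    An added example for the question above (not from the original posts): `base64 -d` chokes on the `-----BEGIN/END-----` armor lines, and the payload under them is binary DER rather than text, so the readable dump comes from the `openssl` subcommand that matches the PEM label. The function name `pem_describe` and the sample subject are made up for the demo.

```shell
#!/bin/sh
# pem_describe FILE: human-readable dump of a PEM file, chosen by its BEGIN label.
pem_describe() {
    f=$1
    label=$(tr -d '\r' < "$f" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1)
    case "$label" in
        CERTIFICATE|"TRUSTED CERTIFICATE")
            openssl x509 -in "$f" -noout -text ;;
        "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST")
            openssl req -in "$f" -noout -text ;;
        "X509 CRL")
            openssl crl -in "$f" -noout -text ;;
        *"PRIVATE KEY")
            if grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$f"
            then
                # Avoid an interactive passphrase prompt; report the state instead.
                echo "Encrypted private key (passphrase needed to show its fields)"
            else
                openssl pkey -in "$f" -noout -text
            fi ;;
        "")
            echo "$f: no PEM header; if it is raw DER use -inform DER" >&2
            return 1 ;;
        *)
            # Unrecognised label: dump the generic ASN.1 structure.
            openssl asn1parse -in "$f" ;;
    esac
}

demo() {   # constructed sample: throwaway key and self-signed certificate
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example.test" \
        -keyout "$d/demo.key" -out "$d/demo.crt" 2>/dev/null || return 1
    pem_describe "$d/demo.crt" | grep -E 'Issuer:|Subject:|Not After'
    pem_describe "$d/demo.key" | head -n 1
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```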

  • Can't import an OpenSSL signed cert  into a JKS using keytool

    Hey everyone,
    *[Update]* When I do a "openssl x509 -in server1.pem -issuer -noout" after I've supposedly signed it with the CA, the issuer is, for some reason, the DN string of server1. If server1 generated the CSR, and it is coming up as issued by server1, doesn't that indicate a self signed cert? How could the CA be producing a cert that has an issuer of another server?
    I hope this is the right place for this, but I'm having some difficulty using the java keytool and OpenSSL tool on a Solaris system. Any help would be greatly appreciated.
    I have a server (CA server) with OpenSSL installed that I would like to use as a Certificate Authority. The second server (server1) is a WebLogic server with JDK 1.6.0_21. I'm trying to configure it to use a certificate that has been signed by server1.
    For some reason it keeps giving me this error when I try to import the signed SSL certificate: keytool error: java.lang.Exception: Public keys in reply and keystore don't match
    Am I doing something wrong in this whole process?
    1) Generate the Private Key for the CA server
    openssl genrsa -out CA.key -des 2048
    2) Generate the CSR on the CA
    openssl req -new -key CA.key -out CA.csr
    3) Sign the new CSR so that it can be used as the root certificate
    openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 730 -req -in CA.csr -out CA.pem -extfile /usr/local/ssl/openssl.cnf
    4) On server1, create Server Private Key KeyStore
    keytool -genkey -alias server1 -keysize 2048 -keyalg RSA -keystore server1.jks -dname "CN=server1.domain.com,OU=Organization,O=Company,L=City,ST=State,C=US"
    5) On server1, create a CSR from the recently created Private Key
    keytool -certreq -alias server1 -sigalg SHA1WithRSA -keystore server1.jks -file server1.csr
    6) Transfer the CSR over to the CA (server1) so that it can be signed
    openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 365 -req -in server1.csr -out server1.pem -extfile /usr/local/ssl/openssl.cnf
    7) Transfer CA Public Cert to server1 and Import into keytool
    keytool -import -trustcacerts -alias CA_Public -file CA.pem -keystore server1.jks
    8) Import recently signed CSR to app server keystore (This is where I receive the error)
    keytool -import -trustcacerts -alias server1 -file server1.pem -keystore server1.jks
    Thanks!
    Edited by: user13378168 on Feb 11, 2011 2:03 PM

    I got it! Here's how I resolved it.
    1) Going back to the CA server I went and looked at the server1.pem that was produced. I tried to validate it against the CA's certificate
    openssl verify -CAfile CA.pem server1.pem
    server1.pem: /C=REDACTED/ST=REDACTED/L=REDACTED/O=REDACTED/OU=REDACTED/CN=server1.domain.com
    error 18 at 0 depth lookup:self signed certificate
    OK
    Seemed to be a clear indication that the certificate was not properly signed by OpenSSL.
    2) I tried signing it using a different command I found here: http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html
    openssl ca -policy policy_match -config openssl.cnf -extensions v3_ca -cert CA.pem -in server1.csr -keyfile CA.key -days 365 -out server1.pem
    I received a much different set of responses from OpenSSL including
    Sign the certificate? [y/n]
    1 out of 1 certificate requests certified, commit? [y/n]
    3) I tried my validate command again and got a plain "OK"
    4) I now tried to import this new server1.pem using the keytool command and actually got the following error:
    keytool error: java.security.cert.CertificateParsingException: invalid
    DER-encoded certificate data
    5) When I looked at the file it seems that OpenSSL had added quite a bit of extra certificate information to the file. I deleted everything up to (but not including) the -----BEGIN CERTIFICATE----- line and tried the import one more time and it imported successfully!
    Sabre, thanks for helping me look into this one.
    Edited by: user13378168 on Feb 14, 2011 12:50 PM - Added correct signing command
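
    The failure in this thread, reproduced as an added example (not part of the original posts): `-signkey` makes `openssl x509 -req` self-sign the request with CA.key and embed CA.key's public key, which is what keytool reports as mismatched public keys, while `-CA`/`-CAkey` issues from the CA and keeps the CSR's key. The subjects, temporary directory and helper names are constructed for the demo.

```shell
#!/bin/sh
# Constructed lab: every name, subject and path below is made up for the demo.

make_inputs() {   # $1 = work dir; creates CA.key/CA.pem and server1.key/server1.csr
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout "$1/CA.key" -out "$1/CA.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server1.example.test" \
        -keyout "$1/server1.key" -out "$1/server1.csr" 2>/dev/null
}

sign_signkey() {  # step 6 as posted: self-signs and embeds CA.key's public key
    openssl x509 -req -in "$1/server1.csr" -signkey "$1/CA.key" -days 1 \
        -out "$1/server1.pem" 2>/dev/null
}

sign_ca() {       # CA issuance: issuer taken from CA.pem, public key kept from the CSR
    openssl x509 -req -in "$1/server1.csr" -CA "$1/CA.pem" -CAkey "$1/CA.key" \
        -CAcreateserial -days 1 -out "$1/server1.pem" 2>/dev/null
}

inspect() {       # prints: key=<csr|other> issuer=<self|other> chain=<ok|fail>
    c="$1/server1.pem"
    key=other; issuer=other; chain=fail
    [ "$(openssl x509 -in "$c" -noout -pubkey)" = \
      "$(openssl req -in "$1/server1.csr" -noout -pubkey)" ] && key=csr
    [ "$(openssl x509 -in "$c" -noout -subject_hash)" = \
      "$(openssl x509 -in "$c" -noout -issuer_hash)" ] && issuer=self
    out=$(openssl verify -CAfile "$1/CA.pem" "$c" 2>&1) || true
    case "$out" in *error*) ;; *": OK") chain=ok ;; esac
    echo "key=$key issuer=$issuer chain=$chain"
}

demo() {
    d=$(mktemp -d) || return 1
    make_inputs "$d" || return 1
    sign_signkey "$d" && echo "-signkey:   $(inspect "$d")"
    sign_ca "$d" && echo "-CA/-CAkey: $(inspect "$d")"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

    For the later "invalid DER-encoded certificate data" error, `openssl x509 -in server1.pem -out server1-clean.pem` rewrites the file with only the PEM block, and `openssl ca -notext` avoids the text dump in the first place.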

  • "Length is too big" IOException when using OpenSSL key/certs

    Using WLS 5.1, SP6, Solaris
    Hello one and all:
    I am trying to test WLS with SSL. I am using the OpenSSL package to act as my
    own CA and generate and sign my own server certs. I don't have any problem
    with this part.
    However, when I try to use my private key with WLS, I get this
    error upon startup:
    Java.io.IOException: Length is too big: takes 56 bytes
    at weblogic.security.ASN1.ASN1Header.inputLength(ASN1Header.java:133)
    at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:105)
    at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:107)
    at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:85)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:285)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:214)
    at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:1180)
    at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
    at java.lang.reflect.Method.invoke(Native Method)
    at weblogic.Server.startServerDynamically(Server.java:99)
    at weblogic.Server.main(Server.java:65)
    at weblogic.NmsIpServer.main(NmsIpServer.java:13)
    Thu Mar 22 16:02:25 EET 2001:<E> <SSLListenThread> Security
    Configuration Problem with SSL server encryption Key
    (<path-to-key hidden for publication --scott>),
    java.io.IOException: Length is too big: takes 56 bytes
    I have read many messages on this group that indicate this same
    problem. Some of the suggestions included checking the formatting
    of the server key file for extra linefeeds, etc. I have done this.
    I even tried the OpenSSL "asn1-kludge" option. It didn't work
    either.
    So, I hope to hear from someone who has successfully used OpenSSL
    keys and certs with WLS.
    Thanks,
    --scott

    Hi.
    I had the same problem when I specified a cakey.pem file that was encrypted. For
    some reason, WLS doesn't seem to support a scheme where it prompts for a password
    to use for decryption of the private key. Try to decrypt the private key:
    openssl rsa -in cakey.pem -out ca_unsafe.pem
    and deploy this certificate instead, then it will work ;-)
