Re: [apache-ssl] SSLeay complains "bad certificate"

On Fri, Aug 28, 1998, Satya Devireddy wrote:

> > Perhaps this is again the problem of an incorrect Subject name in the
> > certificate. Make sure the name is not your personal name. It has to be the
> > FQDN of your webserver.
> 
> I think I did that correctly. 
> Anyway I regenerated the certificates again and I was able to get it up
> and running.
> 
> Can someone enlighten me on how to fill the 
> 
> SSLCertificateKeyFile /usr/local/ssl/certs/server.key
> SSLCertificateFile /usr/local/ssl/certs/server.pem
> SSLCACertificateFile /usr/local/ssl/certs/cacert.pem
> 
> entries in httsd.conf
> 
> for SSLCertificateKeyFile, I used the private key generated by
> CA.sh -newreq

Ok.
 
> for SSLCertificateFile, I combined the above key and certificate
> from newcert.pem

Not ok. Either use it this way and remove SSLCertificateKeyFile or use
SSLCertificateKeyFile and only place the certificate in the file under
SSLCertificateFile.

> for SSLCACertificateFile, I used the demoCA/cacert.pem

Not needed for server authentication. It's only used for client authentication
(or SSLv3 certificate loading in case of certificate chains).

>[...] 
> But after a couple of hits, the httpsd core dumps
> 
> [Fri Aug 28 14:31:12 1998] ssl_gcache started
> [Fri Aug 28 14:31:16 1998] [info] mod_unique_id: using ip addr 127.0.0.1
> [Fri Aug 28 14:31:17 1998] [notice] Apache/1.3.1 (Unix) mod_ssl/2.0.5
> SSLeay/0.8.0 configured -- resuming normal operations
> [Fri Aug 28 14:31:17 1998] [info] Server built: Aug 26 1998 13:54:24
> [Fri Aug 28 14:32:12 1998] [notice] httpd: child pid 2523 exit signal
> Segmentation fault (11)
> 
> and Netscape(4.06,FreeBSD -Current) gives me the following
> "An I/O error occured during security authorization. please try agian ..."
> 
> I think this is an entirely different problem.

Yes, although I never got core dumps with 2.0.x, perhaps SSLeay 0.8.0 is the
problem (BTW, or your FreeBSD-current?). I personally only ever tried it
with SSLeay 0.8.1b and 0.9.0b.  And it's known that 0.8 has problems with
serving bigger files.  So I recommend that you do the following: 

1. Try to find the core file and try to analyze it by at least
   running "bt" to get a backtrace. If you get nothing, try
   to recompile with "-g -ggdb3" and try again.

2. Try to use SSLeay 0.9.0b. For FreeBSD the /usr/ports/security/SSLeay port
   was upgraded today to 0.9.0b, so you just have to reinstall the SSLeay
   port.
                                       Ralf S. Engelschall
                                       rse@engelschall.com
                                       www.engelschall.com
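
The file layout rule from the reply above, written as a small configuration check. This is an added example, not part of the original message and not mod_ssl code; the function names, finding codes and PEM stubs are hypothetical and constructed for illustration, and only the PEM BEGIN labels are inspected.

```python
import re

# Constructed sample input: PEM stubs (only the BEGIN labels matter here) and a
# config fragment using the directive names and paths quoted in the thread.
KEY = "-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n-----END RSA PRIVATE KEY-----\n"
CERT = "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n"
CONF = """\
SSLCertificateKeyFile /usr/local/ssl/certs/server.key
SSLCertificateFile /usr/local/ssl/certs/server.pem
"""
KEY_PATH = "/usr/local/ssl/certs/server.key"
CERT_PATH = "/usr/local/ssl/certs/server.pem"

def parse_directives(conf_text):
    """Map each SSL*File directive to its path, ignoring comments."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and re.fullmatch(r"SSL\w*File", parts[0]):
            found[parts[0]] = parts[1]
    return found

def pem_kinds(pem_text):
    """Return a subset of {'key', 'cert'} based on the PEM BEGIN labels present."""
    kinds = set()
    for label in re.findall(r"-----BEGIN ([A-Z0-9 ]+)-----", pem_text):
        if label.endswith("PRIVATE KEY"):
            kinds.add("key")
        elif label.endswith("CERTIFICATE"):  # excludes "CERTIFICATE REQUEST"
            kinds.add("cert")
    return kinds

def check(conf_text, files):
    """files maps path -> PEM text; returns a list of finding codes."""
    d = parse_directives(conf_text)
    cert_kinds = pem_kinds(files.get(d.get("SSLCertificateFile"), ""))
    findings = []
    if "cert" not in cert_kinds:
        findings.append("no-certificate")
    if "SSLCertificateKeyFile" in d:
        if "key" in cert_kinds:
            findings.append("key-in-both")  # the layout called "Not ok" above
        if "key" not in pem_kinds(files.get(d["SSLCertificateKeyFile"], "")):
            findings.append("keyfile-has-no-key")
    elif "key" not in cert_kinds:
        findings.append("no-private-key")
    return findings

if __name__ == "__main__":
    print(check(CONF, {KEY_PATH: KEY, CERT_PATH: KEY + CERT}))  # combined file plus key file
    print(check(CONF, {KEY_PATH: KEY, CERT_PATH: CERT}))        # separate files
```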