OpenSSL

Awesome SSL client cert fun

Tuesday, May 31, 2011 

Client cert authentication is oddly elusive given the practical value. I found a neat bug:

with
SSLVerifyClient optional
SSLVerifyDepth 3
SSLCADNRequestPath /usr/local/openssl/certs/clientcerts/

I get a request for identification in firefox, no problem. If I choose the right certificate to respond with I get an instant child pid 61501 exit signal Bus error (10). Every click on the “OK” button gets another seg fault. Yay. Magic.

client_cert.jpg

signal_bus_error.jpg
Posted at 00:36:09 GMT-0700

Category: FreeBSD, Technology

OpenSSL 1.0.0_4 Install Issues

Sunday, January 16, 2011 

Updating my server’s install of OpenSSL on FreeBSD 8.1 to 1.0.0_4 (openssl-1.0.0c) I ran into a problem where some of the patch files had been updated but the distinfo file in /usr/ports/security/openssl hasn’t (hadn’t?) been updated to match.

The symptoms are that the update of OpenSSL fails with two errors:

  • tls-extractor.patch line count is 1235, distinfo says 1234,
  • dtls-sctp-20.patch SHA256 hash is wrong,
  • (the tls-extractor.patch hash is wrong too, but the line count hits first).

- SHA256 (openssl-1.0.0c/tls-extractor.patch) = bb1aa486327fd96f9d6b870f0a1ad2c83dd4c06a96284eb64dde3f833ba5e0d0
- SIZE (openssl-1.0.0c/tls-extractor.patch) = 1234
- SHA256 (openssl-1.0.0c/dtls-sctp-20.patch) = 3b451618b64d7dbc917942759c26cbc717be3077e9d73cb3c5bd12a82a132268
+ SHA256 (openssl-1.0.0c/tls-extractor.patch) = b7dfb15b6ab7d62348eaa191fc8ba06565c92ecdd5d08bb5e9eb01a2e7433bb2
+ SIZE (openssl-1.0.0c/tls-extractor.patch) = 1235
+ SHA256 (openssl-1.0.0c/dtls-sctp-20.patch) = f002b13fead7c08270a9cfaf556be49c62be5b46f492ad59db29af4d3e9a4e67
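Review bot: Before adopting the three replaced SHA256/SIZE values for tls-extractor.patch and dtls-sctp-20.patch, confirm they were taken from (or independently agree with) the updated ports tree entry rather than recomputed from whatever patch files were already on disk; distinfo is the integrity check for fetched files, so editing it to match an unverified local copy silently removes that check. A short note in the commit saying where the new values came from would make this auditable.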
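The mismatch the post describes is exactly what the ports framework checks when it compares each fetched file against the SHA256 and SIZE lines in distinfo. The script below, added here as an example and not part of the original post or of the FreeBSD ports tools, performs that check in plain sh: it parses a distinfo file in the "SHA256 (name) = hex" / "SIZE (name) = bytes" format, compares every entry against the file under a distfiles directory, and reports each mismatch. It assumes either sha256sum (Linux) or sha256 (FreeBSD) is on the PATH; the fixture it builds (one small patch file plus a correct and a stale distinfo) is constructed for the demo and is not from the page.

```shell
#!/bin/sh
# Added example: verify distfiles against a ports-style distinfo.
# Not the ports framework's own code; assumes sha256sum or sha256 exists.

# Print the SHA256 of a file, using whichever tool is available.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# verify_distinfo DISTDIR DISTINFO
# Returns 0 when every SHA256/SIZE entry matches the file under DISTDIR,
# 1 otherwise, printing one line per missing file or mismatch.
verify_distinfo() {
    distdir=$1
    distinfo=$2
    rc=0
    while IFS= read -r line; do
        case $line in
            'SHA256 ('*) kind=SHA256 ;;
            'SIZE ('*)   kind=SIZE ;;
            *) continue ;;           # ignore anything that is not an entry
        esac
        # pull "(name)" and the value after " = " out of the entry line
        name=${line#* (}; name=${name%%)*}
        expected=${line##* = }
        path="$distdir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING $name"; rc=1; continue
        fi
        if [ "$kind" = SHA256 ]; then
            actual=$(file_sha256 "$path")
        else
            actual=$(wc -c < "$path" | tr -d ' ')   # SIZE is bytes
        fi
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $kind $name: distinfo $expected, actual $actual"
            rc=1
        fi
    done < "$distinfo"
    return $rc
}

# Build a constructed fixture: one 18-byte patch file plus two distinfo
# files, one computed from the file and one with stale (wrong) values.
# Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/distfiles/openssl-1.0.0c"
    printf 'line one\nline two\n' > "$dir/distfiles/openssl-1.0.0c/example.patch"
    sum=$(file_sha256 "$dir/distfiles/openssl-1.0.0c/example.patch")
    size=$(wc -c < "$dir/distfiles/openssl-1.0.0c/example.patch" | tr -d ' ')
    printf 'SHA256 (openssl-1.0.0c/example.patch) = %s\nSIZE (openssl-1.0.0c/example.patch) = %s\n' \
        "$sum" "$size" > "$dir/distinfo.good"
    printf 'SHA256 (openssl-1.0.0c/example.patch) = %s\nSIZE (openssl-1.0.0c/example.patch) = %s\n' \
        "0000000000000000000000000000000000000000000000000000000000000000" "17" > "$dir/distinfo.stale"
    echo "$dir"
}

# Demo run on the constructed fixture.
demo_dir=$(make_fixture)
verify_distinfo "$demo_dir/distfiles" "$demo_dir/distinfo.good" && echo "distinfo.good: OK"
verify_distinfo "$demo_dir/distfiles" "$demo_dir/distinfo.stale" || echo "distinfo.stale: mismatches found (as expected)"
```

Pointed at a real ports directory it would be run as `verify_distinfo /usr/ports/distfiles /usr/ports/security/openssl/distinfo`; a non-zero exit means the fetched files and distinfo disagree, which is the state the post describes, and the right fix is to refresh the ports tree so both come from the same commit rather than to edit distinfo to match the files on disk.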

Posted at 19:28:58 GMT-0700

Category: FreeBSD, Technology