Certificate verify failed on big-endian (Intel IXP425)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Certificate verify failed on big-endian (Intel IXP425)

Cesc Santa
Hi,

A few days ago I posted to openssl.users the message i attach below.

I have done some more research and after seeing that the ssl code works
on a little endian pc with 0.9.6, the problem is:
- with the big-endian Intel IXP425 ARM running 0.9.6
- the code of the application (SER, voip proxy, with TLS).

I have seen a few discussions about endiannes, about some test failing
...
The next thing i would like to try is to cross-compile OpenSSL 0.9.7
for the IXP425 and install the new libraries.
What is the safest way to avoid all conflicts, even big a
big-performance penalty?

Thanks!

Cesc

===========================================================================
Certificate verify failed ... incompatible versions 0.9.6m-engine and
0.9.7d?

Hi,

I am testing an application, which is a server and a client at the same
time, connecting or receiving connections from the same application
running on other machines.
It all worked fine as long as:
- All used v.0.9.7d
- All of them were running on a i386 pc on debian linux (kernel 2.6.x).

Now ... i managed to get the application to run on an ARM embedded
system (intel ixp425, but different host byte order), which for now
only has openssl version 0.9.6m installed.

As said, it all would work fine ... till this ARM with openssl 0.9.6
came into play. Now, I cannot connect or accept connections from/to the
ARM platform.
If i do an ssl_connect (to a pc-based host), i get:
* error: 14090086: SSL routines: SSL3_GET_SERVER_CERTIFICATE:
certificate verify failed  ... on the ARM-host

If i do an ssl_accept (incoming connect from a pc-based host to the
arm-host), i get:
* error: 140890B2: SSL routines: SSL3_GET_SERVER_CERTIFICATE: no
certificate returned  ... on the ARM-host

I have set VERIFY_PEER and VERIFY_PEER_ONCE, with no verification
callback (pointer set to NULL).

The certificates and configurations work (root CA is self-signed;
server certificates, also used as client certs, are directly signed by
root CA, and contain some private X509v3 extensions).
On the ARM host i cannot do "openssl verify" ... i only have the
libraries, not the binaries for the platform.

Things i thought about: i am missing something which 0.9.7 does
automatically and 0.9.6 doesn't; a question of byte-order on the hosts;
the x509v3 private extensions; the self-signed root ca cert in 0.9.6;
...

Any other ideas or solutions?

Thanks in advance!

Cesc.S
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Certificate verify failed on big-endian (Intel IXP425)

Mike Frysinger
On Wednesday 25 May 2005 09:11 am, Cesc wrote:
> I have done some more research and after seeing that the ssl code works
> on a little endian pc with 0.9.6, the problem is:
> - with the big-endian Intel IXP425 ARM running 0.9.6
> - the code of the application (SER, voip proxy, with TLS).

i posted some fixes a while ago for 0.9.7e which were accepted and are in
0.9.7g ... openssl configured all arm targets as little endian which is why
it was failing
-mike
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Certificate verify failed on big-endian (Intel IXP425)

Cesc Santa
Hi,

Ok, got the latest 0.9.7.

But i am trying to cross-compile for IXP425, intel, which is big_endian.
The development toolkit i have provides me with its own compiler
(armbe-gcc), and the target libraries and includes.

I am not very familiar with cross-compiling, so more detailed steps
than on the INSTALL file would be appreciated.

Details:
- compiler: armbe-linux
- big_endian (-mbig_endian compiler param)
- need to specify target library and include folders (/opt/....)

Thanks a lot!

Cesc


On 5/25/05, Mike Frysinger <[hidden email]> wrote:

> On Wednesday 25 May 2005 09:11 am, Cesc wrote:
> > I have done some more research and after seeing that the ssl code works
> > on a little endian pc with 0.9.6, the problem is:
> > - with the big-endian Intel IXP425 ARM running 0.9.6
> > - the code of the application (SER, voip proxy, with TLS).
>
> i posted some fixes a while ago for 0.9.7e which were accepted and are in
> 0.9.7g ... openssl configured all arm targets as little endian which is why
> it was failing
> -mike
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [hidden email]
> Automated List Manager                           [hidden email]
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Certificate verify failed on big-endian (Intel IXP425)

vijay basav
In reply to this post by Cesc Santa
Hi
in Configure file chnge DL_ENDIAN(little endian) to DB_ENDIAN(big endian)  and EL to EB
 
hope this helps
vijay

Cesc <[hidden email]> wrote:
Hi,

Ok, got the latest 0.9.7.

But i am trying to cross-compile for IXP425, intel, which is big_endian.
The development toolkit i have provides me with its own compiler
(armbe-gcc), and the target libraries and includes.

I am not very familiar with cross-compiling, so more detailed steps
than on the INSTALL file would be appreciated.

Details:
- compiler: armbe-linux
- big_endian (-mbig_endian compiler param)
- need to specify target library and include folders (/opt/....)

Thanks a lot!

Cesc


On 5/25/05, Mike Frysinger wrote:

> On Wednesday 25 May 2005 09:11 am, Cesc wrote:
> > I have done some more research and after seeing that the ssl code works
> > on a little endian pc with 0.9.6, the problem is:
> > - with the big-endian Intel IXP425 ARM running 0.9.6
> > - the code of the application (SER, voip proxy, with TLS).
>
> i posted some fixes a while ago for 0.9.7e which were accepted and are in
> 0.9.7g ... openssl configured all arm targets as little endian which is why
> it was failing
> -mike
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [hidden email]
> Automated List Manager [hidden email]
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [hidden email]
Automated List Manager [hidden email]


Do You Yahoo!?
Yahoo! Small Business - Try our new Resources site!
Reply | Threaded
Open this post in threaded view
|

Re: Certificate verify failed on big-endian (Intel IXP425)

Mike Frysinger
On Thursday 26 May 2005 08:43 am, vijay basav wrote:
> in Configure file chnge DL_ENDIAN(little endian) to DB_ENDIAN(big endian)
> and EL to EB

the Configure script in the latest 0.9.7 version (i.e. g) does not set ENDIAN
for arm targets ... it's been moved to the config script
-mike
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Certificate verify failed on big-endian (Intel IXP425)

Cesc Santa
Hi all,

Tks to all who replied.

I managed to compile it on the IXP425 big-endian platform, with the
specific compiler for the target.  :) (even the shared libs).

What I do?
I added a new "platform" to the Configure script:

"linux-elf-arm_mybe","armbe-linux-gcc: -mbig-endian
-I/opt/arcom/armbe-linux/include -L/opt/arcom/armbe-linux/lib
-malignment-traps -DTERMIO -O3 -fomit-frame-pointer
-Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

I do not supply the -DB_ENDIAN, or EB, as suggested. Where should i do that?

On the other hand, i had some problems.

> make
     No problem here except that it would not compile the openssl
apps. The .a and .so files were created, sitting in the base dir.
     When it failed, i then made a make install (it put all the libs
and includes in the a temp directory), took these library files
(stripped them with armbe-linux-strip), and copied them to
/opt/arcom/armbe-linux/lib (see that it is the folder supplied in the
configure file as -L ).  Once the library files where in this folder,
i executed again make, and voila, no problem.
It seems as if the -L.. does not work ...
For the record, the /opt/arcom.../lib folder was empty of libssl or
libcrypto file when i first executed make (and failed).
     

> make test
      It would not run :)  The target development kit has an
"armbe-linux-run" app, but i didn't try it ... any ideas on how to do
the tests on the host environment? or which files should i copy to the
target environment to run the tests directly on the target?

Regards,

Cesc


On 5/26/05, Mike Frysinger <[hidden email]> wrote:

> On Thursday 26 May 2005 08:43 am, vijay basav wrote:
> > in Configure file chnge DL_ENDIAN(little endian) to DB_ENDIAN(big endian)
> > and EL to EB
>
> the Configure script in the latest 0.9.7 version (i.e. g) does not set ENDIAN
> for arm targets ... it's been moved to the config script
> -mike
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [hidden email]
> Automated List Manager                           [hidden email]
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]