[openssl.org #4529] Output of -hash option incompatible 64-bit Linux vs 32-bit Linux

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

[openssl.org #4529] Output of -hash option incompatible 64-bit Linux vs 32-bit Linux

Rich Salz via RT
To whom it may concern,

I have built OpenSSL 1.0.1s for 64-bit and 32-bit version of RHEL5.11.  The reasons for this are long and involve my employer, so I would detail them in this message.

I successfully built and deployed to a 64-bit RHEL 5.11 server (using a local installation path) and was able to configure the issuer certificate cache for my applications.  I built a separate package for 32-bit RHEL 5.11 (again, using a local installation path).  After installation, I observed that the -hash option of the openssl command (and hence the c_rehash utility) computed incorrect subject hashes for the issuer certificates in the cache.  Identical certificates from the 64-bit installation were installed but the hash values were different.  Tracing the operation of the s_client module with strace indicated that the hash values computed internally matched the hash values produced on the 64-bit system.  I replicated the symbolic links for the issuer certificates from the 64-bit system to the 32-bit system and the certificates presented by the remote server for my application were verified.

Thanks!

John Withers
Enterprise Operations
Directory Services Branch - OS:CTO:EO:ISD:DSB:PKI
Champaign, Illinois

Phone: (217) 974-7736

"A positive attitude may not solve all of your problems, but it will annoy enough people to make it worth the effort"


--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4529
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #4529] Output of -hash option incompatible 64-bit Linux vs 32-bit Linux

Jan Just Keijser-2
Withers John Z via RT wrote:
> To whom it may concern,
>
> I have built OpenSSL 1.0.1s for 64-bit and 32-bit version of RHEL5.11.  The reasons for this are long and involve my employer, so I would detail them in this message.
>
> I successfully built and deployed to a 64-bit RHEL 5.11 server (using a local installation path) and was able to configure the issuer certificate cache for my applications.  I built a separate package for 32-bit RHEL 5.11 (again, using a local installation path).  After installation, I observed that the -hash option of the openssl command (and hence the c_rehash utility) computed incorrect subject hashes for the issuer certificates in the cache.  Identical certificates from the 64-bit installation were installed but the hash values were different.  Tracing the operation of the s_client module with strace indicated that the hash values computed internally matched the hash values produced on the 64-bit system.  I replicated the symbolic links for the issuer certificates from the 64-bit system to the 32-bit system and the certificates presented by the remote server for my application were verified.
>
>  

FWIW: I've downloaded and built openssl-1.0.1s on my EL 5.11 box in both
32bit and 64bit mode (I needed to hack ./Configure for that, BTW).  The
resulting
  openssl x509 -hash
command prints out the exact same hash for both the 32bit and 64bit
versions.

HTH,

JJK / Jan Just Keijser
Nikhef
Amsterdam


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #4529] Output of -hash option incompatible 64-bit Linux vs 32-bit Linux

Rich Salz via RT
Withers John Z via RT wrote:
> To whom it may concern,
>
> I have built OpenSSL 1.0.1s for 64-bit and 32-bit version of RHEL5.11.  The reasons for this are long and involve my employer, so I would detail them in this message.
>
> I successfully built and deployed to a 64-bit RHEL 5.11 server (using a local installation path) and was able to configure the issuer certificate cache for my applications.  I built a separate package for 32-bit RHEL 5.11 (again, using a local installation path).  After installation, I observed that the -hash option of the openssl command (and hence the c_rehash utility) computed incorrect subject hashes for the issuer certificates in the cache.  Identical certificates from the 64-bit installation were installed but the hash values were different.  Tracing the operation of the s_client module with strace indicated that the hash values computed internally matched the hash values produced on the 64-bit system.  I replicated the symbolic links for the issuer certificates from the 64-bit system to the 32-bit system and the certificates presented by the remote server for my application were verified.
>
>  

FWIW: I've downloaded and built openssl-1.0.1s on my EL 5.11 box in both
32bit and 64bit mode (I needed to hack ./Configure for that, BTW).  The
resulting
  openssl x509 -hash
command prints out the exact same hash for both the 32bit and 64bit
versions.

HTH,

JJK / Jan Just Keijser
Nikhef
Amsterdam



--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4529
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #4529] Output of -hash option incompatible 64-bit Linux vs 32-bit Linux

Rich Salz via RT
Thanks to all for their responses.

I repeated my testing several times before submitting my original comment.  Now, it appears, it was a classic case of 'user error' where the PATH was not set correctly.

My apologies for any inconvenience.

I was able to build the package into an RPM for both 32-bit and 64-bit RHEL 5.11.  I had to make a number of editorial changes to the RPMBUILD spec file as files were not included and paths were hard coded.

John Withers
Enterprise Operations
Directory Services Branch - OS:CTO:EO:ISD:DSB:PKI
Champaign, Illinois
 
Phone: (217) 974-7736

-----Original Message-----
From: Jan Just Keijser via RT [mailto:[hidden email]]
Sent: Tuesday, May 03, 2016 6:33 AM
To: Withers John Z
Cc: [hidden email]
Subject: Re: [openssl-dev] [openssl.org #4529] Output of -hash option incompatible 64-bit Linux vs 32-bit Linux

Withers John Z via RT wrote:
> To whom it may concern,
>
> I have built OpenSSL 1.0.1s for 64-bit and 32-bit version of RHEL5.11.  The reasons for this are long and involve my employer, so I would detail them in this message.
>
> I successfully built and deployed to a 64-bit RHEL 5.11 server (using a local installation path) and was able to configure the issuer certificate cache for my applications.  I built a separate package for 32-bit RHEL 5.11 (again, using a local installation path).  After installation, I observed that the -hash option of the openssl command (and hence the c_rehash utility) computed incorrect subject hashes for the issuer certificates in the cache.  Identical certificates from the 64-bit installation were installed but the hash values were different.  Tracing the operation of the s_client module with strace indicated that the hash values computed internally matched the hash values produced on the 64-bit system.  I replicated the symbolic links for the issuer certificates from the 64-bit system to the 32-bit system and the certificates presented by the remote server for my application were verified.
>
>  

FWIW: I've downloaded and built openssl-1.0.1s on my EL 5.11 box in both
32bit and 64bit mode (I needed to hack ./Configure for that, BTW).  The
resulting
  openssl x509 -hash
command prints out the exact same hash for both the 32bit and 64bit
versions.

HTH,

JJK / Jan Just Keijser
Nikhef
Amsterdam



--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4529
Please log in as guest with password guest if prompted


--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4529
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev