Forum OpenACS Q&A: Open SSL under 3.1

Posted by Chalu Kim on
We are trying to use OpenSSL under AOLserver 3.1.

We compiled from ScottG's 1_0 and are having a problem:

Warning:modload: failed to load '/usr/lib/aolserver/bin/nsopenssl.so':
'/usr/lib/aolserver/bin/nsopenssl.so: undefined symbol: OPENSSL_free'
Fatal: modload: failed load module 'nsopenssl.so'

What do you think we ought to do?

Posted by Chalu Kim on
Scott's answer

Ok, you need to compile against OpenSSL 0.9.6. Looks like you're compiling
against OpenSSL 0.9.5.

/s.

And it worked.

Posted by Scott Goodwin on

One other important note:

The key.pem file is typically encrypted by a passphrase. nsopenssl isn't set up to decrypt a key.pem file that is encrypted with a passphrase. If nsopenssl fails to load the key file, then this is probably the problem.

If your key.pem file has something like this at the beginning:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C636A456899E9D41
...

then it's encrypted. If your key looks something like this:

-----BEGIN RSA PRIVATE KEY-----
SNTEOmnsthaostuhsnts}OREU/ADHT+rPTx/DPRp3xGjHZ4GG6pCmvADIEtBtKBFAc
Z64n+Dy7NblahblahblahblahH1D/j8HlGE+q4TZ8OFk7BNBFazHxFbYI4OKMiC
...

then it isn't encrypted.

To enable nsopenssl to use your key, strip the passphrase from your key.pem file by doing the following:

openssl rsa -in key.pem -out newkey.pem

newkey.pem is your unencrypted key -- use this as your certificate's key; just make sure it's well protected with file system perms.
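An added example, not part of the original posts: a pre-flight check that classifies a key file by the PEM header lines shown above, verifies that group and other have no access to it, and wraps the strip command in a restrictive umask. The function names and sample files are constructed for illustration, and the check goes beyond the post by also recognising the PKCS#8 `BEGIN PRIVATE KEY` and `BEGIN ENCRYPTED PRIVATE KEY` headers.

```shell
#!/bin/sh
# Added example: pre-flight checks for a key file handed to nsopenssl.

# Print "encrypted", "plaintext" or "unknown" from the PEM header lines.
key_state() {
    if grep -Eq -e '^Proc-Type: 4,ENCRYPTED' \
                -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted
    elif grep -Eq -e '^-----BEGIN (RSA )?PRIVATE KEY-----' "$1"; then
        echo plaintext
    else
        echo unknown
    fi
}

# Succeed only when group and other have no permission bits on the file.
perms_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 2
    case $mode in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# The command from the post, run under a restrictive umask so that a newly
# created output file is never readable by group or other.
strip_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -out "$2" )
}

# Demo on constructed header-only samples (not real keys).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' > "$demo_dir/key.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTEDBASE64' \
    > "$demo_dir/newkey.pem"
chmod 644 "$demo_dir/key.pem"; chmod 600 "$demo_dir/newkey.pem"
for f in "$demo_dir/key.pem" "$demo_dir/newkey.pem"; do
    if perms_private "$f"; then p=private; else p=exposed; fi
    echo "$(basename "$f"): $(key_state "$f"), permissions $p"
done
```

`strip_passphrase key.pem newkey.pem` prompts for the passphrase exactly as the bare command does; if newkey.pem already exists its old mode is kept, so run `perms_private` on the result either way.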