From: "O. Hartmann"
To: Current FreeBSD
Date: Fri, 30 Mar 2012 18:38:37 +0200
Subject: Re: SSL: wrong/broken in FreeBSD 10.0-CURRENT?
Message-ID: <4F75E18D.8020304@mail.zedat.fu-berlin.de>
In-Reply-To: <4F75BA0F.4080602@mail.zedat.fu-berlin.de>
List-Id: Discussions about the use of FreeBSD-current
On 03/30/12 15:50, O. Hartmann wrote:
> Sorry for the naive headline.
>
> I ran into massive problems on all of my FreeBSD 10.0-CURRENT driven
> boxes. PostgreSQL rejects accessing OpenLDAP via SSL and all clients
> accessing the database and authenticating users via an SSL/TLS secured
> connection to OpenLDAP refuse to work. This includes some very important
> facilities like textproc/refdb, databases/pgadmin3, www/mediawiki.
>
> More scary, I tried to generate new SSL certificates for our small
> network. We have used small scripts for that task since FreeBSD 8.0.
> Creating a new CA certificate works fine, as does creating new
> certificates for clients based on the new CA.
>
> Well, what worked half a year ago doesn't anymore and I have no clue
> what goes wrong.
>
> I created a set of new CA, key and host certificate (self signed, of
> course) for OpenLDAP.
> Using the CA and key/cert from backup, created with the same conf and
> scripts on FBSD 8/9 that I use now on FBSD 10, goes "smooth", but fails
> starting the OpenLDAP server.
> The log output of the server is as follows:
>
> TLS: could not use key file `/usr/local/etc/openldap/certs/server.key'.
> TLS: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
> /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/x509_cmp.c:406
> main: TLS init def ctx failed: -1
> slapd stopped.
> connections_destroy: nothing to destroy.
> /usr/local/etc/rc.d/slapd: WARNING: failed to start slapd
>
>
> As far as I can dig from the web, this error code "TLS: error:0B080074:x509
> certificate..." is due to mismatching CN names. But why all of a sudden
> should that be wrong?
>
> Did something change significantly in FreeBSD 10.0-CURRENT these days?
>
> Regards,
> Oliver

Sorry for the noise! I realized, thanks to a hint from a list member, that many of my ports, although I thought I had rebuilt all of them, still lack several libkrbXXX libraries that I deleted intentionally on FreeBSD 10. After checking for those ports and recompiling them, everything runs smoothly as expected now!

Regards,
Oliver
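The OpenSSL error quoted in this message, X509_check_private_key: key values mismatch, is raised when the public key embedded in the certificate does not match the private key slapd was handed; it does not compare CN names. In this thread the cause turned out to be port binaries still linked against libkrb libraries that had been removed, but the same error appears whenever a certificate and key file are simply paired wrongly, so both conditions are worth a quick check before rebuilding anything. The script below is an added example, not code from the original thread or from the OpenLDAP or FreeBSD projects. It reproduces the key/cert comparison with the openssl(1) CLI (the public key extracted from each side must be byte-identical) and adds a sweep for objects under a directory whose shared-library dependencies no longer resolve. The certificate path server.crt next to the server.key from the log is an assumption for the usage comment only.

```shell
#!/bin/sh
# Added example (not from the original thread): two checks behind a
# "TLS: could not use key file ... key values mismatch" failure.
#
# Usage:
#   sh certcheck.sh /usr/local/etc/openldap/certs/server.crt \
#                   /usr/local/etc/openldap/certs/server.key   # assumed paths
#   sh certcheck.sh --stale /usr/local

# cert_key_match CERT KEY
#   Same comparison OpenSSL's X509_check_private_key() performs: the public
#   key inside CERT must equal the public key derived from KEY. Exit status
#   0 = match, 1 = mismatch, 2 = a file could not be parsed.
cert_key_match() {
    cert=$1
    key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert" >&2
        return 2
    }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key: $key" >&2
        return 2
    }
    if [ "$cert_pub" = "$key_pub" ]; then
        return 0
    fi
    echo "key values mismatch: $key does not belong to $cert" >&2
    return 1
}

# find_stale_links DIR
#   Print every executable or shared object under DIR that still depends on
#   a library the dynamic linker reports as "not found" (for instance a
#   libkrb5 removed from the base system after the port was built). Each
#   offender is listed with the unresolved dependencies indented below it.
find_stale_links() {
    dir=$1
    find "$dir" -type f \( -perm -u+x -o -name '*.so*' \) 2>/dev/null |
    while read -r obj; do
        missing=$(ldd "$obj" 2>/dev/null | grep 'not found') || continue
        printf '%s\n' "$obj"
        printf '%s\n' "$missing" | sed 's/^/    /'
    done
}

# Only act when invoked with arguments; sourcing the file just defines the
# functions above.
if [ "$#" -ge 1 ]; then
    if [ "$1" = "--stale" ]; then
        find_stale_links "${2:-/usr/local}"
    else
        cert_key_match "$1" "$2"
    fi
fi
```

A non-empty report from the --stale sweep means the port in question must be rebuilt, which is what resolved the failure in this thread. Note that ldd(1) runs the dynamic loader on the object it inspects, so do not point the sweep at binaries you do not trust; for those, read the dependency list with readelf -d or objdump -p instead.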