Building openssl-1.0.2k on openstep42 on black and white

 
rooprob




Posted: Mon May 15, 2017 1:42 am

Almost success!
I'm writing this as an effort to rubber duck any thoughts to myself before putting this away.

I've been on a quest to update a few packages: Something like this:

openstep 4.2 on NeXTStation Turbo.
openstep 4.2 on virtualbox on an i7

So far..
    openssl 1.0.2k (gets TLS1.2)
    curl-7.54
    stunnel 4.57
    zlib-1.2.11


Ancillary extras
    - snprintf-2.1 for vsnprintf and family
    - putenv/getenv
    - tcsetattr/getattr
    - dirname
    - uname

So, the good:

$ uname -a
OPENSTEP os42comp1 4.2 NeXT Mach 4.2: Tue Jan 26 11:21:50 PST 1999; root(rcbuilder):Objects/mk-183.34.4.obj~2/RELEASE_I386 I386 Intel 486

$ openssl version
OpenSSL 1.0.2k 26 Jan 2017

$ stunnel -version
stunnel 4.57 on i386-next-openstep4 platform
Compiled/running with OpenSSL 1.0.2k 26 Jan 2017
Threading:FORK Sockets:SELECT,IPv4 SSL:ENGINE,OCSP,FIPS

$ curl --version
curl 7.54.0 (i386-next-openstep4) libcurl/7.54.0 OpenSSL/1.0.2k zlib/1.2.11
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: NTLM NTLM_WB SSL libz TLS-SRP UnixSockets HTTPS-proxy

$ openssl s_client -connect openssl.org:443 -CAfile /usr/local/etc/ssl/certs/cacert.pem

Code:
subject=/OU=Domain Control Validated/CN=*.openssl.org
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3094 bytes and written 433 bytes

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C3B8451A5991DBAC0FAA17DE9F55DE05A8476BC0ED3261E63456B67E1CFD6798
    Session-ID-ctx:
    Master-Key: 3D0425708B074E5931F7EBF4FD4F0249F681F109E6BE486E93DCCA7A82CE747F3E96637C5E2A3CD7C3F9922911343ED6


Yay. Onto the NeXT Station.

$ uname -a
OPENSTEP next 4.2 NeXT Mach 4.2: Tue Jan 26 11:23:59 PST 1999; root(rcbuilder):Objects/mk-183.34.4.obj~2/RELEASE_M68K MC680x0 68040

$ openssl version
OpenSSL 1.0.2k 26 Jan 2017

$ stunnel -version
stunnel 4.57 on m68k-next-openstep4 platform
Compiled/running with OpenSSL 1.0.2k 26 Jan 2017
Threading:FORK Sockets:SELECT,IPv

Now the problem: While the NeXT engages with the TLS service, it throws out a

verify error:num=7:certificate signature failure
84633024:error:04091064:rsa routines:INT_RSA_VERIFY:algorithm mismatch:rsa_sign.c:263:
84633024:error:1408D07B:SSL routines:ssl3_get_key_exchange:bad signature:s3_clnt.c:2032:



Weirdly, it passes its test suite (a good hour run of it)! I haven't looked too closely for tests particular to rsa though.

So works on i386, but not on the venerable m68k :( Stunnel is sad. Self generated certs don't validate. I messed up something inside openssl.


Code:
subject=/OU=Domain Control Validated/CN=*.openssl.org
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2827 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:



PS black system has been rock solid, compiling away for days without a system fault or burning out a cap.
rooprob




Posted: Tue May 16, 2017 4:07 am

Hmm... I replaced the old openssl-098za package and stunnel 4.25 packages back (noticing the openssl package also contains zlib 1.2.8).

stunnel is back working again, so I can pick up my mail.

openssl command line fails various cert operations - which write and read files - with the same error I was getting with my new 1.0.2k build :(

First question I have to rule out is: Does the openssl-0.9.8 package listed here actually work on anyone's m68k NeXT machine?

https://drive.google.com/drive/u/0/folders/0B0gDYBETjc4WN083TUFGWkZHWUk

By "work", I mean can you generate a self-signed certificate in separate commands as shown here, taken from this SO post:

http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

# separately
openssl req -new > cert.csr
openssl rsa -in privkey.pem -out key.pem
openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 1001
Signature did not match the certificate request

it should say
openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 1001
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Getting Private key


The one liner works (all versions, all platforms), which encourages me that the openssl library is ok, just not the bits which write, or probably "read", key material from disk on the m68k box, which is big endian after all.

# in a single command
openssl req -x509 -newkey rsa:2048 -keyout self-signed-key.pem -out self-signed-cert.pem -days 365
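
An added example, not part of the original posts and not OpenSSL's code: a simplified C model of the order of checks in PKCS#1 v1.5 signature verification (RFC 8017), showing where an "algorithm mismatch" outcome sits relative to a padding failure. The names `build_em`, `classify` and `demo`, the verdict values and the all-zero sample hash are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
enum verdict { FORMAT_OK, BAD_PADDING, BAD_ENCODING, ALG_MISMATCH, BAD_LENGTH };
/* Digest OID contents from RFC 8017: id-sha256 and id-sha512. */
static const unsigned char OID_SHA256[9] = {0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01};
static const unsigned char OID_SHA512[9] = {0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03};

/* Constructed sample: 00 01 FF..FF 00 || DigestInfo(oid, all-zero hash of hlen bytes). */
static void build_em(unsigned char *em, size_t emlen, const unsigned char *oid, size_t hlen)
{
    size_t tlen = 19 + hlen, ps = emlen - 3 - tlen;
    unsigned char *t = em + 3 + ps;
    memset(em, 0, emlen); em[1] = 0x01; memset(em + 2, 0xFF, ps); /* 00 01 FF..FF 00 */
    t[0] = 0x30; t[1] = (unsigned char)(tlen - 2);   /* DigestInfo SEQUENCE */
    t[2] = 0x30; t[3] = 0x0d; t[4] = 0x06; t[5] = 9; /* AlgorithmIdentifier, OID header */
    memcpy(t + 6, oid, 9); t[15] = 0x05;             /* digest OID, NULL params (05 00) */
    t[17] = 0x04; t[18] = (unsigned char)hlen;       /* OCTET STRING header */
}

/* Verifier-side checks, in order: padding, DigestInfo shape, digest OID, digest length. */
static enum verdict classify(const unsigned char *em, size_t emlen,
                             const unsigned char *want_oid, size_t want_hlen)
{
    size_t i = 2, tlen;
    const unsigned char *t;
    if (emlen < 11 || em[0] != 0x00 || em[1] != 0x01) return BAD_PADDING;
    while (i < emlen && em[i] == 0xFF) i++;
    if (i < 10 || i >= emlen || em[i] != 0x00) return BAD_PADDING;
    t = em + i + 1; tlen = emlen - i - 1;
    if (tlen < 19 || t[0] != 0x30 || t[1] != tlen - 2 || t[4] != 0x06 || t[5] != 9 ||
        t[17] != 0x04 || t[18] != tlen - 19) return BAD_ENCODING;
    if (memcmp(t + 6, want_oid, 9) != 0) return ALG_MISMATCH;
    if (t[18] != want_hlen) return BAD_LENGTH;
    return FORMAT_OK; /* a real verifier would now compare the hash bytes */
}

/* The signer always uses SHA-512 here; the verifier expects (want_oid, want_hlen). */
static enum verdict demo(const unsigned char *want_oid, size_t want_hlen, int corrupt)
{
    unsigned char em[256]; /* block size for a 2048-bit key */
    build_em(em, sizeof em, OID_SHA512, 64);
    if (corrupt) em[1] ^= 0x03; /* stand-in for a wrong RSA result */
    return classify(em, sizeof em, want_oid, want_hlen);
}

int main(void)
{
    printf("%d %d %d\n", demo(OID_SHA512, 64, 0), demo(OID_SHA256, 32, 0), demo(OID_SHA512, 64, 1));
    return 0;
}
```

In this model a block that comes out of the RSA public-key operation as garbage fails at the padding step; the mismatch verdict needs a well-formed block whose digest OID differs from the one the verifier expects.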
All times are GMT - 7 Hours