[AG-TECH] Venue Server question

Thomas Uram turam at mcs.anl.gov
Fri Jan 29 19:07:57 CST 2010


It turns out that the problem is two-fold: the updated AGDev CA cert  
uses a large hex serial number, and this number overflows integer  
conversions used by m2crypto. While the serial number is legitimate,  
and the failure warrants an m2crypto patch, such a patch would not  
solve the problem for all users immediately (they'd have to discover  
the problem and apply the patch). In the interest of expediency, then,  
I've issued a new AGDev CA cert that uses a small integer serial  
number and will not encounter this problem. It is an update of the  
previous AGDev CA cert, so all certs issued previously will continue  
to validate against it.

I've attached the updated CA cert. If you could push it into your  
environments and confirm that no problems arise, I'll commit it to the  
AG SVN for inclusion with future builds.

Mike: If you import the attached cert and signing policy, you should  
be able to get your server running.

Let me know of any problems.

Thanks,
Tom

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 45cc9e80.Jan2010.0
Type: application/octet-stream
Size: 904 bytes
Desc: not available
URL: <http://lists.mcs.anl.gov/pipermail/ag-tech/attachments/20100129/0f92725e/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 45cc9e80.signing_policy
Type: application/octet-stream
Size: 1334 bytes
Desc: not available
URL: <http://lists.mcs.anl.gov/pipermail/ag-tech/attachments/20100129/0f92725e/attachment-0001.obj>
-------------- next part --------------



On Jan 29, 2010, at 7:32 AM, Mike Weaver wrote:

> I've been playing for the past hour trying to get the dependencies to work
> out, but too much in F12 requires libssl.so.10.  I figured I either needed
> to drop down to F11 or figure out how to roll my own m2crypto package.  As
> Chris has offered, I'll leave that effort to the experts ;-)
>
> Thanks for looking at this, guys,
>
> Mike
>
> -----Original Message-----
> From: ag-tech-bounces at lists.mcs.anl.gov
> [mailto:ag-tech-bounces at lists.mcs.anl.gov] On Behalf Of Douglas Kosovic
> Sent: Friday, January 29, 2010 7:59 AM
> To: AG-Tech at mcs.anl.gov
> Subject: Re: [AG-TECH] Venue Server question
>
> Hi Tom,
>
> Fedora 12 comes with OpenSSL 1.0.0 beta 4 and earlier versions of
> m2crypto just can't build against it.
>
> But Fedora 12's m2crypto-0.20.1 RPM includes an upstream patch to build
> against OpenSSL 1.0.0, I might see if I can take the patch and apply it
> to m2crypto-0.19.1.
>
>
> Doug
>
>
> On 01/29/2010 10:39 PM, Thomas Uram wrote:
>> Mike:
>>
>> A suitable workaround for now would be to drop back to an earlier
>> m2crypto version.
>>
>> Chris: Have you isolated the problem to a particular m2crypto version?
>>
>> Tom
>>
>
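
The serial-number overflow described at the top of this message can be checked for before a CA cert is deployed. The following is an added example, not code from the thread, AccessGrid or m2crypto: it reads the serialNumber INTEGER from a DER certificate and reports whether it fits a signed C long. The 32/64-bit long target is an assumption about the failing conversion, and the sample bytes are constructed DER prefixes, not the AGDev certs.

```python
# Added example: not AccessGrid or m2crypto code.
# Assumption: the failing conversion targets a signed C long (32 or 64 bits).

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def cert_serial(der):
    """Walk Certificate -> tbsCertificate -> serialNumber and return the int."""
    tag, start, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, start, _ = read_tlv(der, start)    # tbsCertificate SEQUENCE
    tag, vstart, vend = read_tlv(der, start)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        tag, vstart, vend = read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[vstart:vend], "big", signed=True)

def fits_c_long(value, bits):
    return -(1 << (bits - 1)) <= value < (1 << (bits - 1))

def serial_report(der):
    serial = cert_serial(der)
    return {"serial_hex": format(serial, "x"),
            "fits_long32": fits_c_long(serial, 32),
            "fits_long64": fits_c_long(serial, 64)}

# Constructed DER prefixes (fields up to serialNumber only), not real certs.
SMALL_SERIAL_DER = bytes.fromhex("300a3008a003020102020101")
LARGE_SERIAL_DER = bytes.fromhex("30123010a003020102020900c35a1f2e7b904d11")

if __name__ == "__main__":
    for name, der in (("small", SMALL_SERIAL_DER), ("large", LARGE_SERIAL_DER)):
        print(name, serial_report(der))
```

A PEM file needs to be base64-decoded to DER before being passed to `cert_serial`.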


