[AG-TECH] Venue Server question

Christoph Willing c.willing at uq.edu.au
Sat Jan 30 02:58:03 CST 2010

On 30/01/2010, at 11:07 AM, Thomas Uram wrote:

> It turns out that the problem is two-fold: the updated AGDev CA cert  
> uses a large hex serial number, and this number overflows integer  
> conversions used by m2crypto. While the serial number is legitimate,  
> and the failure warrants an m2crypto patch, such a patch would not  
> solve the problem for all users immediately (they'd have to discover  
> the problem and apply the patch). In the interest of expediency,  
> then, I've issued a new AGDev CA cert that uses a small integer  
> serial number and will not encounter this problem. It is an update  
> of the previous AGDev CA cert, so all certs issued previously will  
> continue to validate against it.
> I've attached the updated CA cert. If you could push it into your  
> environments and confirm that no problems arise, I'll commit it to  
> the AG SVN for inclusion with future builds.


Firstly, just to  support the "m2crypto is the culprit" theory, today  
I built & installed a new version (0.20.2) on a previously unaffected  
system (which had been using m2crypto-0.19.1). The original 45cc9e80.0  
was rejected and unable to be imported (giving the "long too large to  
convert" error).

Secondly, the new CA imports fine with the new m2crypto and also  
imports fine using the older m2crypto version. Its now running on the  
APAG server.


> <45cc9e80.Jan2010.0><45cc9e80.signing_policy>
> On Jan 29, 2010, at 7:32 AM, Mike Weaver wrote:
>> I've been playing for the past hour trying to get the dependencies  
>> to work
>> out, but too much in F12 requires libssl.so.10.  I figured I either  
>> needed
>> to drop down to F11 or figure out how to roll my own m2crypto  
>> package.  As
>> Chris has offered, I'll leave that effort to the experts ;-)
>> Thanks for looking at this guys,
>> Mike
>> -----Original Message-----
>> From: ag-tech-bounces at lists.mcs.anl.gov
>> [mailto:ag-tech-bounces at lists.mcs.anl.gov] On Behalf Of Douglas  
>> Kosovic
>> Sent: Friday, January 29, 2010 7:59 AM
>> To: AG-Tech at mcs.anl.gov
>> Subject: Re: [AG-TECH] Venue Server question
>> Hi Tom,
>> Fedora 12 comes with OpenSSL 1.0.0 beta 4 and earlier versions of
>> m2crypto just can't build against it.
>> But Fedora 12's m2crypto-0.20.1 RPM includes an upstream patch to  
>> build
>> against OpenSSL 1.0.0, I might see if I can take the patch and  
>> apply it
>> to m2crypto-0.19.1.
>> Doug
>> On 01/29/2010 10:39 PM, Thomas Uram wrote:
>>> Mike:
>>> A suitable workaround for now would be to drop back to an earlier
>>> m2crypto version.
>>> Chris: Have you isolated the problem to a particular m2crypto  
>>> version?
>>> Tom

Christoph Willing                       +61 7 3365 8316
QCIF Access Grid Manager
University of Queensland

More information about the ag-tech mailing list