[pacapona]

Hi

I have an issue with openssl on cubox.

The first sign of a problem is a curl error on yaourt output:
$this->bbcode_second_pass_code('', '
yaourt -Syua
:: Synchronisation des bases de données de paquets...
core est à jour ;
extra est à jour ;
community est à jour ;
alarm est à jour ;
aur est à jour ;
curl error: SSL connect error
')
Curl to get an https page:
$this->bbcode_second_pass_code('', '
curl https://google.ch
curl: (35) error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
')
And wenn i try to creat a self-signed certificate:
$this->bbcode_second_pass_code('', '
openssl genrsa -des3 -out server.key 1024 --> OK
openssl req -new -key server.key -out server.csr --> OK
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key --> OK
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt --> NOT OK !
Signature verification error
3069396176:error:0D0C50C7:asn1 encoding routines:ASN1_item_verify:unknown signature algorithm:a_verify.c:154:
')
I don't no if i'm the only one with this problem but it's would be a surprise for me if i the only one with this problem...
My system run on an fresh install and is up to date...

Any idee?

Encrypt and decrypt file seem to be working:
$this->bbcode_second_pass_code('', '
openssl des3 -in toto.test -out toto.test.encrypted --> OK
openssl des3 -d -in toto.test.encrypted -out toto.test.decrypted --> OK
')

[pacapona]

The problem come from the hardward acceleration implementation from the openssl-cryptodev packet.
Install openssl without hardward accel and the bug go out... But i thing it will be better to resolve the problem from the openssl-cryptodev packet...

[pepedog]

It's best to replace openssl-cryptodev with openssl until this is resolved

[kmihelich]

New version of openssl-cryptodev is in the repositories, matches version of the normal openssl. Give that a shot and see if things work on there.

[pacapona]

$this->bbcode_second_pass_quote('kmihelich', 'N')ew version of openssl-cryptodev is in the repositories, matches version of the normal openssl. Give that a shot and see if things work on there.

[kmihelich]

Your /dev/cryptodev device on the system is world read/writable (mode 666), correct?

[pepedog]

I don't have that node, just /dev/crypto (666)
What's this note (on older kernel)?
https://github.com/rabeeh/linux-2.6.32.9/tree/master/cesa/openssl

[kmihelich]

You're right, its /dev/crypto. OCF is just another subsystem implementation of the same goal. I looked into way back when we were integrating all this into the kirkwood kernel, and the cryptodev source package we use is a lot simpler, cleaner, and until now worked without issue.

[pacapona]

Only /dev/crypto
and yes 666

Not sur but i think the bug was comming wenn i have updated the kernel...