Re: OpenSSL segmentation fault

This is a bug introduced in changes for OpenSSL 1.0.2g (PTFs SI59896 and
SI59895).

The problem occurs when OpenSSL prompts for a response, in this case
asking for the password. As a workaround you can use the -passin
parameter:

PASS PHRASE ARGUMENTS
Several commands accept password arguments, typically using -passin
and -passout for input and output passwords respectively. These allow the
password to be obtained
from a variety of sources. Both of these options take a single
argument whose format is described below. If no password argument is given
and a password is required
then the user is prompted to enter one: this will typically be read
from the current terminal with echoing turned off.

pass:password
the actual password is password. Since the password is
visible to utilities (like 'ps' under Unix) this form should only be used
where security is not
important.

env:var obtain the password from the environment variable var.
Since the environment of other processes is visible on certain platforms
(e.g. ps under certain Unix
OSes) this option should be used with caution.

file:pathname
the first line of pathname is the password. If the same
pathname argument is supplied to -passin and -passout arguments then the
first line will be used for
the input password and the next line for the output
password. pathname need not refer to a regular file: it could for example
refer to a device or named
pipe.

fd:number read the password from the file descriptor number. This
can be used to send the data via a pipe for example.

stdin read the password from standard input.

For example:
openssl pkcs12 -in "mycert.pfx" -clcerts -nokeys -out mycert.cer -passin
pass:mypassword
openssl pkcs12 -in "mycert.pfx" -nocerts -nodes -out mycert.key -passin
pass:mypassword

Another customer ran in to this and has opened a PMR and a fix is being
worked on. You can open a PMR if you like or use the workaround in the
meantime.

"MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx> wrote on 04/15/2016
03:24:12 PM:

From: Matt Lavinder <mlavinder@xxxxxxxxxxxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 04/15/2016 03:25 PM
Subject: OpenSSL segmentation fault
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>

I have an an OpenSSL command I use to extract the components of a pfx
file. More or less, the commands I use are:

​openssl pkcs12 -in "mycert.pfx" -clcerts -nokeys -out mycert.cer
openssl pkcs12 -in "mycert.pfx" -nocerts -nodes -out mycert.key

I have to do this process when we ​renew our SSL certificate.

Typically, I

run these from a PASE terminal (QP2TERM) without issue; however, this

year,

I am getting a segmentation fault and core dump.

I was able to use openssl inside of cygwin to complete this process, but

it

bothers me that something that used to work is not working. I was able

to

run a few other openssl commands without issue, so it is not entirely
broken.

I am not sure where openssl falls. Is this something IBM would assist

me

with? Any ideas on what might cause this?

I noticed my openssl version is 1.0.2g and shows a date of "1 Mar 2016".
Cygwin is using the same version and works fine, but I suppose it could

be

PASE or AIX related. If someone else wants to test the above out, that
might be helpful. At least I would know if it is just me. We are

running

IBM i 7.1.

--

*Matt Lavinder *
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related

questions.