To fix it, I made the following patch:

--- ssldump-0.9b3/base/pcap-snoop.c.old	2005-11-18 16:16:02.000000000 +0100
+++ ssldump-0.9b3/base/pcap-snoop.c	2005-11-18 16:16:20.000000000 +0100
@@ -49,7 +49,7 @@

 #include

 #include 
-#include 
+#include

 #ifndef _WIN32
 #include 
 #endif

In this article I will describe how to use OpenSSL to set up a Certificate Authority (CA), how to generate private keys, generate certificate requests and sign them, using OpenSSL and the command-line on a Fedora Core 4 Linux system.

Configuring OpenSSL

Edit /etc/pki/tls/openssl.cnf and make sure the [ CA_default ] section looks like this:

[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
unique_subject  = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
#crlnumber      = $dir/crlnumber        # the current crl number must be
                                        # commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha1                  # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that.
policy          = policy_match

Creating the Certificate Authority (CA)

This step will create the CA private key and a self-signed certificate (the CA certificate).

The CA certificate will be stored in /etc/pki/CA/cacert.pem, while the CA private key will be stored in /etc/pki/CA/private/cakey.pem:

openssl req -new -x509 -days 365 -newkey rsa:1024 \
  -keyout /etc/pki/CA/private/cakey.pem \
  -out /etc/pki/CA/cacert.pem
chmod 600 /etc/pki/CA/private/cakey.pem

A copy of every signed certificate will be stored into /etc/pki/CA/newcerts, with a name matching the certificate serial number plus the .pem extension:

mkdir /etc/pki/CA/newcerts

The /etc/pki/CA/index.txt file holds a log of every signed certificate:

touch /etc/pki/CA/index.txt

The /etc/pki/CA/serial file holds the next available X.509 serial number:

echo 01 > /etc/pki/CA/serial

Generating a certificate request and its corresponding private key

The following command will generate a random, 1024-bit private RSA key and its corresponding public key will be wrapped into a PEM-encoded certificate. This certificate is still unsigned and will be submitted later to the CA for signing:

openssl req -new -days 365 -newkey rsa:1024 \
  -keyout /etc/pki/CA/sslkey.pem
  -out /etc/pki/CA/sslcert.pem

The private key will get written to /etc/pki/CA/sslkey.pem while the public key, encoded inside an unsigned certificate, will get written to /etc/pki/CA/sslcert.pem.

The -nodes option can be used to avoid using a pass-phrase to protect the private key. This is optional, but some applications are unable to read the private key if it was protected by a pass-phrase, while others like FreeRADIUS can do so with no problems at all.

Signing a certificate

To sign a certificate stored in /etc/pki/CA/sslcert.pem, use the following command:

openssl ca -in /etc/pki/CA/sslcert.pem -out /etc/pki/CA/cert.pem

The resulting signed certificate will get outputted to /etc/pki/CA/cert.pem. Once the certificate has been signed, the unsigned certificate can be safely deleted.