Scott, would you be so kind to enlighten me?

Certainly. Important parts of my test config are at the bottom of this message. Here's how it works:

At start time, nsopenssl reads the config sections for SSL contexts and
SSL drivers. Each SSL context and each SSL driver has a unique name
within that virtual server. You can reuse the same names in a different
virtual server, but that's perhaps not a good idea for readability.

SSL contexts define the characteristics of SSL instances you want to
create; they're essentially templates. You can have any number of
templates. An SSL template can be associated with an SSL driver, an
nsopenssl-created client or an nsopenssl-created server. Some confusion
exists about these last two. nsopenssl works in two modes: local and
nsd-driven. An SSL driver is tied to a core nsd connection, and all
bytes are piped through the AOLserver HTTP processing engine.
nsopenssl-created clients and servers are local to the nsopenssl module
and are not associated with the core server at all. Using the nsopenssl
Tcl API you can create incoming or outgoing SSL connections without the
core server's HTTP engine being involved. If there's still confusion
about the difference, let me know and I'll try to find a better way to
explain it.

An SSL driver can listen on one and only one port. But you can have
multiple drivers defined for a virtual server. Each driver must be
associated with a single SSL context. When a connection comes in on a
port that an SSL driver is listening on, it uses the SSL context it's
associated with to generate an SSL instance, which contains the info
about what ciphers are allowed etc.

In the config below I have two contexts and two drivers. One driver
I've labeled as a user access point, the other as an admin access point.

The main goals of this release are to be virtual-server compliant, to
decouple SSL contexts from SSL drivers and the nsopenssl-created
connections, and to ensure that you only need to load one copy of an
nsopenssl module to handle any number of virtual servers and ports.

Digest all this; more later if you need it. The config stuff at my site
is out of date for this new release. I'm moving my site to a new hoster
where I can run AOLserver.

/s.

config:


set vs1_servername "vs1"
set vs1_serverdesc "Virtual Server 1"
set vs1_httpport 7000
set vs1_hostname 127.0.0.1
set vs1_address 127.0.0.1
set vs1_pageroot ${homedir}/servers/${vs1_servername}/pages

# Global nsopenssl settings
ns_section "ns/server/module/nsopenssl"
ns_param RandomFile /some/file
ns_param SeedBytes  1024

...normal AOLserver stuff here...

#
# nsopenssl (HTTPS)
#

# Virtual Server specific nsopenssl configurations

# SSL contexts. Each SSL context is intended to be a complete definition
# of an SSL instance. An SSL context may be used by multiple drivers,
# sockservers and sockclients.

ns_section "ns/server/${vs1_servername}/module/nsopenssl/sslcontexts"
ns_param vs1_users_ctx        "SSL context used for regular user access"
ns_param vs1_admins_ctx       "SSL context used for administrator access"

ns_section "ns/server/${vs1_servername}/module/nsopenssl/sslcontext/vs1_users_ctx"
ns_param Role                  server
#ns_param ModuleDir             /path/to/dir
ns_param CertFile              server-cert.crt
ns_param KeyFile               server-cert.key
#ns_param CADir                 serverca
#ns_param CAFile                serverca.pem
ns_param Protocols             "SSLv3, TLSv1"
ns_param CipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify            false
ns_param PeerVerifyDepth       3
ns_param Trace                 true
ns_param SessionCache          true
ns_param SessionCacheSize      128
ns_param SessionCacheTimeout   300

ns_section "ns/server/${vs1_servername}/module/nsopenssl/sslcontext/vs1_admins_ctx"
ns_param Role                  server
#ns_param ModuleDir             /path/to/dir
ns_param CertFile              server-cert.crt
ns_param KeyFile               server-cert.key
ns_param CADir                 serverca
ns_param CAFile                serverca.pem
#ns_param Protocols             "All"
ns_param Protocols             "SSLv3, TLSv1"
ns_param CipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify            false
ns_param PeerVerifyDepth       3
ns_param Trace                 true
ns_param SessionCache          true
ns_param SessionCacheSize      128
ns_param SessionCacheTimeout   300

# SSL drivers. Each driver defines a port and a named SSL context to
# associate with it.

ns_section "ns/server/${vs1_servername}/module/nsopenssl/ssldrivers"
ns_param vs1_users_drv            "Driver for vs1 regular user access"
ns_param vs1_admins_drv           "Driver for vs1 administrator access"

ns_section "ns/server/${vs1_servername}/module/nsopenssl/ssldriver/vs1_users_drv"
ns_param sslcontext            vs1_users_ctx
ns_param port                  7001
ns_param hostname              127.0.0.1
ns_param address               127.0.0.1

ns_section "ns/server/${vs1_servername}/module/nsopenssl/ssldriver/vs1_admins_drv"
ns_param sslcontext            vs1_admins_ctx
ns_param port                  7002
ns_param hostname              127.0.0.1
ns_param address               127.0.0.1

#
# Modules to load
#
ns_section "ns/server/${vs1_servername}/modules"
ns_param   nssock          ${bindir}/nssock${ext}
ns_param   nslog           ${bindir}/nslog${ext}
ns_param   nscgi           ${bindir}/nscgi${ext}
ns_param   nsopenssl       ${bindir}/nsopenssl${ext}
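As an added example (my own code, not Scott's and not part of nsopenssl), a small Python checker that reads nsd.tcl-style ns_section/ns_param lines, confirms that every driver names a context listed under sslcontexts, and flags the weak OpenSSL cipher classes (LOW, EXP, SSLv2) that a context's CipherSuite string still admits. The embedded config is constructed and abbreviated; its section paths follow the layout in the message above with vs1 substituted for ${vs1_servername}.

```python
import re
# Constructed sample in the nsd.tcl style of the message above (abbreviated, not the full config).
SAMPLE_NSD = '''
ns_section "ns/server/vs1/module/nsopenssl/sslcontexts"
ns_param vs1_users_ctx  "SSL context used for regular user access"
ns_section "ns/server/vs1/module/nsopenssl/sslcontext/vs1_users_ctx"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_section "ns/server/vs1/module/nsopenssl/ssldrivers"
ns_param vs1_users_drv  "Driver for vs1 regular user access"
ns_param vs1_admins_drv "Driver for vs1 administrator access"
ns_section "ns/server/vs1/module/nsopenssl/ssldriver/vs1_users_drv"
ns_param sslcontext vs1_users_ctx
ns_param port       7001
ns_section "ns/server/vs1/module/nsopenssl/ssldriver/vs1_admins_drv"
ns_param sslcontext vs1_admins_ctx
ns_param port       7002
'''
WEAK_CLASSES = {"LOW", "EXP", "SSLv2"}  # weak OpenSSL cipher classes worth flagging

def parse_nsd(text):
    # Map each ns_section name to its ns_param key/value pairs; '#' comment lines are skipped
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ns_section"):
            current = sections.setdefault(line.split(None, 1)[1].strip('"'), {})
        elif current is not None and (m := re.match(r'ns_param\s+(\S+)\s+"?(.*?)"?$', line)):
            current[m.group(1)] = m.group(2)
    return sections

def lint(sections, server="vs1"):
    base = f"ns/server/{server}/module/nsopenssl"
    contexts = sections.get(f"{base}/sslcontexts", {})
    drivers = sections.get(f"{base}/ssldrivers", {})
    findings = []
    for name in contexts:  # a context is the template every SSL instance is built from
        ctx = sections.get(f"{base}/sslcontext/{name}", {})
        tokens = {t.lstrip("+") for t in ctx.get("CipherSuite", "").split(":")}
        killed = {t[1:] for t in tokens if t.startswith("!")}
        weak = (WEAK_CLASSES if "ALL" in tokens else WEAK_CLASSES & tokens) - killed
        if weak:  # "ALL" pulls every class in; only a "!X" token takes one back out
            findings.append(f"context {name}: CipherSuite admits {sorted(weak)}")
    for name in drivers:  # each driver listens on one port and must name a defined context
        drv = sections.get(f"{base}/ssldriver/{name}", {})
        ctx = drv.get("sslcontext")
        if ctx not in contexts:
            findings.append(f"driver {name}: sslcontext {ctx!r} is not a defined context")
    return findings
```

Run it against your own nsd.tcl by passing the file contents to parse_nsd; the admin driver in the sample deliberately points at a context that was never listed, which is the mistake the lint catches.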



On Thursday, September 25, 2003, at 04:03 PM, Bart Teeuwisse wrote:

I'd like to experiment with nsopenssl 3.x on AOLServer 4.x. I'm aware that
nsopenssl 3.x isn't production ready yet. Still, I'd like to run some
experiments but I'm not quite clear how to use the new design.

Following the README file, I've configured nsd.tcl as per the 2.x
instructions. However, I'm at a loss how to define contexts and drivers for
virtual servers. The Design paragraph at the end of the README file mentions
how the new workflow uses the contexts and drivers defined in nsd.tcl but
doesn't include examples.

Scott, would you be so kind to enlighten me?

Thanks,

/Bart


-- AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to
<[EMAIL PROTECTED]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the
Subject: field of your email blank.
