Of course
ns_section "ns/server/${server}/module/nsopenssl"
# this is used by acs-tcl/tcl/security-procs.tcl to get the https port.
ns_param ServerPort $httpsport
# setting maxinput higher than practical may leave the server
vulnerable to resource DoS attacks
# see http://www.panoptic.com/wiki/aolserver/166
# must set maxinput for nsopenssl as well as nssock
ns_param maxinput [expr {$max_file_upload_mb * 1024 *
1024}] ;# Maximum File Size for uploads in bytes
# We explicitly tell the server which SSL contexts to use as defaults
when an
# SSL context is not specified for a particular client or server SSL
# connection. Driver connections do not use defaults; they must be
explicitly
# specificied in the driver section. The Tcl API will use the defaults
as there
# is currently no provision to specify which SSL context to use for a
# particular connection via an ns_openssl Tcl command.
ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
ns_param users "SSL context used for regular user access"
# ns_param admins "SSL context used for administrator access"
ns_param client "SSL context used for outgoing script socket
connections"
ns_section "ns/server/${server}/module/nsopenssl/defaults"
ns_param server users
ns_param client client
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role server
ns_param ModuleDir ${serverroot}/etc/certs
# ns_param CertFile users-certfile.pem
ns_param CertFile cnauto-cert.pem
# ns_param KeyFile users-keyfile.pem
ns_param KeyFile cnauto-key.pem
# CADir/CAFile can be commented out, if CA chain cert is appended to
CA issued server cert.
ns_param CADir ${serverroot}/etc/certs
# ns_param CADir
/usr/local/src/nsopenssl-3.0beta26/ca/ca1/
# ns_param CAFile users-ca.crt
ns_param CAFile ca1.pem
# for Protocols "ALL" = "SSLv2, SSLv3, TLSv1"
ns_param Protocols "SSLv3, TLSv1"
ns_param CipherSuite
"ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false
# following helps to stablize some openssl connections from buggy
clients.
ns_param SessionCache true
ns_param SessionCacheID 1
ns_param SessionCacheSize 512
ns_param SessionCacheTimeout 300
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
ns_param Role client
ns_param ModuleDir ${serverroot}/etc/certs
ns_param CertFile cnauto-cert.pem
ns_param KeyFile cnauto-key.pem
# CADir/CAFile can be commented out, if CA chain cert is appended to CA
issued server cert.
ns_param CADir ${serverroot}/etc/certs
ns_param CAFile ca1.pem
# for Protocols "ALL" = "SSLv2, SSLv3, TLSv1"
ns_param Protocols "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite
"ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false
On Wed, Jun 20, 2012 at 2:01 AM, Sep Ng <thejackschm...@gmail.com> wrote:
> My guess is it has something to do with your keys and certificates,
> maybe. Maybe you should post relevant sections of your config.tcl.
>
>
> On Monday, June 18, 2012 8:11:18 PM UTC+8, Iuri Sampaio wrote:
>>
>> Hi there,
>>
>> After setting up nsopenssl on aolserver I got the following error.
>>
>>
>>
>> SSL connection error
>> Unable to make a secure connection to the server. This may be a problem
>> with the server, or it may be requiring a client authentication certificate
>> that you don't have.
>> Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
>>
>>
>>
>> Though, 1) config.tcl is properly set
>> 2) paths and permissions are properly set
>> 3) and logs show the libs and certs were loaded sucessfully
>>
>>
>> [17/Jun/2012:20:20:45][30618.
>> 3074823872][-main-] Notice: modload: loading '/usr/lib/aolserver4/bin/**
>> nssha1.so'
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: modload:
>> loading '/usr/lib/aolserver4/bin/**nsopenssl-3.0/nsopenssl.so'
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl:
>> generating 512-bit temporary RSA key ...
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl:
>> generating 1024-bit temporary RSA key ...
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): loading SSL context 'users'
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): 'users' ciphers loaded successfully
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): 'users' using SSLv3 protocol
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): 'users' using TLSv1 protocol
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): 'users' certificate and key loaded successfully
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): 'users' CA file loaded successfully
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: users
>> (nsopenssl): session cache is turned on for sslcontext 'cnauto'
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): loading SSL context 'client'
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): 'client' ciphers loaded successfully
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): 'client' using SSLv2 protocol
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): 'client' using SSLv3 protocol
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): 'client' using TLSv1 protocol
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): 'client' certificate and key loaded successfully
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): 'client' CA file loaded successfully
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: client
>> (nsopenssl): session cache is turned on for sslcontext 'cnauto'
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): default SSL context for server is users
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: default
>> server SSL context: users
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): default SSL context for client is client
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: default
>> client SSL context: client
>> [17/Jun/2012:20:20:45][30618.**3074823872][-main-] Notice: nsopenssl
>> (cnauto): loading 'users' SSL driver
>> ...
>> [17/Jun/2012:20:20:56][30618.**3052837744][-nsopenssl:driver-**] Notice:
>> starting
>> [17/Jun/2012:20:20:56][30618.**3052837744][-nsopenssl:driver-**] Notice:
>> nsopenssl: listening on 127.0.0.1:8443
>> #######
>>
>>
>> I believe the error is related to the 'client' certificate. Before I
>> got the error:
>>
>>
>> ########
>> [17/Jun/2012:20:00:42][30405.**3074971328][-main-] Notice: nsopenssl
>> (cnauto): loading SSL context 'client'
>> [17/Jun/2012:20:00:42][30405.**3074971328][-main-] Notice: nsopenssl
>> (cnauto): 'client' ciphers loaded successfully
>> [17/Jun/2012:20:00:42][30405.**3074971328][-main-] Notice: nsopenssl
>> (cnauto): 'client' using SSLv2 protocol
>> [17/Jun/2012:20:00:42][30405.**3074971328][-main-] Notice: nsopenssl
>> (cnauto): 'client' using SSLv3 protocol
>> [17/Jun/2012:20:00:42][30405.**3074971328][-main-] Notice: nsopenssl
>> (cnauto): 'client' using TLSv1 protocol
>> [17/Jun/2012:20:00:42][30405.**3074971328][-main-] Error: nsopenssl
>> (cnauto): 'client' certificate file is not readable or does not exist
>> [17/Jun/2012:20:00:42][30405.**3074971328][-main-] Error: nsopenssl
>> (cnauto): SSL context 'client' left uninitialized
>> [17/Jun/2012:20:00:42][30405.**3074971328][-main-] Notice: nsopenssl
>> (cnauto): default SSL context for server is users
>> [17/Jun/2012:20:00:42][30405.**3074971328][-main-] Notice: default
>> server SSL context: users
>> [17/Jun/2012:20:00:42][30405.**3074971328][-main-] Notice: nsopenssl
>> (cnauto): default SSL context for client is client
>> [17/Jun/2012:20:00:42][30405.**3074971328][-main-] Notice: default
>> client SSL context: client
>> [17/Jun/2012:20:00:42][30405.**3074971328][-main-] Notice: nsopenssl
>> (cnauto): loading 'users' SSL driver
>> #########
>>
>> Then I changed the 'client' cert's paths within config.tcl to the same of
>> users
>>
>>
>>
>> Would that be the issue?
>>
>> Best wishes,
>> Iuri
>>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> aolserver-talk mailing list
> aolserver-talk@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/aolserver-talk
>
>
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
aolserver-talk mailing list
aolserver-talk@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/aolserver-talk
