I’m fairly certain that you can’t have multiple listeners on the same IP address and port number on a NIC simultaneously, even if they’re all binding from the same process. All three of the virtual servers below are configured to use the same IP address and port number, and the first nsopenssl instance to bind to it, ‘owns’ it. The rest get EPERM from the operating system. I think the way multiple SSL certificates are bound to a single IP address and port: the server listens on the IP and port, and looks at the Host header of the incoming connection to determine which SSL certificate to use for that particular connection. I don’t think AOLserver has the ability to do this today. The other way to do it is to create three distinct IP addresses on your NIC and use one for each SSL instance. There may be other ways to make this work, but any of them will probably require rewiring AOLserver and nsopenssl.
Aside: the direct email to your address above bounced — see here: <tma...@ecognizant.net <mailto:tma...@ecognizant.net>>: host ecognizant.net <http://ecognizant.net/>[23.253.246.52] said: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1) (in reply to RCPT TO command) Reporting-MTA: dns; mailout.nyi.internal X-Postfix-Queue-ID: 4732622053 X-Postfix-Sender: rfc822; sc...@scottg.net <mailto:sc...@scottg.net> Arrival-Date: Sun, 16 Aug 2015 09:04:30 -0400 (EDT) /s. > On Aug 15, 2015, at 8:17 PM, Thorpe Mayes <tma...@ecognizant.net> wrote: > > Hi, > > I have AOLserver 4.5.2 running with virtual servers - main.tcl with several > sub config files. > > Three of the domain names are using SSL. The certificate is a UCC SSL > Certificate that will accommodate up to 5 domain names. > > If I activate the virtual server for just one of the three domains that are > using SSL, then everything works fine. When I activate two or more of the sub > files that need ssl, the server fails to start. Here is the tail end of the > log file: > > [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: > AOLserver/4.5.2 running > [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: > security info: uid=502, euid=502, gid=502\ > , egid=502 > [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: > starting: nssock > [15/Aug/2015:18:39:13][3924.18446744073356683008][-sched-] Notice: sched: > starting > [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: > starting > [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: > nssock: listening on 23.253.246.52:80 > [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: > starting: nsopenssl > [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: > starting > [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: > nsopenssl: listening on 23.253.246.52\ > :443 > [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: > starting: nsopenssl > [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: > starting > [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Error: > nsopenssl: failed to listen on 23.253.\ > 246.52:443: Permission denied > [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: > exiting > [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: > starting: nsopenssl > [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: > starting > [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Error: > nsopenssl: failed to listen on 23.253.\ > 246.52:443: Permission denied > [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: > exiting > [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Fatal: could not > start drivers > > > Here is the ssl portion of the main.tcl file: > > ns_section "ns/server/module/nsopenssl" > # ns_param RandomFile /some/file > > ns_param SeedBytes 2048; # was 1024 > > > Here is what the ssl portion of the sub files (all appear to load > successfully - see below): > > #--------------------------------------------------------------------- > > # OpenSSL and nsopenssl > > # http://openacs.org/forums/message-view?message_id=320064 > <http://openacs.org/forums/message-view?message_id=320064> - for nsd code - > note: must use port 443 > # http://openacs.org/doc/install-nsopenssl.html > <http://openacs.org/doc/install-nsopenssl.html> - binding port 443 in > daemontools > #--------------------------------------------------------------------- > > > ns_section "ns/server/${ecognizant}/module/nsopenssl/sslcontexts" > ns_param ${ecognizant}_users_ctx "SSL context used for $ecognizant regular > user access" > # ns_param admins_ctx "SSL context used for administrator access" > > ns_param ${ecognizant}_client_ctx "SSL context used for $ecognizant outgoing > script socket connections" > > > ns_section "ns/server/${ecognizant}/module/nsopenssl/defaults" > ns_param server ${ecognizant}_users_ctx > ns_param client ${ecognizant}_client_ctx > > > ns_section > "ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_users_ctx" > ns_param Role server > ns_param ModuleDir $ssldocdir > ns_param CertFile cert.pem > ns_param KeyFile key.pem > ns_param CAFile ca.pem > ns_param Protocols "All" > ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" > ns_param PeerVerify false > ns_param PeerVerifyDepth 3 > ns_param Trace false > > > ns_section > "ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_client_ctx" > ns_param Role client > ns_param ModuleDir $ssldocdir > ns_param CertFile cert.pem > ns_param KeyFile key.pem > ns_param CAFile ca.pem > ns_param Protocols "All" > ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" > ns_param PeerVerify false > ns_param PeerVerifyDepth 3 > ns_param Trace false > > > ns_section "ns/server/${ecognizant}/module/nsopenssl/ssldrivers" > ns_param ${ecognizant}_users_drv "Driver for regular $ecognizant user access" > > > ns_section > "ns/server/${ecognizant}/module/nsopenssl/ssldriver/${ecognizant}_users_drv" > ns_param sslcontext ${ecognizant}_users_ctx > ns_param port $httpsport > ns_param hostname $hostname > ns_param address $address > ns_param maxinput [expr {1024 * 1000 * 10}] ;# 10 MB upload limit > > > > ns_section "ns/server/${ecognizant}/modules" > ns_param nslog ${bindir}/nslog${ext} > ns_param nsdb ${bindir}/nsdb${ext} > ns_param nscache ${bindir}/nscache${ext} > ns_param nssha1 ${bindir}/nssha1${ext} > ns_param nsopenssl ${bindir}/nsopenssl${ext} > > > The log file portion of one of the sub files that have ssl: > > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: > fastpath[server10]: mapped GET / > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: > fastpath[server10]: mapped HEAD / > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: > fastpath[server10]: mapped POST / > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nslog: > opened '/usr/local/aolserver/servers/server10/access.log' > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nscache > module version 1.5 server: server10 > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: modload: > loading '/usr/local/aolserver/bin/nsopenssl.so' > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl: > generating 512-bit temporary RSA key ... > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl: > generating 1024-bit temporary RSA key ... > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl > (server10): loading SSL context 'server10_users_ctx' > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl > (server10): 'server10_users_ctx' ciphers loaded successfully > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl > (server10): 'server10_users_ctx' using all protocols: SSLv2, SSLv3 and TLSv1 > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl > (server10): 'server10_users_ctx' certificate and key loaded successfully > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl > (server10): 'server10_users_ctx' CA file loaded successfully > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: > server10_users_ctx (nsopenssl): session cache is turned on for sslcontext > 'server10' > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl > (server10): loading SSL context 'server10_client_ctx' > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl > (server10): 'server10_client_ctx' ciphers loaded successfully > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl > (server10): 'server10_client_ctx' using all protocols: SSLv2, SSLv3 and TLSv1 > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl > (server10): 'server10_client_ctx' certificate and key loaded successfully > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl > (server10): 'server10_client_ctx' CA file loaded successfully > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: > server10_client_ctx (nsopenssl): session cache is turned on for sslcontext > 'server10' > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl > (server10): default SSL context for server is server10_users_ctx > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: default > server SSL context: server10_users_ctx > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl > (server10): default SSL context for client is server10_client_ctx > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: default > client SSL context: server10_client_ctx > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl > (server10): loading 'server10_users_drv' SSL driver > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: conf: > [ns/server/server10]enabletclpages = 1 > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: tcl: > enabling .tcl pages > [15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: default > thread pool: minthreads 0 maxthreads 10 idle 0 current 0 maxconns 4000 queued > 0 timeout 1000\ > 000 spread 20 > > Here is what the command that starts the server looks like: > > /usr/local/aolserver/bin/nsd -u nsadmin -g nsadmin -it > /usr/local/aolserver/front_end.tcl -b 23.253.246.52:80,23\ > .253.246.52:443 > > It looks like the ssl connection (port 443) is being loaded three times, with > the last two failing and preventing the server from starting. > > Does anyone have an insight for me? > > Thank you, > > Thorpe > > > > > > > ------------------------------------------------------------------------------ > _______________________________________________ > aolserver-talk mailing list > aolserver-talk@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/aolserver-talk
------------------------------------------------------------------------------
_______________________________________________ aolserver-talk mailing list aolserver-talk@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/aolserver-talk
