Why are you using the same file for both your Certificates and your list of CA Certificates to validate incoming certificates with?
This variation of the configuration is the most recent, and most disparate (pun intended). =)
I cannot find docs on how to configure the openssl (*CAFile and *CADir) parameters (usually leaving their values as CA/CA.pem). Is there a section in the docs somewhere that relates to this?
Are these only used with peer-to-peer server connections that require a valid CA?
Torben
> When a client passes you their certificate, nsopenssl uses the CA certificates in the CAFile to validate that client certificate. Based on what I see below, you're using your own certificate as if it were a CA certificate, which means you'll never be able to validate any certificates.
SockServerCertFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
SockServerKeyFile = /usr/local/www/service463/etc/certs/dekka.key.pem
SockServerCAFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
SockClientCertFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
SockClientKeyFile = /usr/local/www/service463/etc/certs/dekka.key.pem
SockClientCAFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
Secondly, nsopenssl does not abort a connection because of invalid certs -- it just logs them. Your response to the invalid cert is your application's responsibility. The reason is that you might want to return a useful error page to the user or application on the other end; if you barf on the SSL handshake, the user gets whatever error page the browser generates because no content ever passes between the two.
The SSL handshake completes successfully, meaning that you have established a good SSL connection. Your problem is the database operation. Without seeing the schema and code, can't really say much about that.
-- AOLserver - http://www.aolserver.com/
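Added example, not part of the original messages and not nsopenssl code: a shell check, using the standard openssl command line, of the CAFile point made in the thread. It builds a throwaway CA with a server and a client certificate, then verifies the client certificate once with the server's own certificate as the CA file and once with the issuing CA. All subjects and file names are constructed for the demo, and the server certificate is assumed to be a CA-issued leaf rather than self-signed.

```shell
#!/bin/sh
# Constructed demo PKI: one CA, plus a server and a client certificate signed by it.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$dir/ca.key.pem" -out "$dir/ca.pem" 2>/dev/null || return 1
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
            -keyout "$dir/$name.key.pem" -out "$dir/$name.csr.pem" \
            2>/dev/null || return 1
        openssl x509 -req -days 1 -in "$dir/$name.csr.pem" \
            -CA "$dir/ca.pem" -CAkey "$dir/ca.key.pem" -CAcreateserial \
            -out "$dir/$name.crt.pem" 2>/dev/null || return 1
    done
}

# True only if the peer certificate ($2) chains to a certificate in the CA file ($1).
# The output is matched instead of the exit status so old openssl builds behave the same.
ca_file_validates() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Compare the two choices of CA file for validating the same client certificate.
demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
    # Pattern from the thread: the CA file is the server's own certificate.
    if ca_file_validates "$dir/server.crt.pem" "$dir/client.crt.pem"; then
        own=valid
    else
        own=rejected
    fi
    # Corrected pattern: the CA file holds the CA that issued the client certificate.
    if ca_file_validates "$dir/ca.pem" "$dir/client.crt.pem"; then
        ca=valid
    else
        ca=rejected
    fi
    rm -rf "$dir"
    echo "CAFile=own-cert:$own CAFile=issuing-CA:$ca"
}

demo
```

The same `openssl verify -CAfile` call can be pointed at a real CA file and a sample peer certificate before the paths go into the server configuration.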
