I am trying to get the latest nsopenssl (3.0beta17) to work with
AOLserver 4.0.5 and a self-signed certificate (for testing). This is
the first time I've used nsopenssl in quite some time, and boy have
things changed! I am getting this error and I'm not sure where to go
from here:
[12/Jul/2004:18:40:33][16911.1024][-main-] Notice: nsopenssl (staging-nybooks): 'users' failed to load CA certificate file '/export/aolserver4/servers/staging-nybooks/modules/nsopenssl/ca.pem'
I realize that this is a default, caused by my not specifying
something. The following is the relevant section of my config file;
it is mostly the one from the HEAD version of config.tcl from OpenACS,
but I had to add the sslcontexts section from Scott's sample nsd.tcl
to get as far as I did.
My hunch is that I'm having trouble because CADir and CAFile are
commented out, but I don't know how to set them. I don't have a file
called ca.pem anywhere on my system.
Suggestions, anyone? Thanks in advance!
janine
# ---------------------------------------------------------
# this is used by acs-tcl/tcl/security-procs.tcl to get the
# https port.
# ---------------------------------------------------------
ns_param ServerPort $httpsport
ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
ns_param users "SSL context used for regular user access"
ns_param admins "SSL context used for administrator access"
ns_param client "SSL context used for outgoing script socket connections"
ns_section "ns/server/${server}/module/nsopenssl/defaults"
ns_param server users
ns_param client client
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role server
ns_param ModuleDir ${homedir}/${server}/etc/certs
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
#ns_param CADir ca-client/dir
#ns_param CAFile ca-client/ca-client.crt
ns_param Protocols "SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false
#ns_section "ns/server/${server}/module/nsopenssl/sslcontext/admins"
#ns_param Role server
#ns_param ModuleDir /path/to/dir
#ns_param CertFile server/server.crt
#ns_param KeyFile server/server.key
#ns_param CADir ca-client/dir
#ns_param CAFile ca-client/ca-client.crt
#ns_param Protocols "All"
#ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
#ns_param PeerVerify false
#ns_param PeerVerifyDepth 3
#ns_param Trace false
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
ns_param Role client
ns_param ModuleDir ${homedir}/${server}/etc/certs
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
#ns_param CADir ${serverroot}/etc/certs
#ns_param CAFile certfile.pem
ns_param Protocols "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false
# SSL drivers. Each driver defines a port to listen on and an explicitly named
# SSL context to associate with it. Note that you can now have multiple driver
# connections within a single virtual server, which can be tied to different
# SSL contexts. Isn't that cool?
ns_section "ns/server/${server}/module/nsopenssl/ssldrivers"
ns_param users "Driver for regular user access"
ns_param admins "Driver for administrator access"
ns_section "ns/server/${server}/module/nsopenssl/ssldriver/users"
ns_param sslcontext users
# ns_param port $httpsport_users
ns_param port $httpsport
ns_param hostname $hostname
ns_param address $address
ns_section "ns/server/${server}/module/nsopenssl/ssldriver/admins"
ns_param sslcontext admins
# ns_param port $httpsport_admins
ns_param port $httpsport
ns_param hostname $hostname
ns_param address $address
--
AOLserver - http://www.aolserver.com/
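A config check added here as an example; it is not part of janine's post and not nsopenssl's own code. It parses an nsd.tcl-style fragment shaped like the one above, substitutes ${server} and ${homedir}, and reports drivers bound to a context that has no section (the admins driver above points at the commented-out admins context) and CertFile/KeyFile/CAFile entries that do not resolve to an existing file. HOMEDIR, SERVER and the set of existing files are assumptions, and the ca.pem fallback used when CAFile is unset is modelled on the path in the log line above.

```python
import re
# Constructed excerpt in the shape of the poster's config, not their full nsd.tcl.
SAMPLE_CONFIG = """
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param ModuleDir ${homedir}/${server}/etc/certs
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
#ns_param CAFile ca-client/ca-client.crt
ns_section "ns/server/${server}/module/nsopenssl/ssldrivers"
ns_param users "Driver for regular user access"
ns_param admins "Driver for administrator access"
ns_section "ns/server/${server}/module/nsopenssl/ssldriver/users"
ns_param sslcontext users
ns_section "ns/server/${server}/module/nsopenssl/ssldriver/admins"
ns_param sslcontext admins
"""
HOMEDIR, SERVER = "/export/aolserver4/servers", "staging-nybooks"  # assumed values
PRESENT = {f"{HOMEDIR}/{SERVER}/etc/certs/{f}" for f in ("certfile.pem", "keyfile.pem")}  # assumed to exist

def parse_config(text, variables):
    """Return {section: {param: value}} with ${var} substituted and comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"\$\{(\w+)\}", lambda m: variables[m.group(1)], raw.strip())
        if not line or line.startswith("#"):
            continue
        if m := re.match(r'ns_section\s+"?([^"]+?)"?$', line):
            current = sections.setdefault(m.group(1), {})
        elif (m := re.match(r'ns_param\s+(\w+)\s+"?([^"]*?)"?$', line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return sections

def lint_nsopenssl(sections, homedir, server, present):
    """List drivers bound to undefined contexts and context files that are missing."""
    base, problems = f"ns/server/{server}/module/nsopenssl", []
    for drv in sections.get(f"{base}/ssldrivers", {}):
        ctx = sections.get(f"{base}/ssldriver/{drv}", {}).get("sslcontext")
        if f"{base}/sslcontext/{ctx}" not in sections:
            problems.append(f"driver '{drv}': sslcontext '{ctx}' has no section")
    for key, params in sections.items():
        if not key.startswith(f"{base}/sslcontext/"):
            continue
        ctx = key.rsplit("/", 1)[1]
        # Assumed fallback when CAFile is unset, modelled on the path in the poster's log line.
        defaults = {"CAFile": f"{homedir}/{server}/modules/nsopenssl/ca.pem"}
        for param in ("CertFile", "KeyFile", "CAFile"):
            path = f"{params['ModuleDir']}/{params[param]}" if param in params else defaults.get(param)
            if path is None or path not in present:
                problems.append(f"context '{ctx}': {param} '{path}' is missing")
    return problems
```

Running lint_nsopenssl on the sample reports the undefined admins context and the missing ca.pem; pointing CAFile at a file that exists under ModuleDir clears the second finding.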