Well, I got further by using these values:
ns_param CADir /usr/share/ssl
ns_param CAFile /usr/share/ssl/cert.pem
(seemed reasonable to try since I used /usr/share/ssl/misc/CA to sign
my certificate)
And also commented out all of the uses of the admins context, which was
causing errors. I now get a clean initialization of nsopenssl, but I
am still getting a "connection refused" to any access to it, even
telnet. I've had the firewall checked and it's supposed to be open.
Anything else I've got wrong? Here's the section again with my latest
edits, in case I've messed something up:
ns_param ServerPort $httpsport
ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
ns_param users "SSL context used for regular user access"
# ns_param admins "SSL context used for administrator access"
ns_param client "SSL context used for outgoing script socket connections"
ns_section "ns/server/${server}/module/nsopenssl/defaults"
ns_param server users
ns_param client client
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role server
ns_param ModuleDir ${homedir}/${server}/etc/certs
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
ns_param CADir /usr/share/ssl
ns_param CAFile /usr/share/ssl/cert.pem
ns_param Protocols "SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false
#ns_section "ns/server/${server}/module/nsopenssl/sslcontext/admins"
#ns_param Role server
#ns_param ModuleDir /path/to/dir
#ns_param CertFile server/server.crt
#ns_param KeyFile server/server.key
#ns_param CADir ca-client/dir
#ns_param CAFile ca-client/ca-client.crt
#ns_param Protocols "All"
#ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
#ns_param PeerVerify false
#ns_param PeerVerifyDepth 3
#ns_param Trace false
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
ns_param Role client
ns_param ModuleDir ${homedir}/${server}/etc/certs
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
ns_param CADir /usr/share/ssl
ns_param CAFile /usr/share/ssl/cert.pem
ns_param Protocols "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false
# SSL drivers. Each driver defines a port to listen on and an explicitly named
# SSL context to associate with it. Note that you can now have multiple driver
# connections within a single virtual server, which can be tied to different
# SSL contexts. Isn't that cool?
ns_section "ns/server/${server}/module/nsopenssl/ssldrivers"
ns_param users "Driver for regular user access"
# ns_param admins "Driver for administrator access"
ns_section "ns/server/${server}/module/nsopenssl/ssldriver/users"
ns_param sslcontext users
# ns_param port $httpsport_users
ns_param port $httpsport
ns_param hostname $hostname
ns_param address $address
ns_section "ns/server/${server}/module/nsopenssl/ssldriver/admins"
ns_param sslcontext admins
# ns_param port $httpsport_admins
ns_param port $httpsport
ns_param hostname $hostname
ns_param address $address
--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of
your email blank.
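The posted configuration lists contexts and drivers in one section and defines them in another, so an entry commented out in one place (here the "admins" context) can leave a dangling reference elsewhere (the "ssldriver/admins" section still names it). The following is an added example, not code from the post or from the AOLserver/nsopenssl project: a small parser for the ns_section/ns_param lines plus a cross-reference check over the nsopenssl layout the post uses. It assumes that the sslcontexts and ssldrivers sections are the lists the module reads, that every listed name has a matching sslcontext/<name> or ssldriver/<name> section, and that two drivers in one virtual server should not share a port; SAMPLE_CONFIG is a constructed, shortened copy of the posted layout.

```python
"""Added example: a consistency check over an nsopenssl configuration.

Parses ns_section / ns_param lines and cross-references the sslcontexts,
defaults, sslcontext/<name>, ssldrivers and ssldriver/<name> sections so
that a context or driver listed in one place but missing (or commented
out) in another is reported before the server is started.
"""
import re
from typing import Dict, List

MODULE = "ns/server/${server}/module/nsopenssl"

# Constructed sample modelled on the posted config (not the poster's file):
# the admins context is commented out of sslcontexts, but a
# ssldriver/admins section still refers to it.
SAMPLE_CONFIG = """
ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
ns_param users "SSL context used for regular user access"
# ns_param admins "SSL context used for administrator access"
ns_param client "SSL context used for outgoing script socket connections"
ns_section "ns/server/${server}/module/nsopenssl/defaults"
ns_param server users
ns_param client client
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role server
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
ns_param PeerVerify false
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
ns_param Role client
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
ns_param PeerVerify false
ns_section "ns/server/${server}/module/nsopenssl/ssldrivers"
ns_param users "Driver for regular user access"
# ns_param admins "Driver for administrator access"
ns_section "ns/server/${server}/module/nsopenssl/ssldriver/users"
ns_param sslcontext users
ns_param port $httpsport
ns_section "ns/server/${server}/module/nsopenssl/ssldriver/admins"
ns_param sslcontext admins
ns_param port $httpsport
"""

SECTION_RE = re.compile(r'^ns_section\s+"?([^"\s]+)"?$')
PARAM_RE = re.compile(r'^ns_param\s+(\S+)\s*(.*)$')


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section_path: {param: value}}. Lines starting with '#' are
    skipped, so a commented-out ns_param really is absent from the result."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip().strip('"')
    return sections


def check_nsopenssl(sections: Dict[str, Dict[str, str]], module: str = MODULE) -> List[str]:
    """Cross-reference the nsopenssl sections and return readable findings."""
    findings: List[str] = []
    contexts = sections.get(f"{module}/sslcontexts", {})
    drivers = sections.get(f"{module}/ssldrivers", {})
    defaults = sections.get(f"{module}/defaults", {})

    # Every listed context needs its own section carrying key material.
    for name in contexts:
        sec = sections.get(f"{module}/sslcontext/{name}")
        if sec is None:
            findings.append(f"context '{name}' is listed but has no sslcontext/{name} section")
            continue
        for key in ("CertFile", "KeyFile"):
            if key not in sec:
                findings.append(f"context '{name}' has no {key}")

    # The defaults must name listed contexts.
    for role, name in defaults.items():
        if name not in contexts:
            findings.append(f"default {role} context '{name}' is not listed in sslcontexts")

    # Every listed driver needs a section naming a listed context and a unique port.
    ports: Dict[str, str] = {}
    for name in drivers:
        sec = sections.get(f"{module}/ssldriver/{name}")
        if sec is None:
            findings.append(f"driver '{name}' is listed but has no ssldriver/{name} section")
            continue
        ctx = sec.get("sslcontext")
        if ctx not in contexts:
            findings.append(f"driver '{name}' references context '{ctx}', which is not listed in sslcontexts")
        port = sec.get("port", "")
        if port in ports:
            findings.append(f"driver '{name}' shares port {port} with driver '{ports[port]}'")
        ports[port] = name

    # Driver sections that exist but are not in the ssldrivers list: flag the mismatch.
    prefix = f"{module}/ssldriver/"
    for path in sections:
        if path.startswith(prefix) and path[len(prefix):] not in drivers:
            findings.append(f"section ssldriver/{path[len(prefix):]} exists but is not listed in ssldrivers")
    return findings


if __name__ == "__main__":
    for finding in check_nsopenssl(parse_config(SAMPLE_CONFIG)):
        print("WARNING:", finding)
```

Run against the real file with `parse_config(open(path).read())`; on the constructed sample it reports only the orphaned ssldriver/admins section, and if the admins driver is put back into ssldrivers it additionally reports the reference to the unlisted "admins" context and the two drivers sharing $httpsport. A clean run does not prove the listener is reachable, so it complements, rather than replaces, checking the server log for the bind and a local connection test to the port.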