To add a bit more data to the fire, here is the config section I was
using for nsopenssl with AOLserver 4. It is basically straight out of
the latest version of the OpenACS suggested config file.

The *.pem files do exist; I believe I changed the client cert section
to point to the same files as the server cert because it got rid of
some errors.

This config has SSLv2 in the Protocols for the client but not for the
server.  I don't really understand how this all works, so I don't know
if that's ok or not?

With this config section I saw no errors in the log on startup, but of
course I did have other, more serious problems.

janine

    # ---------------------------------------------------------
    # this is used by acs-tcl/tcl/security-procs.tcl to get the
    # https port.
    # ---------------------------------------------------------
    ns_param ServerPort                $httpsport

    ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
    ns_param users        "SSL context used for regular user access"
#    ns_param admins       "SSL context used for administrator access"
    ns_param client       "SSL context used for outgoing script socket connections"

    ns_section "ns/server/${server}/module/nsopenssl/defaults"
    ns_param server               users
    ns_param client               client

    ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
    ns_param Role                  server
    ns_param ModuleDir             ${homedir}/${server}/etc/certs
    ns_param CertFile              certfile.pem
    ns_param KeyFile               keyfile.pem
    ns_param CADir                 /usr/share/ssl
    ns_param CAFile                /usr/share/ssl/cert.pem
    ns_param Protocols             "SSLv3, TLSv1"
    ns_param CipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
    ns_param PeerVerify            false
    ns_param PeerVerifyDepth       3
    ns_param Trace                 false

    #ns_section "ns/server/${server}/module/nsopenssl/sslcontext/admins"
    #ns_param Role                  server
    #ns_param ModuleDir             /path/to/dir
    #ns_param CertFile              server/server.crt
    #ns_param KeyFile               server/server.key
    #ns_param CADir                 ca-client/dir
    #ns_param CAFile                ca-client/ca-client.crt
    #ns_param Protocols             "All"
    #ns_param CipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
    #ns_param PeerVerify            false
    #ns_param PeerVerifyDepth       3
    #ns_param Trace                 false

    ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
    ns_param Role                  client
    ns_param ModuleDir             ${homedir}/${server}/etc/certs
    ns_param CertFile              certfile.pem
    ns_param KeyFile               keyfile.pem
    ns_param CADir                 /usr/share/ssl
    ns_param CAFile                /usr/share/ssl/cert.pem
    ns_param Protocols             "SSLv2, SSLv3, TLSv1"
    ns_param CipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
    ns_param PeerVerify            false
    ns_param PeerVerifyDepth       3
    ns_param Trace                 false

    # SSL drivers. Each driver defines a port to listen on and an explicitly named
    # SSL context to associate with it. Note that you can now have multiple driver
    # connections within a single virtual server, which can be tied to different
    # SSL contexts. Isn't that cool?

    ns_section "ns/server/${server}/module/nsopenssl/ssldrivers"
    ns_param users         "Driver for regular user access"
#    ns_param admins        "Driver for administrator access"

    ns_section "ns/server/${server}/module/nsopenssl/ssldriver/users"
    ns_param sslcontext            users
    # ns_param port                  $httpsport_users
    ns_param port                  $httpsport
    ns_param hostname              $hostname
    ns_param address               $address

    ns_section "ns/server/${server}/module/nsopenssl/ssldriver/admins"
    ns_param sslcontext            admins
    # ns_param port                  $httpsport_admins
    ns_param port                  $httpsport
    ns_param hostname              $hostname
    ns_param address               $address


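An added check, not part of the post above and not code from AOLserver, nsopenssl or OpenACS: it parses the ns_section/ns_param lines of the sslcontext sections and flags the settings the post asks about, namely SSLv2 in Protocols, the cipher-string entries that a leading '+' only reorders rather than removes, and PeerVerify false on the client context (which means outgoing connections never check the remote server's certificate). The embedded config excerpt is constructed from the sections above.

```python
import re
from collections import defaultdict
# Constructed excerpt of the two sslcontext sections posted above.
SAMPLE_CONFIG = """
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role                  server
ns_param Protocols             "SSLv3, TLSv1"
ns_param CipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify            false
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
ns_param Role                  client
ns_param Protocols             "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify            false
"""

def parse_sections(text):
    # Group ns_param name/value pairs under their ns_section; '#' lines are skipped.
    sections, current = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sec = re.match(r'ns_section\s+"?(.+?)"?$', line)
        if sec:
            current = sec.group(1)
            continue
        par = re.match(r'ns_param\s+(\S+)\s+"?(.*?)"?$', line)
        if par and current is not None:
            sections[current][par.group(1)] = par.group(2)
    return sections

def audit_sslcontexts(text):
    """Return (context, finding) pairs for weak settings in each sslcontext section."""
    findings = []
    for name, p in parse_sections(text).items():
        if "/sslcontext/" not in name:
            continue
        ctx = name.rsplit("/", 1)[1]
        if "SSLv2" in {x.strip() for x in p.get("Protocols", "").split(",")}:
            findings.append((ctx, "SSLv2 enabled in Protocols"))
        # '+' in an OpenSSL cipher string only reorders; ALL still includes these suites.
        ciphers = [c.lstrip("+") for c in p.get("CipherSuite", "").split(":")]
        for weak in ("EXP", "LOW", "SSLv2"):
            if weak in ciphers and "!" + weak not in ciphers:
                findings.append((ctx, f"{weak} cipher suites still enabled (use !{weak})"))
        # PeerVerify false on a client role: the remote server's certificate is never checked.
        if p.get("Role") == "client" and p.get("PeerVerify", "").lower() == "false":
            findings.append((ctx, "client context skips server certificate verification"))
    return findings
```

Running `audit_sslcontexts(SAMPLE_CONFIG)` reports three cipher findings for the users context and, for the client context, the SSLv2 protocol, the same three cipher findings and the missing peer verification.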
-- AOLserver - http://www.aolserver.com/
