On 2004.08.18, Janine Sisk <[EMAIL PROTECTED]> wrote:
> To add a bit more data to the fire, here is the config section I was
> using for nsopenssl with AOLserver 4. it is basically straight out of
> the latest version of the OpenACS suggested config file.
>
> The *.pem files do exist; I believe I changed the client cert section
> to point to the same files as the server cert because it got rid of
> some errors.
I vaguely recall some issues where you cannot use the same certificate
as both the server and client cert, but I can't find it in the archives
so maybe I'm just making this up.
> This config has SSLv2 in the Protocols for the client but not for the
> server. I don't really understand how this all works, so I don't know
> if that's ok or not?
The client config is used when you initiate outbound SSL connections
from AOLserver. The server cert is used for serving inbound connections
from web browsers/SSL clients.
You definitely need to add "SSLv2" to the "protocols" list for the
"server" config! Ahh ...
> ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
> ns_param Role server
> ns_param ModuleDir ${homedir}/${server}/etc/certs
> ns_param CertFile certfile.pem
> ns_param KeyFile keyfile.pem
> ns_param CADir /usr/share/ssl
> ns_param CAFile /usr/share/ssl/cert.pem
> ns_param Protocols "SSLv3, TLSv1"
Yes, this is the problem, for sure. Need to add "SSLv2" there.
> ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
> ns_param PeerVerify false
> ns_param PeerVerifyDepth 3
> ns_param Trace false
I wonder if the reason we're seeing this problem is the default setting
for "ciphersuite" includes "+SSLv2" but "protocols" doesn't. If you want
to refuse to use SSLv2, maybe "+SSLv2" should come out of the
"ciphersuite" param.
I don't see any good reason to refuse SSLv2 connections, so I'd rather
just add it into the "protocols" param.
If you can, make the change and give it a test ... let us know if that
solves the mystery for you. :-)
-- Dossy
--
Dossy Shiobara mail: [EMAIL PROTECTED]
Panoptic Computer Network web: http://www.panoptic.com/
"He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70)
--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of
your email blank.
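Added example, not part of this thread and not nsopenssl's own code: a small Python lint that parses an ns_section/ns_param block of the form quoted above and reports when the CipherSuite and Protocols settings disagree about SSLv2 (the mismatch Dossy points out), and, from a hardening standpoint, when SSLv2 or export/low-strength cipher keywords end up selected. The parser, the finding codes and the `audit` helper are constructed for this example; the sample config is the quoted sslcontext section with the wrapped CipherSuite line rejoined, not a real deployment.

```python
import shlex

# Constructed sample input: the nsopenssl sslcontext section quoted in the thread,
# with the wrapped CipherSuite line rejoined. Not a real deployment.
SAMPLE_CONFIG = """
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role server
ns_param ModuleDir ${homedir}/${server}/etc/certs
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
ns_param CADir /usr/share/ssl
ns_param CAFile /usr/share/ssl/cert.pem
ns_param Protocols "SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false
"""

# OpenSSL cipher-list keywords that select deliberately weak
# (export-grade / low-strength) ciphers.
WEAK_CIPHER_KEYWORDS = {"low", "exp", "export", "export40", "export56"}


def parse_ns_config(text):
    """Parse AOLserver ns_section / ns_param lines into {section: {param_lower: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "ns_section" and len(parts) == 2:
            current = parts[1]
            sections.setdefault(current, {})
        elif parts[0] == "ns_param" and len(parts) == 3 and current is not None:
            sections[current][parts[1].lower()] = parts[2]
    return sections


def check_sslcontext(params):
    """Return sorted finding codes for one sslcontext section's Protocols/CipherSuite pair."""
    protocols = {p.strip().lower()
                 for p in params.get("protocols", "").split(",") if p.strip()}
    # Keep only cipher keywords that select ciphers; "!X" and "-X" entries remove them.
    selected = {c.lstrip("+").lower()
                for c in params.get("ciphersuite", "").split(":")
                if c and not c.startswith(("!", "-"))}
    findings = set()
    if "sslv2" in selected and "sslv2" not in protocols:
        # The point raised in the thread: the cipher list names SSLv2 ciphers
        # while the protocol list refuses SSLv2, so the two settings disagree.
        findings.add("protocol-cipher-mismatch")
    if "sslv2" in protocols:
        # SSLv2 has protocol-level weaknesses and is prohibited by RFC 6176.
        findings.add("sslv2-enabled")
    if selected & WEAK_CIPHER_KEYWORDS:
        findings.add("weak-ciphers-selected")
    return sorted(findings)


def audit(text):
    """Run the check on every sslcontext section in a config; returns {section: findings}."""
    return {name: check_sslcontext(params)
            for name, params in parse_ns_config(text).items()
            if "/sslcontext/" in name}


if __name__ == "__main__":
    for section, findings in audit(SAMPLE_CONFIG).items():
        print(section, "->", ", ".join(findings) or "no findings")
```

Run as a script it prints the findings per sslcontext section. The two remedies discussed in the thread come out differently under this check: adding SSLv2 to Protocols clears the mismatch but leaves SSLv2 enabled (RFC 6176 prohibits it, and OpenSSL 1.1.0 and later no longer build it at all), while dropping "+SSLv2" from CipherSuite clears the mismatch without enabling the protocol. A present-day version of the same check would also flag SSLv3 and RC4.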