If you don't need AOLserver to act as a client then simply don't register a client context. As far as I recall it isn't required.
As for SSL2, I wouldn't trust it for e-commerce myself. I do agree that, if only for clarity, SSL2 should be enabled/disabled in both places. It is very possible that OpenSSL isn't doing the "right" thing here.
rob
Dossy Shiobara wrote:
On 2004.08.18, Janine Sisk <[EMAIL PROTECTED]> wrote:
To add a bit more data to the fire, here is the config section I was using for nsopenssl with AOLserver 4. It is basically straight out of the latest version of the OpenACS suggested config file.
The *.pem files do exist; I believe I changed the client cert section to point to the same files as the server cert because it got rid of some errors.
I vaguely recall some issues where you cannot use the same certificate as both the server and client cert, but I can't find it in the archives so maybe I'm just making this up.
This config has SSLv2 in the Protocols for the client but not for the server. I don't really understand how this all works, so I don't know if that's ok or not?
The client config is used when you initiate outbound SSL connections from AOLserver. The server cert is used for serving inbound connections from web browsers/SSL clients.
You definitely need to add "SSLv2" to the "protocols" list for the "server" config! Ahh ...
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role server
ns_param ModuleDir ${homedir}/${server}/etc/certs
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
ns_param CADir /usr/share/ssl
ns_param CAFile /usr/share/ssl/cert.pem
ns_param Protocols "SSLv3, TLSv1"
Yes, this is the problem, for sure. Need to add "SSLv2" there.
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false
I wonder if the reason we're seeing this problem is the default setting for "ciphersuite" includes "+SSLv2" but "protocols" doesn't. If you want to refuse to use SSLv2, maybe "+SSLv2" should come out of the "ciphersuite" param.
I don't see any good reason to refuse SSLv2 connections, so I'd rather just add it into the "protocols" param.
If you can, make the change and give it a test ... let us know if that solves the mystery for you. :-)
-- Dossy
-- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
-- AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
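The mismatch Dossy points at above (a "ciphersuite" that still says "+SSLv2" while "protocols" leaves SSLv2 out, and client/server contexts that disagree) is easy to miss by eye in a flattened config. The following is an added example, not code from the thread or from nsopenssl: a small Python linter that parses ns_section/ns_param text into sslcontext sections and reports that inconsistency, plus any context that has SSLv2 enabled at all (Rob's concern). The sample config is constructed to match what Janine describes; the "client" section name and its Protocols value are assumptions.

```python
import shlex
from typing import Dict, List

# Constructed sample modelled on the thread: the server context omits SSLv2 from
# Protocols but its CipherSuite still carries "+SSLv2"; the (assumed) client
# context lists SSLv2 in Protocols.
SAMPLE_CONFIG = '''
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role server
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
ns_param Protocols "SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
ns_param Role client
ns_param Protocols "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
'''


def parse_ns_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ns_section/ns_param directives (one per line or run together) into
    {section_name: {param: value}}. shlex handles the quoted values."""
    sections: Dict[str, Dict[str, str]] = {}
    tokens = shlex.split(text)
    current = None
    i = 0
    while i < len(tokens):
        if tokens[i] == "ns_section":
            current = tokens[i + 1]
            sections.setdefault(current, {})
            i += 2
        elif tokens[i] == "ns_param" and current is not None:
            sections[current][tokens[i + 1]] = tokens[i + 2]
            i += 3
        else:
            i += 1  # skip anything we don't understand
    return sections


def lint_sslcontexts(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Report Protocols/CipherSuite disagreements and any SSLv2 enablement."""
    findings: List[str] = []
    for name, params in sections.items():
        if "/sslcontext/" not in name:
            continue
        protocols = {p.strip() for p in params.get("Protocols", "").split(",") if p.strip()}
        ciphers = params.get("CipherSuite", "").split(":")
        if "+SSLv2" in ciphers and "SSLv2" not in protocols:
            findings.append(f"{name}: CipherSuite enables +SSLv2 but Protocols omits SSLv2")
        if "SSLv2" in protocols:
            findings.append(f"{name}: SSLv2 enabled in Protocols")
    return findings
```

Run it over a real config (quoted or flattened, the parser accepts both) and use the first kind of finding to decide which side to change; dropping "+SSLv2" from the ciphersuite is the option that keeps SSLv2 off everywhere.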
