Re: [AOLSERVER] SSL connection error

2012-06-20 Thread Sep Ng
I see that you have cnauto-cert.pem and cnauto-key.pem.  Can you look into 
the files and make sure that the contents are correctly tagged as 
certificate and key?

Maybe also try Protocols="All" for the sslcontext.

I'm not sure what's the problem, but hope that might help you.

On Monday, June 18, 2012 8:11:18 PM UTC+8, Iuri Sampaio wrote:
>
> Hi there,
>
> After setting up nsopenssl on aolserver I got the following error.
>
>
>
>  SSL connection error 
> Unable to make a secure connection to the server. This may be a problem 
> with the server, or it may be requiring a client authentication certificate 
> that you don't have.
>  Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
>
>
>
> Though, 1) config.tcl is properly set 
> 2) paths and permissions are properly set
> 3) and logs show the libs and certs were loaded successfully
>
>
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: modload: loading 
> '/usr/lib/aolserver4/bin/nssha1.so'
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: modload: loading 
> '/usr/lib/aolserver4/bin/nsopenssl-3.0/nsopenssl.so'
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl: 
> generating 512-bit temporary RSA key ...
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl: 
> generating 1024-bit temporary RSA key ...
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): loading SSL context 'users'
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'users' ciphers loaded successfully
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'users' using SSLv3 protocol
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'users' using TLSv1 protocol
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'users' certificate and key loaded successfully
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'users' CA file loaded successfully
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: users 
> (nsopenssl): session cache is turned on for sslcontext 'cnauto'
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): loading SSL context 'client'
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'client' ciphers loaded successfully
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'client' using SSLv2 protocol
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'client' using SSLv3 protocol
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'client' using TLSv1 protocol
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'client' certificate and key loaded successfully
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'client' CA file loaded successfully
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: client 
> (nsopenssl): session cache is turned on for sslcontext 'cnauto'
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): default SSL context for server is users
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: default server 
> SSL context: users
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): default SSL context for client is client
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: default client 
> SSL context: client
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): loading 'users' SSL driver
> ...
> [17/Jun/2012:20:20:56][30618.3052837744][-nsopenssl:driver-] Notice: 
> starting
> [17/Jun/2012:20:20:56][30618.3052837744][-nsopenssl:driver-] Notice: 
> nsopenssl: listening on 127.0.0.1:8443
> ###
>
>
> I believe the error is related to the 'client'  certificate.  Before I got 
> the error:
>
>
> 
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
> (cnauto): loading SSL context 'client'
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
> (cnauto): 'client' ciphers loaded successfully
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
> (cnauto): 'client' using SSLv2 protocol
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
> (cnauto): 'client' using SSLv3 protocol
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
> (cnauto): 'client' using TLSv1 protocol
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Error: nsopenssl 
> (cnauto): 'client' certificate file is not readable or does not exist
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Error: nsopenssl 
> (cnauto): SSL context 'client' left uninitialized
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
> (cnauto): default SSL context for server is users
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notic
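
One way to carry out the check suggested at the top of this reply, that each file is tagged as a certificate or as a key, written as an added example and not code from the thread or from nsopenssl. The label sets and the names `check_pem`, `is_der_sequence` and `sample_pem` are assumptions, the sample blocks are constructed rather than real keys, and the check does not test whether the key belongs to the certificate.

```python
import base64
import re

# PEM labels accepted for each nsopenssl parameter named in the thread (assumed sets).
CERT = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
       "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
EXPECTED = {"CertFile": CERT, "KeyFile": KEY, "CAFile": CERT}
BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END ([A-Z0-9 ]+)-----", re.S)


def is_der_sequence(der):
    """True if der is exactly one ASN.1 SEQUENCE (tag 0x30) of consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                          # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                          # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text, param):
    """Return problems found in PEM text configured as CertFile, KeyFile or CAFile."""
    blocks = BLOCK.findall(text.replace("\r\n", "\n"))
    if not blocks:
        return ["no PEM block found (raw DER, or damaged BEGIN/END lines)"]
    problems, labels = [], []
    for begin, body, end in blocks:
        labels.append(begin)
        if begin != end:
            problems.append(f"BEGIN {begin} is closed by END {end}")
        headers, sep, payload = body.partition("\n\n")
        if not (sep and ":" in headers):       # no RFC 1421 header lines present
            headers, payload = "", body
        if "ENCRYPTED" in headers or begin == "ENCRYPTED PRIVATE KEY":
            problems.append(f"{begin} block is passphrase-protected")
        if "ENCRYPTED" in headers:
            continue                           # payload is ciphertext, not DER
        try:
            der = base64.b64decode("".join(payload.split()), validate=True)
        except ValueError:
            problems.append(f"{begin} block is not valid base64")
            continue
        if begin in CERT | KEY and not is_der_sequence(der):
            problems.append(f"{begin} block does not decode to a DER SEQUENCE")
    if not any(label in EXPECTED[param] for label in labels):
        problems.append(f"{param} holds {labels}, expected one of {sorted(EXPECTED[param])}")
    return problems


def sample_pem(label, der=b"\x30\x03\x02\x01\x00"):
    """Constructed sample: a tiny DER SEQUENCE in PEM armour, not a real key or cert."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


if __name__ == "__main__":
    # Constructed stand-in for a key file configured as CertFile.
    print(check_pem(sample_pem("RSA PRIVATE KEY"), "CertFile"))
```

To use it on real files, pass each file's contents together with the parameter name it is configured under; an empty list means the armour, base64 and outer DER structure are consistent with that role.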

Re: [AOLSERVER] SSL connection error

2012-06-20 Thread Iuri Sampaio
Of course

ns_section "ns/server/${server}/module/nsopenssl"

# this is used by acs-tcl/tcl/security-procs.tcl to get the https port.
ns_param ServerPort $httpsport
# setting maxinput higher than practical may leave the server
# vulnerable to resource DoS attacks
# see http://www.panoptic.com/wiki/aolserver/166
# must set maxinput for nsopenssl as well as nssock
ns_param   maxinput   [expr {$max_file_upload_mb * 1024 * 1024}] ;# Maximum File Size for uploads in bytes

# We explicitly tell the server which SSL contexts to use as defaults when an
# SSL context is not specified for a particular client or server SSL
# connection. Driver connections do not use defaults; they must be explicitly
# specified in the driver section. The Tcl API will use the defaults as there
# is currently no provision to specify which SSL context to use for a
# particular connection via an ns_openssl Tcl command.
ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
ns_param users    "SSL context used for regular user access"
# ns_param admins   "SSL context used for administrator access"
ns_param client   "SSL context used for outgoing script socket connections"

ns_section "ns/server/${server}/module/nsopenssl/defaults"
ns_param server   users
ns_param client   client

ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role  server
ns_param ModuleDir ${serverroot}/etc/certs
#ns_param CertFile  users-certfile.pem
ns_param CertFile  cnauto-cert.pem
#ns_param KeyFile   users-keyfile.pem
ns_param KeyFile   cnauto-key.pem
# CADir/CAFile can be commented out, if CA chain cert is appended to
# CA issued server cert.
ns_param CADir ${serverroot}/etc/certs
#ns_param CADir /usr/local/src/nsopenssl-3.0beta26/ca/ca1/
#   ns_param CAFile users-ca.crt
ns_param CAFile ca1.pem
# for Protocols "ALL" = "SSLv2, SSLv3, TLSv1"
ns_param Protocols "SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth   3
ns_param Trace false

# following helps to stabilize some openssl connections from buggy
# clients.
ns_param SessionCache true
ns_param SessionCacheID 1
ns_param SessionCacheSize 512
ns_param SessionCacheTimeout 300

ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
ns_param Role  client
ns_param ModuleDir ${serverroot}/etc/certs
ns_param CertFile  cnauto-cert.pem
ns_param KeyFile   cnauto-key.pem
# CADir/CAFile can be commented out, if CA chain cert is appended to CA
# issued server cert.
ns_param CADir ${serverroot}/etc/certs
ns_param CAFile ca1.pem
# for Protocols "ALL" = "SSLv2, SSLv3, TLSv1"
ns_param Protocols "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth   3
ns_param Trace false



On Wed, Jun 20, 2012 at 2:01 AM, Sep Ng wrote:

> My guess is it has something to do with your keys and certificates,
> maybe.  Maybe you should post relevant sections of your config.tcl.
>
>
> On Monday, June 18, 2012 8:11:18 PM UTC+8, Iuri Sampaio wrote:
>>
>> Hi there,
>>
>> After setting up nsopenssl on aolserver I got the following error.
>>
>>
>>
>>  SSL connection error
>> Unable to make a secure connection to the server. This may be a problem
>> with the server, or it may be requiring a client authentication certificate
>> that you don't have.
>>  Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
>>
>>
>>
>> Though, 1) config.tcl is properly set
>> 2) paths and permissions are properly set
>> 3) and logs show the libs and certs were loaded successfully
>>
>>
>> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: modload: loading
>> '/usr/lib/aolserver4/bin/nssha1.so'
>> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: modload:
>> loading '/usr/lib/aolserver4/bin/nsopenssl-3.0/nsopenssl.so'
>> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl:
>> generating 512-bit temporary RSA key ...
>> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl:
>> generating 1024-bit temporary RSA key ...
>> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
>> (cnauto): loading SSL context 'users'
>> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
>> (cnauto): 'users' ciphers loaded successfully
>> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl

Re: [AOLSERVER] SSL connection error

2012-06-19 Thread Sep Ng
My guess is it has something to do with your keys and certificates, maybe.  
Maybe you should post relevant sections of your config.tcl.

On Monday, June 18, 2012 8:11:18 PM UTC+8, Iuri Sampaio wrote:
>
> Hi there,
>
> After setting up nsopenssl on aolserver I got the following error.
>
>
>
>  SSL connection error 
> Unable to make a secure connection to the server. This may be a problem 
> with the server, or it may be requiring a client authentication certificate 
> that you don't have.
>  Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
>
>
>
> Though, 1) config.tcl is properly set 
> 2) paths and permissions are properly set
> 3) and logs show the libs and certs were loaded successfully
>
>
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: modload: loading 
> '/usr/lib/aolserver4/bin/nssha1.so'
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: modload: loading 
> '/usr/lib/aolserver4/bin/nsopenssl-3.0/nsopenssl.so'
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl: 
> generating 512-bit temporary RSA key ...
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl: 
> generating 1024-bit temporary RSA key ...
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): loading SSL context 'users'
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'users' ciphers loaded successfully
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'users' using SSLv3 protocol
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'users' using TLSv1 protocol
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'users' certificate and key loaded successfully
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'users' CA file loaded successfully
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: users 
> (nsopenssl): session cache is turned on for sslcontext 'cnauto'
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): loading SSL context 'client'
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'client' ciphers loaded successfully
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'client' using SSLv2 protocol
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'client' using SSLv3 protocol
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'client' using TLSv1 protocol
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'client' certificate and key loaded successfully
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): 'client' CA file loaded successfully
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: client 
> (nsopenssl): session cache is turned on for sslcontext 'cnauto'
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): default SSL context for server is users
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: default server 
> SSL context: users
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): default SSL context for client is client
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: default client 
> SSL context: client
> [17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl 
> (cnauto): loading 'users' SSL driver
> ...
> [17/Jun/2012:20:20:56][30618.3052837744][-nsopenssl:driver-] Notice: 
> starting
> [17/Jun/2012:20:20:56][30618.3052837744][-nsopenssl:driver-] Notice: 
> nsopenssl: listening on 127.0.0.1:8443
> ###
>
>
> I believe the error is related to the 'client'  certificate.  Before I got 
> the error:
>
>
> 
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
> (cnauto): loading SSL context 'client'
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
> (cnauto): 'client' ciphers loaded successfully
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
> (cnauto): 'client' using SSLv2 protocol
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
> (cnauto): 'client' using SSLv3 protocol
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
> (cnauto): 'client' using TLSv1 protocol
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Error: nsopenssl 
> (cnauto): 'client' certificate file is not readable or does not exist
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Error: nsopenssl 
> (cnauto): SSL context 'client' left uninitialized
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
> (cnauto): default SSL context for server is users
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: default server 
> SSL context: users
> [17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl 
> (cnauto): default SSL context f

[AOLSERVER] SSL connection error

2012-06-19 Thread Iuri Sampaio
Hi there,

After setting up nsopenssl on aolserver I got the following error.



SSL connection error
Unable to make a secure connection to the server. This may be a problem
with the server, or it may be requiring a client authentication certificate
that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.



Though, 1) config.tcl is properly set
2) paths and permissions are properly set
3) and logs show the libs and certs were loaded successfully


[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: modload: loading
'/usr/lib/aolserver4/bin/nssha1.so'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: modload: loading
'/usr/lib/aolserver4/bin/nsopenssl-3.0/nsopenssl.so'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl:
generating 512-bit temporary RSA key ...
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl:
generating 1024-bit temporary RSA key ...
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): loading SSL context 'users'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): 'users' ciphers loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): 'users' using SSLv3 protocol
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): 'users' using TLSv1 protocol
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): 'users' certificate and key loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): 'users' CA file loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: users (nsopenssl):
session cache is turned on for sslcontext 'cnauto'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): loading SSL context 'client'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): 'client' ciphers loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): 'client' using SSLv2 protocol
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): 'client' using SSLv3 protocol
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): 'client' using TLSv1 protocol
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): 'client' certificate and key loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): 'client' CA file loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: client
(nsopenssl): session cache is turned on for sslcontext 'cnauto'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): default SSL context for server is users
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: default server SSL
context: users
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): default SSL context for client is client
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: default client SSL
context: client
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl
(cnauto): loading 'users' SSL driver
...
[17/Jun/2012:20:20:56][30618.3052837744][-nsopenssl:driver-] Notice:
starting
[17/Jun/2012:20:20:56][30618.3052837744][-nsopenssl:driver-] Notice:
nsopenssl: listening on 127.0.0.1:8443
###


I believe the error is related to the 'client'  certificate.  Before I got
the error:



[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl
(cnauto): loading SSL context 'client'
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl
(cnauto): 'client' ciphers loaded successfully
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl
(cnauto): 'client' using SSLv2 protocol
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl
(cnauto): 'client' using SSLv3 protocol
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl
(cnauto): 'client' using TLSv1 protocol
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Error: nsopenssl (cnauto):
'client' certificate file is not readable or does not exist
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Error: nsopenssl (cnauto):
SSL context 'client' left uninitialized
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl
(cnauto): default SSL context for server is users
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: default server SSL
context: users
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl
(cnauto): default SSL context for client is client
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: default client SSL
context: client
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl
(cnauto): loading 'users' SSL driver
#

Then I changed the 'client' cert's paths within config.tcl to the same as
users.



Would that be the issue?

Best wishes,
Iuri
--
Li