Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working

2015-08-16 Thread Jeff Rogers
The feature of having multiple certificates served on the same ip/port 
is Server Name Indication (SNI) and the nsopenssl driver does not 
support it.  As you said, getting that to work would require some rewiring.

However, I think the certificate described by Thorpe was a single 
certificate that is valid for multiple domains - Service Alternate Name 
(SAN), somewhat similar to a wildcard cert.  Since it's just one 
certificate, it doesn't need multiple different ips/ports.  The downside 
of a SAN cert is that if any of the hosts changes, the whole cert needs 
to be reissued, versus with SNI each host has its own cert.

So since it's just one certificate, I think that also means it doesn't 
need multiple contexts to be set up.  Just set up the single context 
with the SAN certificate, and set up the virtual servers as you would 
for a non-ssl setup.

-J

Scott Goodwin wrote:
> I’m fairly certain that you can’t have multiple listeners on the same IP
> address and port number on a NIC simultaneously, even if they’re all
> binding from the same process. All three of the virtual servers below
> are configured to use the same IP address and port number, and the first
> nsopenssl instance to bind to it, ‘owns’ it. The rest get EPERM from the
> operating system. I think the way multiple SSL certificates are bound to
> a single IP address and port: the server listens on the IP and port, and
> looks at the Host header of the incoming connection to determine which
> SSL certificate to use for that particular connection. I don’t think
> AOLserver has the ability to do this today. The other way to do it is to
> create three distinct IP addresses on your NIC and use one for each SSL
> instance. There may be other ways to make this work, but any of them
> will probably require rewiring AOLserver and nsopenssl.
>

--
___
aolserver-talk mailing list
aolserver-talk@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/aolserver-talk
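
Added example (not part of the thread or of nsopenssl): before pointing every virtual server at one shared context as suggested above, it is worth checking that the certificate's SAN entries cover each virtual-host name. The SAN line and host names below are constructed placeholders, and the wildcard rule is the usual one-label, left-most-only match.

```python
# Constructed sample: the SAN line as printed by
# `openssl x509 -in cert.pem -noout -text` (all names are placeholders).
SAMPLE_SAN_TEXT = (
    "DNS:shop.example.com, DNS:www.example.org, "
    "DNS:*.example.net, IP Address:192.0.2.10"
)


def parse_san_dns(san_text):
    """Return the lower-cased DNS entries from an openssl SAN line."""
    names = []
    for item in san_text.split(","):
        kind, _, value = item.strip().partition(":")
        if kind == "DNS" and value:
            names.append(value.strip().lower().rstrip("."))
    return names


def name_matches(pattern, host):
    """Match one SAN DNS entry against a host name.

    A '*' is honoured only as the whole left-most label, stands for exactly
    one label, and needs at least two fixed labels after it.
    """
    p_labels = pattern.split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return (len(p_labels) >= 3 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def coverage(san_text, vhosts):
    """Map each virtual-host name to the SAN entry covering it, or None."""
    sans = parse_san_dns(san_text)
    return {
        host: next((s for s in sans if name_matches(s, host)), None)
        for host in vhosts
    }


def uncovered(san_text, vhosts):
    """Virtual hosts that clients would see a name-mismatch error for."""
    return sorted(h for h, s in coverage(san_text, vhosts).items() if s is None)


if __name__ == "__main__":
    # Hypothetical virtual-host names sharing one SSL context.
    vhosts = ["shop.example.com", "www.example.org", "mail.example.net",
              "example.net", "a.b.example.net"]
    for host, san in coverage(SAMPLE_SAN_TEXT, vhosts).items():
        print(f"{host:20} {'covered by ' + san if san else 'NOT COVERED'}")
```
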


Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working

2015-08-16 Thread Scott Goodwin
So OpenSSL will look at the domain names in the cert and if one of them 
matches, the SSL connection is accepted? I am behind the times. Thanks for 
pointing this out.

/s.

> On Aug 16, 2015, at 12:59 PM, Jeff Rogers wrote:
> 
> The feature of having multiple certificates served on the same ip/port is 
> Server Name Indication (SNI) and the nsopenssl driver does not support it.  
> As you said, getting that to work would require some rewiring.
> 
> However, I think the certificate described by Thorpe was a single certificate 
> that is valid for multiple domains - Service Alternate Name (SAN), somewhat 
> similar to a wildcard cert.  Since it's just one certificate, it doesn't need 
> multiple different ips/ports.  The downside of a SAN cert is that if any of 
> the hosts changes, the whole cert needs to be reissued, versus with SNI each 
> host has its own cert.
> 
> So since it's just one certificate, I think that also means it doesn't need 
> multiple contexts to be set up.  Just set up the single context with the SAN 
> certificate, and set up the virtual servers as you would for a non-ssl setup.
> 
> -J
> 
> Scott Goodwin wrote:
>> I’m fairly certain that you can’t have multiple listeners on the same IP
>> address and port number on a NIC simultaneously, even if they’re all
>> binding from the same process. All three of the virtual servers below
>> are configured to use the same IP address and port number, and the first
>> nsopenssl instance to bind to it, ‘owns’ it. The rest get EPERM from the
>> operating system. I think the way multiple SSL certificates are bound to
>> a single IP address and port: the server listens on the IP and port, and
>> looks at the Host header of the incoming connection to determine which
>> SSL certificate to use for that particular connection. I don’t think
>> AOLserver has the ability to do this today. The other way to do it is to
>> create three distinct IP addresses on your NIC and use one for each SSL
>> instance. There may be other ways to make this work, but any of them
>> will probably require rewiring AOLserver and nsopenssl.
>> 



Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working

2015-08-16 Thread Scott Goodwin
I’m fairly certain that you can’t have multiple listeners on the same IP 
address and port number on a NIC simultaneously, even if they’re all binding 
from the same process. All three of the virtual servers below are configured to 
use the same IP address and port number, and the first nsopenssl instance to 
bind to it, ‘owns’ it. The rest get EPERM from the operating system. I think 
the way multiple SSL certificates are bound to a single IP address and port: 
the server listens on the IP and port, and looks at the Host header of the 
incoming connection to determine which SSL certificate to use for that 
particular connection. I don’t think AOLserver has the ability to do this 
today. The other way to do it is to create three distinct IP addresses on your 
NIC and use one for each SSL instance. There may be other ways to make this 
work, but any of them will probably require rewiring AOLserver and nsopenssl.

Aside: the direct email to your address above bounced — see here:


<tma...@ecognizant.net>: host ecognizant.net [23.253.246.52] said: 553 sorry,
   that domain isn't in my list of allowed rcpthosts (#5.7.1) (in reply to
   RCPT TO command)
Reporting-MTA: dns; mailout.nyi.internal
X-Postfix-Queue-ID: 4732622053
X-Postfix-Sender: rfc822; sc...@scottg.net 
Arrival-Date: Sun, 16 Aug 2015 09:04:30 -0400 (EDT)

/s.


> On Aug 15, 2015, at 8:17 PM, Thorpe Mayes wrote:
> 
> Hi,
> 
> I have AOLserver 4.5.2 running with virtual servers - main.tcl with several 
> sub config files. 
> 
> Three of the domain names are using SSL. The certificate is a UCC SSL 
> Certificate that will accommodate up to 5 domain names. 
> 
> If I activate the virtual server for just one of the three domains that are 
> using SSL, then everything works fine. When I activate two or more of the sub 
> files that need ssl, the server fails to start. Here is the tail end of the 
> log file:
> 
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: 
> AOLserver/4.5.2 running
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: 
> security info: uid=502, euid=502, gid=502\
> , egid=502
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
> starting: nssock
> [15/Aug/2015:18:39:13][3924.18446744073356683008][-sched-] Notice: sched: 
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: 
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: 
> nssock: listening on 23.253.246.52:80
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
> starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: 
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: 
> nsopenssl: listening on 23.253.246.52\
> :443
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
> starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: 
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Error: 
> nsopenssl: failed to listen on 23.253.\
> 246.52:443: Permission denied
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: 
> exiting
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
> starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: 
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Error: 
> nsopenssl: failed to listen on 23.253.\
> 246.52:443: Permission denied
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: 
> exiting
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Fatal: could not 
> start drivers
> 
> 
> Here is the ssl portion of the main.tcl file:
> 
> ns_section "ns/server/module/nsopenssl"
> # ns_param RandomFile /some/file  
>   
> ns_param SeedBytes  2048;  # was 1024   
> 
> 
> Here is what the ssl portion of the sub files (all appear to load 
> successfully - see below):
> 
> #-
>   
> # OpenSSL and nsopenssl   
>   
> # http://openacs.org/forums/message-view?message_id=320064 
>  - for nsd code - 
> note: must use port 443 
> # http://openacs.org/doc/install-nsopenssl.html 
>  - binding port 443 in 
> daemontools   
> #-
>   
> 
> ns_section "ns/server/${ecogni

Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working

2015-08-16 Thread Scott Goodwin
The backslash shows line continuation — the IP address below is 23.253.246.52 
(and :443 for the port).

/s.


> On Aug 16, 2015, at 1:22 AM, Sep wrote:
> 
> Could your IP address be the one failing? 
> 
> Error: nsopenssl: failed to listen on 23.253.\
> 
> 246.52:443: Permission denied
> 
> What's the stray backslash for?
> 
> On Aug 16, 2015 9:17 AM, "Scott Goodwin" wrote:
> Has this ever worked in the past? It's been a long time since I've looked at 
> the module and I don't recall if it worked for multiple SSL listening ports 
> as virtual servers on the same AOLserver instance. I never had an occasion to 
> use it that way. If it's not capable of doing that in its last incarnation it 
> will probably take some work to modify it to do it properly.
> 
> /s.
> 
> On Aug 15, 2015, at 8:17 PM, Thorpe Mayes wrote:
> 
>> Hi,
>> 
>> I have AOLserver 4.5.2 running with virtual servers - main.tcl with several 
>> sub config files. 
>> 
>> Three of the domain names are using SSL. The certificate is a UCC SSL 
>> Certificate that will accommodate up to 5 domain names. 
>> 
>> If I activate the virtual server for just one of the three domains that are 
>> using SSL, then everything works fine. When I activate two or more of the 
>> sub files that need ssl, the server fails to start. Here is the tail end of 
>> the log file:
>> 
>> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: 
>> AOLserver/4.5.2 running
>> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: 
>> security info: uid=502, euid=502, gid=502\
>> , egid=502
>> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
>> starting: nssock
>> [15/Aug/2015:18:39:13][3924.18446744073356683008][-sched-] Notice: sched: 
>> starting
>> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: 
>> starting
>> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: 
>> nssock: listening on 23.253.246.52:80 
>> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
>> starting: nsopenssl
>> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] 
>> Notice: starting
>> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] 
>> Notice: nsopenssl: listening on 23.253.246.52\
>> :443
>> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
>> starting: nsopenssl
>> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] 
>> Notice: starting
>> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Error: 
>> nsopenssl: failed to listen on 23.253.\
>> 246.52:443: Permission denied
>> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] 
>> Notice: exiting
>> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
>> starting: nsopenssl
>> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] 
>> Notice: starting
>> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Error: 
>> nsopenssl: failed to listen on 23.253.\
>> 246.52:443: Permission denied
>> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] 
>> Notice: exiting
>> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Fatal: could not 
>> start drivers
>> 
>> 
>> Here is the ssl portion of the main.tcl file:
>> 
>> ns_section "ns/server/module/nsopenssl"
>> # ns_param RandomFile /some/file 
>>
>> ns_param SeedBytes  2048;  # was 1024   
>> 
>> 
>> Here is what the ssl portion of the sub files (all appear to load 
>> successfully - see below):
>> 
>> #-   
>>
>> # OpenSSL and nsopenssl  
>>
>> # http://openacs.org/forums/message-view?message_id=320064 
>>  - for nsd code - 
>> note: must use port 443 
>> # http://openacs.org/doc/install-nsopenssl.html 
>>  - binding port 443 in 
>> daemontools   
>> #-   
>>
>> 
>> ns_section "ns/server/${ecognizant}/module/nsopenssl/sslcontexts"
>> ns_param ${ecognizant}_users_ctx "SSL context used for $ecognizant regular 
>> user access"
>> # ns_param admins_ctx "SSL context used for administrator access"
>>
>> ns_param ${ecognizant}_client_ctx "SSL context used for $ecognizant outgoing 
>> script socket connections"
>> 
>> 
>> ns_section "ns/server/${ecognizant}/module/nsopenssl/defaults"
>> ns_param server 
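
Added example (not from the thread or the AOLserver code base): a small parser that rejoins the mail-wrapped log lines, including the backslash breaks explained above, and reports any address that one driver instance bound and later instances failed to bind. The log excerpt is constructed in the shape of the one quoted in this thread, using a documentation address and shortened thread ids.

```python
import re
from collections import defaultdict

# Constructed excerpt: quoted, mail-wrapped, "\" marks a break inside a token.
SAMPLE_LOG = r"""
> [15/Aug/2015:18:39:13][3924.1][-nssock:driver-] Notice:
> nssock: listening on 192.0.2.10:80
> [15/Aug/2015:18:39:13][3924.2][-nsopenssl:driver-] Notice:
> nsopenssl: listening on 192.0.2.10\
> :443
> [15/Aug/2015:18:39:13][3924.3][-nsopenssl:driver-] Error:
> nsopenssl: failed to listen on 192.0.\
> 2.10:443: Permission denied
> [15/Aug/2015:18:39:13][3924.4][-nsopenssl:driver-] Error:
> nsopenssl: failed to listen on 192.0.\
> 2.10:443: Permission denied
> [15/Aug/2015:18:39:13][3924.1][-main-] Fatal: could not
> start drivers
"""

ENTRY_START = re.compile(r"^\[\d{2}/\w{3}/\d{4}:")
LISTEN_OK = re.compile(r"\[-(\w+):driver-\] Notice: \1: listening on (\S+)")
LISTEN_FAIL = re.compile(
    r"\[-(\w+):driver-\] Error: \1: failed to listen on (\S+): (.+)$")


def unwrap(text):
    """Rebuild one string per log entry from quoted, wrapped mail text."""
    entries = []
    glue = False  # previous line ended with "\": join without a space
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).rstrip()  # drop quote markers
        if not line:
            continue
        broken = line.endswith("\\")
        if broken:
            line = line[:-1]
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        elif glue:
            entries[-1] += line
        else:
            entries[-1] += " " + line
        glue = broken
    return entries


def listen_conflicts(text):
    """Addresses bound by one driver instance and refused to later ones."""
    owner = {}
    failed = defaultdict(list)
    for entry in unwrap(text):
        ok = LISTEN_OK.search(entry)
        if ok:
            owner.setdefault(ok.group(2), ok.group(1))
            continue
        bad = LISTEN_FAIL.search(entry)
        if bad:
            failed[bad.group(2)].append((bad.group(1), bad.group(3)))
    return {addr: {"owner": owner[addr], "failed": fails}
            for addr, fails in failed.items() if addr in owner}


if __name__ == "__main__":
    for addr, info in listen_conflicts(SAMPLE_LOG).items():
        print(f"{addr}: bound by {info['owner']}, "
              f"{len(info['failed'])} later listen attempt(s) failed")
```
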

Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working

2015-08-15 Thread Sep
Could your IP address be the one failing?

Error: nsopenssl: failed to listen on 23.253.\

246.52:443: Permission denied

What's the stray backslash for?

On Aug 16, 2015 9:17 AM, "Scott Goodwin" wrote:

> Has this ever worked in the past? It's been a long time since I've looked
> at the module and I don't recall if it worked for multiple SSL listening
> ports as virtual servers on the same AOLserver instance. I never had an
> occasion to use it that way. If it's not capable of doing that in its last
> incarnation it will probably take some work to modify it to do it properly.
>
> /s.
>
> On Aug 15, 2015, at 8:17 PM, Thorpe Mayes wrote:
>
> Hi,
>
> I have AOLserver 4.5.2 running with virtual servers - main.tcl with
> several sub config files.
>
> Three of the domain names are using SSL. The certificate is a UCC SSL
> Certificate that will accommodate up to 5 domain names.
>
> If I activate the virtual server for just one of the three domains that
> are using SSL, then everything works fine. When I activate two or more of
> the sub files that need ssl, the server fails to start. Here is the tail
> end of the log file:
>
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain:
> AOLserver/4.5.2 running
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain:
> security info: uid=502, euid=502, gid=502\
> , egid=502
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver:
> starting: nssock
> [15/Aug/2015:18:39:13][3924.18446744073356683008][-sched-] Notice: sched:
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice:
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice:
> nssock: listening on 23.253.246.52:80
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver:
> starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-]
> Notice: starting
> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-]
> Notice: nsopenssl: listening on 23.253.246.52\
> :443
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver:
> starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-]
> Notice: starting
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-]
> Error: nsopenssl: failed to listen on 23.253.\
> 246.52:443: Permission denied
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-]
> Notice: exiting
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver:
> starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-]
> Notice: starting
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-]
> Error: nsopenssl: failed to listen on 23.253.\
> 246.52:443: Permission denied
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-]
> Notice: exiting
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Fatal: could not
> start drivers
>
>
> Here is the ssl portion of the main.tcl file:
>
> ns_section "ns/server/module/nsopenssl"
> # ns_param RandomFile /some/file
>
> ns_param SeedBytes  2048;  # was 1024
>
>
> Here is what the ssl portion of the sub files (all appear to load
> successfully - see below):
>
> #-
>
> # OpenSSL and nsopenssl
>
> # http://openacs.org/forums/message-view?message_id=320064 - for nsd code
> - note: must use port 443
> # http://openacs.org/doc/install-nsopenssl.html - binding port 443 in
> daemontools
> #-
>
>
> ns_section "ns/server/${ecognizant}/module/nsopenssl/sslcontexts"
> ns_param ${ecognizant}_users_ctx "SSL context used for $ecognizant
> regular user access"
> # ns_param admins_ctx "SSL context used for administrator access"
>
> ns_param ${ecognizant}_client_ctx "SSL context used for $ecognizant
> outgoing script socket connections"
>
>
> ns_section "ns/server/${ecognizant}/module/nsopenssl/defaults"
> ns_param server ${ecognizant}_users_ctx
> ns_param client ${ecognizant}_client_ctx
>
>
> ns_section
> "ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_users_ctx"
> ns_param Role server
> ns_param ModuleDir $ssldocdir
> ns_param CertFile cert.pem
> ns_param KeyFile key.pem
> ns_param CAFile ca.pem
> ns_param Protocols "All"
> ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
> ns_param PeerVerify false
> ns_param PeerVerifyDepth 3
> ns_param Trace false
>
>
> ns_section
> "ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_client_ctx"
> ns_param Role client
> ns_param ModuleDir $ssldocdir
> ns_param CertFile cert.pem
> ns_param KeyFile key.pem
> ns_param CAFile ca.pem
> ns_param Protocols "All"
> ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
> ns_param PeerVerify false
> ns_param PeerVerifyDepth 3
> ns_param Trace fals

Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working

2015-08-15 Thread Scott Goodwin
Has this ever worked in the past? It's been a long time since I've looked at 
the module and I don't recall if it worked for multiple SSL listening ports as 
virtual servers on the same AOLserver instance. I never had an occasion to use 
it that way. If it's not capable of doing that in its last incarnation it will 
probably take some work to modify it to do it properly.

/s.

> On Aug 15, 2015, at 8:17 PM, Thorpe Mayes wrote:
> 
> Hi,
> 
> I have AOLserver 4.5.2 running with virtual servers - main.tcl with several 
> sub config files. 
> 
> Three of the domain names are using SSL. The certificate is a UCC SSL 
> Certificate that will accommodate up to 5 domain names. 
> 
> If I activate the virtual server for just one of the three domains that are 
> using SSL, then everything works fine. When I activate two or more of the sub 
> files that need ssl, the server fails to start. Here is the tail end of the 
> log file:
> 
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: 
> AOLserver/4.5.2 running
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: 
> security info: uid=502, euid=502, gid=502\
> , egid=502
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
> starting: nssock
> [15/Aug/2015:18:39:13][3924.18446744073356683008][-sched-] Notice: sched: 
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: 
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: 
> nssock: listening on 23.253.246.52:80
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
> starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: 
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: 
> nsopenssl: listening on 23.253.246.52\
> :443
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
> starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: 
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Error: 
> nsopenssl: failed to listen on 23.253.\
> 246.52:443: Permission denied
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: 
> exiting
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
> starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: 
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Error: 
> nsopenssl: failed to listen on 23.253.\
> 246.52:443: Permission denied
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: 
> exiting
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Fatal: could not 
> start drivers
> 
> 
> Here is the ssl portion of the main.tcl file:
> 
> ns_section "ns/server/module/nsopenssl"
> # ns_param RandomFile /some/file  
>   
> ns_param SeedBytes  2048;  # was 1024   
> 
> 
> Here is what the ssl portion of the sub files (all appear to load 
> successfully - see below):
> 
> #-
>   
> # OpenSSL and nsopenssl   
>   
> # http://openacs.org/forums/message-view?message_id=320064 - for nsd code - 
> note: must use port 443 
> # http://openacs.org/doc/install-nsopenssl.html - binding port 443 in 
> daemontools   
> #-
>   
> 
> ns_section "ns/server/${ecognizant}/module/nsopenssl/sslcontexts"
> ns_param ${ecognizant}_users_ctx "SSL context used for $ecognizant regular 
> user access"
> # ns_param admins_ctx "SSL context used for administrator access" 
>   
> ns_param ${ecognizant}_client_ctx "SSL context used for $ecognizant outgoing 
> script socket connections"
> 
> 
> ns_section "ns/server/${ecognizant}/module/nsopenssl/defaults"
> ns_param server ${ecognizant}_users_ctx
> ns_param client ${ecognizant}_client_ctx
> 
> 
> ns_section 
> "ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_users_ctx"
> ns_param Role server
> ns_param ModuleDir $ssldocdir
> ns_param CertFile cert.pem
> ns_param KeyFile key.pem
> ns_param CAFile ca.pem
> ns_param Protocols "All"
> ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
> ns_param PeerVerify false
> ns_param PeerVerifyDepth 3
> ns_param Trace false
> 
> 
> ns_section 
> "ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_client_ctx"
> ns_param Role client
> ns_param ModuleDir $ssldocdir
> ns_param CertFile cert.pem
> ns_param KeyF