Forum OpenACS Q&A: Re: SSL Support for OpenACS - install failed

Posted by Steve Manning on
Sven

What you have there is the config section for version 2 of nsopenssl, not version 3. Scott made big changes to the config, which is why yours isn't working.

My config for AOLS v4 and nsopenssl v3 looks like this:

#---------------------------------------------------------------------
#
# OpenSSL
#
#---------------------------------------------------------------------

# SSL contexts. Each SSL context is a template that SSL connections are created
# from. A single SSL context may be used by multiple drivers, sockservers and
# sockclients.

ns_section ns/server/${server}/module/nsopenssl/sslcontexts
ns_param users "SSL context used for regular user access"
###ns_param client "SSL context used for outgoing script socket connections"

# We explicitly tell the server which SSL contexts to use as defaults when an
# SSL context is not specified for a particular client or server SSL
# connection. Driver connections do not use defaults; they must be explicitly
# specified in the driver section. The Tcl API will use the defaults as there
# is currently no provision to specify which SSL context to use for a
# particular connection via an ns_openssl Tcl command.

ns_section ns/server/${server}/module/nsopenssl/defaults
ns_param server users

ns_section ns/server/${server}/module/nsopenssl/sslcontext/users
ns_param Role server
ns_param ModuleDir ${serverroot}/etc/certs/
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
ns_param CADir ca
ns_param CAFile ca.pem
ns_param Protocols "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false

# SSL drivers. Each driver defines a port to listen on and an explicitly named
# SSL context to associate with it. Note that you can now have multiple driver
# connections within a single virtual server, which can be tied to different
# SSL contexts. Isn't that cool?

ns_section ns/server/${server}/module/nsopenssl/ssldrivers
ns_param users "Driver for regular user access"

ns_section ns/server/${server}/module/nsopenssl/ssldriver/users
ns_param sslcontext users
ns_param port $httpsport
ns_param hostname $hostname
ns_param address $address

# OpenSSL library support:
#ns_param RandomFile /some/file
ns_param SeedBytes 1024

--------------

- Steve
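
The following Python check is an added example, not part of the post above or of nsopenssl itself. It parses a config in the v3 layout shown there, reports SSL drivers whose `sslcontext` is not a declared context, and flags the deprecated SSLv2/SSLv3 protocols and the LOW, EXP and SSLv2 cipher classes left enabled in each context. The sample input is constructed, the cipher test is a heuristic on the cipher string, and the function names `parse` and `audit` are hypothetical.

```python
import re

# Constructed sample in the v3 layout; ${server} is left unexpanded on purpose.
SAMPLE = '''
ns_section ns/server/${server}/module/nsopenssl/sslcontexts
ns_param users "SSL context used for regular user access"
ns_section ns/server/${server}/module/nsopenssl/sslcontext/users
ns_param Protocols "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_section ns/server/${server}/module/nsopenssl/ssldrivers
ns_param users "Driver for regular user access"
ns_param admins "Driver with no matching section"
ns_section ns/server/${server}/module/nsopenssl/ssldriver/users
ns_param sslcontext staff
'''
LINE = re.compile(r'^\s*ns_(section|param)\s+"?([^\s"]+)"?\s*(.*)$')

def parse(text):
    """Map each section suffix after .../nsopenssl/ to its {param: value} dict."""
    sections, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines and comments, including ###ns_param
        kind, name, rest = m.groups()
        if kind == "section":
            current = sections.setdefault(name.partition("/nsopenssl/")[2].lower(), {})
        elif current is not None:
            current[name.lower()] = rest.strip().strip('"')
    return sections

def audit(text):
    s, out = parse(text), []
    contexts = s.get("sslcontexts", {})
    for ctx in contexts:
        p = s.get("sslcontext/" + ctx, {})
        for proto in re.split(r"[,\s]+", p.get("protocols", "")):
            if proto.lower() in ("sslv2", "sslv3"):
                out.append(f"context {ctx}: deprecated protocol {proto}")
        toks = [t.upper() for t in p.get("ciphersuite", "").split(":")]
        for cls in ("LOW", "EXP", "SSLV2"):  # enabled by ALL or by name, removed only by !cls
            if ("ALL" in toks or cls in toks) and "!" + cls not in toks:
                out.append(f"context {ctx}: cipher class {cls} not excluded")
    for drv in s.get("ssldrivers", {}):
        ref = s.get("ssldriver/" + drv, {}).get("sslcontext")
        if ref not in contexts:  # also catches a driver with no section at all
            out.append(f"driver {drv}: sslcontext {ref!r} is not a declared context")
    return out

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

Run it on the text of the server config file; an empty list from `audit` means none of these checks fired.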