Forum OpenACS Q&A: Response to An OpenSSL/Aolserver HOWTO

Posted by jay he on
Thanks, Bart.

I commented out the ModuleDir part, but it didn't fix the problem. I also noticed this thread and followed Zack's configuration for nsopenssl.

I set up my sslcertfile and sslkeyfile as follows:

set sslkeyfile ${homedir}/servers/${server}/modules/nsopenssl/keyfile.pem
set sslcertfile ${homedir}/servers/${server}/modules/nsopenssl/certfile.pem

I copied the test-key.pem and test-cert.pem from the nsopenssl package into /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/ as keyfile.pem and certfile.pem.

I restarted the server. AOLserver restarted and I can connect to the non-secure page. When I tried to connect to the secure page, I got an error saying "This page cannot be displayed".

And I can't find any error in the log file.

However, if I use the configuration from the nsopenssl ReadMe.txt and put

ns_section "ns/server/${server}/modules"
ns_param nsopenssl    ${bindir}/nsopenssl.so

instead of

if { [file exists $sslcertfile] && [file exists $sslkeyfile] } {
    ns_param nsopenssl ${bindir}/nsopenssl.so
} else {
    ns_log warning "nsd.tcl: nsopenssl not loaded because key/cert files do not exist."
}

AOLserver just died, and I got the following error in the log:
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: Module directory defaults to /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerPeerVerify = 1
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerPeerVerifyDepth = 3
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerTrace = 0
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerProtocols = SSLv2, SSLv3, TLSv1
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using SSLv2 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using SSLv3 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using TLSv1 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerCertFile = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/certfile.pem
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerKeyFile = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/keyfile.pem
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerCAFile = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/ca.pem
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerCADir = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/ca
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: CA certificate file does not exist
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: CA certificate directory does not exist
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerSessionCache = 0
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerSessionCacheId = 1
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerSessionTimeout = 300
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: ServerSessionCacheSize = 512
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerPeerVerify = 1
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerPeerVerifyDepth = 3
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerTrace = 0
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerProtocols = SSLv2, SSLv3, TLSv1
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using SSLv2 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using SSLv3 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using TLSv1 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerCertFile = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/certfile.pem
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerKeyFile = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/keyfile.pem
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerCAFile = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/internal_ca.pem
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerCADir = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/internal_ca
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: CA certificate file does not exist
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: CA certificate directory does not exist
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerSessionCache = 0
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerSessionCacheId = 2
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerSessionTimeout = 300
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockServerSessionCacheSize = 512
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockClientPeerVerify = 1
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockClientPeerVerifyDepth = 10
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockClientTrace = 0
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockClientProtocols = SSLv2, SSLv3, TLSv1
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using SSLv2 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using SSLv3 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: Using TLSv1 protocol
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockClientCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
[05/Jun/2002:00:54:58][21228.1024][-main-] Notice: nsopenssl: SockClientCertFile = /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/clientcertfile.pem
[05/Jun/2002:00:54:58][21228.1024][-main-] Error: nsopenssl: error loading certificate file "/usr/local/aolserver/servers/birdnotes/modules/nsopenssl/clientcertfile.pem"
[05/Jun/2002:00:54:58][21228.1024][-main-] Debug: nsopenssl: freeing(0x8164f50)
[05/Jun/2002:00:54:58][21228.1024][-main-] Error: modload: failed to load '/usr/local/aolserver/bin/nsopenssl.so': 'Ns_ModuleInit' returned -1
[05/Jun/2002:00:54:58][21228.1024][-main-] Fatal: modload: failed to load module '/usr/local/aolserver/bin/nsopenssl.so'

I think that's because I put two ns_section "ns/server/${server}/modules" lines in the configuration file.

So I commented out the second one and restarted the server. It still doesn't fix the problem, but this time AOLserver doesn't die, and there is nothing I can find in the log about nsopenssl module loading.

I still don't know what the problem is. I tried changing httpsport from 443 to 8443, and it didn't work either.

Can anyone post a working sample nsd.tcl file for nsopenssl?

Thanks,

Jay
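The log in the post shows the module's init failing on a certificate file the nsd.tcl guard never looks at: the `file exists` test covers only certfile.pem and keyfile.pem, while Ns_ModuleInit went on to open clientcertfile.pem, could not, and returned -1, which modload treats as fatal. The script below is an added example, not code from the post or from nsopenssl/AOLserver: a pre-flight check to run before starting nsd that verifies every PEM file the module will try to load exists, parses, belongs together and is not world-readable, plus a helper that writes a self-signed pair under the file names the post uses. It assumes an `openssl` command on PATH and the directory layout from the post; the `ssl_preflight` and `make_test_pair` names are this example's own. (The logged ServerProtocols and ServerCipherSuite values also enable SSLv2 and export ciphers; that is a separate hardening item the script does not touch.)

```shell
#!/bin/sh
# Added example (not from the original post or from nsopenssl/AOLserver).
# Pre-flight check for the PEM files an nsopenssl section points at, run
# before nsd starts. Assumes an openssl CLI on PATH and the file names used
# in the post: keyfile.pem, certfile.pem and, optionally, clientcertfile.pem.

# ssl_preflight DIR [EXTRA_CERT ...]
#   Returns 0 when DIR/certfile.pem and DIR/keyfile.pem both parse, the key
#   belongs to the certificate, the certificate has not expired, the key is
#   not group/world accessible, and every EXTRA_CERT exists and parses.
#   Returns 1 with a reason on stderr otherwise.
ssl_preflight() {
    dir=$1
    shift
    cert="$dir/certfile.pem"
    key="$dir/keyfile.pem"

    # 1. Existence and readability. A missing file is exactly what the log in
    #    the post reports for clientcertfile.pem, after which nsd will not start.
    for f in "$cert" "$key" "$@"; do
        if [ ! -r "$f" ]; then
            echo "preflight: missing or unreadable: $f" >&2
            return 1
        fi
    done

    # 2. Every certificate file must be a PEM X.509 certificate.
    for f in "$cert" "$@"; do
        if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
            echo "preflight: not a PEM certificate: $f" >&2
            return 1
        fi
    done

    # 3. The key must be an unencrypted private key; nsd cannot answer a
    #    passphrase prompt at module load, so an empty passphrase must succeed.
    if ! openssl pkey -in "$key" -noout -passin pass: >/dev/null 2>&1; then
        echo "preflight: not a readable unencrypted private key: $key" >&2
        return 1
    fi

    # 4. The key must belong to the certificate: compare the public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "preflight: $key does not match $cert" >&2
        return 1
    fi

    # 5. An expired certificate loads without error but every client rejects it.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "preflight: certificate has expired: $cert" >&2
        return 1
    fi

    # 6. The private key must not be readable by group or others
    #    (ls columns 5-10 are the group and other permission bits).
    mode=$(ls -ld "$key" | cut -c5-10)
    case $mode in
        ------) ;;
        *) echo "preflight: $key is group/world accessible (bits '$mode')" >&2
           return 1 ;;
    esac
    return 0
}

# make_test_pair DIR [CN]
#   Writes a self-signed RSA key and certificate into DIR under the names the
#   post's nsd.tcl expects. Lab use only; a real host puts a CA-issued
#   certificate into the same two files.
make_test_pair() {
    dir=$1
    cn=${2:-localhost}
    mkdir -p "$dir" || return 1
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$cn" -keyout "$dir/keyfile.pem" -out "$dir/certfile.pem" \
        >/dev/null 2>&1 ) || return 1
    chmod 600 "$dir/keyfile.pem"
}

# Usage: sh preflight.sh /usr/local/aolserver/servers/birdnotes/modules/nsopenssl \
#            /usr/local/aolserver/servers/birdnotes/modules/nsopenssl/clientcertfile.pem
if [ $# -gt 0 ]; then
    ssl_preflight "$@" && echo "preflight: ok"
fi
```

Run it from the same start script that launches nsd and refuse to start when it returns non-zero; that turns the silent "nothing in the log" and the fatal modload cases from the post into a message naming the file that is wrong.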