Forum OpenACS Q&A: nsopenssl error with AS4 and OpenACS HEAD

This is the first time I'm trying nsopenssl, because it is required by the ecommerce package, and I followed the most recent installation instructions. The installation went apparently fine with only some warnings during the compile. After various tentatives and searches on the forum for hints and problems I finally got it running.

Once started, OpenACS behaves normally as long as I use https with port 8443 to navigate, but as I switch to http with port 8000 nsd stops responding: it is still active, but it doesn't consume any cpu. Even if I switch back to https, nsd dosn't respond anymore and I don't find any error in the error log nor any request in the log.

I installed OpenACS from HEAD on a RedHat 8.0, with PostgreSQL 7.4 Aolserver 4.0 and nsopenssl 3-beta.
The following are the relevant sections of my config.tcl:

# SSL contexts. Define the ssl contexts for this server.

ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
ns_param ssl_incoming_requests_context   "SSL context used for regular user access to the website"

ns_section "ns/server/${server}/module/nsopenssl/defaults"
ns_param server               ssl_incoming_requests_context

ns_section "ns/server/${server}/module/nsopenssl/sslcontext/ssl_incoming_requests_context"
ns_param Role                  server
ns_param ModuleDir             ${serverroot}/etc/certs
ns_param CertFile              certfile.pem
ns_param KeyFile               keyfile.pem
#ns_param CADir                 ca-client/dir
#ns_param CAFile                ca-client/ca-client.crt
ns_param Protocols             "SSLv3, TLSv1"
ns_param CipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify            false
ns_param PeerVerifyDepth       3
ns_param Trace                 true


# SSL drivers. Each driver defines a port and a named SSL context to associate with it.

ns_section "ns/server/${server}/module/nsopenssl/ssldrivers"
ns_param ssl_incoming_requests_driver "Driver for regular user access to the website"
#ns_param ssl_outgoing_requests_driver "Driver for outgoing requests"

ns_section "ns/server/${server}/module/nsopenssl/ssldriver/ssl_incoming_requests_driver"
ns_param sslcontext            ssl_incoming_requests_context
ns_param port                  $httpsport
ns_param hostname              $hostname
ns_param address               $address

The only messages shown in the log during the startup are the following:

[04/Aug/2004:10:46:57][1480.8192][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'
[04/Aug/2004:10:46:57][1480.8192][-main-] Notice: nsopenssl (head): loading SSL context 'ssl_incoming_requests_context'
[04/Aug/2004:10:46:57][1480.8192][-main-] Notice: nsopenssl (head): 'ssl_incoming_requests_context' ciphers loaded successfully
[04/Aug/2004:10:46:57][1480.8192][-main-] Notice: nsopenssl (head): 'ssl_incoming_requests_context' using SSLv3 protocol
[04/Aug/2004:10:46:57][1480.8192][-main-] Notice: nsopenssl (head): 'ssl_incoming_requests_context' using TLSv1 protocol
[04/Aug/2004:10:46:57][1480.8192][-main-] Notice: nsopenssl (head): 'ssl_incoming_requests_context' key loaded successfully
[04/Aug/2004:10:46:57][1480.8192][-main-] Notice: nsopenssl (head): 'ssl_incoming_requests_context' certificate loaded successfully
[04/Aug/2004:10:46:57][1480.8192][-main-] Notice: nsopenssl (head): 'ssl_incoming_requests_context' failed to load CA certificate file '/usr/local/aolserver/servers/head/modules/nsopenssl/ca.pem'
[04/Aug/2004:10:46:57][1480.8192][-main-] Error: nsopenssl (head): 'ssl_incoming_requests_context' CA certificate file is not readable or does not exist
[04/Aug/2004:10:46:57][1480.8192][-main-] Notice: nsopenssl (head): default SSL context for server is ssl_incoming_requests_context
[04/Aug/2004:10:46:57][1480.8192][-main-] Notice: default server SSL context: ssl_incoming_requests_context
[04/Aug/2004:10:46:57][1480.8192][-main-] Notice: nsopenssl (head): loading 'ssl_incoming_requests_driver' SSL driver

I didn't change the kernel and subsite parameters defaults and so only /acs-admin/* should be restricted to SSL.

Any help gratly appreciated.

Also, I fixed a bug that occured when using non-standard ports. That won't show up until 5.1.2, so you'll either need to apply from oacs-5-1 or wait for 5.1.2 to come out.

You can find it in acs-tcl/security procs on the CVS browser.

sourceforge has an alternate source via cvs, currently version 3beta21

I tried to use beta17 and had major problems;  every time someone placed an order it would spew debug messages (mostly the same one over and over) until the log file reached 2 GB, sometimes in a matter of minutes!  Rather impressive if you ask me. :)  The SSL connection actually worked fine, but that wasn't much consolation.

I had to go back to nsd3.3 rather quickly and haven't had a chance to try the latest from CVS, but I've been told on the AOLserver list that the problem I had should be fixed.

It has been a while since I last had a new Payflow Pro account, so I don't recall what it did with live credit cards.  What is usually done is to use a test number (usually 4111 1111 1111 1111, which is a fake VISA number) with a made-up expiration date in the future.  If that doesn't work, then something is wrong.

BTW, there is supposed to be a huge problem with the Payflow Pro driver and AOLserver, resulting in random crashes, so keep an eye out for that. If you don't experience any crashes then maybe they have fixed their libraries.  I don't recall the exact details but you should be able to search and find threads on this.