Forum OpenACS Q&A: client ns_openssl

Posted by robert parker on
Can anyone post their working config.tcl to allow outgoing https from OACS 5.1.5? (ideally self-signed certificates)

Alternatively, where can I find documentation about the ns_section parameters for ns_openssl clients?

thanks
Robert

2: Re: client ns_openssl (response to 1)
Posted by Torben Brosten on
The OpenACS 5.1.5 config.tcl[1] settings should work without modification. Search for the ns_section ending in "nsopenssl/sslcontext/client" (and subsequent "client" ones) here:

http://cvs.openacs.org/cvs/*checkout*/openacs-4/etc/config.tcl

The section includes some brief documentation. Note that there are problems with the config.tcl included with 5.0.0, however, mainly due to the nsopenssl parameters being inconsistent with the code implementation.

The process for creating self-signed certificates for outbound connections is essentially the same as for inbound ones:

https://openacs.org/doc/current/install-ssl.html

3: Re: client ns_openssl (response to 1)
Posted by Andrew Piskorski on
Robert, depending on what you're doing, AOLserver as client for remote web login might also be useful to you.
4: Re: client ns_openssl (response to 1)
Posted by robert parker on
I have gone through the help I have so far received - thanks. To be specific about the problem I am encountering, here is what's happening:

====
From a .tcl page I invoke ns_httpsget to retrieve another page (as I am testing at the moment, this page is hosted on the same instance of OACS).

The requested page checks if the request is https (using [security::secure_conn_p], which returns true) then checks the certificate, using [ns_openssl clientcert subject] which returns blank and [ns_openssl clientcert exists] which returns false. Why?

There doesn't seem to be anything wrong in the error.log

I use the same certfile and keyfile for the users and client contexts and I can make https requests from a browser to the server (i.e. the users context), so I believe my certificate and key file are ok.

I was wondering if I have to do something with the CADir and CAFile ns_params? If so, what? I can't find any documentation on these parameters and they are currently commented out as per the default installed config.tcl. Do these parameters store the certificate of the CA approved by the server? (i.e. in the same way that browsers are configured with a list of approved CAs)

This is with nsopenssl-3.0beta26