Forum OpenACS Q&A: SSL Support for OpenACS - install failed

Hi,

I followed the given description when I tried to install nsopenssl 3 on aolserver 4, but a few error messages in the logfile do not disappear and I have no clue how to fix the problem.

The steps I made:
1. installed nsopenssl as described on aolserver4
2. created the certificates with the perl-script as described as well

Although everything seemed to work well I get the following error messages in the logfile:

Notice: modload: loading '.../aolserver40r10/bin/nsopenssl.so'
Notice: nsopenssl: generating 512-bit temporary RSA key ...
Notice: nsopenssl: generating 1024-bit temporary RSA key ...
Notice: oacs-5-1 (nsopenssl): no SSL contexts defined for this server
Notice: nsopenssl (oacs-5-1): no SSL drivers defined for this server

And the server is not responding on the given port.

Does someone have an idea where the problem could be?

Thanks for your help,
Sven

Posted by Steve Manning on
Sven

Can you post the openssl portion of your config file (those bits with an ns_section which mentions nsopenssl)? Then we can see what your server is trying to do.

- Steve

Posted by Sven Schmitt on
Hi again,
here is the "nsopenssl" section of the corresponding config file.

The certificates are located (hopefully correct) in /etc/certs as
certfile.pem and keyfile.pem

Regards,
Sven

==========================================================
==========================================================

#---------------------------------------------------------------------
#
# OpenSSL
#
#---------------------------------------------------------------------

ns_section "ns/server/${server}/module/nsopenssl"

ns_param ModuleDir ${serverroot}/etc/certs

# NSD-driven connections:
ns_param ServerPort $httpsport
ns_param ServerHostname $hostname
ns_param ServerAddress $address
ns_param ServerCertFile certfile.pem
ns_param ServerKeyFile keyfile.pem
ns_param ServerProtocols "SSLv2, SSLv3, TLSv1"
ns_param ServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param ServerSessionCache true
ns_param ServerSessionCacheID 1
ns_param ServerSessionCacheSize 512
ns_param ServerSessionCacheTimeout 300
ns_param ServerPeerVerify false
ns_param ServerPeerVerifyDepth 3
ns_param ServerCADir ca
ns_param ServerCAFile ca.pem
ns_param ServerTrace false

# For listening and accepting SSL connections via Tcl/C API:
ns_param SockServerCertFile certfile.pem
ns_param SockServerKeyFile keyfile.pem
ns_param SockServerProtocols "SSLv2, SSLv3, TLSv1"
ns_param SockServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param SockServerSessionCache true
ns_param SockServerSessionCacheID 2
ns_param SockServerSessionCacheSize 512
ns_param SockServerSessionCacheTimeout 300
ns_param SockServerPeerVerify false
ns_param SockServerPeerVerifyDepth 3
ns_param SockServerCADir internal_ca
ns_param SockServerCAFile internal_ca.pem
ns_param SockServerTrace false

# Outgoing SSL connections
ns_param SockClientCertFile certfile.pem
ns_param SockClientKeyFile keyfile.pem
ns_param SockClientProtocols "SSLv2, SSLv3, TLSv1"
ns_param SockClientCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param SockClientSessionCache true
ns_param SockClientSessionCacheID 3
ns_param SockClientSessionCacheSize 512
ns_param SockClientSessionCacheTimeout 300
ns_param SockClientPeerVerify false
ns_param SockClientPeerVerifyDepth 3
ns_param SockClientCADir ca
ns_param SockClientCAFile ca.pem
ns_param SockClientTrace false

#OpenSSL library support:
#ns_param RandomFile /some/file
ns_param SeedBytes 1024

======================================================
======================================================

Posted by Steve Manning on
Sven

What you have there is the config section for version 2 of nsopenssl, not version 3. Scott made big changes to the config, which is why yours isn't working.

My config for AOLS v4 and nsopenssl v3 looks like this:

#---------------------------------------------------------------------
#
# OpenSSL
#
#---------------------------------------------------------------------

# SSL contexts. Each SSL context is a template that SSL connections are created
# from. A single SSL context may be used by multiple drivers, sockservers and
# sockclients.

ns_section ns/server/${server}/module/nsopenssl/sslcontexts
ns_param users "SSL context used for regular user access"
###ns_param client "SSL context used for outgoing script socket connections"

# We explicitly tell the server which SSL contexts to use as defaults when an
# SSL context is not specified for a particular client or server SSL
# connection. Driver connections do not use defaults; they must be explicitly
# specificied in the driver section. The Tcl API will use the defaults as there
# is currently no provision to specify which SSL context to use for a
# particular connection via an ns_openssl Tcl command.

ns_section ns/server/${server}/module/nsopenssl/defaults
ns_param server users

ns_section ns/server/${server}/module/nsopenssl/sslcontext/users
ns_param Role server
ns_param ModuleDir ${serverroot}/etc/certs/
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
ns_param CADir ca
ns_param CAFile ca.pem
ns_param Protocols "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false

# SSL drivers. Each driver defines a port to listen on and an explicitly named
# SSL context to associate with it. Note that you can now have multiple driver
# connections within a single virtual server, which can be tied to different
# SSL contexts. Isn't that cool?

ns_section ns/server/${server}/module/nsopenssl/ssldrivers
ns_param users "Driver for regular user access"

ns_section ns/server/${server}/module/nsopenssl/ssldriver/users
ns_param sslcontext users
ns_param port $httpsport
ns_param hostname $hostname
ns_param address $address

# OpenSSL library support:
#ns_param RandomFile /some/file
ns_param SeedBytes 1024

--------------

- Steve

Posted by Sven Schmitt on
Steve,

thanks a lot for your help. It brought us many steps further.

One question remaining though...
I got a certfile.pem and a keyfile.pem located in ${serverroot}/etc/certs/, but I think there should be a ca.pem, too. What is it? Do I have to generate it? And if yes, do you happen to know how I can do it?

Our error log looks like this now:

Notice: modload: loading '/usr/local/aolserver40r10/bin/nsopenssl.so'
Notice: nsopenssl: generating 512-bit temporary RSA key ...
Notice: nsopenssl: generating 1024-bit temporary RSA key ...
Notice: nsopenssl (oacs-5-1): loading SSL context 'users'
Notice: nsopenssl (oacs-5-1): 'users' ciphers loaded successfully
Notice: nsopenssl (oacs-5-1): 'users' using SSLv2 protocol
Notice: nsopenssl (oacs-5-1): 'users' using SSLv3 protocol
Notice: nsopenssl (oacs-5-1): 'users' using TLSv1 protocol
Notice: nsopenssl (oacs-5-1): 'users' certificate and key loaded successfully
Notice: nsopenssl (oacs-5-1): 'users' failed to load CA certificate file '/www/openacs/oacs-5-1/etc/certs/ca.pem'
Error: nsopenssl (oacs-5-1): 'users' CA certificate file is not readable or does not exist
Notice: users (nsopenssl): session cache is turned on for sslcontext 'oacs-5-1'
Notice: nsopenssl (oacs-5-1): default SSL context for server is users
Notice: nsopenssl (oacs-5-1): loading 'users' SSL driver
Notice: nsopenssl: listening on 134.155.48.128:10001

As always,
Sven

Posted by Steve Manning on
> I got a certfile.pem and a keyfile.pem located in ${serverroot}/etc/certs/, but I think there should be a ca.pem, too. What is it?

It's the certificate for the certificate authority, e.g. Verisign - the body who says that your certificate is genuine.

> Do I have to generate it? And if yes, do you happen to know how I can do it?

You should find the https connection is working but that your browser complains about the certificate because it can't validate it. This is not a problem for testing and staging although you can generate your own ca.pem if you want. Look at http://www.openssl.org/docs/HOWTO/ or google for ca.pem.

On a live server you'll need to buy a certificate from a CA - we use SureSSL http://www.suressl.com/ who are dirt cheap and it works very well (look at https://www.fancydress.com to see it in action - AOLS 4, OpenACS 5.x and nsopenssl 3). If you do go down this route you'll need to follow the instructions from the CA as you'll need to generate a request file which you forward to them. They use this to generate the certificates which you install on your server.

- Steve
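
Editor's note (added example, not part of the thread and not code from OpenACS or nsopenssl): the script below does the two things Steve describes but does not show. It generates a throw-away CA and a server certificate signed by it, producing exactly the three files the 'users' sslcontext above points at (ca.pem, keyfile.pem, certfile.pem), and it checks the chain and the key/certificate pairing so the "CA certificate file is not readable or does not exist" error from Sven's log cannot recur for a path reason. It also writes the 'users' sslcontext section from Steve's config with two hardening changes: Protocols is reduced to TLSv1 (SSLv2 and SSLv3 are removed), and the CipherSuite no longer admits export, LOW, MD5 or RC4 ciphers. The hostname ssl.example.org, the output directory and the requirement for the openssl command-line tool are assumptions of this example; for a commercial CA you stop after the CSR step and send them server.csr instead of signing it yourself, as Steve says.

```shell
#!/bin/sh
# Added example (not from the thread): build a throw-away CA, issue a server
# certificate from it, and write an nsopenssl 3 sslcontext section using the
# result. Requires the openssl command-line tool. Hostname, directory names
# and the 'users' context name are assumptions for this example.
set -eu

# make_test_pki DIR HOSTNAME
# Writes ca.pem (CA certificate), keyfile.pem (server key) and certfile.pem
# (server certificate signed by the CA) into DIR. For a commercial CA, stop
# after step 2 and send them DIR/server.csr instead of signing it yourself.
make_test_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # 1. private CA: key plus self-signed certificate; ca.pem is what CAFile names
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Test CA for $host" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # 2. server key plus certificate signing request (CSR)
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -keyout "$dir/keyfile.pem" -out "$dir/server.csr" 2>/dev/null
    # 3. the CA signs the CSR; the result is certfile.pem
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/certfile.pem" 2>/dev/null
    # private keys must not be world-readable; nsd only needs to read them as its own user
    chmod 600 "$dir/keyfile.pem" "$dir/ca.key"
}

# verify_chain DIR -> prints OK when certfile.pem validates against ca.pem
verify_chain() {
    if openssl verify -CAfile "$1/ca.pem" "$1/certfile.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# key_matches_cert DIR -> prints OK when keyfile.pem is the key for certfile.pem
# (both commands emit the same SubjectPublicKeyInfo PEM when they belong together)
key_matches_cert() {
    k=$(openssl pkey -in "$1/keyfile.pem" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$1/certfile.pem" -noout -pubkey 2>/dev/null || true)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo OK; else echo FAIL; fi
}

# write_sslcontext DIR OUTFILE
# Emits the 'users' sslcontext from the config above, pointed at DIR, with
# SSLv2/SSLv3 dropped from Protocols and export, LOW, MD5 and RC4 ciphers
# excluded from CipherSuite. The remaining parameters are as posted.
write_sslcontext() {
    cat > "$2" <<EOF
ns_section ns/server/\${server}/module/nsopenssl/sslcontext/users
ns_param Role server
ns_param ModuleDir $1/
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
ns_param CADir ca
ns_param CAFile ca.pem
ns_param Protocols "TLSv1"
ns_param CipherSuite "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false
EOF
}
```

Usage on a server laid out like Sven's would be `make_test_pki /www/openacs/oacs-5-1/etc/certs ssl.example.org` followed by `verify_chain` and `key_matches_cert` on the same directory, then `write_sslcontext` into a file you paste into the nsd config. A browser will still warn about the self-signed CA, as Steve notes, because nothing vouches for ca.pem except you; that is acceptable for staging only.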

Posted by Sven Schmitt on
I think nsopenssl is finally running without major problems.

Thank you for your help, Steve!

Regards,
Sven