Forum OpenACS Q&A: Response to An OpenSSL/Aolserver HOWTO
I read the https://openacs.org/bboard/q-and-a-fetch-msg.tcl?msg_id=0003NP thread.
The /web/birdnotes/packages/acs-tcl/tcl/admin-procs.tcl has been modified to set ssl_port [ns_config -int "ns/server/[ns_info server]/module/nsopenssl" ServerPort 443].
I can't connect to the secure server when I type the https address. No page served. And I can't find any error messages in the log.
Port 443 is open. I followed the instructions in https://openacs.org/doc/openacs-4/ and copied the nsd.tcl from https://openacs.org/doc/openacs-4/files/openacs4.tcl.txt.
I commented out the following nsssl configuration settings:
#
# nsssl: Only loads if keyfile.pem and certfile.pem exist.
# If you are using SSL, make sure you have these dirs and files (refer
# to the AOLserver docs)
#set sslkeyfile ${homedir}/servers/${server}/modules/nsssl/keyfile.pem
#set sslcertfile ${homedir}/servers/${server}/modules/nsssl/certfile.pem
#
# Socket driver module (HTTPS) -- nsssl
#
# nsssl does not load unless sslkeyfile/sslcertfile exist (above).
#
#ns_section ns/server/${server}/module/nsssl
#ns_param port $httpsport
#ns_param hostname $hostname
#ns_param address $address
#ns_param keyfile $sslkeyfile
#ns_param certfile $sslcertfile
#
## nsssl: loads only if requisite files already exist (see top of this
# file).
#
#if { [file exists $sslcertfile] && [file exists $sslkeyfile] } {
# ns_param nsssl ${bindir}/nsssle.so
#
#} else {
# ns_log warning "nsd.tcl: nsssl not loaded because key/cert files do not exist."
#}
The ports I set are 80/443, not the 8000/8443 of the sample configuration file.
And I put in the sample configuration for nsopenssl 2.1 from http://www.scottg.net/webtools/aolserver/modules/nsopenssl/configuration/ as follows:
ns_section "ns/server/${server}/module/nsopenssl"
# NSD-driven connections:
ns_param ServerPort $httpsport
ns_param ServerHostname $hostname
ns_param ServerAddress $address
ns_param ServerCertFile certfile.pem
ns_param ServerKeyFile keyfile.pem
ns_param ServerProtocols "SSLv2, SSLv3, TLSv1"
ns_param ServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param ServerSessionCache false
ns_param ServerSessionCacheID 1
ns_param ServerSessionCacheSize 512
ns_param ServerSessionCacheTimeout 300
ns_param ServerPeerVerify true
ns_param ServerPeerVerifyDepth 3
ns_param ServerCADir ca
ns_param ServerCAFile ca.pem
ns_param ServerTrace false
# For listening and accepting SSL connections via Tcl/C API:
ns_param SockServerCertFile certfile.pem
ns_param SockServerKeyFile keyfile.pem
ns_param SockServerProtocols "SSLv2, SSLv3, TLSv1"
ns_param SockServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param SockServerSessionCache false
ns_param SockServerSessionCacheID 2
ns_param SockServerSessionCacheSize 512
ns_param SockServerSessionCacheTimeout 300
ns_param SockServerPeerVerify true
ns_param SockServerPeerVerifyDepth 3
ns_param SockServerCADir internal_ca
ns_param SockServerCAFile internal_ca.pem
ns_param SockServerTrace false
# Outgoing SSL connections
ns_param SockClientCertFile clientcertfile.pem
ns_param SockClientKeyFile clientkeyfile.pem
ns_param SockClientProtocols "SSLv2, SSLv3, TLSv1"
ns_param SockClientCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param SockClientSessionCache false
ns_param SockClientSessionCacheID 3
ns_param SockClientSessionCacheSize 512
ns_param SockClientSessionCacheTimeout 300
ns_param SockClientPeerVerify true
ns_param SockServerPeerVerifyDepth 3
ns_param SockClientCADir ca
ns_param SockClientCAFile ca.pem
ns_param SockClientTrace false
# Typically where you store your certificates
# Defaults to $AOLSERVER/servers/${server}/modules/nsopenssl
ns_param ModuleDir /Path/to/dir
# OpenSSL library support:
ns_param RandomFile /some/file
ns_param SeedBytes 1024
I changed ns_param ModuleDir to ns/server/${server}/module/nsopenssl and created certfile.pem and keyfile.pem in the directory /usr/local/aolserver/servers/birdnotes/module/nsopenssl.
I changed the combination in the configuration file several times, but no luck.
When I tried to put nsopenssl.so under the ns_section ns/server/${server}/modules, like ns_param nsopenssl ${bindir}/nsopenssl.so, the server just died.
If I comment that out, AOLserver works, with the following error message (from the log):
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: Module directory set by ModuleDir to
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: ServerPeerVerify = 1
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: ServerPeerVerifyDepth = 3
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: ServerTrace = 0
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: ServerProtocols = SSLv2, SSLv3, TLSv1
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: Using SSLv2 protocol
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: Using SSLv3 protocol
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: Using TLSv1 protocol
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: ServerCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
[03/Jun/2002:21:34:20][12723.1024][-main-] Notice: nsopenssl: ServerCertFile = /certfile.pem
[03/Jun/2002:21:34:20][12723.1024][-main-] Error: nsopenssl: error loading certificate file "/certfile.pem"
[03/Jun/2002:21:34:20][12723.1024][-main-] Debug: nsopenssl: freeing(0x8165938)
[03/Jun/2002:21:34:20][12723.1024][-main-] Error: modload: failed to load '/usr/local/aolserver/bin/nsopenssl.so': 'Ns_ModuleInit' returned -1
[03/Jun/2002:21:34:21][12735.1024][-main-] Fatal: modload: failed to load module '/usr/local/aolserver/bin/nsopenssl.so'
Any idea? Thanks, Jay
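As an added example (not from this thread, the poster, or the nsopenssl project), a small Python checker that reads the ns_param lines of an nsopenssl section, resolves ServerCertFile the way the log above suggests the module does (ModuleDir joined to the file name with "/", an assumption), and flags an empty or relative ModuleDir along with SSLv2 and the explicitly enabled weak cipher groups. The configuration excerpt is constructed from the post.

```python
import re

# Constructed excerpt of the nsopenssl section shown in the post (not the full nsd.tcl).
SAMPLE_CONFIG = """
ns_section "ns/server/${server}/module/nsopenssl"
ns_param ServerPort 443
ns_param ServerCertFile certfile.pem
ns_param ServerKeyFile keyfile.pem
ns_param ServerProtocols "SSLv2, SSLv3, TLSv1"
ns_param ServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param ModuleDir ns/server/${server}/module/nsopenssl
"""

# One ns_param line: name, then either a double-quoted value or a bare token.
PARAM_RE = re.compile(r'^\s*ns_param\s+(\S+)\s+(?:"([^"]*)"|(\S+))\s*$')

# Cipher-string groups that should not be switched on for a public HTTPS listener.
WEAK_CIPHER_GROUPS = {"+LOW", "+EXP", "+SSLv2"}


def parse_params(text):
    """Return {name: value} for every ns_param line, quotes stripped."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def resolve_cert_path(params, key="ServerCertFile"):
    """Assumption: the module builds the path as ModuleDir + "/" + file name,
    which is why an empty ModuleDir produced "/certfile.pem" in the log."""
    return params.get("ModuleDir", "") + "/" + params.get(key, "")


def audit(params):
    """Return a list of human-readable findings for the nsopenssl section."""
    findings = []
    if not params.get("ModuleDir", "").startswith("/"):
        findings.append("ModuleDir is empty or relative: ServerCertFile resolves to %r"
                        % resolve_cert_path(params))
    protocols = [p.strip() for p in params.get("ServerProtocols", "").split(",")]
    if "SSLv2" in protocols:
        findings.append("SSLv2 is enabled in ServerProtocols")
    for token in params.get("ServerCipherSuite", "").split(":"):
        if token in WEAK_CIPHER_GROUPS:
            findings.append("weak cipher group %s enabled in ServerCipherSuite" % token)
    return findings
```

Run `audit(parse_params(open("nsd.tcl").read()))` against a real nsd.tcl; an absolute ModuleDir whose certfile.pem and keyfile.pem actually exist clears the first finding.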