Forum OpenACS Development: Re: Proposed corrections to OpenACS default nsopenssl configuration
Posted by
Richard Hamilton
on 10/28/10 05:19 PM
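} else {
#--------------------------------------------------------------------------------------------------
# OpenSSL for AOLserver 4
#--------------------------------------------------------------------------------------------------
#
# Configuration for nsopenssl v3.x modified by Richard Hamilton on 10-26-2010
# (email: mailto:richard.hamilton@webteamworks.com), based on the example configuration in the
# README of the nsopenssl source directory.
#
# Note 1: nsopenssl.so v3.x supports multiple SSL contexts in AOLserver 4.5, so each virtual
# server can have several SSL listeners: for example one for users, one for admins, and a
# third 'client' context for outgoing SSL connections.
#
# However, OpenACS's security::locations proc has the nsopenssl context name hard-coded as
# 'users'. Therefore, for OpenACS up to the current version (5.6.0 as of 10-26-2010) you must
# configure exactly one server context and it must be called 'users'. The README naming
# convention ('vs1_user_ctx' and the like) is therefore not used here; it would be meaningless
# until OpenACS reads its SSL context name via ns_config.
# See: http://www.openacs.org/forums/message-view?message_id=2983032
#
# Note 2: If you do configure more than one listener, each MUST have its own dedicated SSL key
# and certificate. Sharing a key between listeners defeats the purpose of a separate port.
#
# Note 3: A check has been added that tests for the key and certificate files required by the
# default OpenACS context 'users'. The nsopenssl module will not be loaded unless
# 'users_cert.pem', 'users_key.pem' and './ca/users_cacert.pem' exist. (The check itself
# precedes this else-branch; only the configuration that runs when it passes is shown here.)
#
# The default location assumed for key and certificate files is:
#     /usr/local/aolserver/servers/${server}/modules/nsopenssl
# The private key file should be readable only by the user AOLserver runs as.
#
#--------------------------------------------------------------------------------------------------

# Multiple contexts cannot share ports; the 'users' context gets the main https port.
set httpsport_users $httpsport

ns_section "ns/server/${server}/module/nsopenssl"
# Seed the OpenSSL PRNG from the kernel CSPRNG. /proc/kcore (the old README example) is a
# root-only image of kernel memory: an unprivileged AOLserver cannot read it, so the seed
# would silently fail, and it is not an appropriate entropy source in any case.
ns_param RandomFile /dev/urandom
ns_param SeedBytes 1024
# ServerPort is required by procs in acs-tcl/tcl/security-procs.tcl to find the https port.
ns_param ServerPort $httpsport_users
# Setting maxinput higher than practical leaves the server open to resource-exhaustion DoS;
# see http://www.panoptic.com/wiki/aolserver/166
# maxinput must be set for nsopenssl as well as for nssock.
ns_param maxinput [expr {$max_file_upload_mb * 1024 * 1024}] ;# maximum upload size, in bytes

ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
ns_param users "SSL context used for regular user access"
# ns_param admins "SSL context used for administrator access - not supported by OpenACS"
# ns_param client "SSL context used for outgoing script socket connections - not supported by OpenACS"

ns_section "ns/server/${server}/module/nsopenssl/defaults"
ns_param server users ;# Hard-coded into the OpenACS security::locations proc
# ns_param client client

ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role server
ns_param ModuleDir ${homedir}/servers/${server}/modules/nsopenssl
ns_param CertFile users_cert.pem
ns_param KeyFile users_key.pem
ns_param CADir ca ;# Directory (relative to ModuleDir) holding the signing CA certificate
ns_param CAFile ca/users_cacert.pem
# nsopenssl v3.x knows "SSLv2, SSLv3, TLSv1" ("ALL"). SSLv2 is broken and SSLv3 is
# vulnerable to POODLE (CVE-2014-3566); offer TLSv1 only. If your nsopenssl/OpenSSL build
# accepts newer TLS versions, prefer those as well.
ns_param Protocols "TLSv1"
# Cipher string in OpenSSL syntax. The README example ("ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:
# +SSLv2:+EXP") permits export-grade, LOW and SSLv2 suites. Allow only strong suites and
# exclude anonymous, NULL, export, LOW, MD5 and RC4.
ns_param CipherSuite "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4"
# PeerVerify false: the server does not require or verify client certificates.
# Set it to true only if every user is expected to present a cert signed by CAFile.
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false

# ns_section "ns/server/${server}/module/nsopenssl/sslcontext/admins"
# ns_param Role server
# ns_param ModuleDir /path/to/dir
# ns_param CertFile admins_cert.pem
# ns_param KeyFile admins_key.pem
# ns_param CADir ca
# ns_param CAFile ca/admins_cacert.pem
# for Protocols "ALL" = "SSLv2, SSLv3, TLSv1"
# ns_param Protocols "TLSv1"
# ns_param CipherSuite "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4"
# ns_param PeerVerify false
# ns_param PeerVerifyDepth 3
# ns_param Trace false

# ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
# ns_param Role client
# ns_param ModuleDir /path/to/dir
# ns_param CertFile client_cert.pem
# ns_param KeyFile client_key.pem
# ns_param CADir ca
# ns_param CAFile ca/client_cacert.pem
# for Protocols "ALL" = "SSLv2, SSLv3, TLSv1"
# ns_param Protocols "TLSv1"
# ns_param CipherSuite "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4"
# ns_param PeerVerify false
# ns_param PeerVerifyDepth 3
# ns_param Trace false

# SSL drivers. It is possible to configure multiple driver connections within a single
# virtual server, each bound to its own named SSL context; however this is not supported
# by OpenACS. Each driver defines a port to listen on and the SSL context to use for it.
ns_section "ns/server/${server}/module/nsopenssl/ssldrivers"
ns_param users "Driver for regular user access"
# ns_param admins "Driver for administrator access"
# ns_param client "Driver for outgoing ssl connections"

ns_section "ns/server/${server}/module/nsopenssl/ssldriver/users"
ns_param sslcontext users
ns_param port $httpsport_users
ns_param hostname $hostname
ns_param address $address
# The following two parameters were added per
# http://www.mail-archive.com/aolserver@listserv.aol.com/msg07365.html
# Maximum upload size (must match the module-level maxinput above):
ns_param maxinput [expr {$max_file_upload_mb * 1024 * 1024}] ;# in bytes
# Maximum time to wait for a request body; max_file_upload_min is in minutes, recvwait
# takes seconds.
ns_param recvwait [expr {$max_file_upload_min * 60}] ;# in seconds

# ns_section "ns/server/${server}/module/nsopenssl/ssldriver/admins"
# ns_param sslcontext admins
# ns_param port $httpsport_admins ;# Not set up in OpenACS config.tcl
# ns_param hostname $hostname
# ns_param address $address

# ns_section "ns/server/${server}/module/nsopenssl/ssldriver/client"
# ns_param sslcontext client
# ns_param port $httpsport_client ;# Not set up in OpenACS config.tcl
# ns_param hostname $hostname
# ns_param address $address
}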