Forum OpenACS Development: Re: Proposed corrections to OpenACS default nsopenssl configuration

Torben,

The reason I posted this was because of a conversation (can't find it in the forum - may have been on the openacs chat) with DaveB in which this came up. Dave's comments suggested that there was a problem with the default config.tcl file that led to ns_log errors being recorded.

I have always based my config on the README within the nsopenssl source directory and have had no error log entries. After you very kindly helped me to sort out the issue over the hard-coded 'users' context, it has been my intention to propose some alterations to config.tcl.

I have never needed a 'client' context and have not seen any code that uses it; however, I can see that this may be useful in the case of, for example, payment processing gateways.

The only things that look 'not quite right' to me in the default config.tcl are:

1) Comments saying that this file will cause errors in the logfile but don't worry folks it works anyway!

2) The fact that the CADir and CAFile declarations are commented out. As I understand it, these are required to verify the chain of trust for the SSL key and cert files for the context and should be set. I suspect that this is the source of the logfile error. I have mine set and I see no errors in the ns_log output.

My intention really was just to eliminate any log errors, simplify and clarify by adding information to the comments.

This reply to Bart T from Scott G has useful reference material in it:

http://www.mail-archive.com/aolserver@listserv.aol.com/msg06022.html

I would be interested in working with someone to remove the hard-coded context from the OpenACS security procs so that OpenACS can work with the full flexibility of nsopenssl.

Please be assured that no criticism of anyone or anything was intended or implied by my posting.

Regards
Richard