<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Kevin Kovach wrote:
<blockquote cite="mide9cd74a505080310217418e62b@mail.gmail.com"
type="cite">
<pre wrap="">Thanks for the help. I've added that object and was able to modify
the configuration without further issues.
Unfortunately, I've run into another problem now. Now when I try to
start the directory it's complaining about one of the ciphers. I get
the following error when I attempt to start the server ...
[03/Aug/2005:13:19:35 -0400] - SSL alert: Security Initialization:
Failed to set SSL cipher preference information: unknown cipher fo
(Netscape Portable Runtime error -5950 - File not found.)
[03/Aug/2005:13:19:35 -0400] - ERROR: SSL Initialization Failed.
It looks like it's complaining about the 'fo cipher' that was added in
the same configuration modifications? The change I'm talking about is
the following ...
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
</pre>
</blockquote>
That's definitely truncated. +fo is not correct. It's probably
another Fortezza cipher. There may be other ciphers that are missing.<br>
<blockquote cite="mide9cd74a505080310217418e62b@mail.gmail.com"
type="cite">
<pre wrap="">
I looked at the dse.ldif file and it looks like it was added correctly
(as it's presented in the SSL HOWTO) Any advice? Thanks.
- Kevin
On 8/3/05, Adam Stokes <a class="moz-txt-link-rfc2396E" href="mailto:astokes@redhat.com"><astokes@redhat.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Wed, 2005-08-03 at 10:35 -0400, Kevin Kovach wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hello,
I've worked through the SSL howto on the FDS site and everything went
well until I got to the part where I modified the schema.
The /tmp/ssl_enable.ldif modifications that are suggested work well up
to the point where it tries to modify cn=RSA,cn=encryption,cn=config
To be specific, the recommended changes are as follows...
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
-
add: nsKeyfile
nsKeyfile: alias/slapd-directory-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-directory-cert8.db
dn: cn=RSA,cn=encryption,cn=config
changetype: modify
add: nsSSLPersonalitySSL
nsSSLPersonalitySSL: Server-Cert
dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
It seems as though when I get to the point where I want to add the
'nsSSLPersonalitySSL' attribute my directory server complains that the
'cn=RSA,cn=encryption,cn=config' object does not exist to be modified.
I don't see anywhere in the HOWTO where I would have created this
object. Am I missing something? Thanks.
- Kevin
--
Fedora-directory-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a>
</pre>
</blockquote>
<pre wrap="">Refresh the wiki page I have updated this problem.
Thanks for pointing that out please create an ldif /tmp/addrsa.ldif and
have the following :
dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
Use ldapadd to add the entry into the directory server.. Ill fix the
how-to now as well :)
--
Fedora-directory-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a>
</pre>
</blockquote>
<pre wrap=""><!---->
</pre>
</blockquote>
</body>
</html>