[Fedora-directory-users] Enabling SSL

Kevin Kovach kovach at gmail.com
Wed Aug 3 17:57:55 UTC 2005 

Thanks Nathan.  I've made this change and again got farther than I have before.

FYI, I got that cipher list from the Wiki.  That will need to be
updated to contain the complete list.

Although I got farther the server is still not starting up.  Now it's
complaining that none of the ciphers are valid?  How to I ensure that
I'm using a valid cypher?  Here's the error I'm seeing in the error
log ...

[03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
[03/Aug/2005:13:56:23 -0400] - SSL failure: None of the cipher are valid

Thanks again for the help.

- Kevin

And again have a different issue now.  Now it's complaining that there are no 

On 8/3/05, Nathan Kinder <nkinder at redhat.com> wrote:
> Rich Megginson wrote:
> 
> > Kevin Kovach wrote:
> >
> >>Thanks for the help.  I've added that object and was able to modify
> >>the configuration without further issues.
> >>
> >>Unfortunately, I've run into another problem now.  Now when I try to
> >>start the directory it's complaining about one of the ciphers.  I get
> >>the following error when I attempt to start the server ...
> >>
> >>[03/Aug/2005:13:19:35 -0400] - SSL alert: Security Initialization:
> >>Failed to set SSL cipher preference information: unknown cipher fo
> >>(Netscape Portable Runtime error -5950 - File not found.)
> >>[03/Aug/2005:13:19:35 -0400] - ERROR: SSL Initialization Failed.
> >>
> >>It looks like it's complaining about the 'fo cipher' that was added in
> >>the same configuration modifications?  The change I'm talking about is
> >>the following ...
> >>
> >>add: nsSSL3Ciphers
> >>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
> >>+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
> >>
> >>
> > That's definitely truncated.  +fo is not correct.  It's probably
> > another Fortezza cipher.  There may be other ciphers that are missing.
> 
> Rich is correct.  Here is what the audit log shows when SSL is enabled
> via Console:
> 
> nsSSL3Ciphers:
> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
> 
> -NGK
> 
> >>I looked at the dse.ldif file and it looks like it was added correctly
> >>(as it's presented in the SSL HOWTO)  Any advice?  Thanks.
> >>
> >>- Kevin
> >>
> >>
> >>On 8/3/05, Adam Stokes <astokes at redhat.com> wrote:
> >>
> >>
> >>>On Wed, 2005-08-03 at 10:35 -0400, Kevin Kovach wrote:
> >>>
> >>>
> >>>>Hello,
> >>>>
> >>>>I've worked through the SSL howto on the FDS site and everything went
> >>>>well until I got to the part where I modified the schema.
> >>>>
> >>>>The /tmp/ssl_enable.ldif modifications that are suggested work well up
> >>>>to the point where it tries to modify cn=RSA,cn=encryption,cn=config
> >>>>
> >>>>To be specific, the recommended changes are as follows...
> >>>>
> >>>>dn: cn=encryption,cn=config
> >>>>changetype: modify
> >>>>replace: nsSSL3
> >>>>nsSSL3: on
> >>>>-
> >>>>replace: nsSSLClientAuth
> >>>>nsSSLClientAuth: allowed
> >>>>-
> >>>>add: nsSSL3Ciphers
> >>>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
> >>>>+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
> >>>>-
> >>>>add: nsKeyfile
> >>>>nsKeyfile: alias/slapd-directory-key3.db
> >>>>-
> >>>>add: nsCertfile
> >>>>nsCertfile: alias/slapd-directory-cert8.db
> >>>>
> >>>>dn: cn=RSA,cn=encryption,cn=config
> >>>>changetype: modify
> >>>>add: nsSSLPersonalitySSL
> >>>>nsSSLPersonalitySSL: Server-Cert
> >>>>
> >>>>dn: cn=config
> >>>>changetype: modify
> >>>>add: nsslapd-security
> >>>>nsslapd-security: on
> >>>>-
> >>>>replace: nsslapd-ssl-check-hostname
> >>>>nsslapd-ssl-check-hostname: off
> >>>>
> >>>>It seems as though when I get to the point where I want to add the
> >>>>'nsSSLPersonalitySSL' attribute my directory server complains that the
> >>>>'cn=RSA,cn=encryption,cn=config' object does not exist to be modified.
> >>>>
> >>>>I don't see anywhere in the HOWTO where I would have created this
> >>>>object.  Am I missing something?  Thanks.
> >>>>
> >>>>- Kevin
> >>>>
> >>>>--
> >>>>Fedora-directory-users mailing list
> >>>>Fedora-directory-users at redhat.com
> >>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>>>
> >>>>
> >>>Refresh the wiki page I have updated this problem.
> >>>
> >>>Thanks for pointing that out please create an ldif /tmp/addrsa.ldif and
> >>>have the following :
> >>>
> >>>dn: cn=RSA,cn=encryption,cn=config
> >>>objectclass: top
> >>>objectclass: nsEncryptionModule
> >>>cn: RSA
> >>>nsSSLPersonalitySSL: Server-Cert
> >>>nsSSLToken: internal (software)
> >>>
> >>>Use ldapadd to add the entry into the directory server.. Ill fix the
> >>>how-to now as well :)
> >>>
> >>>
> >>>
> >>>--
> >>>Fedora-directory-users mailing list
> >>>Fedora-directory-users at redhat.com
> >>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >>
> >------------------------------------------------------------------------
> >
> >--
> >Fedora-directory-users mailing list
> >Fedora-directory-users at redhat.com
> >https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >
> 
> 
> 
> 


-- 
Take back the web, http://www.switch2firefox.com/

More information about the Fedora-directory-users mailing list