[Fedora-directory-users] Enabling SSL

Rich Megginson rmeggins at redhat.com
Wed Aug 3 19:58:47 UTC 2005 

Kevin Kovach wrote:

>Adam,
>
>My entry looks the same.  I'm pretty certain I have the ciphers correct now.
>
>I am curious about one thing though.  In following the wiki, I did as
>suggested and converted the cert db to pkcs12 with the following
>command ...
>
>pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert
>
>However, I don't see anywhere where we make FDS aware of
>servercert.pfx?  I'd assume that we need to configure FDS for this
>pkcs12 db somewhere?
>  
>
If you followed the other steps up until this one, then you already have 
the required certs for slapd to use.  You only need to export the cert 
to the .pfx file if you need to import that key and cert into another 
program (e.g. use openssl to convert the .pfx file to other formats).

>Also, the wiki mentions the trailing - on the -P option but does not
>go into depth on it.  I'm pretty sure I executed this command
>correctly but am unsure how to double check it?
>  
>
Look in your /opt/fedora-ds/alias directory.  You should have files 
called slapd-serverID-cert8.db and slapd-serverID-key3.db, not 
slapd-serverIDcert8.db and slapd-serverIDkey3.db.

>Thanks again.
>
>- Kevin
>
>On 8/3/05, Adam Stokes <astokes at redhat.com> wrote:
>  
>
>>dn: cn=encryption,cn=config
>>objectClass: top
>>objectClass: nsEncryptionConfig
>>cn: encryption
>>nsSSLSessionTimeout: 0
>>nsSSLClientAuth: allowed
>>nsSSL2: off
>>nsSSL3: on
>>creatorsName: cn=server,cn=plugins,cn=config
>>modifiersName: cn=directory manager
>>createTimestamp: 20050701182744Z
>>modifyTimestamp: 20050720192820Z
>>nsSSL3Ciphers:
>>-rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha
>>nsKeyfile: alias/slapd-directory-key3.db
>>nsCertfile: alias/slapd-directory-cert8.db
>>numSubordinates: 1
>>
>>Above is my entry for reference
>>
>>On Wed, 2005-08-03 at 13:57 -0400, Kevin Kovach wrote:
>>    
>>
>>>Thanks Nathan.  I've made this change and again got farther than I have before.
>>>
>>>FYI, I got that cipher list from the Wiki.  That will need to be
>>>updated to contain the complete list.
>>>
>>>Although I got farther the server is still not starting up.  Now it's
>>>complaining that none of the ciphers are valid?  How to I ensure that
>>>I'm using a valid cypher?  Here's the error I'm seeing in the error
>>>log ...
>>>
>>>[03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
>>>[03/Aug/2005:13:56:23 -0400] - SSL failure: None of the cipher are valid
>>>
>>>Thanks again for the help.
>>>
>>>- Kevin
>>>
>>>And again have a different issue now.  Now it's complaining that there are no
>>>      
>>>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users at redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>    
>>
>
>
>  
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3312 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20050803/15fa228d/attachment.bin>

More information about the Fedora-directory-users mailing list