[Fedora-directory-users] Enabling SSL

Adam Stokes astokes at redhat.com
Wed Aug 3 21:27:55 UTC 2005


Kevin Kovach wrote:

>dn: cn=encryption,cn=config
>objectClass: top
>objectClass: nsEncryptionConfig
>cn: encryption
>nsSSLSessionTimeout: 0
>nsSSLClientAuth: allowed
>nsSSL2: off
>nsSSL3: on
>creatorsName: cn=server,cn=plugins,cn=config
>modifiersName: cn=root
>createTimestamp: 20050726153224Z
>modifyTimestamp: 20050803144437Z
>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des\
>_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>nsKeyfile: alias/slapd-birdie-key3.db
>nsCertfile: alias/slapd-birdie-cert8.db
>numSubordinates: 1
>
>In the following entry I wasn't sure if '(software)' was a comment or
>if it was part of the attr value so I've tried it both ways.  Didn't
>seem to change anything.
>
>dn: cn=RSA,cn=encryption,cn=config
>objectClass: top
>objectClass: nsEncryptionModule
>cn: RSA
>nsSSLToken: internal (software)
>nsSSLPersonalitySSL: Server-Cert
>creatorsName: cn=root
>modifiersName: cn=root
>createTimestamp: 20050803144438Z
>modifyTimestamp: 20050803144438Z
>
>
>dn: cn=config
>cn: config
>objectClass: top
>objectClass: extensibleObject
>objectClass: nsslapdConfig
>nsslapd-accesslog-logging-enabled: on
>nsslapd-accesslog-maxlogsperdir: 10
>nsslapd-accesslog-mode: 600
>nsslapd-accesslog-maxlogsize: 100
>nsslapd-accesslog-logrotationtime: 1
>nsslapd-accesslog-logrotationtimeunit: day
>nsslapd-accesslog-logrotationsync-enabled: off
>nsslapd-accesslog-logrotationsynchour: 0
>nsslapd-accesslog-logrotationsyncmin: 0
>nsslapd-accesslog: /opt/fedora-ds/slapd-birdie/logs/access
>nsslapd-enquote-sup-oc: off
>nsslapd-schemacheck: on
>nsslapd-rewrite-rfc1274: off
>nsslapd-return-exact-case: on
>nsslapd-ssl-check-hostname: off
>
>...
>
>modifyTimestamp: 20050803144438Z
>nsslapd-security: on
>
>
>I think those were the three objects modified.  If you need more
>please let me know.  Thanks.
>
>- Kevin
>
>On 8/3/05, Adam Stokes <astokes at redhat.com> wrote:
>  
>
>>On Wed, 3 Aug 2005 16:54:09 -0400
>>Kevin Kovach <kovach at gmail.com> wrote:
>>
>>    
>>
>>>I double checked my key and cert files and they are of the correct
>>>format.  Incidentally, those then correspond to the nsCertfile and
>>>nsKeyfile attributes that are made in the config changes?  It's not
>>>real clear in the wiki.  The wiki suggests that the nsKeyfile and
>>>nsCertfile attrs include 'slapd-directory'.
>>>
>>>I ask because I originally made the config changes by just copying and
>>>pasting the ldif and I went back and changed them afterwards to be
>>>'slapd-<instance name>'.
>>>      
>>>
>>The above is correct, again modified the wiki to resemble the changes.
>>    
>>
>>>Regardless of that I'm still not able to get the directory to start
>>>up.  I'm still seeing the same error in the log ...
>>>
>>>[03/Aug/2005:16:21:44 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
>>>[03/Aug/2005:16:21:44 -0400] - SSL failure: None of the cipher are valid
>>>
>>>I'm going to continue playing with it and research it online, but any
>>>further advice or suggestions would be appreciated.  Thanks.
>>>
>>>- Kevin
>>>      
>>>
>>Could you post your changes as it shows in
>>/opt/fedora-ds/slapd-<instance>/config/dse.ldif?
>>
>>--
>>....<(^_^)> adam stokes ....
>>
>
In the dn: cn=RSA,cn=encryption,cn=config add the following line

nsSSLActivation: on

Sorry for the confusion. Let me know if this works and I'll modify the
wiki accordingly.
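
An added example, not part of the original message or of the Fedora DS project: a small Python check over dse.ldif text that reports an encryption module entry lacking the nsSSLActivation: on line requested above, and any enabled null, export, 40-bit or single-DES cipher in nsSSL3Ciphers. The sample LDIF is constructed from the entries quoted in this thread; the function names and the weak-cipher pattern are assumptions of this example.

```python
# Added example: audit the SSL-related entries of a Fedora DS dse.ldif.
import re

# Constructed sample, trimmed from the entries quoted in this thread.
SAMPLE_DSE = """\
dn: cn=encryption,cn=config
nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_3des_sha,
 +fortezza_null,+tls_rsa_export1024_with_rc4_56_sha

dn: cn=RSA,cn=encryption,cn=config
nsSSLToken: internal (software)
nsSSLPersonalitySSL: Server-Cert

dn: cn=config
nsslapd-security: on
"""

# Assumption of this example: a name-based heuristic for weak cipher tokens.
WEAK = re.compile(r"null|export|_40_|_des_")

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attr: [values]}}, unfolding folded lines."""
    text = re.sub(r"\n ", "", text)  # RFC 2849 continuation: newline + space
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def audit(text):
    """Return a list of findings for the SSL configuration in dse.ldif text."""
    entries, findings = parse_ldif(text), []
    security = entries.get("cn=config", {}).get("nsslapd-security", ["off"])[0].lower()
    for dn, attrs in entries.items():
        # Module entries (e.g. cn=RSA) sit directly under cn=encryption,cn=config.
        if dn.endswith(",cn=encryption,cn=config") and security == "on":
            if attrs.get("nssslactivation", ["<missing>"])[0].lower() != "on":
                findings.append(f"{dn}: nsSSLActivation is not on")
        for cipher in ",".join(attrs.get("nsssl3ciphers", [])).split(","):
            if cipher.startswith("+") and WEAK.search(cipher):
                findings.append(f"{dn}: weak cipher enabled: {cipher[1:]}")
    return findings
```

Run `audit()` on the contents of the instance's dse.ldif; an empty list means neither condition was found.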



