[Fedora-directory-users] Enabling SSL

Kevin Kovach kovach at gmail.com
Wed Aug 3 21:35:11 UTC 2005


Well that did it.  I had actually tried that before.  Saw it in some
Sun forum somewhere or something.  However, when I tried it I got some
other error so I took it back out.  I suspect I had the nsKeyfile and
nsCertfile set incorrectly when I tried it the first time.

Thanks so much for the help.

- Kevin

On 8/3/05, Adam Stokes <astokes at redhat.com> wrote:
> Kevin Kovach wrote:
> 
> >dn: cn=encryption,cn=config
> >objectClass: top
> >objectClass: nsEncryptionConfig
> >cn: encryption
> >nsSSLSessionTimeout: 0
> >nsSSLClientAuth: allowed
> >nsSSL2: off
> >nsSSL3: on
> >creatorsName: cn=server,cn=plugins,cn=config
> >modifiersName: cn=root
> >createTimestamp: 20050726153224Z
> >modifyTimestamp: 20050803144437Z
> >nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
> >nsKeyfile: alias/slapd-birdie-key3.db
> >nsCertfile: alias/slapd-birdie-cert8.db
> >numSubordinates: 1
> >
> >In the following entry I wasn't sure if '(software)' was a comment or
> >if it was part of the attr value so I've tried it both ways.  Didn't
> >seem to change anything.
> >
> >dn: cn=RSA,cn=encryption,cn=config
> >objectClass: top
> >objectClass: nsEncryptionModule
> >cn: RSA
> >nsSSLToken: internal (software)
> >nsSSLPersonalitySSL: Server-Cert
> >creatorsName: cn=root
> >modifiersName: cn=root
> >createTimestamp: 20050803144438Z
> >modifyTimestamp: 20050803144438Z
> >
> >
> >dn: cn=config
> >cn: config
> >objectClass: top
> >objectClass: extensibleObject
> >objectClass: nsslapdConfig
> >nsslapd-accesslog-logging-enabled: on
> >nsslapd-accesslog-maxlogsperdir: 10
> >nsslapd-accesslog-mode: 600
> >nsslapd-accesslog-maxlogsize: 100
> >nsslapd-accesslog-logrotationtime: 1
> >nsslapd-accesslog-logrotationtimeunit: day
> >nsslapd-accesslog-logrotationsync-enabled: off
> >nsslapd-accesslog-logrotationsynchour: 0
> >nsslapd-accesslog-logrotationsyncmin: 0
> >nsslapd-accesslog: /opt/fedora-ds/slapd-birdie/logs/access
> >nsslapd-enquote-sup-oc: off
> >nsslapd-schemacheck: on
> >nsslapd-rewrite-rfc1274: off
> >nsslapd-return-exact-case: on
> >nsslapd-ssl-check-hostname: off
> >
> >...
> >
> >modifyTimestamp: 20050803144438Z
> >nsslapd-security: on
> >
> >
> >I think those were the three objects modified.  If you need more
> >please let me know.  Thanks.
> >
> >- Kevin
> >
> >On 8/3/05, Adam Stokes <astokes at redhat.com> wrote:
> >
> >
> >>On Wed, 3 Aug 2005 16:54:09 -0400
> >>Kevin Kovach <kovach at gmail.com> wrote:
> >>
> >>
> >>
> >>>I double checked my key and cert files and they are of the correct
> >>>format.  Incidentally, those then correspond to the nsCertfile and
> >>>nsKeyfile attributes that are made in the config changes?  It's not
> >>>real clear in the wiki.  The wiki suggests that the nsKeyfile and
> >>>nsCertfile attrs include 'slapd-directory'.
> >>>
> >>>I ask because I originally made the config changes by just copying and
> >>>pasting the ldif and I went back and changed them afterwards to be
> >>>'slapd-<instance name>'.
> >>>
> >>>
> >>The above is correct, again modified the wiki to resemble the changes.
> >>
> >>
> >>>Regardless of that I'm still not able to get the directory to start
> >>>up.  I'm still seeing the same error in the log ...
> >>>
> >>>[03/Aug/2005:16:21:44 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
> >>>[03/Aug/2005:16:21:44 -0400] - SSL failure: None of the cipher are valid
> >>>
> >>>I'm going to continue playing with it and research it online, but any
> >>>further advice or suggestions would be appreciated.  Thanks.
> >>>
> >>>- Kevin
> >>>
> >>>
> >>Could you post your changes as it shows in
> >>/opt/fedora-ds/slapd-<instance>/config/dse.ldif?
> >>
> >>--
> >>....<(^_^)> adam stokes ....
> >>
> >>
> >>
> >
> >
> >
> >
> In the dn: cn=RSA,cn=encryption,cn=config add the following line
> 
> nsSSLActivation: on
> 
> Sorry for the confusion. Let me know if this works and I'll modify the
> wiki accordingly.
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 


-- 
Take back the web, http://www.switch2firefox.com/
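
Added example (not part of the original thread, and not Fedora DS project code): a small Python check that reads a dse.ldif and reports whether the three entries discussed above carry the settings this thread ends up with, including the nsSSLActivation line that was missing. The sample LDIF is constructed from the entries quoted above; the weak-cipher check (null, export and 40-bit suites that are enabled with "+") goes beyond what the thread discusses and is an assumption about what an administrator would also want flagged.

```python
import re

# Constructed sample: a trimmed dse.ldif modelled on the entries quoted in this thread.
SAMPLE_DSE = """\
dn: cn=config
nsslapd-security: on

dn: cn=encryption,cn=config
nsSSL2: off
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_3des_sha,
 +fortezza_null,+tls_rsa_export1024_with_rc4_56_sha

dn: cn=RSA,cn=encryption,cn=config
nsSSLToken: internal (software)
nsSSLPersonalitySSL: Server-Cert
"""

WEAK = re.compile(r"null|export|_40_")  # no encryption, export-grade, 40-bit keys

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attr: [values]}}, unfolding continuation lines."""
    unfolded = re.sub(r"\n ", "", text)  # LDIF folds long lines with a leading space
    entries = {}
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def audit_ssl(text):
    """List findings for the three entries this thread edits."""
    e = parse_ldif(text)
    def get(dn, attr):
        return (e.get(dn, {}).get(attr.lower()) or [""])[0]
    findings = []
    if get("cn=config", "nsslapd-security").lower() != "on":
        findings.append("cn=config: nsslapd-security is not on")
    if get("cn=rsa,cn=encryption,cn=config", "nsSSLActivation").lower() != "on":
        findings.append("cn=RSA: nsSSLActivation is not on")
    if get("cn=encryption,cn=config", "nsSSL2").lower() != "off":
        findings.append("cn=encryption: nsSSL2 is not off")
    for c in get("cn=encryption,cn=config", "nsSSL3Ciphers").split(","):
        if c.startswith("+") and WEAK.search(c):
            findings.append("weak cipher enabled: " + c[1:])
    return findings
```

Call audit_ssl() on the contents of the instance's config/dse.ldif; an empty list means none of these checks fired.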



