[Fedora-directory-users] Enabling SSL

Kevin Kovach kovach at gmail.com
Wed Aug 3 20:54:09 UTC 2005


I double checked my key and cert files and they are of the correct
format.  Incidentally, those then correspond to the nsCertfile and
nsKeyfile attributes that are made in the config changes?  It's not
real clear in the wiki.  The wiki suggests that the nsKeyfile and
nsCertfile attrs include 'slapd-directory'.

I ask because I originally made the config changes by just copying and
pasting the ldif and I went back and changed them afterwards to be
'slapd-<instance name>'.

Regardless of that I'm still not able to get the directory to start
up.  I'm still seeing the same error in the log ...

[03/Aug/2005:16:21:44 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
[03/Aug/2005:16:21:44 -0400] - SSL failure: None of the cipher are valid

I'm going to continue playing with it and research it online, but any
further advice or suggestions would be appreciated.  Thanks.

- Kevin

On 8/3/05, Rich Megginson <rmeggins at redhat.com> wrote:
> Kevin Kovach wrote:
> 
> >Adam,
> >
> >My entry looks the same.  I'm pretty certain I have the ciphers correct now.
> >
> >I am curious about one thing though.  In following the wiki, I did as
> >suggested and converted the cert db to pkcs12 with the following
> >command ...
> >
> >pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert
> >
> >However, I don't see anywhere where we make FDS aware of
> >servercert.pfx?  I'd assume that we need to configure FDS for this
> >pkcs12 db somewhere?
> >
> >
> If you followed the other steps up until this one, then you already have
> the required certs for slapd to use.  You only need to export the cert
> to the .pfx file if you need to import that key and cert into another
> program (e.g. use openssl to convert the .pfx file to other formats).
> 
> >Also, the wiki mentions the trailing - on the -P option but does not
> >go into depth on it.  I'm pretty sure I executed this command
> >correctly but am unsure how to double check it?
> >
> >
> Look in your /opt/fedora-ds/alias directory.  You should have files
> called slapd-serverID-cert8.db and slapd-serverID-key3.db, not
> slapd-serverIDcert8.db and slapd-serverIDkey3.db.
> 
> >Thanks again.
> >
> >- Kevin
> >
> >On 8/3/05, Adam Stokes <astokes at redhat.com> wrote:
> >
> >
> >>dn: cn=encryption,cn=config
> >>objectClass: top
> >>objectClass: nsEncryptionConfig
> >>cn: encryption
> >>nsSSLSessionTimeout: 0
> >>nsSSLClientAuth: allowed
> >>nsSSL2: off
> >>nsSSL3: on
> >>creatorsName: cn=server,cn=plugins,cn=config
> >>modifiersName: cn=directory manager
> >>createTimestamp: 20050701182744Z
> >>modifyTimestamp: 20050720192820Z
> >>nsSSL3Ciphers: -rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha
> >>nsKeyfile: alias/slapd-directory-key3.db
> >>nsCertfile: alias/slapd-directory-cert8.db
> >>numSubordinates: 1
> >>
> >>Above is my entry for reference
> >>
> >>On Wed, 2005-08-03 at 13:57 -0400, Kevin Kovach wrote:
> >>
> >>
> >>>Thanks Nathan.  I've made this change and again got farther than I have before.
> >>>
> >>>FYI, I got that cipher list from the Wiki.  That will need to be
> >>>updated to contain the complete list.
> >>>
> >>>Although I got farther the server is still not starting up.  Now it's
> >>>complaining that none of the ciphers are valid?  How do I ensure that
> >>>I'm using a valid cipher?  Here's the error I'm seeing in the error
> >>>log ...
> >>>
> >>>[03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
> >>>[03/Aug/2005:13:56:23 -0400] - SSL failure: None of the cipher are valid
> >>>
> >>>Thanks again for the help.
> >>>
> >>>- Kevin


-- 
Take back the web, http://www.switch2firefox.com/
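
Added example (not part of the original thread, and not Fedora DS project code): a shell check for the two points discussed above, that the nsKeyfile and nsCertfile values name files that really exist, and that the db prefix kept its trailing dash. It assumes the attribute values are relative to the server root (/opt/fedora-ds in the thread); the function name, the LDIF file argument and the demo files are constructed for illustration.

```shell
#!/bin/sh
# check_nss_db_refs SERVER_ROOT LDIF_FILE   (hypothetical helper name)
# Reads nsKeyfile / nsCertfile from an LDIF entry and checks that each value
# names an existing file under SERVER_ROOT (assumed to be the base directory).
# Returns 0 if both resolve, 1 otherwise.
check_nss_db_refs() {
    server_root=$1
    ldif=$2
    status=0
    for attr in nsKeyfile nsCertfile; do
        # First value of the attribute; LDAP attribute names are case-insensitive.
        value=$(awk -F': *' -v a="$attr" \
            'tolower($1) == tolower(a) { print $2; exit }' "$ldif")
        if [ -z "$value" ]; then
            echo "MISSING-ATTR $attr"
            status=1
            continue
        fi
        if [ -f "$server_root/$value" ]; then
            echo "OK $attr $value"
            continue
        fi
        status=1
        # Same name without the dash that ends the prefix, i.e. the
        # slapd-serverIDkey3.db / slapd-serverIDcert8.db case from the thread.
        case $value in
            *-key3.db)  nodash="${value%-key3.db}key3.db" ;;
            *-cert8.db) nodash="${value%-cert8.db}cert8.db" ;;
            *)          nodash= ;;
        esac
        if [ -n "$nodash" ] && [ -f "$server_root/$nodash" ]; then
            echo "PREFIX-NO-DASH $attr $value (found $nodash)"
        else
            echo "NOT-FOUND $attr $value"
        fi
    done
    return $status
}

# Constructed demo: a throwaway server root whose key db was created
# without the trailing dash on the prefix.
demo_root=$(mktemp -d)
mkdir "$demo_root/alias"
touch "$demo_root/alias/slapd-serverID-cert8.db" "$demo_root/alias/slapd-serverIDkey3.db"
printf 'nsKeyfile: alias/slapd-serverID-key3.db\nnsCertfile: alias/slapd-serverID-cert8.db\n' \
    > "$demo_root/enc.ldif"
check_nss_db_refs "$demo_root" "$demo_root/enc.ldif" || true
rm -rf "$demo_root"
```

On a real installation the LDIF argument would be a file holding the cn=encryption,cn=config entry, for example one saved from an ldapsearch of that entry.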