Well, I went through all that last July - here are some links to the relevant BBoard threads:

http://www.arsdigita.com/bboard/q-and-a-fetch-msg?msg%5fid=000Is9
http://openacs.org/bboard/q-and-a-fetch-msg.tcl?msg_id=0002jX
http://www.arsdigita.com/bboard/q-and-a-fetch-msg?msg%5fid=000fSs

I'm using nsopenssl 1.1c on Solaris right now and it works just fine.

Some things I remember off the top of my head are, nsopenssl does NOT use the same cert. file format as nsssl. I seem to remember that when you switch from nsssl to nsopenssl you have to do a whole new cert request because of that. And you're right, you do have to strip the passphrase out of the key file for nsopenssl to work.

I don't have any idea what's wrong with your nsssl, but I'd generate your own self-signed cert. for use with nsopenssl, and if that works, then you know that all you have to do is get a real officially signed cert. generated for nsopenssl, and you'll be set.

nsopenssl definitely seems like the way to go anyway - open source, more features than nsssl, ongoing development, etc., etc.

On Sat, Apr 13, 2002 at 05:51:39PM -0400, David V Rodriguez wrote:
> I'm having trouble getting a new SSL certificate installed. I created
> the request with the same keygen.tcl file used to generate the
> request for this service a year ago, but SSL is failing with the new
> certificate/key combination. I get these two lines in the error log
> for every request:
>
> Debug: nsssl: failed to decrypt secret session key
> Error: nsssl: ssl connection failed, bsafe error 524
>
> I'm sure I'm using the 128-bit SSL module because the server log
> contains
>
> Notice: nsssl: initialized with 128-bit domestic encryption
>
> I tried using nsopenssl, but can't even get the server to start
> with the new or old certificates. It dies with:
>
> Error: nsopenssl: error loading private key file "/web/tufte/oldkeys/keyfile.pem"
>
> Things I've tried: (1) reinstalling the latest version of openssl,
> (2) rebuilding nsopenssl 1.1c, (3) experimenting with file permissions
> (644 and 600), (4) ensuring the keyfile doesn't have a passphrase in
> it, and (5) ensuring that the files are really where AOLserver thinks
> they are. None of these have worked.
>
> Does anyone have experience in fixing either of these problems --
> either (1) getting rid of "bsafe error 524" or (2) getting certificates
> created for a keygen.tcl/nsssl request working with nsopenssl?
>
> David

--
Andrew Piskorski <[EMAIL PROTECTED]>
http://www.piskorski.com
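The passphrase stripping and self-signed test certificate suggested in the reply above, as an added example that is not part of the original thread. It uses the stock `openssl` command line and also checks that the key is unencrypted and that the certificate matches it; the file names, CN and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example: sanity checks for a PEM key/cert pair before a TLS module loads it.
# File names, the CN and the passphrase are constructed for this demo.
set -eu
umask 077   # newly written key files get mode 600

# True (0) if the PEM private key is passphrase-protected.
# Covers the traditional header and the PKCS#8 encrypted form.
key_is_encrypted() {
    grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Write an unencrypted copy of an RSA key. The passphrase is read from
# $KEYPASS so it never shows up in the process list.
strip_passphrase() {
    openssl rsa -in "$1" -passin env:KEYPASS -out "$2" 2>/dev/null
}

# Self-signed test certificate for an existing key.
make_self_signed() {
    openssl req -new -x509 -key "$1" -out "$2" -days 30 -subj "/CN=$3" 2>/dev/null
}

# True (0) if the certificate carries the public half of the key.
# "-passin pass:" keeps openssl from prompting if the key is still encrypted.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

demo() {
    d=$(mktemp -d)
    KEYPASS='constructed-demo-passphrase'; export KEYPASS
    openssl genrsa -aes256 -passout env:KEYPASS -out "$d/enc.pem" 2048 2>/dev/null
    strip_passphrase "$d/enc.pem" "$d/keyfile.pem"
    make_self_signed "$d/keyfile.pem" "$d/certfile.pem" test.example.com
    key_is_encrypted "$d/enc.pem"     && echo "enc.pem: encrypted"
    key_is_encrypted "$d/keyfile.pem" || echo "keyfile.pem: no passphrase"
    key_matches_cert "$d/keyfile.pem" "$d/certfile.pem" && echo "key and cert match"
    rm -rf "$d"
}
demo
```

A key/cert pair that fails `key_matches_cert` will not work in any TLS server, so this separates a mismatched or still-encrypted key from a module-specific loading problem.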
