Re: [AOLSERVER] Error code: ssl_error_rx_record_too_long

[Scott Goodwin]

Thank you for posting the resolution to this problem. The bgdelivery  
capability in OpenACS looks interesting, and I noticed this in the  
OpenACS bgdelivery code:
ns_log notice "AOLserver is not patched for bgdelivery, NOT loading  
bgdelivery"
Are there patches to the AOLserver executable required to make  
bgdelivery possible?
/s.

On Nov 5, 2008, at 8:03 AM, Hector Romojaro wrote:

Hi Scott and all,

Thanks for your quick response. We have found the problem, it was  
using
bgdelivery patch with nsopenssl. Gustaf pointed it out and made a fix
for that (thanks Gustaf!).

If anyone has this problem, Gustaf commited the fix to openacs cvs:

http://cvs.openacs.org/cvs/openacs-4/packages/xotcl-core/tcl/bgdelivery-procs.tcl?r1=1.15&r2=1.16

Cheers, Héctor

El lun, 03-11-2008 a las 13:30 -0500, Scott Goodwin escribió:
Héctor,

Try and duplicate the problem with another browser, preferably as  
many
other browsers as you have available. This will narrow down whether
it's an interaction problem with Firefox in particular or a general
problem. If all the other browsers have no problems yet Firefox still
does, then you might want to review Firefox's SSL settings and try  
out
different combinations to narrow down what settings in particular
cause this problem. If other browsers exhibit the same error, then
we'd want to know that as well.

Also, state the specific version numbers of all the browsers you test
with, what OS version you tried with each, and if the web site is
available publicly, the specific URL that exhibits the issue so that
others might try it.

/s.


On Nov 3, 2008, at 12:32 PM, Hector Romojaro wrote:

Hi,

I get this error on the browser (firefox) when accessing to certain
ssl
pages, mainly files from dotLRN's content repository.

-------------------------------------------------------------------
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
-------------------------------------------------------------------

Accessing to these files by the http port works perfectly. There  
is no
error on aolserver's log.

Some details:

* dotLRN 2.4.0
* debian GNU/Linux etch amd64
* aolserver 4.0.10 (debian package)
* nsopenssl 3.0beta22 (debian package)

Some data from config.tcl:

#---------------------------------------------------------------------
# OpenSSL for Aolserver 4
#---------------------------------------------------------------------
  ns_section "ns/server/${server}/module/nsopenssl"
        ns_param ServerPort                $httpsport

  ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
      ns_param users        "SSL context used for regular user
access"
      ns_param client       "SSL context used for outgoing script
socket connections"

  ns_section "ns/server/${server}/module/nsopenssl/defaults"
      ns_param server               users
      ns_param client               client

  ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
      ns_param Role                  server
      ns_param ModuleDir              /etc/aolserver4/ssl/${server}/
      ns_param CertFile               server.crt
      ns_param Protocols             "SSLv3, TLSv1"
      ns_param CipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:
+MEDIUM:+LOW:+SSLv3:!SSLv2:+EXP"
      ns_param PeerVerify            false
      ns_param PeerVerifyDepth       3
      ns_param Trace                 false
      ns_param SessionCache true
      ns_param SessionCacheID 1
      ns_param SessionCacheSize 512
      ns_param SessionCacheTimeout 300

  ns_section "ns/server/${server}/module/nsopenssl/sslcontext/ 
client"
      ns_param Role                  client
      ns_param ModuleDir             ${serverroot}/etc/certs
      ns_param CertFile              certfile.pem
      ns_param KeyFile               keyfile.pem
      ns_param Protocols             "SSLv3, TLSv1"
      ns_param CipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:
+MEDIUM:+LOW:+SSLv3:!SSLv2:+EXP"
      ns_param PeerVerify            false
      ns_param PeerVerifyDepth       3
      ns_param Trace                 false
      ns_param SessionCache true
      ns_param SessionCacheID 1
      ns_param SessionCacheSize 512
      ns_param SessionCacheTimeout 300

  ns_section "ns/server/${server}/module/nsopenssl/ssldrivers"
      ns_param users         "Driver for regular user access"

  ns_section "ns/server/${server}/module/nsopenssl/ssldriver/users"
      ns_param sslcontext            users
      ns_param port                  $httpsport
      ns_param hostname              $hostname
      ns_param address               $address
      ns_param   maxinput           [expr 150 * 1024 * 1024] ;# in
bytes
      ns_param   recvwait           [expr 60 * 60] ;# in minutes
#---------------------------------------------------------------------

Any tips? Need more data?

Cheers, Héctor


--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]
with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the
Subject: field of your email blank.


--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED] 
> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the  
Subject: field of your email blank.


--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED] 
> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the  
Subject: field of your email blank.



--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> 
with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: 
field of your email blank.