Hi Gustav,
Thank you for your response.
Here is what I have in the nsssl section of the config file:
ns_param certificate ${serverdir}/modules/openssl/server.pem
ns_param address $address
ns_param port 443
ns_param ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!RC4"
ns_param ciphersuites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
ns_param protocols "!SSLv2:!SSLv3:!TLSv1.0:!TLSv1.1"
ns_param OCSPstapling on
ns_param verify 0
ns_param maxinput [expr 10 * 1024 * 1024]
ns_param extraheaders {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
X-Frame-Options SAMEORIGIN
X-Content-Type-Options nosniff
}
${serverdir} is defined as /usr/local/ns/servers/mealdeliverysoftware
set homedir /usr/local/ns
set servername "mealdeliverysoftware"
set serverdir ${homedir}/servers/${servername}
This issue surfaced when I was creating a new ssl certificate. The old
certificate expires at the end of the month.
The old certificate continued to work after I updated naviserver (with openssl
1.1k). The new certificate did not work.
The old certificate has the Diffie-Hellman key exchange applied.
I applied the DH key exchange via openssl: openssl dhparam 2048 >> server.pem
The version of openssl installed at the time predated 1.1k. I believe that it
was 1.1.i; it may have been an earlier version.
I decided to not apply the DH Param to the new certificate. The new certificate
now works.
Thank you for your responsiveness and your help.
Best regards,
Thorpe
> On Jul 27, 2021, at 03:15, Gustaf Neumann <[email protected]> wrote:
>
> Hi Thorpe.
>
> NaviServer 4.99.21 is not released yet... but nevertheless, it is supposed to
> work (and is in use e.g. on openacs.org and on many more sites).
>
> What is your configuration line for the certificate?
> It looks like NaviServer is passing the path
>
>
> ns/server/mealdeliverysoftware/module/nsssl//usr/local/ns/servers/mealdeliverysoftware/modules/openssl/server.pem
>
> to OpenSSL, but it should pass probably
>
> /usr/local/ns/servers/mealdeliverysoftware/modules/openssl/server.pem
>
> -g
>
> On 24.07.21 14:43, THORPE MAYES via naviserver-devel wrote:
>> Hi,
>>
>> I have updated to naviserver-4-99.21
>>
>> I get this error when starting the server:
>> Notice: OpenSSL OpenSSL 1.1.1k 25 Mar 2021 initialized
>> Notice: load certificate from
>> <ns/server/mealdeliverysoftware/module/nsssl//usr/local/ns/servers/mealdeliverysoftware/modules/openssl/server.pem>
>> ...
>> Warning: private key load error: error:06065064:digital envelope
>> routines:EVP_DecryptFinal_ex:bad decrypt
>> Error: nsssl: init error: No such file or directory
>> Error: modload: /usr/local/ns/bin/nsssl.so: Ns_ModuleInit returned: -1
>> Fatal: modload: failed to load module '/usr/local/ns/bin/nsssl.so'
>>
>> I checked the server.pem file:
>> openssl rsa -inform PEM -in server.pem -check -noout
>> Enter pass phrase for server.pem:
>> RSA key ok
>>
>> I am stuck.
>>
>> Does anyone have any insight re this issue?
>>
>> Thank you.
>>
>> Thorpe
>>
>>
>>
>> _______________________________________________
>> naviserver-devel mailing list
>> [email protected]
>> <mailto:[email protected]>
>> https://lists.sourceforge.net/lists/listinfo/naviserver-devel
>> <https://lists.sourceforge.net/lists/listinfo/naviserver-devel>
> --
> Univ.Prof. Dr. Gustaf Neumann
> Head of the Institute of Information Systems and New Media
> of Vienna University of Economics and Business
> Program Director of MSc "Information Systems"
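A combined server.pem like the one in this thread carries a pass-phrase-protected key, the certificate and, once `openssl dhparam 2048 >> server.pem` has been run, a DH PARAMETERS block. As an added example (not part of the thread and not NaviServer code; `pem_inventory` and `pem_summary` are hypothetical helper names and the sample file is constructed), this lists the blocks in such a file and flags structural damage, such as an END marker fused to the next BEGIN when `>>` appends to a file that lacks a trailing newline:

```shell
#!/bin/sh
# Added example, not NaviServer code: inventory the PEM blocks of a combined file.
# pem_inventory FILE: print "<n> <label> <clear|encrypted>" for each block;
# exit status 1 if a block is unterminated or two markers share one line.
pem_inventory() {
    awk '
    /-----END [A-Z0-9 ]+-----.*-----BEGIN / {
        print "ERROR line " NR ": END and BEGIN markers fused"
        bad = 1; inblk = 0; next }
    /^-----BEGIN [A-Z0-9 ]+-----$/ {
        if (inblk) { print "ERROR unterminated block: " label; bad = 1 }
        label = $0; sub(/^-----BEGIN /, "", label); sub(/-----$/, "", label)
        enc = (label ~ /ENCRYPTED/) ? "encrypted" : "clear"; inblk = 1; next }
    # Traditional key format marks encryption in a header line.
    inblk && /^Proc-Type: 4,ENCRYPTED/ { enc = "encrypted"; next }
    inblk && /^-----END [A-Z0-9 ]+-----$/ { print ++n, label, enc; inblk = 0 }
    END { if (inblk) { print "ERROR unterminated block: " label; bad = 1 }
          exit bad + 0 }
    ' "$1"
}

# pem_summary FILE: inventory plus verdict. 0 = key and certificate present,
# 1 = one of them is missing, 2 = the file structure is damaged.
pem_summary() {
    inv=$(pem_inventory "$1") || { printf '%s\n' "$inv"; return 2; }
    printf '%s\n' "$inv"
    case $inv in *"PRIVATE KEY"*) ;; *) echo "no private key block"; return 1 ;; esac
    case $inv in *" CERTIFICATE clear"*) ;; *) echo "no certificate block"; return 1 ;; esac
    case $inv in *"DH PARAMETERS"*) echo "DH parameters present" ;;
                 *) echo "no DH parameters in file" ;; esac
}

# Constructed sample: block bodies are placeholders, only the structure matters.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000
Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
Q09OU1RSVUNURUQ=
-----END DH PARAMETERS-----
EOF
pem_summary "$sample"
rm -f "$sample"
```

The functions read only marker and header lines, so no pass phrase is needed to run them against a real file.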