Re: [AOLSERVER] Roadmap - 4.6 and beyond

2012-09-26 Thread Scott Goodwin
Yes.

/s.

On Sep 26, 2012, at 11:07 AM, jgdavid...@mac.com wrote:

> 
> Hi,
> 
> Every few years we talk about what's next for the strategic direction of 
> AOLserver which is great.  In addition to the ideas below (which are cool), I 
> always bring up this question:  Should we dump the Windows port in favor of a 
> clean Unix code base, configure, build, and install?
> 
> I wrote most of that weird Windows code, including the goofy nsconfig stuff.  
> Some of it was curious, maybe even clever, but in the end it was a 
> distraction.  Its impact on the config/build process in particular was 
> pretty significant.  Today's Linux and OS/X environments are so much more 
> amenable to Aolserver, with threaded Tcl ready to go, gcc/make all pretty 
> stable.  It wasn't like that in the early days! For me, a purge of the 
> Windows code and then an aggressive scan for anything still not 64-bit 
> compatible and cleanly buildable using standard configure/gcc/gmake tools 
> would be quite refreshing :)
> 
> -Jim
> 
> 
> 
> 
> On Sep 26, 2012, at 7:47 AM, Cesáreo García Rodicio  
> wrote:
> 
>> Hi all,
>> 
>> Firstly, thanks so much for your work. A lot of us are using aolserver 
>> everyday so this is welcome !!
>> 
>> I'm not a hard developer, but in my projects it's been hard for students to 
>> install and use aolserver. And I think it's because of documentation and 
>> installation:
>> 1. TCL API and Config Files
>> 2. "Packaged Installation" (batteries included)
>> 3. Some Case Studies and Complete Examples with API (something simple).
>> 
>> Only some ideas. Great Work!
>> Cesáreo
>> 
>> 
>> 
>> 
>> On 25/September/12 05:29, Jeff Rogers wrote:
>>> Hi all,
>>> 
>>> There should be a 4.5.2 final release sometime soon, but what comes
>>> next?  I've been organizing my wishlist of what I'd like to see in
>>> future AOLserver releases and I'm throwing it out there for anyone else
>>> to add to or comment on.  These are not in any particular order; some
>>> are half-baked, some are straightforward, and some are little more than
>>> speculation.  I know development hands are a bit short these days, but
>>> maybe people will find something that interests them to work on.
>>> 
>>> Core features:
>>> - support chunked postdata
>>> - api for filter unregistration
>>> - core async delivery
>>>   currently possible by transferring conn socket to tcl event loop.
>>> Would be nice to make it work for everything, by default.
>>> - re-queue api
>>>   extension of pre-queue filters and quewait api: allow a conn thread
>>> to send a request back to quewait for network i/o.
>>> - move encoding and compression to filters
>>> - general-purpose worker-pool api
>>> - external prebinding
>>>   allow an external program to bind ports and specify open file
>>> descriptors on the command line;  would allow privileged port binding
>>> with no root privileges for actual server.  Would also allow restarting
>>> without closing listen socket.
>>> - pre-start request service
>>>   have a micro server that responds to requests with "please wait"
>>> while server is starting.  Helpful for long start-up sequences.
>>> 
>>> Core tcl:
>>> - replace various c-coded file commands with tcl equivalents (e.g.,
>>> ns_mkdir, ns_unlink).  Main benefit is clean handling of utf8 filenames.
>>> - Support a 2-phase interp initialization.  Phase 1 is defining procs /
>>> loading packages, which is replicated in every new interp.  Phase 2 is
>>> initializing persistent data, preloading caches, setting up filters and
>>> handlers, etc; things that are not replicated in every new interp.
>>> 
>>> Nsdb:
>>> - add variable binding to nsdb
>>> - add lob handling to nsdb
>>> - support runtime db pool configuration
>>> 
>>> Protocols:
>>> - SPDY
>>> - websockets
>>> I have a vague notion of how both of these could work.  But it needs
>>> somewhat more than that :)
>>> 
>>> Documentation:
>>> - Yes, please.
>>> 
>>> Packaging:
>>> - more config examples
>>> - examples of various features
>>> - configuration through web browser
>>> - "batteries-included" distribution (binaries including perhaps sqlite,
>>> zlib, openssl, a few simple web apps, maybe php, perl, ...?)
>>> - single-file mountable packages, like tclkits
>>> 
>>> Community:
>>> - dogfood website
>>>   It'd be really nice if aolserver.com actually ran on aolserver.  It's
>>> hosted on sourceforge currently so probably not much chance of that as
>>> it stands, but who knows.
>>> 
>>> 
>>> Anything else to add?
>>> 
>>> -J
>>> 
>>> --
>>> Live Security Virtual Conference
>>> Exclusive live event will cover all the ways today's security and
>>> threat landscape has changed and how IT managers can respond. Discussions
>>> will include endpoint security, mobile security and the latest in malware
>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>> ___
>>> aolserver-tal

Re: [AOLSERVER] Roadmap - 4.6 and beyond

2012-09-26 Thread Scott Goodwin
I would be surprised if we reached a yes or no consensus on removing Windows 
support directly within the code since some number of people want to or are 
required to use Windows for reasons similar to ones Rusty has provided. Before 
debating such a yes or no decision, I would encourage exploring options to 
enable AOLserver to run on Windows with the Windows-specific code removed. I 
realize it's a non-starter for some to install Linux or other Unix flavor as a 
guest OS on Windows within an all-Windows shop, but perhaps there's a way to 
encapsulate AOLserver in a WINE-like container so that it runs as an 
application on Windows without requiring a full VM. I'm by no means an expert 
in this area, but it seems identifying various options that exist or could 
exist and discussing and testing those should come first. If there is a way to 
run under Windows without Windows code in the codebase, and it meets Rusty's 
and others' Windows enclave requirements, then the decision becomes obvious. 
Seems like this research would make a fine basis for someone to do their thesis 
on, or submit as a Google SOC proposal.

/s.


On Sep 26, 2012, at 11:10 AM, Rusty Brooks wrote:

> Would windows still be supported via something like cygwin?  If so then I 
> guess I'm OK with this.  I have not used AOLServer under windows much, but 
> when I did, it was because I *had* to.  Not having windows support would have 
> sucked a lot.
> 
> Rusty
> 
> On Sep 26, 2012, at 10:07 AM, jgdavid...@mac.com wrote:
> 
>> Every few years we talk about what's next for the strategic direction of 
>> AOLserver which is great.  In addition to the ideas below (which are cool), 
>> I always bring up this question:  Should we dump the Windows port in favor 
>> of a clean Unix code base, configure, build, and install?
>> 
>> I wrote most of that weird Windows code, including the goofy nsconfig stuff. 
>>  Some of it was curious, maybe even clever, but in the end it was a 
>> distraction.  Its impact on the config/build process in particular was 
>> pretty significant.  Today's Linux and OS/X environments are so much more 
>> amenable to Aolserver, with threaded Tcl ready to go, gcc/make all pretty 
>> stable.  It wasn't like that in the early days! For me, a purge of the 
>> Windows code and then an aggressive scan for anything still not 64-bit 
>> compatible and cleanly buildable using standard configure/gcc/gmake tools 
>> would be quite refreshing :)
>> 
>> -Jim
>> 
>> 
>> 
>> 
>> On Sep 26, 2012, at 7:47 AM, Cesáreo García Rodicio  
>> wrote:
>> 
>>> Hi all,
>>> 
>>> Firstly, thanks so much for your work. A lot of us are using aolserver 
>>> everyday so this is welcome !!
>>> 
>>> I'm not a hard developer, but in my projects it's been hard for students to 
>>> install and use aolserver. And I think it's because of documentation and 
>>> installation:
>>> 1. TCL API and Config Files
>>> 2. "Packaged Installation" (batteries included)
>>> 3. Some Case Studies and Complete Examples with API (something simple).
>>> 
>>> Only some ideas. Great Work!
>>> Cesáreo
>>> 
>>> 
>>> 
>>> 
>>> On 25/September/12 05:29, Jeff Rogers wrote:
>>>> Hi all,
>>>> 
>>>> There should be a 4.5.2 final release sometime soon, but what comes
>>>> next?  I've been organizing my wishlist of what I'd like to see in
>>>> future AOLserver releases and I'm throwing it out there for anyone else
>>>> to add to or comment on.  These are not in any particular order; some
>>>> are half-baked, some are straightforward, and some are little more than
>>>> speculation.  I know development hands are a bit short these days, but
>>>> maybe people will find something that interests them to work on.
>>>> 
>>>> Core features:
>>>> - support chunked postdata
>>>> - api for filter unregistration
>>>> - core async delivery
>>>>   currently possible by transferring conn socket to tcl event loop.
>>>> Would be nice to make it work for everything, by default.
>>>> - re-queue api
>>>>   extension of pre-queue filters and quewait api: allow a conn thread
>>>> to send a request back to quewait for network i/o.
>>>> - move encoding and compression to filters
>>>> - general-purpose worker-pool api
>>>> - external prebinding
>>>>   allow an external program to bind ports and specify open file
>>>> descriptors on the command line;  would allow privileged port binding
>>>> with no root privileges for actual server.  Would also allow restarting
>>>> without closing listen socket.
>>>> - pre-start request service
>>>>   have a micro server that responds to requests with "please wait"
>>>> while server is starting.  Helpful for long start-up sequences.
>>>> 
>>>> Core tcl:
>>>> - replace various c-coded file commands with tcl equivalents (e.g.,
>>>> ns_mkdir, ns_unlink).  Main benefit is clean handling of utf8 filenames.
>>>> - Support a 2-phase interp initialization.  Phase 1 is defining procs /
>>>> loading packages, which is replicated in every new interp.  Phase 2 is
>>>> initializing persistent data, p

Re: [AOLSERVER] Roadmap - 4.6 and beyond

2012-09-26 Thread Scott Goodwin
First step would be to identify various possibilities for running AOLserver on 
Windows within some kind of minimal VM that's not a full VM (or other option 
that will meet requirements in some way). I mentioned WINE as an example of the 
type of capability that I think would be ideal; WINE allows Windows code to run 
on Linux without a VM by intercepting the calls to the OS and servicing them 
with code that makes the app think it's on Windows. We would be looking for the 
reverse -- a container that runs on Windows, intercepts calls to the OS from 
the encapsulated app, and services them so the app thinks it's on a Unix type 
system. If memory serves me well, Cygwin is a compilation environment that 
provides Unix-style APIs on Windows so Unixy code compiles on Windows and runs 
on Windows without extensive mods to the Unixy style code. That or another 
compilation environment sounds promising, but I'm hoping there is some kind of 
runtime container that can run a Linux or other Unix executable without 
requiring that the encapsulated app (AOLserver) be (re)compiled on the Windows 
OS directly, kind of like how starkits can package up Tcl apps with the interp 
and all the necessary runtime stuff in one file.

/s.


On Sep 26, 2012, at 12:53 PM, jgdavid...@mac.com wrote:

> 
> That's a smart next step.  Anybody want to tackle it and report back?  I 
> don't have the knowledge and am a bit biased :)
> 
> -Jim
> 
> 
> 
> On Sep 26, 2012, at 10:48 AM, Scott Goodwin  wrote:
> 
>> I would be surprised if we reached a yes or no consensus on removing Windows 
>> support directly within the code since some number of people want to or are 
>> required to use Windows for reasons similar to ones Rusty has provided. 
>> Before debating such a yes or no decision, I would encourage exploring 
>> options to enable AOLserver to run on Windows with the Windows-specific code 
>> removed. I realize it's a non-starter for some to install Linux or other 
>> Unix flavor as a guest OS on Windows within an all-Windows shop, but perhaps 
>> there's a way to encapsulate AOLserver in a WINE-like container so that it 
>> runs as an application on Windows without requiring a full VM. I'm by no 
>> means an expert in this area, but it seems identifying various options that 
>> exist or could exist and discussing and testing those should come first. If 
>> there is a way to run under Windows without Windows code in the codebase, 
>> and it meets Rusty's and others' Windows enclave requirements, then the 
>> decision becomes obvious. Seems like this research would make a fine basis 
>> for someone to do their thesis on, or submit as a Google SOC proposal.
>> 
>> /s.
>> 
>> 
>> On Sep 26, 2012, at 11:10 AM, Rusty Brooks wrote:
>> 
>>> Would windows still be supported via something like cygwin?  If so then I 
>>> guess I'm OK with this.  I have not used AOLServer under windows much, but 
>>> when I did, it was because I *had* to.  Not having windows support would 
>>> have sucked a lot.
>>> 
>>> Rusty
>>> 
>>> On Sep 26, 2012, at 10:07 AM, jgdavid...@mac.com wrote:
>>> 
>>>> Every few years we talk about what's next for the strategic direction of 
>>>> AOLserver which is great.  In addition to the ideas below (which are 
>>>> cool), I always bring up this question:  Should we dump the Windows port 
>>>> in favor of a clean Unix code base, configure, build, and install?
>>>> 
>>>> I wrote most of that weird Windows code, including the goofy nsconfig 
>>>> stuff.  Some of it was curious, maybe even clever, but in the end it was a 
>>>> distraction.  Its impact on the config/build process in particular was 
>>>> pretty significant.  Today's Linux and OS/X environments are so much more 
>>>> amenable to Aolserver, with threaded Tcl ready to go, gcc/make all pretty 
>>>> stable.  It wasn't like that in the early days! For me, a purge of the 
>>>> Windows code and then an aggressive scan for anything still not 64-bit 
>>>> compatible and cleanly buildable using standard configure/gcc/gmake tools 
>>>> would be quite refreshing :)
>>>> 
>>>> -Jim
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On Sep 26, 2012, at 7:47 AM, Cesáreo García Rodicio  
>>>> wrote:
>>>> 
>>>>> Hi all,
>>>>> 
>>>>> Firstly, thanks so much for your work. A lot of us are using aolserver 
>>>>> everyday so this is welcome !!
>&g

Re: [AOLSERVER] Roadmap, Live Cycle & Windows Support

2012-09-27 Thread Scott Goodwin
It appears there is enough consternation about removing Windows support that I 
doubt figuring out how to run AOLserver on Windows sans the Windows-specific 
code in the codebase would result in having the Windows code removed anyway, so 
I am rescinding my suggestion that we find a way to do so.

/s.


On Sep 27, 2012, at 7:36 AM, Frank Bergmann wrote:

> Hi!
> 
> 
> I believe that it is important to consider the current
> phase of the "life cycle" of AOLserver in order to focus
> the roadmap on the important stuff:
> 
> - AOLserver is "mature" software, there were relatively 
>  few changes in the last few years. There are very
>  large productive installations relying on AOLserver.
> 
> - AOLserver is close to the end of its life cycle,
>  because there are few new installations. Instead, 
>  many users and projects have already migrated away 
>  towards Apache etc.
> 
> - New features will probably convince few additional
>  people to use AOLserver.
> 
> - Instead, and that would be my conclusion, new versions 
>  of AOLserver should reduce the migration pressure for 
>  existing users and allow the existing user to extend 
>  the lifetime of their installations.
> 
> Would you agree with this assessment? Maybe we should have 
> a survey who is still using AOLserver really...
> 
> 
> Concerning ]project-open[ (we had some 200.000 downloads on 
> SourceForge and there are some ~50 developers involved with 
> ]po[ in one form or another):
> 
> - We have approx. 10x more ]project-open[ users running on 
>  Windows than on Linux. I don't particularly like the Win
>  version, but removing this version will have a devastating
>  impact on ]po[. A VMware version is not a replacement for 
>  a Windows installer. We are increasingly going for "stupid"
>  users, and these guys want a clean and easy installer for 
>  their Win box.
> 
> - I'm a personal fan of CygWin, and a CygWin version would
>  be OK for us even with 32bit. However, I believe there are
>  other users (Quest) who have customers asking for high-
>  performance Windows installations. Dropping a native 
>  Win version might force Quest to migrate.
>  I can also imagine that the Windows platform will become 
>  more important for our upcoming ]po[ V4.0 release because
>  we will target larger corporations who are typically 
>  Windows shops in the US.
> 
> - We are already hedging for an end of the AOLserver life cycle:
>  www.openacs.org/forums/message-view?message_id=3637561
>  It will be painful, but I believe it will come some day.
>  Please don't accelerate this moment unnecessarily...
> 
> 
> Cheers!
> Frank
> 
> ---
> Frank Bergmann
> Dipl.-Ing., MBA
> Founder ]project-open[
> Tel: +34 933 250 914
> Cell: +34 609 953 751
> Fax: +34 932 890 729
> mailto:frank.bergm...@project-open.com
> http://www.project-open.com/
> 
> 
> -Original Message-
> From: Maurizio Martignano [mailto:maurizio.martign...@spazioit.com] 
> Sent: Thursday, September 27, 2012 10:56 AM
> To: aolserver-talk@lists.sourceforge.net
> Subject: [AOLSERVER] Windows Support
> 
> Dear all,
> I do not think that removing Windows specific code is a good idea.
> Some time ago I showed as an example how many people have downloaded
> ]project-open[ on Windows as opposed to the VM, or the tar ball.
> In case you do not remember the numbers, please have a look at this URL:
> http://sourceforge.net/projects/project-open/files/project-open/
> 
> The idea of using some kind of emulation is also questionable. Why?
> Suppose we want to have Aolserver on Windows, then the emulation layer
> would impose unacceptable inefficiencies. Here we are not talking about
> using some emulation layer to run some ancillary programs, called every now
> and then (e.g. dot, wget, and so on), but Aolserver itself (i.e. nsd), the
> very heart of every OpenACS based web application.
> The same type of reasoning applies to the database engine (e.g. postgresql);
> it would be a major error running it on some emulation layer.
> 
> What is the current status of these emulation layers?
> 
> I know everybody is thinking about Cygwin... But Cygwin is, at the time
> being, only a Win32 application.
> 
> Nowadays all the servers are 64 bit machines. Soon the same will be for
> desktop and laptop computers. With Cygwin on 64 bit Windows machine we have
> double emulation:
> 
> Linux/Unix Application
> -
> Cygwin/ Posix emulation
> -
> WOW64/ Win32 emulation (this is Windows 32 emulated on Windows 64)
> -
> Windows 64
> 
> I can’t see any sign of Cygwin moving towards Windows 64. Last year in
> summer there was an interesting discussion about that
> (http://thread.gmane.org/gmane.os.cygwin.devel/233/focus=247) but nothing
> happened because the effort is too big and nobody had enough energy to spend
> on it.
> 
> For how long will WOW64 be supported by Microsoft? It is already an option
> in the core part of Windows Server 2008 R2

Re: [AOLSERVER] Updating Aolserver to use TLSv1.2

2015-06-23 Thread Scott Goodwin
An AOLserver configuration file from an old server I used to run has this 
section defined:

ns_param Protocol "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"

From the OpenSSL documentation:
Only enable TLSv1.2:

SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");


So I’d assume the following would restrict AOLserver to ONLY use TLS 1.2:

ns_param Protocol "-ALL,TLSv1.2"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"


/s.


> On Jun 23, 2015, at 10:36 AM, Paula Giangeruso  
> wrote:
> 
> Does anyone have TLS v1.2 working on AOLserver?  If so how did you go about 
> doing this?
> 
> Thank You,
> Paula
> 
> -- 
> Paula Giangeruso - Vice President/Engineering
> pgianger...@wineaccess.com  | 
> www.wineaccess.com 
> O: (610) 642-1255 | F: (610) 642-1277 | C: (609) 731-8092
> 
> wineaccess ®
> direct from the source
> --
> Monitor 25 network devices or servers for free with OpManager!
> OpManager is web-based network management software that monitors 
> network devices and physical & virtual servers, alerts via email & sms 
> for fault. Monitor 25 devices for free with no restriction. Download now
> http://ad.doubleclick.net/ddm/clk/292181274;119417398;o___
> aolserver-talk mailing list
> aolserver-talk@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/aolserver-talk



Re: [AOLSERVER] Updating Aolserver to use TLSv1.2

2015-06-23 Thread Scott Goodwin
By the way, ignore my CipherSuite line in there — you obviously don’t want 
SSLv2, +LOW, +MEDIUM and other components - you’ll likely just want the TLS 
v1.2 ciphers, which are listed here:

https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites 
<https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites>

Not sure what the CipherSuite string should look like to support that, but if I 
have time this week I’ll see if I can figure it out. Be aware that restricting 
to just TLS 1.2 may cause some older browsers to not work with your site, but I 
haven’t done hands-on work in this area in years, so I’m not up-to-date on 
proper configurations.

/s.


> On Jun 23, 2015, at 12:00 PM, Scott Goodwin  wrote:
> 
> An AOLserver configuration file from an old server I used to run has this 
> section defined:
> 
> ns_param Protocol "SSLv2, SSLv3, TLSv1"
> ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
> 
> From the OpenSSL documentation:
> Only enable TLSv1.2:
> 
> SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");
> 
> 
> So I’d assume the following would restrict AOLserver to ONLY use TLS 1.2:
> 
> ns_param Protocol "-ALL,TLSv1.2"
> ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
> 
> 
> /s.
> 
> 
>> On Jun 23, 2015, at 10:36 AM, Paula Giangeruso <pgianger...@wineaccess.com> wrote:
>> 
>> Does anyone have TLS v1.2 working on AOLserver?  If so how did you go about 
>> doing this?
>> 
>> Thank You,
>> Paula
>> 
>> -- 
>> Paula Giangeruso - Vice President/Engineering
>> pgianger...@wineaccess.com | 
>> www.wineaccess.com
>> O: (610) 642-1255 | F: (610) 642-1277 | C: (609) 731-8092
>> 
>> wineaccess ®
>> direct from the source
> 

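The two messages above quote an nsopenssl `Protocol` and `CipherSuite` pair from an old config and the OpenSSL `SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2")` idiom, and the follow-up says the `CipherSuite` string should lose its SSLv2, +LOW and +MEDIUM components. The Python below is an added example, not code from the thread or from AOLserver/nsopenssl: it models the `Protocol` value as the OpenSSL manual documents it for `SSL_CONF_cmd`, flags the cipher-string tokens that keep weak components in play, and asks the OpenSSL linked into the running Python which protocol versions a cipher string actually selects. Whether nsopenssl hands its parameters to `SSL_CONF_cmd` at all is the assumption the thread itself makes and is not settled here; `TLS12_CIPHERS` is this example's own hardened string, not one from the thread.

```python
import ssl

# Modelled version list.  OpenSSL's real list depends on the build; TLSv1.3 is
# included although it postdates the thread.
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Strings quoted in the thread.
OLD_PROTOCOL = "SSLv2, SSLv3, TLSv1"
TLS12_ONLY_PROTOCOL = "-ALL,TLSv1.2"
OLD_CIPHERS = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
# This example's own TLS 1.2 AEAD-only string (not from the thread).
TLS12_CIPHERS = "ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!LOW:!EXP"

# Cipher-string components a TLS 1.2-only server has no use for.
WEAK_MARKERS = {"SSLv2", "SSLv3", "LOW", "MEDIUM", "EXP", "EXPORT", "RC4",
                "DES", "MD5", "ADH", "aNULL", "eNULL", "NULL"}


def resolve_protocols(spec):
    """Model SSL_CONF_cmd's "Protocol" value as the OpenSSL manual documents
    it: every version starts enabled, "-X" disables X, "X" or "+X" enables X,
    and ALL stands for every version.  So "SSLv2, SSLv3, TLSv1" disables
    nothing, while "-ALL,TLSv1.2" leaves exactly one version enabled."""
    enabled = set(VERSIONS)
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(VERSIONS) if name.upper() == "ALL" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return [v for v in VERSIONS if v in enabled]


def weak_cipher_tokens(spec):
    """Return the cipher-string tokens that add or merely re-order weak
    components.  "!X" removes X permanently and is fine; "X", "+X" and
    "X+Y" keep the component selectable, so they are flagged."""
    flagged = []
    for tok in spec.split(":"):
        if not tok or tok[0] in "!-@":
            continue
        body = tok[1:] if tok.startswith("+") else tok
        if any(part in WEAK_MARKERS for part in body.split("+")):
            flagged.append(tok)
    return flagged


def cipher_protocols(spec):
    """Ask the OpenSSL linked into this interpreter which protocol version
    each cipher matched by `spec` belongs to.  Raises ssl.SSLError when the
    string matches no cipher at all, which is the deploy-time check to run."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return {c["protocol"] for c in ctx.get_ciphers()}


if __name__ == "__main__":
    for spec in (OLD_PROTOCOL, TLS12_ONLY_PROTOCOL):
        print(f"Protocol {spec!r:28} -> {resolve_protocols(spec)}")
    for spec in (OLD_CIPHERS, TLS12_CIPHERS):
        print(f"CipherSuite {spec!r}")
        print("  weak tokens :", weak_cipher_tokens(spec))
        print("  versions    :", sorted(cipher_protocols(spec)))
```

The point the protocol resolver makes is that under the documented semantics a bare list such as "SSLv2, SSLv3, TLSv1" disables nothing, because every version is enabled by default; the leading "-ALL" is what does the work. `cipher_protocols` validates a string against the OpenSSL actually in use, which is the check to run before putting a new `CipherSuite` value into a server config, since an unknown token is silently ignored and only an empty result is an error.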


Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working

2015-08-15 Thread Scott Goodwin
Has this ever worked in the past? It's been a long time since I've looked at 
the module and I don't recall if it worked for multiple SSL listening ports as 
virtual servers on the same AOLserver instance. I never had an occasion to use 
it that way. If it's not capable of doing that in its last incarnation it will 
probably take some work to modify it to do it properly.

/s.

> On Aug 15, 2015, at 8:17 PM, Thorpe Mayes  wrote:
> 
> Hi,
> 
> I have AOLserver 4.5.2 running with virtual servers - main.tcl with several 
> sub config files. 
> 
> Three of the domain names are using SSL. The certificate is a UCC SSL 
> Certificate that will accommodate up to 5 domain names. 
> 
> If I activate the virtual server for just one of the three domains that are 
> using SSL, then everything works fine. When I activate two or more of the sub 
> files that need ssl, the server fails to start. Here is the tail end of the 
> log file:
> 
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: 
> AOLserver/4.5.2 running
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: 
> security info: uid=502, euid=502, gid=502\
> , egid=502
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
> starting: nssock
> [15/Aug/2015:18:39:13][3924.18446744073356683008][-sched-] Notice: sched: 
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: 
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: 
> nssock: listening on 23.253.246.52:80
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
> starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: 
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: 
> nsopenssl: listening on 23.253.246.52\
> :443
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
> starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: 
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Error: 
> nsopenssl: failed to listen on 23.253.\
> 246.52:443: Permission denied
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: 
> exiting
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
> starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: 
> starting
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Error: 
> nsopenssl: failed to listen on 23.253.\
> 246.52:443: Permission denied
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: 
> exiting
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Fatal: could not 
> start drivers
> 
> 
> Here is the ssl portion of the main.tcl file:
> 
> ns_section "ns/server/module/nsopenssl"
> # ns_param RandomFile /some/file  
>   
> ns_param SeedBytes  2048;  # was 1024   
> 
> 
> Here is what the ssl portion of the sub files (all appear to load 
> successfully - see below):
> 
> #-
>   
> # OpenSSL and nsopenssl   
>   
> # http://openacs.org/forums/message-view?message_id=320064 - for nsd code - 
> note: must use port 443 
> # http://openacs.org/doc/install-nsopenssl.html - binding port 443 in 
> daemontools   
> #-
>   
> 
> ns_section "ns/server/${ecognizant}/module/nsopenssl/sslcontexts"
> ns_param ${ecognizant}_users_ctx "SSL context used for $ecognizant regular 
> user access"
> # ns_param admins_ctx "SSL context used for administrator access" 
>   
> ns_param ${ecognizant}_client_ctx "SSL context used for $ecognizant outgoing 
> script socket connections"
> 
> 
> ns_section "ns/server/${ecognizant}/module/nsopenssl/defaults"
> ns_param server ${ecognizant}_users_ctx
> ns_param client ${ecognizant}_client_ctx
> 
> 
> ns_section 
> "ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_users_ctx"
> ns_param Role server
> ns_param ModuleDir $ssldocdir
> ns_param CertFile cert.pem
> ns_param KeyFile key.pem
> ns_param CAFile ca.pem
> ns_param Protocols "All"
> ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
> ns_param PeerVerify false
> ns_param PeerVerifyDepth 3
> ns_param Trace false
> 
> 
> ns_section 
> "ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_client_ctx"
> ns_param Role client
> ns_param ModuleDir $ssldocdir
> ns_param CertFile cert.pem
> ns_param KeyF

Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working

2015-08-16 Thread Scott Goodwin
The backslash shows line continuation — the IP address below is 23.253.246.52 
(and :443 for the port).

/s.


> On Aug 16, 2015, at 1:22 AM, Sep  wrote:
> 
> Could your IP address be the one failing? 
> 
> Error: nsopenssl: failed to listen on 23.253.\
> 
> 246.52:443: Permission denied
> 
> What's the stray back slash for?
> 
> On Aug 16, 2015 9:17 AM, "Scott Goodwin" <sc...@scottg.net> wrote:
> Has this ever worked in the past? It's been a long time since I've looked at 
> the module and I don't recall if it worked for multiple SSL listening ports 
> as virtual servers on the same AOLserver instance. I never had an occasion to 
> use it that way. If it's not capable of doing that in its last incarnation it 
> will probably take some work to modify it to do it properly.
> 
> /s.
> 
> On Aug 15, 2015, at 8:17 PM, Thorpe Mayes <tma...@ecognizant.net> wrote:
> 
>> Hi,
>> 
>> I have AOLserver 4.5.2 running with virtual servers - main.tcl with several 
>> sub config files. 
>> 
>> Three of the domain names are using SSL. The certificate is a UCC SSL 
>> Certificate that will accommodate up to 5 domain names. 
>> 
>> If I activate the virtual server for just one of the three domains that are 
>> using SSL, then everything works fine. When I activate two or more of the 
>> sub files that need ssl, the server fails to start. Here is the tail end of 
>> the log file:
>> 
>> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: 
>> AOLserver/4.5.2 running
>> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: 
>> security info: uid=502, euid=502, gid=502\
>> , egid=502
>> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
>> starting: nssock
>> [15/Aug/2015:18:39:13][3924.18446744073356683008][-sched-] Notice: sched: 
>> starting
>> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: 
>> starting
>> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: 
>> nssock: listening on 23.253.246.52:80
>> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
>> starting: nsopenssl
>> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] 
>> Notice: starting
>> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] 
>> Notice: nsopenssl: listening on 23.253.246.52\
>> :443
>> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
>> starting: nsopenssl
>> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] 
>> Notice: starting
>> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Error: 
>> nsopenssl: failed to listen on 23.253.\
>> 246.52:443: Permission denied
>> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] 
>> Notice: exiting
>> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
>> starting: nsopenssl
>> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] 
>> Notice: starting
>> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Error: 
>> nsopenssl: failed to listen on 23.253.\
>> 246.52:443: Permission denied
>> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] 
>> Notice: exiting
>> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Fatal: could not 
>> start drivers
>> 
>> 
>> Here is the ssl portion of the main.tcl file:
>> 
>> ns_section "ns/server/module/nsopenssl"
>> # ns_param RandomFile /some/file 
>>
>> ns_param SeedBytes  2048;  # was 1024   
>> 
>> 
>> Here is what the ssl portion of the sub files (all appear to load 
>> successfully - see below):
>> 
>> #-   
>>
>> # OpenSSL and nsopenssl  
>>
>> # http://openacs.org/forums/message-view?message_id=320064 - for nsd code - note: must use port 443
>> # http://openacs.org/doc/install-nsopenssl.html - binding port 443 in daemontools
>> #-

Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working

2015-08-16 Thread Scott Goodwin
I’m fairly certain that you can’t have multiple listeners on the same IP 
address and port number on a NIC simultaneously, even if they’re all binding 
from the same process. All three of the virtual servers below are configured to 
use the same IP address and port number, and the first nsopenssl instance to 
bind to it, ‘owns’ it. The rest get EPERM from the operating system. I think 
the way multiple SSL certificates are bound to a single IP address and port: 
the server listens on the IP and port, and looks at the Host header of the 
incoming connection to determine which SSL certificate to use for that 
particular connection. I don’t think AOLserver has the ability to do this 
today. The other way to do it is to create three distinct IP addresses on your 
NIC and use one for each SSL instance. There may be other ways to make this 
work, but any of them will probably require rewiring AOLserver and nsopenssl.

Aside: the direct email to your address above bounced — see here:

<tma...@ecognizant.net>: host ecognizant.net [23.253.246.52] said: 553 sorry,
   that domain isn't in my list of allowed rcpthosts (#5.7.1) (in reply to
   RCPT TO command)
Reporting-MTA: dns; mailout.nyi.internal
X-Postfix-Queue-ID: 4732622053
X-Postfix-Sender: rfc822; sc...@scottg.net 
Arrival-Date: Sun, 16 Aug 2015 09:04:30 -0400 (EDT)

/s.


> On Aug 15, 2015, at 8:17 PM, Thorpe Mayes  wrote:
> 
> Hi,
> 
> I have AOLserver 4.5.2 running with virtual servers - main.tcl with several 
> sub config files. 
> 
> Three of the domain names are using SSL. The certificate is a UCC SSL 
> Certificate that will accommodate up to 5 domain names. 
> 
> If I activate the virtual server for just one of the three domains that are 
> using SSL, then everything works fine. When I activate two or more of the sub 
> files that need ssl, the server fails to start. Here is the tail end of the 
> log file:
> 
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: AOLserver/4.5.2 running
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: security info: uid=502, euid=502, gid=502, egid=502
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: starting: nssock
> [15/Aug/2015:18:39:13][3924.18446744073356683008][-sched-] Notice: sched: starting
> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: starting
> [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: nssock: listening on 23.253.246.52:80
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: starting
> [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: nsopenssl: listening on 23.253.246.52:443
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: starting
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Error: nsopenssl: failed to listen on 23.253.246.52:443: Permission denied
> [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: exiting
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: starting: nsopenssl
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: starting
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Error: nsopenssl: failed to listen on 23.253.246.52:443: Permission denied
> [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: exiting
> [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Fatal: could not start drivers
> 
> 
> Here is the ssl portion of the main.tcl file:
> 
> ns_section "ns/server/module/nsopenssl"
> # ns_param RandomFile /some/file  
>   
> ns_param SeedBytes  2048;  # was 1024   
> 
> 
> Here is what the ssl portion of the sub files (all appear to load 
> successfully - see below):
> 
> #-
>   
> # OpenSSL and nsopenssl   
>   
> # http://openacs.org/forums/message-view?message_id=320064 - for nsd code - note: must use port 443
> # http://openacs.org/doc/install-nsopenssl.html - binding port 443 in daemontools
> #-
>   
> 
> ns_section "ns/server/${ecogni

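The failure Scott describes above (the first nsopenssl driver binds the address, every later one fails) can be spotted mechanically from the nsd log. The following is an added example, not code from the thread or from AOLserver: it parses lines in the `[date][pid.tid][thread] Level: message` format shown in the log excerpt and reports every address that a second driver tried to bind after another thread already owned it. The sample log is constructed (shortened thread ids, a documentation IP), not the poster's real log.

```python
import re
from collections import OrderedDict

# Constructed sample in the AOLserver log format quoted in the thread
# (not the real log: thread ids shortened, IP replaced by 203.0.113.10).
SAMPLE_LOG = """\
[15/Aug/2015:18:39:13][3924.100][-main-] Notice: driver: starting: nssock
[15/Aug/2015:18:39:13][3924.101][-nssock:driver-] Notice: nssock: listening on 203.0.113.10:80
[15/Aug/2015:18:39:13][3924.100][-main-] Notice: driver: starting: nsopenssl
[15/Aug/2015:18:39:13][3924.102][-nsopenssl:driver-] Notice: nsopenssl: listening on 203.0.113.10:443
[15/Aug/2015:18:39:13][3924.100][-main-] Notice: driver: starting: nsopenssl
[15/Aug/2015:18:39:13][3924.103][-nsopenssl:driver-] Error: nsopenssl: failed to listen on 203.0.113.10:443: Permission denied
[15/Aug/2015:18:39:13][3924.100][-main-] Notice: driver: starting: nsopenssl
[15/Aug/2015:18:39:13][3924.104][-nsopenssl:driver-] Error: nsopenssl: failed to listen on 203.0.113.10:443: Permission denied
[15/Aug/2015:18:39:13][3924.100][-main-] Fatal: could not start drivers
"""

# One nsd log record: [timestamp][pid.tid][thread] Level: message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<pid>\d+)\.(?P<tid>\d+)\]\[(?P<thread>[^\]]+)\] "
                     r"(?P<level>\w+): (?P<msg>.*)$")
LISTEN_RE = re.compile(r"^(?P<drv>\w+): listening on (?P<addr>\S+?:\d+)$")
FAIL_RE = re.compile(r"^(?P<drv>\w+): failed to listen on (?P<addr>\S+?:\d+): (?P<err>.*)$")


def find_listener_conflicts(log_text):
    """Return {addr: {"owner": tid, "failed": [(tid, err), ...]}} for every
    address that a driver failed to bind after another thread had bound it."""
    owners = {}                 # addr -> tid of the driver that bound it first
    conflicts = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # not an nsd log record; skip
        msg, tid = m["msg"], m["tid"]
        ok = LISTEN_RE.match(msg)
        if ok:
            owners.setdefault(ok["addr"], tid)   # first successful bind owns it
            continue
        bad = FAIL_RE.match(msg)
        if bad and bad["addr"] in owners:        # same addr:port already owned
            entry = conflicts.setdefault(bad["addr"], {"owner": owners[bad["addr"]], "failed": []})
            entry["failed"].append((tid, bad["err"]))
    return conflicts


if __name__ == "__main__":
    for addr, info in find_listener_conflicts(SAMPLE_LOG).items():
        print(f"{addr}: bound by thread {info['owner']}, "
              f"{len(info['failed'])} later driver(s) could not bind: {info['failed']}")
```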
Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working

2015-08-16 Thread Scott Goodwin
So OpenSSL will look at the domain names in the cert and if one of them 
matches, the SSL connection is accepted? I am behind the times. Thanks for 
pointing this out.

/s.

> On Aug 16, 2015, at 12:59 PM, Jeff Rogers  wrote:
> 
> The feature of having multiple certificates served on the same ip/port is 
> Server Name Indication (SNI) and the nsopenssl driver does not support it.  
> As you said, getting that to work would require some rewiring.
> 
> However, I think the certificate described by Thorpe was a single certificate 
> that is valid for multiple domains - Service Alternate Name (SAN), somewhat 
> similar to a wildcard cert.  Since it's just one certificate, it doesn't need 
> multiple different ips/ports.  The downside of a SAN cert is that if any of 
> the hosts changes, the whole cert needs to be reissued, versus with SNI each 
> host has its own cert.
> 
> So since it's just one certificate, I think that also means it doesn't need 
> multiple contexts to be set up.  Just set up the single context with the SAN 
> certificate, and set up the virtual servers as you would for a non-ssl setup.
> 
> -J
> 
> Scott Goodwin wrote:
>> I’m fairly certain that you can’t have multiple listeners on the same IP
>> address and port number on a NIC simultaneously, even if they’re all
>> binding from the same process. All three of the virtual servers below
>> are configured to use the same IP address and port number, and the first
>> nsopenssl instance to bind to it, ‘owns’ it. The rest get EPERM from the
>> operating system. I think the way multiple SSL certificates are bound to
>> a single IP address and port: the server listens on the IP and port, and
>> looks at the Host header of the incoming connection to determine which
>> SSL certificate to use for that particular connection. I don’t think
>> AOLserver has the ability to do this today. The other way to do it is to
>> create three distinct IP addresses on your NIC and use one for each SSL
>> instance. There may be other ways to make this work, but any of them
>> will probably require rewiring AOLserver and nsopenssl.
>> 

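Jeff's point above is that a single multi-domain (SAN) certificate needs only one nsopenssl context, but that every virtual host must be named in that certificate or the whole cert has to be reissued. The following is an added example, not code from the thread or from nsopenssl, that checks a list of virtual-host names against a certificate's dNSName entries using exact and single-label wildcard matching. The SAN entries and host names are constructed placeholders, not the poster's domains.

```python
# Constructed dNSName list of the kind a UCC/multi-domain certificate carries
# (placeholder names; the thread's real domains are not on the page).
SAN_CERT_DNSNAMES = ["www.example.org", "example.org", "shop.example.net", "*.example.com"]

# Virtual servers that would share the single nsopenssl context (constructed).
VHOSTS = ["www.example.org", "shop.example.net", "app.example.com", "mail.example.org"]


def dnsname_matches(pattern, hostname):
    """Match a certificate dNSName against a host name: case-insensitive exact
    match, or a wildcard that is the whole leftmost label and stands in for
    exactly one label (so *.example.com covers app.example.com but neither
    example.com nor a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest or "*" in rest:   # only a bare leftmost "*" is allowed
        return False
    hfirst, _, hrest = hostname.partition(".")
    return hfirst != "" and hrest == rest


def uncovered_vhosts(san_names, vhosts):
    """Virtual-host names that no dNSName in the certificate covers. A non-empty
    result means the single SAN cert cannot serve every vhost and must be
    reissued (the downside Jeff describes), or that vhost stays off the cert."""
    return [h for h in vhosts if not any(dnsname_matches(p, h) for p in san_names)]


if __name__ == "__main__":
    missing = uncovered_vhosts(SAN_CERT_DNSNAMES, VHOSTS)
    print("all vhosts covered by the SAN cert" if not missing else f"not covered: {missing}")
```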
--
___
aolserver-talk mailing list
aolserver-talk@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/aolserver-talk