Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working

2015-08-16 Thread Scott Goodwin
The backslash shows line continuation — the IP address below is 23.253.246.52 
(and :443 for the port).

/s.


 On Aug 16, 2015, at 1:22 AM, Sep thejackschm...@gmail.com wrote:
 
 Could your IP address be the one failing? 
 
 Error: nsopenssl: failed to listen on 23.253.\
 
 246.52:443: Permission denied
 
 What's the stray back slash for?
 
 On Aug 16, 2015 9:17 AM, Scott Goodwin sc...@scottg.net wrote:
 Has this ever worked in the past? It's been a long time since I've looked at 
 the module and I don't recall if it worked for multiple SSL listening ports 
 as virtual servers on the same AOLserver instance. I never had an occasion to 
 use it that way. If it's not capable of doing that in its last incarnation it 
 will probably take some work to modify it to do it properly.
 
 /s.
 
 On Aug 15, 2015, at 8:17 PM, Thorpe Mayes tma...@ecognizant.net wrote:
 
 Hi,
 
 I have AOLserver 4.5.2 running with virtual servers - main.tcl with several 
 sub config files. 
 
 Three of the domain names are using SSL. The certificate is a UCC SSL 
 Certificate that will accommodate up to 5 domain names. 
 
 If I activate the virtual server for just one of the three domains that are 
 using SSL, then everything works fine. When I activate two or more of the 
 sub files that need ssl, the server fails to start. Here is the tail end of 
 the log file:
 
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: 
 AOLserver/4.5.2 running
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: 
 security info: uid=502, euid=502, gid=502\
 , egid=502
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
 starting: nssock
 [15/Aug/2015:18:39:13][3924.18446744073356683008][-sched-] Notice: sched: 
 starting
 [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: 
 starting
 [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: 
 nssock: listening on 23.253.246.52:80
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
 starting: nsopenssl
 [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] 
 Notice: starting
 [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] 
 Notice: nsopenssl: listening on 23.253.246.52\
 :443
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
 starting: nsopenssl
 [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] 
 Notice: starting
 [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Error: 
 nsopenssl: failed to listen on 23.253.\
 246.52:443: Permission denied
 [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] 
 Notice: exiting
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
 starting: nsopenssl
 [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] 
 Notice: starting
 [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Error: 
 nsopenssl: failed to listen on 23.253.\
 246.52:443: Permission denied
 [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] 
 Notice: exiting
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Fatal: could not 
 start drivers
 
 
 Here is the ssl portion of the main.tcl file:
 
 ns_section ns/server/module/nsopenssl
 # ns_param RandomFile /some/file 

 ns_param SeedBytes  2048;  # was 1024   
 
 
 Here is what the ssl portion of the sub files (all appear to load 
 successfully - see below):
 
 #-
 # OpenSSL and nsopenssl
 # http://openacs.org/forums/message-view?message_id=320064 - for nsd code - note: must use port 443
 # http://openacs.org/doc/install-nsopenssl.html - binding port 443 in daemontools
 #-
 
 ns_section ns/server/${ecognizant}/module/nsopenssl/sslcontexts
 ns_param ${ecognizant}_users_ctx "SSL context used for $ecognizant regular user access"
 # ns_param admins_ctx "SSL context used for administrator access"
 ns_param ${ecognizant}_client_ctx "SSL context used for $ecognizant outgoing script socket connections"
 
 
 ns_section ns/server/${ecognizant}/module/nsopenssl/defaults
 ns_param server ${ecognizant}_users_ctx
 ns_param client ${ecognizant}_client_ctx
 
 
 ns_section ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_users_ctx
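Added example, not from the thread or from AOLserver: a small Python script that ties the log text above back to the errno behind it, and reproduces the two-listeners-on-one-port case on a loopback port. "Permission denied" is the strerror() text for EACCES, which is what bind(2) returns when a process without root or CAP_NET_BIND_SERVICE (the log shows uid=502, euid=502) tries to take a port below 1024; a second listener on a host:port that is already bound gets EADDRINUSE, "Address already in use"; and EPERM prints as "Operation not permitted". One reading consistent with the log, that the first nsopenssl driver received a socket bound before nsd dropped privileges (for example via the nsd -b prebind option) while the next two drivers had to bind 443 themselves as uid 502, is an inference of this example, not something the thread states. The sample log line is constructed from the thread's output with the mail wrapping removed.

```python
"""Map an nsopenssl 'failed to listen' log line to the errno behind it, and show
which errno a second listener on an already-bound host:port actually receives."""
import errno
import os
import re
import socket

# bind(2) failures that matter here, keyed by the text strerror() prints for them.
#   EACCES:        port < 1024 and the process lacks root / CAP_NET_BIND_SERVICE
#   EADDRINUSE:    host:port already owned by a listening socket (same or other process)
#   EADDRNOTAVAIL: the address is not configured on any local interface
#   EPERM:         "Operation not permitted" (a different message from EACCES)
CANDIDATES = (errno.EACCES, errno.EADDRINUSE, errno.EADDRNOTAVAIL, errno.EPERM)
BY_MESSAGE = {os.strerror(e): errno.errorcode[e] for e in CANDIDATES}

# Constructed sample, modelled on the thread's nsd output with the backslash wrap joined.
SAMPLE_LOG = ("[15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Error: "
              "nsopenssl: failed to listen on 23.253.246.52:443: Permission denied")

LOG_RE = re.compile(r"failed to listen on (?P<addr>[\d.]+):(?P<port>\d+): (?P<msg>.+)$")


def classify_log_line(line):
    """Return (addr, port, errno_name) for a 'failed to listen' line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["addr"], int(m["port"]), BY_MESSAGE.get(m["msg"], "UNKNOWN")


def try_listen(host, port):
    """bind()+listen(); return (socket, None) on success or (None, errno_name) on failure."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        s.listen(5)
        return s, None
    except OSError as e:
        s.close()
        return None, errno.errorcode.get(e.errno, str(e.errno))


def second_listener_errno(host="127.0.0.1"):
    """Two listeners on the same host:port inside one process: the errno the second one gets."""
    first, err = try_listen(host, 0)          # port 0: the kernel picks a free ephemeral port
    if err:
        return err
    port = first.getsockname()[1]
    second, err2 = try_listen(host, port)     # same address, same port, same process
    for s in (first, second):
        if s:
            s.close()
    return err2


if __name__ == "__main__":
    print(classify_log_line(SAMPLE_LOG))      # ('23.253.246.52', 443, 'EACCES')
    print(second_listener_errno())            # EADDRINUSE
```

Run it as a non-root user and compare the two results: the thread's message maps to EACCES, while the "first driver owns the port" scenario produces EADDRINUSE, so the two failure modes are distinguishable from the log text alone.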

Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working

2015-08-16 Thread Scott Goodwin
So OpenSSL will look at the domain names in the cert and if one of them 
matches, the SSL connection is accepted? I am behind the times. Thanks for 
pointing this out.

/s.

 On Aug 16, 2015, at 12:59 PM, Jeff Rogers dv...@diphi.com wrote:
 
 The feature of having multiple certificates served on the same ip/port is 
 Server Name Indication (SNI) and the nsopenssl driver does not support it.  
 As you said, getting that to work would require some rewiring.
 
 However, I think the certificate described by Thorpe was a single certificate 
 that is valid for multiple domains - Service Alternate Name (SAN), somewhat 
 similar to a wildcard cert.  Since it's just one certificate, it doesn't need 
 multiple different ips/ports.  The downside of a SAN cert is that if any of 
 the hosts changes, the whole cert needs to be reissued, versus with SNI each 
 host has its own cert.
 
 So since it's just one certificate, I think that also means it doesn't need 
 multiple contexts to be set up.  Just set up the single context with the SAN 
 certificate, and set up the virtual servers as you would for a non-ssl setup.
 
 -J
 
 Scott Goodwin wrote:
 I’m fairly certain that you can’t have multiple listeners on the same IP
 address and port number on a NIC simultaneously, even if they’re all
 binding from the same process. All three of the virtual servers below
 are configured to use the same IP address and port number, and the first
 nsopenssl instance to bind to it, ‘owns’ it. The rest get EPERM from the
 operating system. I think the way multiple SSL certificates are bound to
 a single IP address and port: the server listens on the IP and port, and
 looks at the Host header of the incoming connection to determine which
 SSL certificate to use for that particular connection. I don’t think
 AOLserver has the ability to do this today. The other way to do it is to
 create three distinct IP addresses on your NIC and use one for each SSL
 instance. There may be other ways to make this work, but any of them
 will probably require rewiring AOLserver and nsopenssl.
 

--
___
aolserver-talk mailing list
aolserver-talk@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/aolserver-talk
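Added example, not from the thread or from nsopenssl: the name an SNI-capable server uses to pick a certificate travels in the clear in the TLS ClientHello server_name extension (RFC 6066), before any HTTP request, and therefore before any Host header, which only arrives inside the encrypted stream after the handshake. The script below builds a minimal TLS 1.2 ClientHello carrying that extension (constructed sample data with a zeroed random field and an assumed cipher suite list) and parses the name back out with bounds checks on every length field, so a truncated or hostile record yields None rather than an exception. This is the kind of dispatch a driver would need to implement to serve several certificates on one IP and port; with a single SAN certificate, as Jeff describes, no such dispatch is needed.

```python
"""Build a minimal TLS 1.2 ClientHello with an SNI extension and extract the name
from the raw record, the way an SNI-aware server would before choosing a certificate."""
import struct

SNI_EXT_TYPE = 0x0000      # server_name extension type (RFC 6066)
HOST_NAME_TYPE = 0         # NameType.host_name


def build_client_hello(server_name=None, cipher_suites=(0xC02F, 0xC02B)):
    """Constructed sample input: a TLS 1.2 ClientHello, optionally carrying one SNI host_name.
    The random field is zeroed and the suite list is assumed; this is test data, not a real client."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # random (zeros: constructed sample)
        + b"\x00"                                     # session_id length: 0
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # compression_methods: one entry, null
    )
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name   # ServerName
        sni_body = struct.pack("!H", len(entry)) + entry                  # ServerNameList
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni_body)) + sni_body  # Extension
        body += struct.pack("!H", len(ext)) + ext                         # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record):
    """Return the host_name from the SNI extension of a raw ClientHello record, or None.
    Every length is bounds-checked; malformed input returns None instead of raising."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or len(hs) < 4 or hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                  # skip client_version and random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = body[pos]
        pos += 1 + cm_len
        if pos == len(body):
            return None                               # no extensions block: legal, just no SNI
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(body):
            return None
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_len]
            pos += ext_len
            if len(ext_data) != ext_len or pos > end:
                return None
            if ext_type != SNI_EXT_TYPE:
                continue
            list_len = struct.unpack("!H", ext_data[:2])[0]
            names = ext_data[2:2 + list_len]
            if len(names) != list_len:
                return None
            q = 0
            while q + 3 <= len(names):
                name_type = names[q]
                name_len = struct.unpack("!H", names[q + 1:q + 3])[0]
                q += 3
                name = names[q:q + name_len]
                q += name_len
                if len(name) != name_len:
                    return None
                if name_type == HOST_NAME_TYPE:
                    return name.decode("ascii")
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))   # www.example.com
    print(extract_sni(build_client_hello()))                    # None
```

The parser deliberately returns None for anything it cannot account for byte-by-byte; a server that dispatches on this value should treat None as "no SNI" and fall back to a default certificate rather than guessing.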


Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working

2015-08-15 Thread Scott Goodwin
Has this ever worked in the past? It's been a long time since I've looked at 
the module and I don't recall if it worked for multiple SSL listening ports as 
virtual servers on the same AOLserver instance. I never had an occasion to use 
it that way. If it's not capable of doing that in its last incarnation it will 
probably take some work to modify it to do it properly.

/s.

 On Aug 15, 2015, at 8:17 PM, Thorpe Mayes tma...@ecognizant.net wrote:
 
 Hi,
 
 I have AOLserver 4.5.2 running with virtual servers - main.tcl with several 
 sub config files. 
 
 Three of the domain names are using SSL. The certificate is a UCC SSL 
 Certificate that will accommodate up to 5 domain names. 
 
 If I activate the virtual server for just one of the three domains that are 
 using SSL, then everything works fine. When I activate two or more of the sub 
 files that need ssl, the server fails to start. Here is the tail end of the 
 log file:
 
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: 
 AOLserver/4.5.2 running
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: 
 security info: uid=502, euid=502, gid=502\
 , egid=502
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
 starting: nssock
 [15/Aug/2015:18:39:13][3924.18446744073356683008][-sched-] Notice: sched: 
 starting
 [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: 
 starting
 [15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: 
 nssock: listening on 23.253.246.52:80
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
 starting: nsopenssl
 [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: 
 starting
 [15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: 
 nsopenssl: listening on 23.253.246.52\
 :443
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
 starting: nsopenssl
 [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: 
 starting
 [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Error: 
 nsopenssl: failed to listen on 23.253.\
 246.52:443: Permission denied
 [15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: 
 exiting
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: 
 starting: nsopenssl
 [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: 
 starting
 [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Error: 
 nsopenssl: failed to listen on 23.253.\
 246.52:443: Permission denied
 [15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: 
 exiting
 [15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Fatal: could not 
 start drivers
 
 
 Here is the ssl portion of the main.tcl file:
 
 ns_section ns/server/module/nsopenssl
 # ns_param RandomFile /some/file
 ns_param SeedBytes  2048;  # was 1024
 
 
 Here is what the ssl portion of the sub files (all appear to load 
 successfully - see below):
 
 #-
 # OpenSSL and nsopenssl
 # http://openacs.org/forums/message-view?message_id=320064 - for nsd code - note: must use port 443
 # http://openacs.org/doc/install-nsopenssl.html - binding port 443 in daemontools
 #-
 
 ns_section ns/server/${ecognizant}/module/nsopenssl/sslcontexts
 ns_param ${ecognizant}_users_ctx "SSL context used for $ecognizant regular user access"
 # ns_param admins_ctx "SSL context used for administrator access"
 ns_param ${ecognizant}_client_ctx "SSL context used for $ecognizant outgoing script socket connections"
 
 
 ns_section ns/server/${ecognizant}/module/nsopenssl/defaults
 ns_param server ${ecognizant}_users_ctx
 ns_param client ${ecognizant}_client_ctx
 
 
 ns_section ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_users_ctx
 ns_param Role server
 ns_param ModuleDir $ssldocdir
 ns_param CertFile cert.pem
 ns_param KeyFile key.pem
 ns_param CAFile ca.pem
 ns_param Protocols All
 ns_param CipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
 ns_param PeerVerify false
 ns_param PeerVerifyDepth 3
 ns_param Trace false
 
 
 ns_section 
 ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_client_ctx
 ns_param Role client
 ns_param ModuleDir $ssldocdir
 ns_param CertFile cert.pem
 ns_param KeyFile key.pem
 ns_param CAFile ca.pem
 ns_param Protocols All
 ns_param CipherSuite 

Re: [AOLSERVER] Updating Aolserver to use TLSv1.2

2015-06-23 Thread Scott Goodwin
An AOLserver configuration file from an old server I used to run has this 
section defined:

ns_param Protocol "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

From the OpenSSL documentation:
Only enable TLSv1.2:

SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");


So I’d assume the following would restrict AOLserver to ONLY use TLS 1.2:

ns_param Protocol "-ALL,TLSv1.2"
ns_param CipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP


/s.


 On Jun 23, 2015, at 10:36 AM, Paula Giangeruso pgianger...@wineaccess.com 
 wrote:
 
 Does anyone have TLS v1.2 working on AOLserver?  If so how did you go about 
 doing this?
 
 Thank You,
 Paula
 
 -- 
 Paula Giangeruso - Vice President/Engineering
 pgianger...@wineaccess.com | www.wineaccess.com
 O: ( 610) 642-1255 | F: (610) 642-1277 | C: (609) 731-8092
 
 wineaccess ®
 direct from the source

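Added example, not from the thread or from nsopenssl: the policy Scott's "-ALL,TLSv1.2" line expresses, written against Python's ssl module so the cipher list OpenSSL actually builds can be inspected offline. The legacy CipherSuite string is quoted verbatim from the thread only to audit what it admits; the hardened string (ECDHE key exchange and AEAD ciphers only) is this example's assumption, not an nsopenssl setting, and the names it yields should be checked against the deployed OpenSSL with openssl ciphers -v before going into a config file.

```python
"""Pin a server context to TLS 1.2 and audit the cipher list a given OpenSSL
cipher string produces, comparing the thread's legacy string with a hardened one."""
import ssl

# Quoted verbatim from the thread; used here only to audit what it admits.
LEGACY_CIPHER_STRING = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
# Assumed replacement (this example's choice, not an nsopenssl default):
# ECDHE key exchange only, so every suite has forward secrecy, and AEAD ciphers only.
HARDENED_CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES"

# Substrings that mark a suite as broken or obsolete: RC4, single/triple DES, MD5 MAC,
# null encryption or authentication, export grades, anonymous DH/ECDH, other legacy ciphers.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH", "RC2", "SEED", "IDEA")


def tls12_only_context(cipher_string=HARDENED_CIPHER_STRING):
    """Server context pinned to TLS 1.2 (the intent of '-ALL,TLSv1.2') with the given cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)        # raises ssl.SSLError if nothing matches
    return ctx


def audit(ctx):
    """Summarise the cipher list OpenSSL actually built from the context's cipher string."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "count": len(names),
        "weak": [n for n in names if any(m in n for m in WEAK_MARKERS)],
        # TLS 1.2 suites without (EC)DHE use static RSA key exchange: no forward secrecy.
        # TLS 1.3 suites (TLS_ prefix) always have it.
        "no_forward_secrecy": [n for n in names if not n.startswith(("ECDHE-", "DHE-", "TLS_"))],
    }


def protocol_range(ctx):
    """(minimum, maximum) protocol version names the context will negotiate."""
    return ctx.minimum_version.name, ctx.maximum_version.name


if __name__ == "__main__":
    for label, cs in (("legacy", LEGACY_CIPHER_STRING), ("hardened", HARDENED_CIPHER_STRING)):
        report = audit(tls12_only_context(cs))
        print(label, report["count"], "suites;", len(report["weak"]), "weak;",
              len(report["no_forward_secrecy"]), "without forward secrecy")
```

The legacy string still passes OpenSSL's parser on current releases because keywords with no remaining suites (EXP, LOW, SSLv2) are simply ignored, which is exactly why it looks harmless in a config file while still admitting static-RSA and CBC suites; the audit output makes that visible.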


Re: [AOLSERVER] Updating Aolserver to use TLSv1.2

2015-06-23 Thread Scott Goodwin
By the way, ignore my CipherSuite line in there — you obviously don’t want 
SSLv2, +LOW, +MEDIUM and other components - you’ll likely just want the TLS 
v1.2 ciphers, which are listed here:

https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites

Not sure what the CipherSuite string should look like to support that, but if I 
have time this week I’ll see if I can figure it out. Be aware that restricting 
to just TLS 1.2 may cause some older browsers to not work with your site, but I 
haven’t done hands-on work in this area in years, so I’m not up-to-date on 
proper configurations.

/s.


 On Jun 23, 2015, at 12:00 PM, Scott Goodwin sc...@scottg.net wrote:
 
 An AOLserver configuration file from an old server I used to run has this 
 section defined:
 
 ns_param Protocol "SSLv2, SSLv3, TLSv1"
 ns_param CipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
 
 From the OpenSSL documentation:
 Only enable TLSv1.2:
 
 SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");
 
 
 So I’d assume the following would restrict AOLserver to ONLY use TLS 1.2:
 
 ns_param Protocol "-ALL,TLSv1.2"
 ns_param CipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
 
 
 /s.
 
 
 On Jun 23, 2015, at 10:36 AM, Paula Giangeruso pgianger...@wineaccess.com wrote:
 
 Does anyone have TLS v1.2 working on AOLserver?  If so how did you go about 
 doing this?
 
 Thank You,
 Paula
 
 -- 
 Paula Giangeruso - Vice President/Engineering
 pgianger...@wineaccess.com | www.wineaccess.com
 O: ( 610) 642-1255 | F: (610) 642-1277 | C: (609) 731-8092
 
 wineaccess ®
 direct from the source
 
