[AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not working


Thorpe Mayes

unread,
Aug 15, 2015, 8:17:30 PM8/15/15
to aolserv...@lists.sourceforge.net
Hi,

I have AOLserver 4.5.2 running with virtual servers - main.tcl with several sub config files. 

Three of the domain names are using SSL. The certificate is a UCC SSL Certificate that will accommodate up to 5 domain names. 

If I activate the virtual server for just one of the three domains that are using SSL, then everything works fine. When I activate two or more of the sub files that need ssl, the server fails to start. Here is the tail end of the log file:

[15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: AOLserver/4.5.2 running
[15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: nsmain: security info: uid=502, euid=502, gid=502\
, egid=502
[15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: starting: nssock
[15/Aug/2015:18:39:13][3924.18446744073356683008][-sched-] Notice: sched: starting
[15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: starting
[15/Aug/2015:18:39:13][3924.18446744073356543744][-nssock:driver-] Notice: nssock: listening on 23.253.246.52:80
[15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: starting: nsopenssl
[15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: starting
[15/Aug/2015:18:39:13][3924.18446744073356404480][-nsopenssl:driver-] Notice: nsopenssl: listening on 23.253.246.52\
:443
[15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: starting: nsopenssl
[15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: starting
[15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Error: nsopenssl: failed to listen on 23.253.\
246.52:443: Permission denied
[15/Aug/2015:18:39:13][3924.18446744073356265216][-nsopenssl:driver-] Notice: exiting
[15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Notice: driver: starting: nsopenssl
[15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: starting
[15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Error: nsopenssl: failed to listen on 23.253.\
246.52:443: Permission denied
[15/Aug/2015:18:39:13][3924.18446744073356125952][-nsopenssl:driver-] Notice: exiting
[15/Aug/2015:18:39:13][3924.18446744073356691200][-main-] Fatal: could not start drivers


Here is the ssl portion of the main.tcl file:

ns_section "ns/server/module/nsopenssl"
# ns_param RandomFile /some/file                                                                                    
ns_param SeedBytes  2048;  # was 1024   


Here is the ssl portion of the sub files (all appear to load successfully - see below):

#---------------------------------------------------------------------                                              
# OpenSSL and nsopenssl                                                                                             
# http://openacs.org/forums/message-view?message_id=320064 - for nsd code - note: must use port 443                 
# http://openacs.org/doc/install-nsopenssl.html - binding port 443 in daemontools                                   
#---------------------------------------------------------------------                                              

ns_section "ns/server/${ecognizant}/module/nsopenssl/sslcontexts"
ns_param ${ecognizant}_users_ctx "SSL context used for $ecognizant regular user access"
# ns_param admins_ctx "SSL context used for administrator access"                                                   
ns_param ${ecognizant}_client_ctx "SSL context used for $ecognizant outgoing script socket connections"


ns_section "ns/server/${ecognizant}/module/nsopenssl/defaults"
ns_param server ${ecognizant}_users_ctx
ns_param client ${ecognizant}_client_ctx


ns_section "ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_users_ctx"
ns_param Role server
ns_param ModuleDir $ssldocdir
ns_param CertFile cert.pem
ns_param KeyFile key.pem
ns_param CAFile ca.pem
ns_param Protocols "All"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false


ns_section "ns/server/${ecognizant}/module/nsopenssl/sslcontext/${ecognizant}_client_ctx"
ns_param Role client
ns_param ModuleDir $ssldocdir
ns_param CertFile cert.pem
ns_param KeyFile key.pem
ns_param CAFile ca.pem
ns_param Protocols "All"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false


ns_section "ns/server/${ecognizant}/module/nsopenssl/ssldrivers"
ns_param ${ecognizant}_users_drv "Driver for regular $ecognizant user access"


ns_section "ns/server/${ecognizant}/module/nsopenssl/ssldriver/${ecognizant}_users_drv"
ns_param sslcontext ${ecognizant}_users_ctx
ns_param port $httpsport
ns_param hostname $hostname
ns_param address $address
ns_param maxinput [expr {1024 * 1000 * 10}] ;# 10 MB upload limit                                                   


ns_section "ns/server/${ecognizant}/modules"
ns_param nslog   ${bindir}/nslog${ext}
ns_param nsdb    ${bindir}/nsdb${ext}
ns_param nscache ${bindir}/nscache${ext}
ns_param nssha1  ${bindir}/nssha1${ext}
ns_param nsopenssl ${bindir}/nsopenssl${ext}


The log file portion of one of the sub files that have ssl:

[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: fastpath[server10]: mapped GET /
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: fastpath[server10]: mapped HEAD /
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: fastpath[server10]: mapped POST /
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nslog: opened '/usr/local/aolserver/servers/server10/access.log'
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nscache module version 1.5 server: server10
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl: generating 512-bit temporary RSA key ...
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl: generating 1024-bit temporary RSA key ...
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): loading SSL context 'server10_users_ctx'
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_users_ctx' ciphers loaded successfully
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_users_ctx' using all protocols: SSLv2, SSLv3 and TLSv1
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_users_ctx' certificate and key loaded successfully
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_users_ctx' CA file loaded successfully
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: server10_users_ctx (nsopenssl): session cache is turned on for sslcontext 'server10'
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): loading SSL context 'server10_client_ctx'
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_client_ctx' ciphers loaded successfully
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_client_ctx' using all protocols: SSLv2, SSLv3 and TLSv1
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_client_ctx' certificate and key loaded successfully
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): 'server10_client_ctx' CA file loaded successfully
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: server10_client_ctx (nsopenssl): session cache is turned on for sslcontext 'server10'
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): default SSL context for server is server10_users_ctx
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: default server SSL context: server10_users_ctx
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): default SSL context for client is server10_client_ctx
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: default client SSL context: server10_client_ctx
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: nsopenssl (server10): loading 'server10_users_drv' SSL driver
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: conf: [ns/server/server10]enabletclpages = 1
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: tcl: enabling .tcl pages
[15/Aug/2015:18:39:12][3924.18446744073356691200][-main-] Notice: default thread pool: minthreads 0 maxthreads 10 idle 0 current 0 maxconns 4000 queued 0 timeout 1000\
000 spread 20

Here is what the command that starts the server looks like:

/usr/local/aolserver/bin/nsd -u nsadmin -g nsadmin -it /usr/local/aolserver/front_end.tcl -b 23.253.246.52:80,23\
.253.246.52:443

It looks like the ssl connection (port 443) is being loaded three times, with the last two failing and preventing the server from starting. 

Does anyone have an insight for me?

Thank you,

Thorpe

Scott Goodwin

unread,
Aug 15, 2015, 9:17:13 PM8/15/15
to Thorpe Mayes, aolserv...@lists.sourceforge.net
Has this ever worked in the past? It's been a long time since I've looked at the module and I don't recall if it worked for multiple SSL listening ports as virtual servers on the same AOLserver instance. I never had an occasion to use it that way. If it's not capable of doing that in its last incarnation it will probably take some work to modify it to do it properly.

/s.
------------------------------------------------------------------------------
_______________________________________________
aolserver-talk mailing list
aolserv...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/aolserver-talk

Sep

unread,
Aug 16, 2015, 1:23:10 AM8/16/15
to Scott Goodwin, aolserv...@lists.sourceforge.net

Could your IP address be the one failing? 

Error: nsopenssl: failed to listen on 23.253.\

246.52:443: Permission denied

What's the stray back slash for?

Scott Goodwin

unread,
Aug 16, 2015, 9:04:46 AM8/16/15
to Sep, aolserv...@lists.sourceforge.net
The backslash shows line continuation — the IP address below is 23.253.246.52 (and :443 for the port).

/s.

Scott Goodwin

unread,
Aug 16, 2015, 9:41:55 AM8/16/15
to Thorpe Mayes, aolserv...@lists.sourceforge.net
I’m fairly certain that you can’t have multiple listeners on the same IP address and port number on a NIC simultaneously, even if they’re all binding from the same process. All three of the virtual servers below are configured to use the same IP address and port number, and the first nsopenssl instance to bind to it, ‘owns’ it. The rest get EPERM from the operating system. I think the way multiple SSL certificates are bound to a single IP address and port: the server listens on the IP and port, and looks at the Host header of the incoming connection to determine which SSL certificate to use for that particular connection. I don’t think AOLserver has the ability to do this today. The other way to do it is to create three distinct IP addresses on your NIC and use one for each SSL instance. There may be other ways to make this work, but any of them will probably require rewiring AOLserver and nsopenssl.

Aside: the direct email to your address above bounced — see here:


<tma...@ecognizant.net>: host ecognizant.net[23.253.246.52] said: 553 sorry,
   that domain isn't in my list of allowed rcpthosts (#5.7.1) (in reply to
   RCPT TO command)
Reporting-MTA: dns; mailout.nyi.internal
X-Postfix-Queue-ID: 4732622053
X-Postfix-Sender: rfc822; sc...@scottg.net
Arrival-Date: Sun, 16 Aug 2015 09:04:30 -0400 (EDT)

/s.


On Aug 15, 2015, at 8:17 PM, Thorpe Mayes <tma...@ecognizant.net> wrote:

Scott Goodwin

unread,
Aug 16, 2015, 1:16:04 PM8/16/15
to Jeff Rogers, aolserv...@lists.sourceforge.net
So OpenSSL will look at the domain names in the cert and if one of them matches, the SSL connection is accepted? I am behind the times. Thanks for pointing this out.

/s.

> On Aug 16, 2015, at 12:59 PM, Jeff Rogers <dv...@diphi.com> wrote:
>
> The feature of having multiple certificates served on the same ip/port is Server Name Indication (SNI) and the nsopenssl driver does not support it. As you said, getting that to work would require some rewiring.
>
> However, I think the certificate described by Thorpe was a single certificate that is valid for multiple domains - Service Alternate Name (SAN), somewhat similar to a wildcard cert. Since it's just one certificate, it doesn't need multiple different ips/ports. The downside of a SAN cert is that if any of the hosts changes, the whole cert needs to be reissued, versus with SNI each host has its own cert.
>
> So since it's just one certificate, I think that also means it doesn't need multiple contexts to be set up. Just set up the single context with the SAN certificate, and set up the virtual servers as you would for a non-ssl setup.
>
> -J


>
> Scott Goodwin wrote:
>> I’m fairly certain that you can’t have multiple listeners on the same IP
>> address and port number on a NIC simultaneously, even if they’re all
>> binding from the same process. All three of the virtual servers below
>> are configured to use the same IP address and port number, and the first
>> nsopenssl instance to bind to it, ‘owns’ it. The rest get EPERM from the
>> operating system. I think the way multiple SSL certificates are bound to
>> a single IP address and port: the server listens on the IP and port, and
>> looks at the Host header of the incoming connection to determine which
>> SSL certificate to use for that particular connection. I don’t think
>> AOLserver has the ability to do this today. The other way to do it is to
>> create three distinct IP addresses on your NIC and use one for each SSL
>> instance. There may be other ways to make this work, but any of them
>> will probably require rewiring AOLserver and nsopenssl.
>>


Jeff Rogers

unread,
Aug 16, 2015, 1:27:17 PM8/16/15
to Scott Goodwin, Thorpe Mayes, aolserv...@lists.sourceforge.net
The feature of having multiple certificates served on the same ip/port
is Server Name Indication (SNI) and the nsopenssl driver does not
support it. As you said, getting that to work would require some rewiring.

However, I think the certificate described by Thorpe was a single
certificate that is valid for multiple domains - Service Alternate Name
(SAN), somewhat similar to a wildcard cert. Since it's just one
certificate, it doesn't need multiple different ips/ports. The downside
of a SAN cert is that if any of the hosts changes, the whole cert needs
to be reissued, versus with SNI each host has its own cert.

So since it's just one certificate, I think that also means it doesn't
need multiple contexts to be set up. Just set up the single context
with the SAN certificate, and set up the virtual servers as you would
for a non-ssl setup.

-J

Scott Goodwin wrote:
> I’m fairly certain that you can’t have multiple listeners on the same IP
> address and port number on a NIC simultaneously, even if they’re all
> binding from the same process. All three of the virtual servers below
> are configured to use the same IP address and port number, and the first
> nsopenssl instance to bind to it, ‘owns’ it. The rest get EPERM from the
> operating system. I think the way multiple SSL certificates are bound to
> a single IP address and port: the server listens on the IP and port, and
> looks at the Host header of the incoming connection to determine which
> SSL certificate to use for that particular connection. I don’t think
> AOLserver has the ability to do this today. The other way to do it is to
> create three distinct IP addresses on your NIC and use one for each SSL
> instance. There may be other ways to make this work, but any of them
> will probably require rewiring AOLserver and nsopenssl.
>

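Scott's and Jeff's replies above both come down to one point: a single listener on one IP:port can serve several hostnames if the one certificate it presents lists them all (SAN), while per-host certificates on the same IP:port need SNI. The following added example (not code from the thread, nor from AOLserver or nsopenssl) checks which of the intended virtual-server hostnames a certificate actually covers; the certificate dict and hostnames are constructed stand-ins, and `fetch_cert` is an assumed helper for pulling the real certificate from a live listener.

```python
"""Check which virtual-server hostnames one SAN certificate covers.

Added example, not part of the mailing-list thread. SAMPLE_CERT is a
constructed stand-in in the dict shape ssl.SSLSocket.getpeercert() returns;
the hostnames are placeholders for the domains on a UCC/SAN certificate.
"""
import socket
import ssl

# Constructed sample: getpeercert() output for a cert with three SAN entries
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-one.test"),),),
    "subjectAltName": (
        ("DNS", "www.example-one.test"),
        ("DNS", "example-one.test"),
        ("DNS", "*.example-two.test"),
    ),
    "notAfter": "Aug 15 23:59:59 2016 GMT",
}

def san_dns_names(cert):
    """Return the DNS names listed in the certificate's subjectAltName."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or '*' as the entire leftmost label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_rest, h_labels = pattern[2:], hostname.split(".")
    # The wildcard must stand for exactly one label, never for the bare domain.
    return len(h_labels) > 2 and ".".join(h_labels[1:]) == p_rest

def coverage(cert, hostnames):
    """Map each intended hostname to whether the certificate covers it."""
    names = san_dns_names(cert)
    return {h: any(name_matches(n, h) for n in names) for h in hostnames}

def missing_hostnames(cert, hostnames):
    """Hostnames that would fail TLS name validation with this certificate."""
    return [h for h, ok in coverage(cert, hostnames).items() if not ok]

def fetch_cert(address, hostname, port=443):
    """Assumed live helper: connect to one IP:port, send hostname via SNI, return cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((address, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    wanted = ["www.example-one.test", "shop.example-two.test", "example-three.test"]
    print(missing_hostnames(SAMPLE_CERT, wanted))  # ['example-three.test']
```

Run `fetch_cert` once per hostname against the single 443 listener: if every call returns the same certificate and `missing_hostnames` is empty, one context and one driver suffice; a hostname in the missing list means the SAN certificate must be reissued to include it.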
Torben Brosten

unread,
Aug 16, 2015, 3:37:17 PM8/16/15
to aolserv...@lists.sourceforge.net
Thorpe, my reply to you bounced.

Here is original:

-------- Forwarded Message --------
Subject: Re: [AOLSERVER] AOL server 4.5.2 w/ virtual servers - SSL not
working
Date: Sat, 15 Aug 2015 19:55:59 -0700
From: Torben Brosten <tor...@dekka.com>
To: Thorpe Mayes <tma...@ecognizant.net>

Thorpe,

No guarantees, but you might want to try:

1. setting each http ssl at a different port, and

2. reference each key.pem and cert.pem file only once in the config
files. For cases where they are referenced more than once, duplicate the
file (with a different name, such as keyfile1.pem, keyfile2.pem etc).

This may not get what you need, but I've found this method helps reduce
some error conditions.

cheers,

Torben

Brad Chick

unread,
Mar 25, 2016, 11:44:39 AM3/25/16
to aolserv...@lists.sourceforge.net
All,

Sorry if this is the wrong place, but we're looking for a contractor to
help with an AOLserver app that we maintain for JPMorgan Chase.

The work will consist of
- new functionality
- bug fixes
- security-related issues
- performance

We also have a related PHP app that runs in parallel; so PHP knowledge
is helpful, but not necessary.

Hours will vary, roughly ~5-20 hours per week.

Pay is commensurate with experience.

Please let me know. Or, if there is another place I should be looking
for an experienced AOLserver dev, please also forward that information.

Thanks

--
==============================
BRAD CHICK
==============================

Br...@ChickCentral.com
734.662.1701 (h)
734.646.9372 (m)

"Make Some Time for Wasting!"

