SSL Problem with NS LDAP server 4.12


Ian Deng

Nov 28, 2000, 3:00:00 AM
After installing a Verisign certificate I got the following error messages
in the "errors" log file when restarting the Directory server:

SSL alert: Security Initialization: Failed to set SSL cipher preference
information:
unknown cipher tls_rsa_export1024_with_rc4_56_sha!
SSL alert: Security Initialization: Failed to set SSL cipher preference
information:
unknown cipher tls_rsa_export1024_with_des_cbc_sha!

Client also fails to connect to the LDAP server (4.12) over SSL.

I do not get the error message with NS LDAP server 4.11, and the
client works fine over SSL with 4.11.

Two questions:
1. Is this a bug in 4.12, or is there some configuration I should change?

2. Is the client's failure to connect to the server related to the error
message, or is it caused by something else? (After the error message the log
indicates the 4.12 server is up and listening on SSL port 636.)

Thank you for your help,

Ian Deng
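The two "unknown cipher" lines above are the useful part of the log: each names one entry in the server's SSL cipher-preference list that this build no longer recognizes. As an added example (not from the thread and not a Netscape tool), here is a small POSIX sh helper that pulls those names out of an "errors" log so they can be matched against the cipher-preference configuration. The sample log is constructed from the lines quoted in the post; the final "listening" line is a placeholder, since the post only paraphrases it.

```shell
#!/bin/sh
# Added example: extract the cipher names that the Directory Server's
# "errors" log flags as unknown.  Works whether each alert is on one line
# (as in the real log) or wrapped across several lines (as quoted above),
# because the "unknown cipher NAME!" fragment is always on its own line.

# unknown_ciphers LOGFILE
# Prints each unknown cipher name once, in order of first appearance.
unknown_ciphers() {
    grep 'unknown cipher' "$1" \
        | sed 's/.*unknown cipher \([^!]*\)!.*/\1/' \
        | awk '!seen[$0]++'
}

# make_sample_log LOGFILE
# Writes a constructed log that mirrors the messages quoted in the post.
make_sample_log() {
    cat > "$1" <<'EOF'
SSL alert: Security Initialization: Failed to set SSL cipher preference
information:
unknown cipher tls_rsa_export1024_with_rc4_56_sha!
SSL alert: Security Initialization: Failed to set SSL cipher preference
information:
unknown cipher tls_rsa_export1024_with_des_cbc_sha!
(constructed placeholder) server is up and listening on SSL port 636
EOF
}

# Stand-alone run: build the sample log and list the offending names.
if [ "${1:-}" = "--demo" ]; then
    demo_log=$(mktemp)
    make_sample_log "$demo_log"
    unknown_ciphers "$demo_log"
    rm -f "$demo_log"
fi
```

Run it as `sh extract_ciphers.sh --demo` to see the two names from the post, or point unknown_ciphers at the real "errors" file. Both names are 56-bit export-grade suites, which is consistent with a newer SSL library having dropped them; the names the script prints are what to look for in the server's cipher-preference setting.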


Mark Lightner

Dec 4, 2000, 3:00:00 AM
What operating system is this running on? If it is running on Solaris, then
the problem probably has to do with access rights to the public certificates
(i.e. Server Certs.). On Solaris, these need to be opened up with full
access (as these are public certs).


"Ian Deng" <id...@cisco.com> wrote in message
news:3A242831...@cisco.com...

Ian Deng

Dec 4, 2000, 3:00:00 AM
Mark, thank you for your reply. I should have indicated I'm running on Solaris
2.6 in my original message. Now my question: how can I check and open up full
access to the public certificates?

Ian Deng

Mark Lightner

Dec 5, 2000, 3:00:00 AM
The following assumes that you store your certs (*cert7.db, *key3.db files)
in your /usr/netscape/server4/aliases folder. If this is incorrect, then
make the appropriate change to the commands...

chmod 777 /usr/netscape/server4/aliases
chmod 777 /usr/netscape/server4/aliases/*.db

This is somewhat of a compromise, as I ran
chmod 777 /usr/netscape/server4/aliases/*.db
in my testing, which worked. I don't see, though, why anything should need
'write' access, or 'execute' access for that matter, in order to use the
public cert/key. Therefore, try the full access (777) first ... to see if
that fixes your issue. If it does, then back out of the 'write' access for
owner/group/other, then test, and back out of the 'execute' access for
owner/group/other, then test again.

Also, let me know if this helped...

"Ian Deng" <id...@cisco.com> wrote in message
news:3A2C3C18...@cisco.com...
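The "open everything up, then back out write, then execute" sequence above is a least-privilege search: it ends at the most restrictive mode that still lets the server read the cert and key databases, instead of leaving key3.db (the private-key database) world-writable. As an added example (not Mark's script and not part of the Directory Server), here is that procedure as a POSIX sh function. The certificate directory and the test command are parameters; the "test" in a real run would be a restart of the server plus a client connection over SSL, which the script does not know how to do, so it just runs whatever command you hand it.

```shell
#!/bin/sh
# Added example: walk the permission sequence from the post (777, then
# drop write, then drop execute) on the *cert7.db / *key3.db files and
# report the most restrictive mode that still passes a caller-supplied
# test command.  Directory modes are kept at 555 once files are 444,
# since the directory still needs 'execute' to be traversed.

# show_db_perms DIR
# Current mode, owner and group of every .db file in DIR.
show_db_perms() {
    ls -l "$1"/*.db
}

# step_down_perms DIR TEST_CMD
# Tries file/dir mode pairs 777/777, 555/555 and 444/555 in turn, running
# TEST_CMD after each.  Stops at the first pair that fails the test,
# restores the last pair that passed, and prints that file mode.
# Returns 1 if even 777 does not pass (the situation reported in the
# thread), so the caller knows permissions were not the problem.
step_down_perms() {
    dir=$1
    test_cmd=$2
    last_ok=""
    for pair in 777:777 555:555 444:555; do
        file_mode=${pair%%:*}
        dir_mode=${pair##*:}
        chmod "$dir_mode" "$dir" || return 1
        chmod "$file_mode" "$dir"/*.db || return 1
        if sh -c "$test_cmd"; then
            last_ok=$file_mode
        else
            # Go back to the last mode that worked before giving up.
            [ -n "$last_ok" ] && chmod "$last_ok" "$dir"/*.db
            break
        fi
    done
    [ -n "$last_ok" ] || return 1
    echo "$last_ok"
}

# Stand-alone demo on a constructed directory: a read-only check settles
# at 444, which is the least privilege the post is working toward.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    : > "$demo/cert7.db"
    : > "$demo/key3.db"
    echo "most restrictive working mode: $(step_down_perms "$demo" \
        "test -r '$demo/cert7.db' && test -r '$demo/key3.db'")"
    show_db_perms "$demo"
    rm -rf "$demo"
fi
```

Against a real install you would call it as `step_down_perms /usr/netscape/server4/aliases '/path/to/restart-and-ldaps-check'` (both paths are placeholders), where the check script restarts the server and attempts one client connection to port 636. Note that if the server runs as root, as in Ian's case, file modes are not enforced against it at all, so a permission experiment cannot explain the failure; the cipher-preference errors in the log are the better lead there.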

Ian Deng

Dec 5, 2000, 3:00:00 AM
I've tried to chmod 777 the subdirectory and the files *cert7.db and
*key3.db (in my case the two files are under /usr/netscape/ldap_412/alias
and I'm running as 'root').

I still get the same error messages after the chmod. Client fails to connect
to the ldap server as before.

I guess I can see why these two files need write permission for certificate
installation. Not sure why it's needed after the cert is installed.

I've tried two certificates: one I got from Verisign and another was generated
by the NS Certificate Management Server I installed on the same machine as
the LDAP server is running. Same error messages and client connection failure
for both certificates.

While I cannot make LDAP Server 4.12 work, I have no problem with either
certificate when I run LDAP server 4.11.

Anyway, thank you so much Mark for your help. If you can confirm that
you've been successful with 4.12 that'll give me a good indication the problem
is on my side.
