[AOLSERVER] SSL connection error
274 views
Skip to first unread message
Iuri Sampaio
Jun 18, 2012, 8:11:18 AM6/18/12
to aolserve...@lists.sourceforge.net, aolserv...@lists.sourceforge.net
Hi there,
After setting up nsopenssl on aolserver I got the following error.
Though, 1) config.tcl is properly set
2) paths and permissions are properly set
3) and logs show the libs and certs were loaded sucessfully
[17/Jun/2012:20:20:45][30618.
After setting up nsopenssl on aolserver I got the following error.
SSL connection error
Unable to make a secure
connection to the server. This may be a problem with the server,
or it may be requiring a client authentication certificate that
you don't have.
Error 107
(net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
Though, 1) config.tcl is properly set
2) paths and permissions are properly set
3) and logs show the libs and certs were loaded sucessfully
[17/Jun/2012:20:20:45][30618.
3074823872][-main-] Notice: modload:
loading '/usr/lib/aolserver4/bin/nssha1.so'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: modload: loading '/usr/lib/aolserver4/bin/nsopenssl-3.0/nsopenssl.so'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl: generating 512-bit temporary RSA key ...
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl: generating 1024-bit temporary RSA key ...
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): loading SSL context 'users'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'users' ciphers loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'users' using SSLv3 protocol
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'users' using TLSv1 protocol
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'users' certificate and key loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'users' CA file loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: users (nsopenssl): session cache is turned on for sslcontext 'cnauto'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): loading SSL context 'client'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'client' ciphers loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'client' using SSLv2 protocol
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'client' using SSLv3 protocol
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'client' using TLSv1 protocol
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'client' certificate and key loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'client' CA file loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: client (nsopenssl): session cache is turned on for sslcontext 'cnauto'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): default SSL context for server is users
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: default server SSL context: users
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): default SSL context for client is client
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: default client SSL context: client
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): loading 'users' SSL driver
...
[17/Jun/2012:20:20:56][30618.3052837744][-nsopenssl:driver-] Notice: starting
[17/Jun/2012:20:20:56][30618.3052837744][-nsopenssl:driver-] Notice: nsopenssl: listening on 127.0.0.1:8443
#######
I believe the error is related to the 'client' certificate. Before I got the error:
########
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): loading SSL context 'client'
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): 'client' ciphers loaded successfully
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): 'client' using SSLv2 protocol
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): 'client' using SSLv3 protocol
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): 'client' using TLSv1 protocol
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Error: nsopenssl (cnauto): 'client' certificate file is not readable or does not exist
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Error: nsopenssl (cnauto): SSL context 'client' left uninitialized
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): default SSL context for server is users
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: default server SSL context: users
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): default SSL context for client is client
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: default client SSL context: client
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): loading 'users' SSL driver
#########
Then I changed the 'client' cert's paths within config.tcl to the same of users
Would that be the issue?
Best wishes,
Iuri
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: modload: loading '/usr/lib/aolserver4/bin/nsopenssl-3.0/nsopenssl.so'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl: generating 512-bit temporary RSA key ...
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl: generating 1024-bit temporary RSA key ...
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): loading SSL context 'users'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'users' ciphers loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'users' using SSLv3 protocol
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'users' using TLSv1 protocol
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'users' certificate and key loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'users' CA file loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: users (nsopenssl): session cache is turned on for sslcontext 'cnauto'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): loading SSL context 'client'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'client' ciphers loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'client' using SSLv2 protocol
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'client' using SSLv3 protocol
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'client' using TLSv1 protocol
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'client' certificate and key loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): 'client' CA file loaded successfully
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: client (nsopenssl): session cache is turned on for sslcontext 'cnauto'
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): default SSL context for server is users
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: default server SSL context: users
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): default SSL context for client is client
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: default client SSL context: client
[17/Jun/2012:20:20:45][30618.3074823872][-main-] Notice: nsopenssl (cnauto): loading 'users' SSL driver
...
[17/Jun/2012:20:20:56][30618.3052837744][-nsopenssl:driver-] Notice: starting
[17/Jun/2012:20:20:56][30618.3052837744][-nsopenssl:driver-] Notice: nsopenssl: listening on 127.0.0.1:8443
#######
I believe the error is related to the 'client' certificate. Before I got the error:
########
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): loading SSL context 'client'
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): 'client' ciphers loaded successfully
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): 'client' using SSLv2 protocol
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): 'client' using SSLv3 protocol
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): 'client' using TLSv1 protocol
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Error: nsopenssl (cnauto): 'client' certificate file is not readable or does not exist
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Error: nsopenssl (cnauto): SSL context 'client' left uninitialized
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): default SSL context for server is users
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: default server SSL context: users
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): default SSL context for client is client
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: default client SSL context: client
[17/Jun/2012:20:00:42][30405.3074971328][-main-] Notice: nsopenssl (cnauto): loading 'users' SSL driver
#########
Then I changed the 'client' cert's paths within config.tcl to the same of users
Would that be the issue?
Best wishes,
Iuri
Sep Ng
Jun 20, 2012, 1:01:12 AM6/20/12
to aols...@googlegroups.com, aolserve...@lists.sourceforge.net, aolserv...@lists.sourceforge.net
My guess is it has something to do with your keys and certificates, maybe. Maybe you should post relevant sections of your config.tcl.
Iuri Sampaio
Jun 20, 2012, 8:50:04 AM6/20/12
to Sep Ng, aols...@googlegroups.com, aolserv...@lists.sourceforge.net, aolserve...@lists.sourceforge.net
Of course
ns_section "ns/server/${server}/module/nsopenssl"
# this is used by acs-tcl/tcl/security-procs.tcl to get the https port.
ns_param ServerPort $httpsport
# setting maxinput higher than practical may leave the server vulnerable to resource DoS attacks
# see http://www.panoptic.com/wiki/aolserver/166
# must set maxinput for nsopenssl as well as nssock
ns_param maxinput [expr {$max_file_upload_mb * 1024 * 1024}] ;# Maximum File Size for uploads in bytes
# We explicitly tell the server which SSL contexts to use as defaults when an
# SSL context is not specified for a particular client or server SSL
# connection. Driver connections do not use defaults; they must be explicitly
# specificied in the driver section. The Tcl API will use the defaults as there
# is currently no provision to specify which SSL context to use for a
# particular connection via an ns_openssl Tcl command.
ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
ns_param users "SSL context used for regular user access"
# ns_param admins "SSL context used for administrator access"
ns_param client "SSL context used for outgoing script socket connections"
ns_section "ns/server/${server}/module/nsopenssl/defaults"
ns_param server users
ns_param client client
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role server
ns_param ModuleDir ${serverroot}/etc/certs
# ns_param CertFile users-certfile.pem
ns_param CertFile cnauto-cert.pem
# ns_param KeyFile users-keyfile.pem
ns_param KeyFile cnauto-key.pem
# CADir/CAFile can be commented out, if CA chain cert is appended to CA issued server cert.
ns_param CADir ${serverroot}/etc/certs
# ns_param CADir /usr/local/src/nsopenssl-3.0beta26/ca/ca1/
# ns_param CAFile users-ca.crt
ns_param CAFile ca1.pem
# for Protocols "ALL" = "SSLv2, SSLv3, TLSv1"
ns_param Protocols "SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false
# following helps to stablize some openssl connections from buggy clients.
ns_param SessionCache true
ns_param SessionCacheID 1
ns_param SessionCacheSize 512
ns_param SessionCacheTimeout 300
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
ns_param Role client
ns_param ModuleDir ${serverroot}/etc/certs
ns_param CertFile cnauto-cert.pem
ns_param KeyFile cnauto-key.pem
# CADir/CAFile can be commented out, if CA chain cert is appended to CA issued server cert.
ns_param CADir ${serverroot}/etc/certs
ns_param CAFile ca1.pem
# for Protocols "ALL" = "SSLv2, SSLv3, TLSv1"
ns_param Protocols "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false
ns_section "ns/server/${server}/module/nsopenssl"
# this is used by acs-tcl/tcl/security-procs.tcl to get the https port.
ns_param ServerPort $httpsport
# setting maxinput higher than practical may leave the server vulnerable to resource DoS attacks
# see http://www.panoptic.com/wiki/aolserver/166
# must set maxinput for nsopenssl as well as nssock
ns_param maxinput [expr {$max_file_upload_mb * 1024 * 1024}] ;# Maximum File Size for uploads in bytes
# We explicitly tell the server which SSL contexts to use as defaults when an
# SSL context is not specified for a particular client or server SSL
# connection. Driver connections do not use defaults; they must be explicitly
# specificied in the driver section. The Tcl API will use the defaults as there
# is currently no provision to specify which SSL context to use for a
# particular connection via an ns_openssl Tcl command.
ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
ns_param users "SSL context used for regular user access"
# ns_param admins "SSL context used for administrator access"
ns_param client "SSL context used for outgoing script socket connections"
ns_section "ns/server/${server}/module/nsopenssl/defaults"
ns_param server users
ns_param client client
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role server
ns_param ModuleDir ${serverroot}/etc/certs
# ns_param CertFile users-certfile.pem
ns_param CertFile cnauto-cert.pem
# ns_param KeyFile users-keyfile.pem
ns_param KeyFile cnauto-key.pem
# CADir/CAFile can be commented out, if CA chain cert is appended to CA issued server cert.
ns_param CADir ${serverroot}/etc/certs
# ns_param CADir /usr/local/src/nsopenssl-3.0beta26/ca/ca1/
# ns_param CAFile users-ca.crt
ns_param CAFile ca1.pem
# for Protocols "ALL" = "SSLv2, SSLv3, TLSv1"
ns_param Protocols "SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false
# following helps to stablize some openssl connections from buggy clients.
ns_param SessionCache true
ns_param SessionCacheID 1
ns_param SessionCacheSize 512
ns_param SessionCacheTimeout 300
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
ns_param Role client
ns_param ModuleDir ${serverroot}/etc/certs
ns_param CertFile cnauto-cert.pem
ns_param KeyFile cnauto-key.pem
# CADir/CAFile can be commented out, if CA chain cert is appended to CA issued server cert.
ns_param CADir ${serverroot}/etc/certs
ns_param CAFile ca1.pem
# for Protocols "ALL" = "SSLv2, SSLv3, TLSv1"
ns_param Protocols "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
aolserver-talk mailing list
aolserv...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/aolserver-talk
Sep Ng
Jun 20, 2012, 9:15:42 PM6/20/12
to aols...@googlegroups.com, aolserve...@lists.sourceforge.net, aolserv...@lists.sourceforge.net
I see that you have cnauto-cert.pem and cnauto-key.pem. Can you look into the files and make sure that the contents are correctly tagged as certificate and key?
Maybe also try Protocols="All" for the sslcontext.
I'm not sure what's the problem, but hope that might help you.
On Monday, June 18, 2012 8:11:18 PM UTC+8, Iuri Sampaio wrote:
Maybe also try Protocols="All" for the sslcontext.
I'm not sure what's the problem, but hope that might help you.
On Monday, June 18, 2012 8:11:18 PM UTC+8, Iuri Sampaio wrote:
Reply all
Reply to author
Forward
0 new messages