Hello,

I've worked through the SSL howto on the FDS site and everything went well until I got to the part where I modified the schema.

The /tmp/ssl_enable.ldif modifications that are suggested work well up to the point where it tries to modify cn=RSA,cn=encryption,cn=config

To be specific, the recommended changes are as follows...

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
-
add: nsKeyfile
nsKeyfile: alias/slapd-directory-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-directory-cert8.db

dn: cn=RSA,cn=encryption,cn=config
changetype: modify
add: nsSSLPersonalitySSL
nsSSLPersonalitySSL: Server-Cert

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

It seems as though when I get to the point where I want to add the 'nsSSLPersonalitySSL' attribute my directory server complains that the 'cn=RSA,cn=encryption,cn=config' object does not exist to be modified.

I don't see anywhere in the HOWTO where I would have created this object. Am I missing something? Thanks.

- Kevin
On Wed, 2005-08-03 at 10:35 -0400, Kevin Kovach wrote:
> It seems as though when I get to the point where I want to add the
> 'nsSSLPersonalitySSL' attribute my directory server complains that the
> 'cn=RSA,cn=encryption,cn=config' object does not exist to be modified.
>
> I don't see anywhere in the HOWTO where I would have created this
> object. Am I missing something? Thanks.
>
> - Kevin
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

Refresh the wiki page; I have updated this problem.

Thanks for pointing that out. Please create an ldif /tmp/addrsa.ldif and have the following:

dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)

Use ldapadd to add the entry into the directory server. I'll fix the how-to now as well :)
Thanks for the help. I've added that object and was able to modify the configuration without further issues.

Unfortunately, I've run into another problem now. Now when I try to start the directory it's complaining about one of the ciphers. I get the following error when I attempt to start the server ...

[03/Aug/2005:13:19:35 -0400] - SSL alert: Security Initialization: Failed to set SSL cipher preference information: unknown cipher fo (Netscape Portable Runtime error -5950 - File not found.)
[03/Aug/2005:13:19:35 -0400] - ERROR: SSL Initialization Failed.

It looks like it's complaining about the 'fo cipher' that was added in the same configuration modifications? The change I'm talking about is the following ...

add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo

I looked at the dse.ldif file and it looks like it was added correctly (as it's presented in the SSL HOWTO). Any advice? Thanks.

- Kevin

On 8/3/05, Adam Stokes <astokes@redhat.com> wrote:
> Refresh the wiki page I have updated this problem.
>
> Thanks for pointing that out please create an ldif /tmp/addrsa.ldif and
> have the following :
>
> dn: cn=RSA,cn=encryption,cn=config
> objectclass: top
> objectclass: nsEncryptionModule
> cn: RSA
> nsSSLPersonalitySSL: Server-Cert
> nsSSLToken: internal (software)
>
> Use ldapadd to add the entry into the directory server.. I'll fix the
> how-to now as well :)

--
Take back the web, http://www.switch2firefox.com/
On Wed, 2005-08-03 at 13:21 -0400, Kevin Kovach wrote:
> Unfortunately, I've run into another problem now. Now when I try to
> start the directory it's complaining about one of the ciphers. I get
> the following error when I attempt to start the server ...
>
> [03/Aug/2005:13:19:35 -0400] - SSL alert: Security Initialization:
> Failed to set SSL cipher preference information: unknown cipher fo
> (Netscape Portable Runtime error -5950 - File not found.)
> [03/Aug/2005:13:19:35 -0400] - ERROR: SSL Initialization Failed.
>
> It looks like it's complaining about the 'fo cipher' that was added in
> the same configuration modifications? The change I'm talking about is
> the following ...
>
> add: nsSSL3Ciphers
> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
> +rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>
> I looked at the dse.ldif file and it looks like it was added correctly
> (as it's presented in the SSL HOWTO) Any advice? Thanks.

The how-to may be confusing here, as the ciphers need to be on one line, so make sure there isn't a new line:

nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
Kevin Kovach wrote:
> Unfortunately, I've run into another problem now. Now when I try to
> start the directory it's complaining about one of the ciphers. I get
> the following error when I attempt to start the server ...
>
> [03/Aug/2005:13:19:35 -0400] - SSL alert: Security Initialization:
> Failed to set SSL cipher preference information: unknown cipher fo
> (Netscape Portable Runtime error -5950 - File not found.)
> [03/Aug/2005:13:19:35 -0400] - ERROR: SSL Initialization Failed.
>
> It looks like it's complaining about the 'fo cipher' that was added in
> the same configuration modifications? The change I'm talking about is
> the following ...
>
> add: nsSSL3Ciphers
> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
> +rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo

That's definitely truncated. +fo is not correct. It's probably another Fortezza cipher. There may be other ciphers that are missing.
Rich Megginson wrote:
> Kevin Kovach wrote:
>> add: nsSSL3Ciphers
>> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
>> +rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>
> That's definitely truncated. +fo is not correct. It's probably
> another Fortezza cipher. There may be other ciphers that are missing.

Rich is correct. Here is what the audit log shows when SSL is enabled via Console:

nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha

-NGK
Thanks Nathan. I've made this change and again got farther than I have before.

FYI, I got that cipher list from the Wiki. That will need to be updated to contain the complete list.

Although I got farther the server is still not starting up. Now it's complaining that none of the ciphers are valid? How do I ensure that I'm using a valid cipher? Here's the error I'm seeing in the error log ...

[03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
[03/Aug/2005:13:56:23 -0400] - SSL failure: None of the cipher are valid

Thanks again for the help.

- Kevin

And again have a different issue now. Now it's complaining that there are no

On 8/3/05, Nathan Kinder <nkinder@redhat.com> wrote:
> Rich is correct. Here is what the audit log shows when SSL is enabled
> via Console:
>
> nsSSL3Ciphers:
> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>
> -NGK

--
Take back the web, http://www.switch2firefox.com/
On Wed, 2005-08-03 at 13:57 -0400, Kevin Kovach wrote:
> Although I got farther the server is still not starting up. Now it's
> complaining that none of the ciphers are valid? How do I ensure that
> I'm using a valid cipher? Here's the error I'm seeing in the error
> log ...
>
> [03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
> [03/Aug/2005:13:56:23 -0400] - SSL failure: None of the cipher are valid

Ok, ciphers updated properly on wiki now. Kevin, double check /opt/fedora-ds/slapd-<instance>/config/dse.ldif and make sure there are no typos/unnecessary line breaks in the cipher list.
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: on
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20050701182744Z
modifyTimestamp: 20050720192820Z
nsSSL3Ciphers: -rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha
nsKeyfile: alias/slapd-directory-key3.db
nsCertfile: alias/slapd-directory-cert8.db
numSubordinates: 1

Above is my entry for reference.

On Wed, 2005-08-03 at 13:57 -0400, Kevin Kovach wrote:
> [03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
> [03/Aug/2005:13:56:23 -0400] - SSL failure: None of the cipher are valid
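The check Adam asks for (no typos or stray line breaks in the cipher list) can be run before restarting slapd. The script below is an added example, not code from this thread or from Fedora Directory Server: it unfolds an LDIF fragment per RFC 2849 (a continuation line starts with a space; a bare newline, as in the wiki's copy, does not fold), flags a line that is not `attr: value`, and checks each cipher name against the names in the audit-log line Nathan posted. The accepted-cipher set is assumed to be exactly that list, and the two LDIF fragments are constructed from what appears in the thread.

```python
"""Pre-flight lint for the nsSSL3Ciphers value in an FDS LDIF fragment.

Added example, not part of the thread or of Fedora Directory Server. It catches
the two mistakes discussed above before slapd is restarted: a cipher list split
over two physical lines without an LDIF fold, and a cipher name the server does
not know (the truncated "+fo").
"""

# Cipher names taken from the audit-log value Nathan posted for FDS 7.1.
# Assumption: this is the full set the server accepts for this check.
KNOWN_CIPHERS = frozenset("""
rsa_null_md5 rsa_rc4_128_md5 rsa_rc4_40_md5 rsa_rc2_40_md5 rsa_des_sha
rsa_fips_des_sha rsa_3des_sha rsa_fips_3des_sha fortezza fortezza_rc4_128_sha
fortezza_null tls_rsa_export1024_with_rc4_56_sha
tls_rsa_export1024_with_des_cbc_sha
""".split())


def unfold_ldif(text):
    """Return the logical lines of an LDIF fragment.

    Per RFC 2849 a physical line beginning with a space continues the previous
    logical line (the space is dropped). A bare newline, as in the wiki's
    cipher list, does not fold: it starts a new logical line.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def check_cipher_value(value):
    """Return a list of problems with one nsSSL3Ciphers value, [] if clean."""
    problems = []
    for token in value.strip().split(","):
        if token == "":
            problems.append("empty cipher token (stray comma at end of line?)")
            continue
        name = token.lstrip("+-")  # the +/- enable/disable prefix is optional
        if name not in KNOWN_CIPHERS:
            problems.append("unknown cipher %r" % name)
    return problems


def lint_ldif_ciphers(text):
    """Lint an LDIF fragment (entry or changetype: modify) for nsSSL3Ciphers."""
    problems = []
    cipher_value = None
    for line in unfold_ldif(text):
        if not line or line == "-" or line.startswith("#"):
            continue  # blank, modify-op separator, comment
        if ":" not in line:
            # A continuation that lost its leading space lands here, e.g.
            # "+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo"
            problems.append("not an 'attr: value' line (missing LDIF fold?): %r" % line)
            continue
        attr, _, value = line.partition(":")
        if attr.strip().lower() == "nsssl3ciphers":
            cipher_value = value
    if cipher_value is None:
        problems.append("no nsSSL3Ciphers attribute found")
    else:
        problems.extend(check_cipher_value(cipher_value))
    return problems


# Constructed sample: the modify fragment as the wiki showed it, with the cipher
# list broken by a bare newline and truncated to "+fo".
WIKI_FRAGMENT = """\
dn: cn=encryption,cn=config
changetype: modify
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
"""

# Constructed sample: the complete list from the audit log, folded with leading
# spaces so it is one logical line.
FIXED_FRAGMENT = """\
dn: cn=encryption,cn=config
changetype: modify
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha
"""

if __name__ == "__main__":
    for label, fragment in (("wiki", WIKI_FRAGMENT), ("fixed", FIXED_FRAGMENT)):
        print(label, lint_ldif_ciphers(fragment) or "OK")
```

Run it against the cn=encryption entry copied out of dse.ldif, or against the modify LDIF before feeding it to ldapmodify. The wiki fragment produces two findings (an orphaned `+rsa_3des_sha,...` line and an empty trailing token); the folded fragment produces none.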
Adam,

My entry looks the same. I'm pretty certain I have the ciphers correct now.

I am curious about one thing though. In following the wiki, I did as suggested and converted the cert db to pkcs12 with the following command ...

pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert

However, I don't see anywhere where we make FDS aware of servercert.pfx? I'd assume that we need to configure FDS for this pkcs12 db somewhere?

Also, the wiki mentions the trailing - on the -P option but does not go into depth on it. I'm pretty sure I executed this command correctly but am unsure how to double check it?

Thanks again.

- Kevin

On 8/3/05, Adam Stokes <astokes@redhat.com> wrote:
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: on
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=directory manager
> createTimestamp: 20050701182744Z
> modifyTimestamp: 20050720192820Z
> nsSSL3Ciphers:
> -rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha
> nsKeyfile: alias/slapd-directory-key3.db
> nsCertfile: alias/slapd-directory-cert8.db
> numSubordinates: 1
>
> Above is my entry for reference

--
Take back the web, http://www.switch2firefox.com/
On Wed, 3 Aug 2005 15:48:42 -0400 Kevin Kovach <kovach@gmail.com> wrote:

Kevin,

Again another typo; the line should read

pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert

and the -P option is the dbprefix, in which case slapd-serverID- should be replaced with whatever you have set up as your slapd-<instance>-

Hope this helps

> I am curious about one thing though. In following the wiki, I did as
> suggested and converted the cert db to pkcs12 with the following
> command ...
>
> pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert
>
> However, I don't see anywhere where we make FDS aware of
> servercert.pfx? I'd assume that we need to configure FDS for this
> pkcs12 db somewhere?
>
> Also, the wiki mentions the trailing - on the -P option but does not
> go into depth on it. I'm pretty sure I executed this command
> correctly but am unsure how to double check it?
>
> Thanks again.
>
> - Kevin

--
....<(^_^)> adam stokes....
Kevin Kovach wrote:
> Adam,
>
> My entry looks the same. I'm pretty certain I have the ciphers correct now.
>
> I am curious about one thing though. In following the wiki, I did as suggested and converted the cert db to pkcs12 with the following command ...
>
> pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert
>
> However, I don't see anywhere where we make FDS aware of servercert.pfx? I'd assume that we need to configure FDS for this pkcs12 db somewhere?

If you followed the other steps up until this one, then you already have the required certs for slapd to use. You only need to export the cert to the .pfx file if you need to import that key and cert into another program (e.g. use openssl to convert the .pfx file to other formats).

> Also, the wiki mentions the trailing - on the -P option but does not go into depth on it. I'm pretty sure I executed this command correctly but am unsure how to double check it?

Look in your /opt/fedora-ds/alias directory. You should have files called slapd-serverID-cert8.db and slapd-serverID-key3.db, not slapd-serverIDcert8.db and slapd-serverIDkey3.db.

> Thanks again.
>
> - Kevin
A follow up question: why does pk12util need to be run against the certificate db at all? Doesn't RedHat/Fedora DS read certificate and key information directly from the cert8.db and key3.db files?

In the RedHat SSL setup docs at:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
... it says:

> Run pk12util to convert the certificate database to pkcs12 format, so it is accessible by the Directory Server:

As Adam Stokes mentioned, the incantation for this should be:

> Again another typo the line should read
>
> pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert

But what does it buy you to have the "servercert.pk12" file sitting in the alias directory with the cert and key db files? How does this make the certificate database "accessible by the Directory Server"?

In previous versions of Netscape DS, I don't recall the need for a pk12 file in the alias directory. Is this a new requirement for version 7.1?

Thanks,
-- George
Rich M answered my question in his recent post:

> If you followed the other steps up until this one, then you already have the required certs for slapd to use. You only need to export the cert to the .pfx file if you need to import that key and cert into another program (e.g. use openssl to convert the .pfx file to other formats).

So there apparently is not a need for the pk12 file in the alias directory.

Thanks Rich,
-- George
I'll update wiki accordingly, thanks

On Wed, 03 Aug 2005 13:14:00 -0700 "George Holbert" <gholbert@broadcom.com> wrote:
> Rich M answered my question in his recent post:
>
> > If you followed the other steps up until this one, then you already have the required certs for slapd to use. You only need to export the cert to the .pfx file if you need to import that key and cert into another program (e.g. use openssl to convert the .pfx file to other formats).
>
> So there apparently is not a need for the pk12 file in the alias directory.
>
> Thanks Rich,
> -- George

--
....<(^_^)> adam stokes ....
I double checked my key and cert files and they are of the correct format. Incidentally, those then correspond to the nsCertfile and nsKeyfile attributes that are made in the config changes? It's not real clear in the wiki. The wiki suggests that the nsKeyfile and nsCertfile attrs include 'slapd-directory'.

I ask because I originally made the config changes by just copying and pasting the ldif and I went back and changed them afterwards to be 'slapd-<instance name>'.

Regardless of that I'm still not able to get the directory to start up. I'm still seeing the same error in the log ...

[03/Aug/2005:16:21:44 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
[03/Aug/2005:16:21:44 -0400] - SSL failure: None of the cipher are valid

I'm going to continue playing with it and research it online, but any further advice or suggestions would be appreciated. Thanks.

- Kevin

On 8/3/05, Rich Megginson <rmeggins@redhat.com> wrote:
> If you followed the other steps up until this one, then you already have the required certs for slapd to use. You only need to export the cert to the .pfx file if you need to import that key and cert into another program (e.g. use openssl to convert the .pfx file to other formats).
>
> Look in your /opt/fedora-ds/alias directory. You should have files called slapd-serverID-cert8.db and slapd-serverID-key3.db, not slapd-serverIDcert8.db and slapd-serverIDkey3.db.

--
Take back the web, http://www.switch2firefox.com/
On Wed, 3 Aug 2005 16:54:09 -0400 Kevin Kovach <kovach@gmail.com> wrote:
> I double checked my key and cert files and they are of the correct format. Incidentally, those then correspond to the nsCertfile and nsKeyfile attributes that are made in the config changes? It's not real clear in the wiki. The wiki suggests that the nsKeyfile and nsCertfile attrs include 'slapd-directory'.
>
> I ask because I originally made the config changes by just copying and pasting the ldif and I went back and changed them afterwards to be 'slapd-<instance name>'.

The above is correct, again modified the wiki to resemble the changes.

> Regardless of that I'm still not able to get the directory to start up. I'm still seeing the same error in the log ...
>
> [03/Aug/2005:16:21:44 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
> [03/Aug/2005:16:21:44 -0400] - SSL failure: None of the cipher are valid
>
> I'm going to continue playing with it and research it online, but any further advice or suggestions would be appreciated. Thanks.
>
> - Kevin

Could you post your changes as it shows in /opt/fedora-ds/slapd-<instance>/config/dse.ldif?

--
....<(^_^)> adam stokes ....
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: on
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=root
createTimestamp: 20050726153224Z
modifyTimestamp: 20050803144437Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des\
_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
nsKeyfile: alias/slapd-birdie-key3.db
nsCertfile: alias/slapd-birdie-cert8.db
numSubordinates: 1

In the following entry I wasn't sure if '(software)' was a comment or if it was part of the attr value so I've tried it both ways. Didn't seem to change anything.

dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLToken: internal (software)
nsSSLPersonalitySSL: Server-Cert
creatorsName: cn=root
modifiersName: cn=root
createTimestamp: 20050803144438Z
modifyTimestamp: 20050803144438Z

dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-maxlogsperdir: 10
nsslapd-accesslog-mode: 600
nsslapd-accesslog-maxlogsize: 100
nsslapd-accesslog-logrotationtime: 1
nsslapd-accesslog-logrotationtimeunit: day
nsslapd-accesslog-logrotationsync-enabled: off
nsslapd-accesslog-logrotationsynchour: 0
nsslapd-accesslog-logrotationsyncmin: 0
nsslapd-accesslog: /opt/fedora-ds/slapd-birdie/logs/access
nsslapd-enquote-sup-oc: off
nsslapd-schemacheck: on
nsslapd-rewrite-rfc1274: off
nsslapd-return-exact-case: on
nsslapd-ssl-check-hostname: off

...

modifyTimestamp: 20050803144438Z
nsslapd-security: on

I think those were the three objects modified. If you need more please let me know. Thanks.

- Kevin

On 8/3/05, Adam Stokes <astokes@redhat.com> wrote:
> Could you post your changes as it shows in /opt/fedora-ds/slapd-<instance>/config/dse.ldif?
>
> --
> ....<(^_^)> adam stokes ....

--
Take back the web, http://www.switch2firefox.com/
That carriage return in the Cipher list is just from copying and pasting. I've checked.

- Kevin

On 8/3/05, Kevin Kovach <kovach@gmail.com> wrote:
> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des\
> _sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha

--
Take back the web, http://www.switch2firefox.com/
Kevin Kovach wrote:
> dn: cn=RSA,cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionModule
> cn: RSA
> nsSSLToken: internal (software)
> nsSSLPersonalitySSL: Server-Cert
> creatorsName: cn=root
> modifiersName: cn=root
> createTimestamp: 20050803144438Z
> modifyTimestamp: 20050803144438Z

In the dn: cn=RSA,cn=encryption,cn=config add the following line

nsSSLActivation: on

Sorry for the confusion, let me know if this works and I'll modify the wiki accordingly
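The thread ends up with three separate things to get right before slapd will bring up SSL: the cn=RSA entry has to exist and carry nsSSLActivation: on (Adam's fix above), nsKeyfile/nsCertfile have to name the slapd-<instance>- prefixed databases that really sit in alias/ (Rich's trailing-dash check), and every nsSSL3Ciphers token has to be a valid, signed cipher name (the "None of the cipher are valid" error Kevin hit with the wiki's truncated list). The following is an added example written for this thread, not code from the list or from Fedora DS, that replays those checks over a dse.ldif text. It assumes the attribute names as they appear in the thread, the +/- token syntax of nsSSL3Ciphers, and a KNOWN_CIPHERS set constructed from the cn=encryption entry Adam posted; the dse.ldif fragments and the alias/ listings are constructed test data.

```python
"""Consistency check for the SSL entries of a Fedora DS 7.1 dse.ldif
(added example for this thread, not list or FDS project code)."""
import re

# Cipher names from the cn=encryption entry Adam posted: a constructed subset
# of what the server accepts; extend it from the server documentation.
KNOWN_CIPHERS = set("""rsa_null_md5 rsa_rc4_128_md5 rsa_rc4_40_md5 rsa_rc2_40_md5
rsa_des_sha rsa_fips_des_sha rsa_3des_sha rsa_fips_3des_sha fortezza
fortezza_rc4_128_sha fortezza_null tls_rsa_export1024_with_rc4_56_sha
tls_rsa_export1024_with_des_cbc_sha""".split())


def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}, dn and attr lowercased.
    A line starting with one space continues the previous line (LDIF folding),
    which is how the server writes long nsSSL3Ciphers values."""
    entries = {}
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text.strip())):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value.lower()
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries[dn] = attrs
    return entries


def first(attrs, name):
    """First value of an attribute, or '' when it is absent."""
    return attrs.get(name, [""])[0]


def check_ssl_config(dse_text, instance, alias_files):
    """Return a list of problems (empty = consistent). alias_files is the list
    of file names in /opt/fedora-ds/alias, e.g. from os.listdir()."""
    entries = parse_ldif(dse_text)
    problems = []
    enc = entries.get("cn=encryption,cn=config", {})
    # Rich's check: the -P prefix given to certutil/pk12util ends in a dash,
    # so the databases are slapd-<instance>-cert8.db and -key3.db.
    for attr, suffix in (("nskeyfile", "key3.db"), ("nscertfile", "cert8.db")):
        expected, got = f"alias/slapd-{instance}-{suffix}", first(enc, attr)
        if got != expected:
            problems.append(f"{attr} is {got!r}, expected {expected!r}")
        elif got.split("/")[-1] not in alias_files:
            problems.append(f"{attr} names {got!r} but it is not in alias/")
    # Each token carries + or -; an unknown name (the wiki's '+fo') is useless.
    for raw in enc.get("nsssl3ciphers", []):
        for tok in filter(None, (t.strip() for t in raw.split(","))):
            if tok[0] not in "+-":
                problems.append(f"cipher {tok!r} has no +/- prefix")
            elif tok[1:] != "all" and tok[1:] not in KNOWN_CIPHERS:
                problems.append(f"unknown cipher {tok!r}")
    rsa = entries.get("cn=rsa,cn=encryption,cn=config")
    if rsa is None:
        problems.append("missing cn=RSA,cn=encryption,cn=config")
    else:
        if not first(rsa, "nssslpersonalityssl"):
            problems.append("cn=RSA has no nsSSLPersonalitySSL")
        if first(rsa, "nssslactivation").lower() != "on":
            problems.append("cn=RSA lacks nsSSLActivation: on")
    if first(entries.get("cn=config", {}), "nsslapd-security").lower() != "on":
        problems.append("nsslapd-security is not on")
    return problems


# Constructed dse.ldif fragment for instance "birdie" in the state Kevin hit
# mid-thread: wiki cipher list, copy-pasted 'slapd-directory' prefix, no
# nsSSLActivation. The cipher value is folded the way the server writes it.
BROKEN = """\
dn: cn=encryption,cn=config
nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_des_sha,+rsa_3des_sha,
 +fortezza,+fo
nsKeyfile: alias/slapd-directory-key3.db
nsCertfile: alias/slapd-directory-cert8.db

dn: cn=RSA,cn=encryption,cn=config
nsSSLToken: internal (software)
nsSSLPersonalitySSL: Server-Cert

dn: cn=config
nsslapd-security: on
"""

# The same fragment after the three changes the thread converged on.
FIXED = (BROKEN.replace("slapd-directory", "slapd-birdie")
               .replace(",+fo\n", ",+fortezza_null\n")
               .replace("Server-Cert\n", "Server-Cert\nnsSSLActivation: on\n"))

ALIAS_OK = ["secmod.db", "slapd-birdie-cert8.db", "slapd-birdie-key3.db"]
ALIAS_NO_DASH = ["secmod.db", "slapd-birdiecert8.db", "slapd-birdiekey3.db"]

if __name__ == "__main__":
    print(check_ssl_config(BROKEN, "birdie", ALIAS_OK))
    print(check_ssl_config(FIXED, "birdie", ALIAS_OK) or "ok")
    print(check_ssl_config(FIXED, "birdie", ALIAS_NO_DASH))
```

Run against a live instance by reading /opt/fedora-ds/slapd-<instance>/config/dse.ldif into dse_text and passing os.listdir("/opt/fedora-ds/alias") as alias_files; the broken fragment reports the two prefix mismatches, the truncated "+fo" token and the missing nsSSLActivation, the fixed one reports nothing, and the fixed one against a directory whose databases were created without the trailing dash reports both files as absent.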
Well that did it. I had actually tried that before. Saw it in some
Sun forum somewhere or something. However, when I tried it I got some
other error so I took it back out. I suspect I had the nsKeyfile and
nsCertfile set incorrectly when I tried it the first time.

Thanks so much for the help.

- Kevin

On 8/3/05, Adam Stokes <astokes@redhat.com> wrote:
> Kevin Kovach wrote:
>
> >dn: cn=encryption,cn=config
> >objectClass: top
> >objectClass: nsEncryptionConfig
> >cn: encryption
> >nsSSLSessionTimeout: 0
> >nsSSLClientAuth: allowed
> >nsSSL2: off
> >nsSSL3: on
> >creatorsName: cn=server,cn=plugins,cn=config
> >modifiersName: cn=root
> >createTimestamp: 20050726153224Z
> >modifyTimestamp: 20050803144437Z
> >nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des\
> >_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
> >nsKeyfile: alias/slapd-birdie-key3.db
> >nsCertfile: alias/slapd-birdie-cert8.db
> >numSubordinates: 1
> >
> >In the following entry I wasn't sure if '(software)' was a comment or
> >if it was part of the attr value so I've tried it both ways. Didn't
> >seem to change anything.
> >
> >dn: cn=RSA,cn=encryption,cn=config
> >objectClass: top
> >objectClass: nsEncryptionModule
> >cn: RSA
> >nsSSLToken: internal (software)
> >nsSSLPersonalitySSL: Server-Cert
> >creatorsName: cn=root
> >modifiersName: cn=root
> >createTimestamp: 20050803144438Z
> >modifyTimestamp: 20050803144438Z
> >
> >
> >dn: cn=config
> >cn: config
> >objectClass: top
> >objectClass: extensibleObject
> >objectClass: nsslapdConfig
> >nsslapd-accesslog-logging-enabled: on
> >nsslapd-accesslog-maxlogsperdir: 10
> >nsslapd-accesslog-mode: 600
> >nsslapd-accesslog-maxlogsize: 100
> >nsslapd-accesslog-logrotationtime: 1
> >nsslapd-accesslog-logrotationtimeunit: day
> >nsslapd-accesslog-logrotationsync-enabled: off
> >nsslapd-accesslog-logrotationsynchour: 0
> >nsslapd-accesslog-logrotationsyncmin: 0
> >nsslapd-accesslog: /opt/fedora-ds/slapd-birdie/logs/access
> >nsslapd-enquote-sup-oc: off
> >nsslapd-schemacheck: on
> >nsslapd-rewrite-rfc1274: off
> >nsslapd-return-exact-case: on
> >nsslapd-ssl-check-hostname: off
> >
> >...
> >
> >modifyTimestamp: 20050803144438Z
> >nsslapd-security: on
> >
> >
> >I think those were the three objects modified. If you need more
> >please let me know. Thanks.
> >
> >- Kevin
> >
> >On 8/3/05, Adam Stokes <astokes@redhat.com> wrote:
> >
> >>On Wed, 3 Aug 2005 16:54:09 -0400
> >>Kevin Kovach <kovach@gmail.com> wrote:
> >>
> >>>I double checked my key and cert files and they are of the correct
> >>>format. Incidentally, those then correspond to the nsCertfile and
> >>>nsKeyfile attributes that are made in the config changes? It's not
> >>>real clear in the wiki. The wiki suggests that the nsKeyfile and
> >>>nsCertfile attrs include 'slapd-directory'.
> >>>
> >>>I ask because I originally made the config changes by just copying and
> >>>pasting the ldif and I went back and changed them afterwards to be
> >>>'slapd-<instance name>'.
> >>>
> >>The above is correct, again modified the wiki to resemble the changes.
> >>
> >>>Regardless of that I'm still not able to get the directory to start
> >>>up. I'm still seeing the same error in the log ...
> >>>
> >>>[03/Aug/2005:16:21:44 -0400] - Fedora-Directory/7.1 B2005.201.2115
> >>>starting up [03/Aug/2005:16:21:44 -0400] - SSL failure: None of the
> >>>cipher are valid
> >>>
> >>>I'm going to continue playing with it and research it online, but any
> >>>further advice or suggestions would be appreciated. Thanks.
> >>>
> >>>- Kevin
> >>>
> >>Could you post your changes as it shows in /opt/fedora-ds/slapd-
> >><instance>/config/dse.ldif?
> >>
> >>--
> >>....<(^_^)> adam stokes ....
> >>
> >
> In the dn: cn=RSA,cn=encryption,cn=config add the following line
>
> nsSSLActivation: on
>
> Sorry for the confusion, let me know if this works and I'll modify the
> wiki accordingly.
>
--
Take back the web, http://www.switch2firefox.com/
Kevin Kovach wrote:
>Well that did it. I had actually tried that before. Saw it in some
>Sun forum somewhere or something. However, when I tried it I got some
>other error so I took it back out. I suspect I had the nsKeyfile and
>nsCertfile set incorrectly when I tried it the first time.
>
>Thanks so much for the help.
>
>- Kevin
>
>On 8/3/05, Adam Stokes <astokes@redhat.com> wrote:
>
>>Kevin Kovach wrote:
>>
>>>dn: cn=encryption,cn=config
>>>objectClass: top
>>>objectClass: nsEncryptionConfig
>>>cn: encryption
>>>nsSSLSessionTimeout: 0
>>>nsSSLClientAuth: allowed
>>>nsSSL2: off
>>>nsSSL3: on
>>>creatorsName: cn=server,cn=plugins,cn=config
>>>modifiersName: cn=root
>>>createTimestamp: 20050726153224Z
>>>modifyTimestamp: 20050803144437Z
>>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des\
>>>_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>>>nsKeyfile: alias/slapd-birdie-key3.db
>>>nsCertfile: alias/slapd-birdie-cert8.db
>>>numSubordinates: 1
>>>
>>>In the following entry I wasn't sure if '(software)' was a comment or
>>>if it was part of the attr value so I've tried it both ways. Didn't
>>>seem to change anything.
>>>
>>>dn: cn=RSA,cn=encryption,cn=config
>>>objectClass: top
>>>objectClass: nsEncryptionModule
>>>cn: RSA
>>>nsSSLToken: internal (software)
>>>nsSSLPersonalitySSL: Server-Cert
>>>creatorsName: cn=root
>>>modifiersName: cn=root
>>>createTimestamp: 20050803144438Z
>>>modifyTimestamp: 20050803144438Z
>>>
>>>
>>>dn: cn=config
>>>cn: config
>>>objectClass: top
>>>objectClass: extensibleObject
>>>objectClass: nsslapdConfig
>>>nsslapd-accesslog-logging-enabled: on
>>>nsslapd-accesslog-maxlogsperdir: 10
>>>nsslapd-accesslog-mode: 600
>>>nsslapd-accesslog-maxlogsize: 100
>>>nsslapd-accesslog-logrotationtime: 1
>>>nsslapd-accesslog-logrotationtimeunit: day
>>>nsslapd-accesslog-logrotationsync-enabled: off
>>>nsslapd-accesslog-logrotationsynchour: 0
>>>nsslapd-accesslog-logrotationsyncmin: 0
>>>nsslapd-accesslog: /opt/fedora-ds/slapd-birdie/logs/access
>>>nsslapd-enquote-sup-oc: off
>>>nsslapd-schemacheck: on
>>>nsslapd-rewrite-rfc1274: off
>>>nsslapd-return-exact-case: on
>>>nsslapd-ssl-check-hostname: off
>>>
>>>...
>>>
>>>modifyTimestamp: 20050803144438Z
>>>nsslapd-security: on
>>>
>>>
>>>I think those were the three objects modified. If you need more
>>>please let me know. Thanks.
>>>
>>>- Kevin
>>>
>>>On 8/3/05, Adam Stokes <astokes@redhat.com> wrote:
>>>
>>>>On Wed, 3 Aug 2005 16:54:09 -0400
>>>>Kevin Kovach <kovach@gmail.com> wrote:
>>>>
>>>>>I double checked my key and cert files and they are of the correct
>>>>>format. Incidentally, those then correspond to the nsCertfile and
>>>>>nsKeyfile attributes that are made in the config changes? It's not
>>>>>real clear in the wiki. The wiki suggests that the nsKeyfile and
>>>>>nsCertfile attrs include 'slapd-directory'.
>>>>>
>>>>>I ask because I originally made the config changes by just copying and
>>>>>pasting the ldif and I went back and changed them afterwards to be
>>>>>'slapd-<instance name>'.
>>>>>
>>>>The above is correct, again modified the wiki to resemble the changes.
>>>>
>>>>>Regardless of that I'm still not able to get the directory to start
>>>>>up. I'm still seeing the same error in the log ...
>>>>>
>>>>>[03/Aug/2005:16:21:44 -0400] - Fedora-Directory/7.1 B2005.201.2115
>>>>>starting up [03/Aug/2005:16:21:44 -0400] - SSL failure: None of the
>>>>>cipher are valid
>>>>>
>>>>>I'm going to continue playing with it and research it online, but any
>>>>>further advice or suggestions would be appreciated. Thanks.
>>>>>
>>>>>- Kevin
>>>>>
>>>>Could you post your changes as it shows in /opt/fedora-ds/slapd-
>>>><instance>/config/dse.ldif?
>>>>
>>>>--
>>>>....<(^_^)> adam stokes ....
>>>>
>>>
>>In the dn: cn=RSA,cn=encryption,cn=config add the following line
>>
>>nsSSLActivation: on
>>
>>Sorry for the confusion, let me know if this works and I'll modify the
>>wiki accordingly.
>>
>
Good to hear, will update the wiki to reflect the change.