Kevin Kovach wrote:
Well that did it. I had actually tried that before. Saw it in some
Sun forum somewhere or something. However, when I tried it I got some
other error so I took it back out. I suspect I had the nsKeyfile and
nsCertfile set incorrectly when I tried it the first time.
Thanks so much for the help.
- Kevin
On 8/3/05, Adam Stokes <astokes(a)redhat.com> wrote:
>Kevin Kovach wrote:
>
>>dn: cn=encryption,cn=config
>>objectClass: top
>>objectClass: nsEncryptionConfig
>>cn: encryption
>>nsSSLSessionTimeout: 0
>>nsSSLClientAuth: allowed
>>nsSSL2: off
>>nsSSL3: on
>>creatorsName: cn=server,cn=plugins,cn=config
>>modifiersName: cn=root
>>createTimestamp: 20050726153224Z
>>modifyTimestamp: 20050803144437Z
>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>>nsKeyfile: alias/slapd-birdie-key3.db
>>nsCertfile: alias/slapd-birdie-cert8.db
>>numSubordinates: 1
>>
>>In the following entry I wasn't sure if '(software)' was a comment or
>>if it was part of the attr value so I've tried it both ways. Didn't
>>seem to change anything.
>>
>>dn: cn=RSA,cn=encryption,cn=config
>>objectClass: top
>>objectClass: nsEncryptionModule
>>cn: RSA
>>nsSSLToken: internal (software)
>>nsSSLPersonalitySSL: Server-Cert
>>creatorsName: cn=root
>>modifiersName: cn=root
>>createTimestamp: 20050803144438Z
>>modifyTimestamp: 20050803144438Z
>>
>>
>>dn: cn=config
>>cn: config
>>objectClass: top
>>objectClass: extensibleObject
>>objectClass: nsslapdConfig
>>nsslapd-accesslog-logging-enabled: on
>>nsslapd-accesslog-maxlogsperdir: 10
>>nsslapd-accesslog-mode: 600
>>nsslapd-accesslog-maxlogsize: 100
>>nsslapd-accesslog-logrotationtime: 1
>>nsslapd-accesslog-logrotationtimeunit: day
>>nsslapd-accesslog-logrotationsync-enabled: off
>>nsslapd-accesslog-logrotationsynchour: 0
>>nsslapd-accesslog-logrotationsyncmin: 0
>>nsslapd-accesslog: /opt/fedora-ds/slapd-birdie/logs/access
>>nsslapd-enquote-sup-oc: off
>>nsslapd-schemacheck: on
>>nsslapd-rewrite-rfc1274: off
>>nsslapd-return-exact-case: on
>>nsslapd-ssl-check-hostname: off
>>
>>...
>>
>>modifyTimestamp: 20050803144438Z
>>nsslapd-security: on
>>
>>
>>I think those were the three objects modified. If you need more
>>please let me know. Thanks.
>>
>>- Kevin
>>
>>On 8/3/05, Adam Stokes <astokes(a)redhat.com> wrote:
>>
>>>On Wed, 3 Aug 2005 16:54:09 -0400
>>>Kevin Kovach <kovach(a)gmail.com> wrote:
>>>
>>>>I double checked my key and cert files and they are of the correct
>>>>format. Incidentally, those then correspond to the nsCertfile and
>>>>nsKeyfile attributes that are made in the config changes? It's not
>>>>real clear in the wiki. The wiki suggests that the nsKeyfile and
>>>>nsCertfile attrs include 'slapd-directory'.
>>>>
>>>>I ask because I originally made the config changes by just copying and
>>>>pasting the ldif and I went back and changed them afterwards to be
>>>>'slapd-<instance name>'.
>>>>
>>>The above is correct, again modified the wiki to resemble the changes.
>>>
>>>>Regardless of that I'm still not able to get the directory to start
>>>>up. I'm still seeing the same error in the log ...
>>>>
>>>>[03/Aug/2005:16:21:44 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
>>>>[03/Aug/2005:16:21:44 -0400] - SSL failure: None of the cipher are valid
>>>>
>>>>I'm going to continue playing with it and research it online, but any
>>>>further advice or suggestions would be appreciated. Thanks.
>>>>
>>>>- Kevin
>>>>
>>>Could you post your changes as it shows in
>>>/opt/fedora-ds/slapd-<instance>/config/dse.ldif?
>>>
>>>--
>>>....<(^_^)> adam stokes ....
>>
>In the dn: cn=RSA,cn=encryption,cn=config add the following line
>
>nsSSLActivation: on
>
>Sorry for the confusion. Let me know if this works and I'll modify the
>wiki accordingly.
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users(a)redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
Good to hear, will update the wiki to reflect the change.