Rich Megginson wrote:

> Kevin Kovach wrote:
>
>>Thanks for the help.  I've added that object and was able to modify
>>the configuration without further issues.
>>
>>Unfortunately, I've run into another problem now.  Now when I try to
>>start the directory it's complaining about one of the ciphers.  I get
>>the following error when I attempt to start the server ...
>>
>>[03/Aug/2005:13:19:35 -0400] - SSL alert: Security Initialization:
>>Failed to set SSL cipher preference information: unknown cipher fo
>>(Netscape Portable Runtime error -5950 - File not found.)
>>[03/Aug/2005:13:19:35 -0400] - ERROR: SSL Initialization Failed.
>>
>>It looks like it's complaining about the 'fo cipher' that was added in
>>the same configuration modifications?  The change I'm talking about is
>>the following ...
>>
>>add: nsSSL3Ciphers
>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
>>+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>
>>
> That's definitely truncated.  +fo is not correct.  It's probably
> another Fortezza cipher.  There may be other ciphers that are missing.

Rich is correct.  Here is what the audit log shows when SSL is enabled
via Console:

nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha

-NGK

>>I looked at the dse.ldif file and it looks like it was added correctly
>>(as it's presented in the SSL HOWTO).  Any advice?  Thanks.
>>
>>- Kevin
>>
>>
>>On 8/3/05, Adam Stokes <astokes at redhat.com> wrote:
>>
>>
>>>On Wed, 2005-08-03 at 10:35 -0400, Kevin Kovach wrote:
>>>
>>>
>>>>Hello,
>>>>
>>>>I've worked through the SSL howto on the FDS site and everything went
>>>>well until I got to the part where I modified the schema.
>>>>
>>>>The /tmp/ssl_enable.ldif modifications that are suggested work well up
>>>>to the point where it tries to modify cn=RSA,cn=encryption,cn=config
>>>>
>>>>To be specific, the recommended changes are as follows...
>>>>
>>>>dn: cn=encryption,cn=config
>>>>changetype: modify
>>>>replace: nsSSL3
>>>>nsSSL3: on
>>>>-
>>>>replace: nsSSLClientAuth
>>>>nsSSLClientAuth: allowed
>>>>-
>>>>add: nsSSL3Ciphers
>>>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
>>>>+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>>>-
>>>>add: nsKeyfile
>>>>nsKeyfile: alias/slapd-directory-key3.db
>>>>-
>>>>add: nsCertfile
>>>>nsCertfile: alias/slapd-directory-cert8.db
>>>>
>>>>dn: cn=RSA,cn=encryption,cn=config
>>>>changetype: modify
>>>>add: nsSSLPersonalitySSL
>>>>nsSSLPersonalitySSL: Server-Cert
>>>>
>>>>dn: cn=config
>>>>changetype: modify
>>>>add: nsslapd-security
>>>>nsslapd-security: on
>>>>-
>>>>replace: nsslapd-ssl-check-hostname
>>>>nsslapd-ssl-check-hostname: off
>>>>
>>>>It seems as though when I get to the point where I want to add the
>>>>'nsSSLPersonalitySSL' attribute my directory server complains that the
>>>>'cn=RSA,cn=encryption,cn=config' object does not exist to be modified.
>>>>
>>>>I don't see anywhere in the HOWTO where I would have created this
>>>>object.  Am I missing something?  Thanks.
>>>>
>>>>- Kevin
>>>>
>>>>--
>>>>Fedora-directory-users mailing list
>>>>Fedora-directory-users at redhat.com
>>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>>>>
>>>Refresh the wiki page; I have updated this problem.
>>>
>>>Thanks for pointing that out; please create an ldif /tmp/addrsa.ldif and
>>>have the following:
>>>
>>>dn: cn=RSA,cn=encryption,cn=config
>>>objectclass: top
>>>objectclass: nsEncryptionModule
>>>cn: RSA
>>>nsSSLPersonalitySSL: Server-Cert
>>>nsSSLToken: internal (software)
>>>
>>>Use ldapadd to add the entry into the directory server.  I'll fix the
>>>how-to now as well :)
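
Added example, not part of the thread or of the FDS HOWTO: a Python pre-flight check that reads an LDIF change, unfolds continuation lines, and flags any nsSSL3Ciphers token that is not a known name, listing the names a truncated token such as +fo could be a prefix of. Assumptions: the allow-list is only the set of names in the audit-log line quoted above (not an authoritative cipher list), the function names are hypothetical, and the sample LDIF is constructed from the truncated value in the thread.

```python
# Names copied from the audit-log line quoted in the thread. Assumption:
# this set is used as the allow-list; it is not an authoritative NSS list.
KNOWN_CIPHERS = frozenset("""
rsa_null_md5 rsa_rc4_128_md5 rsa_rc4_40_md5 rsa_rc2_40_md5 rsa_des_sha
rsa_fips_des_sha rsa_3des_sha rsa_fips_3des_sha fortezza
fortezza_rc4_128_sha fortezza_null tls_rsa_export1024_with_rc4_56_sha
tls_rsa_export1024_with_des_cbc_sha
""".split())

# Constructed sample: the truncated value from the thread, folded the way
# LDIF folds long lines (continuation lines begin with a single space).
SAMPLE = """\
dn: cn=encryption,cn=config
changetype: modify
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_fips_des_sha,
 +rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
"""


def unfold(ldif_text):
    """Join LDIF continuation lines onto the line they continue."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def check_ciphers(ldif_text):
    """Return (token, problem, candidates) for each bad nsSSL3Ciphers token."""
    problems = []
    for line in unfold(ldif_text):
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "nsssl3ciphers":
            continue
        for token in filter(None, (t.strip() for t in value.split(","))):
            sign, name = token[0], token[1:]
            if sign not in "+-":
                problems.append((token, "missing +/- prefix", []))
            elif name not in KNOWN_CIPHERS:
                # A truncated name is a prefix of one or more known names.
                guesses = sorted(c for c in KNOWN_CIPHERS if name and c.startswith(name))
                problems.append((token, "unknown cipher", guesses))
    return problems


if __name__ == "__main__":
    for token, problem, guesses in check_ciphers(SAMPLE):
        print(f"{token}: {problem}; candidates: {', '.join(guesses) or 'none'}")
```

An empty result means every token in the value matched a name from the audit-log line.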