Thanks Nathan. I've made this change and again got farther than I have
before. FYI, I got that cipher list from the Wiki. That will need to be
updated to contain the complete list.

Although I got farther, the server is still not starting up. Now it's
complaining that none of the ciphers are valid? How do I ensure that
I'm using a valid cypher? Here's the error I'm seeing in the error log
...

[03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
[03/Aug/2005:13:56:23 -0400] - SSL failure: None of the cipher are valid

Thanks again for the help.

- Kevin

And again have a different issue now. Now it's complaining that there are no

On 8/3/05, Nathan Kinder <nkinder at redhat.com> wrote:
> Rich Megginson wrote:
>
> > Kevin Kovach wrote:
> >
> >>Thanks for the help. I've added that object and was able to modify
> >>the configuration without further issues.
> >>
> >>Unfortunately, I've run into another problem now. Now when I try to
> >>start the directory it's complaining about one of the ciphers. I get
> >>the following error when I attempt to start the server ...
> >>
> >>[03/Aug/2005:13:19:35 -0400] - SSL alert: Security Initialization:
> >>Failed to set SSL cipher preference information: unknown cipher fo
> >>(Netscape Portable Runtime error -5950 - File not found.)
> >>[03/Aug/2005:13:19:35 -0400] - ERROR: SSL Initialization Failed.
> >>
> >>It looks like it's complaining about the 'fo cipher' that was added in
> >>the same configuration modifications? The change I'm talking about is
> >>the following ...
> >>
> >>add: nsSSL3Ciphers
> >>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
> >>+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
> >>
> >
> > That's definitely truncated. +fo is not correct. It's probably
> > another Fortezza cipher. There may be other ciphers that are missing.
>
> Rich is correct.
> Here is what the audit log shows when SSL is enabled
> via Console:
>
> nsSSL3Ciphers:
> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>
> -NGK
>
> >>I looked at the dse.ldif file and it looks like it was added correctly
> >>(as it's presented in the SSL HOWTO) Any advice? Thanks.
> >>
> >>- Kevin
> >>
> >>
> >>On 8/3/05, Adam Stokes <astokes at redhat.com> wrote:
> >>
> >>>On Wed, 2005-08-03 at 10:35 -0400, Kevin Kovach wrote:
> >>>
> >>>>Hello,
> >>>>
> >>>>I've worked through the SSL howto on the FDS site and everything went
> >>>>well until I got to the part where I modified the schema.
> >>>>
> >>>>The /tmp/ssl_enable.ldif modifications that are suggested work well up
> >>>>to the point where it tries to modify cn=RSA,cn=encryption,cn=config
> >>>>
> >>>>To be specific, the recommended changes are as follows...
> >>>>
> >>>>dn: cn=encryption,cn=config
> >>>>changetype: modify
> >>>>replace: nsSSL3
> >>>>nsSSL3: on
> >>>>-
> >>>>replace: nsSSLClientAuth
> >>>>nsSSLClientAuth: allowed
> >>>>-
> >>>>add: nsSSL3Ciphers
> >>>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
> >>>>+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
> >>>>-
> >>>>add: nsKeyfile
> >>>>nsKeyfile: alias/slapd-directory-key3.db
> >>>>-
> >>>>add: nsCertfile
> >>>>nsCertfile: alias/slapd-directory-cert8.db
> >>>>
> >>>>dn: cn=RSA,cn=encryption,cn=config
> >>>>changetype: modify
> >>>>add: nsSSLPersonalitySSL
> >>>>nsSSLPersonalitySSL: Server-Cert
> >>>>
> >>>>dn: cn=config
> >>>>changetype: modify
> >>>>add: nsslapd-security
> >>>>nsslapd-security: on
> >>>>-
> >>>>replace: nsslapd-ssl-check-hostname
> >>>>nsslapd-ssl-check-hostname: off
> >>>>
> >>>>It seems as though when I get to the point where I want to add the
> >>>>'nsSSLPersonalitySSL' attribute my directory server complains that the
> >>>>'cn=RSA,cn=encryption,cn=config' object does not exist to be modified.
> >>>>
> >>>>I don't see anywhere in the HOWTO where I would have created this
> >>>>object. Am I missing something? Thanks.
> >>>>
> >>>>- Kevin
> >>>>
> >>>>--
> >>>>Fedora-directory-users mailing list
> >>>>Fedora-directory-users at redhat.com
> >>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>>>
> >>>
> >>>Refresh the wiki page I have updated this problem.
> >>>
> >>>Thanks for pointing that out please create an ldif /tmp/addrsa.ldif and
> >>>have the following :
> >>>
> >>>dn: cn=RSA,cn=encryption,cn=config
> >>>objectclass: top
> >>>objectclass: nsEncryptionModule
> >>>cn: RSA
> >>>nsSSLPersonalitySSL: Server-Cert
> >>>nsSSLToken: internal (software)
> >>>
> >>>Use ldapadd to add the entry into the directory server..
> >>>I'll fix the how-to now as well :)

--
Take back the web, http://www.switch2firefox.com/
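
Added example (not part of the original thread, and not Fedora Directory Server code): a Python check that reads nsSSL3Ciphers from an LDIF fragment, unfolds continuation lines, and reports names the server would not recognise, such as the truncated "fo", together with the reference names they are a prefix of. The reference set is only the audit-log value Nathan quoted above; SAMPLE_LDIF and all function names are constructed for illustration.

```python
# Audit an nsSSL3Ciphers value for truncated or unknown cipher names.
# Reference names: only the audit-log value quoted in this thread (assumption).
REFERENCE = (
    "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,"
    "+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,"
    "+fortezza,+fortezza_rc4_128_sha,+fortezza_null,"
    "+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha"
)

# Constructed dse.ldif fragment: the thread's truncated value, LDIF-folded.
SAMPLE_LDIF = (
    "dn: cn=encryption,cn=config\n"
    "nsSSL3: on\n"
    "nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md\n"
    " 5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza\n"
    " ,+fo\n"
    "nsSSLClientAuth: allowed\n"
)

def split_ciphers(value):
    """Return [(sign, name)] for a '+a,-b' list; sign is '' if missing."""
    items = [t.strip() for t in value.split(",") if t.strip()]
    return [(t[0], t[1:]) if t[0] in "+-" else ("", t) for t in items]

KNOWN = [name for _, name in split_ciphers(REFERENCE)]

def read_attr(ldif_text, attr):
    """Unfold LDIF continuation lines, then return the first value of attr."""
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    for line in unfolded.split("\n"):
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == attr.lower():
            return val.strip()
    return None

def audit(value):
    """Classify each token; unknown names map to reference names they prefix."""
    report = {"enabled": [], "bad_sign": [], "unknown": {}, "not_listed": []}
    seen = set()
    for sign, name in split_ciphers(value):
        seen.add(name)
        if not sign:
            report["bad_sign"].append(name)
        elif name not in KNOWN:
            report["unknown"][name] = [k for k in KNOWN if k.startswith(name)]
        elif sign == "+":
            report["enabled"].append(name)
    report["not_listed"] = [k for k in KNOWN if k not in seen]
    return report
```

Calling audit(read_attr(SAMPLE_LDIF, "nsSSL3Ciphers")) reports "fo" as unknown with the three fortezza names as candidates, and lists the four reference ciphers that the truncated value never mentions.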