Rich Megginson wrote:
> Kevin Kovach wrote:
>> Thanks for the help. I've added that object and was able to modify the configuration without further issues. Unfortunately, I've run into another problem now. Now when I try to start the directory it's complaining about one of the ciphers. I get the following error when I attempt to start the server ...
>>
>> [03/Aug/2005:13:19:35 -0400] - SSL alert: Security Initialization: Failed to set SSL cipher preference information: unknown cipher fo (Netscape Portable Runtime error -5950 - File not found.)
>> [03/Aug/2005:13:19:35 -0400] - ERROR: SSL Initialization Failed.
>>
>> It looks like it's complaining about the 'fo cipher' that was added in the same configuration modifications? The change I'm talking about is the following ...
>>
>> add: nsSSL3Ciphers
>> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
>>  +rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>
> That's definitely truncated. +fo is not correct. It's probably another Fortezza cipher. There may be other ciphers that are missing.
Rich is correct. Here is what the audit log shows when SSL is enabled via Console:
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
-NGK
>> I looked at the dse.ldif file and it looks like it was added correctly (as it's presented in the SSL HOWTO). Any advice?
>>
>> Thanks.
>> - Kevin
>>
>> On 8/3/05, Adam Stokes <astokes@xxxxxxxxxx> wrote:
>>> On Wed, 2005-08-03 at 10:35 -0400, Kevin Kovach wrote:
>>>> Hello,
>>>>
>>>> I've worked through the SSL howto on the FDS site and everything went well until I got to the part where I modified the schema. The /tmp/ssl_enable.ldif modifications that are suggested work well up to the point where it tries to modify cn=RSA,cn=encryption,cn=config. To be specific, the recommended changes are as follows...
>>>>
>>>> dn: cn=encryption,cn=config
>>>> changetype: modify
>>>> replace: nsSSL3
>>>> nsSSL3: on
>>>> -
>>>> replace: nsSSLClientAuth
>>>> nsSSLClientAuth: allowed
>>>> -
>>>> add: nsSSL3Ciphers
>>>> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,
>>>>  +rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>>> -
>>>> add: nsKeyfile
>>>> nsKeyfile: alias/slapd-directory-key3.db
>>>> -
>>>> add: nsCertfile
>>>> nsCertfile: alias/slapd-directory-cert8.db
>>>>
>>>> dn: cn=RSA,cn=encryption,cn=config
>>>> changetype: modify
>>>> add: nsSSLPersonalitySSL
>>>> nsSSLPersonalitySSL: Server-Cert
>>>>
>>>> dn: cn=config
>>>> changetype: modify
>>>> add: nsslapd-security
>>>> nsslapd-security: on
>>>> -
>>>> replace: nsslapd-ssl-check-hostname
>>>> nsslapd-ssl-check-hostname: off
>>>>
>>>> It seems as though when I get to the point where I want to add the 'nsSSLPersonalitySSL' attribute my directory server complains that the 'cn=RSA,cn=encryption,cn=config' object does not exist to be modified. I don't see anywhere in the HOWTO where I would have created this object. Am I missing something?
>>>>
>>>> Thanks.
>>>> - Kevin
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users@xxxxxxxxxx
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>> Refresh the wiki page; I have updated this problem. Thanks for pointing that out. Please create an ldif /tmp/addrsa.ldif and have the following:
>>>
>>> dn: cn=RSA,cn=encryption,cn=config
>>> objectclass: top
>>> objectclass: nsEncryptionModule
>>> cn: RSA
>>> nsSSLPersonalitySSL: Server-Cert
>>> nsSSLToken: internal (software)
>>>
>>> Use ldapadd to add the entry into the directory server. I'll fix the how-to now as well :)
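A pre-flight check for the cipher string, added here as an example and not code from the thread or from Fedora Directory Server: it unfolds an LDIF-wrapped nsSSL3Ciphers value, checks every +/- token against the cipher names in the audit-log value NGK quotes above, and names the Fortezza ciphers a truncated +fo could stand for, so the mistake is caught before the value is written and the server restarted. The known-cipher set is an assumption built only from names on this page; the server's own list is authoritative.

```python
# Added example (not from the thread or the FDS project): validate an
# nsSSL3Ciphers value before it goes into cn=encryption,cn=config, so a
# truncated token such as "+fo" is caught here, not at SSL initialization.
import re
from typing import List, Tuple

# Assumption: accepted names are only those in the audit-log value quoted
# in the thread; the server's own list may be longer.
KNOWN_CIPHERS = {
    "rsa_null_md5", "rsa_rc4_128_md5", "rsa_rc4_40_md5", "rsa_rc2_40_md5",
    "rsa_des_sha", "rsa_fips_des_sha", "rsa_3des_sha", "rsa_fips_3des_sha",
    "fortezza", "fortezza_rc4_128_sha", "fortezza_null",
    "tls_rsa_export1024_with_rc4_56_sha", "tls_rsa_export1024_with_des_cbc_sha",
}

def unfold_ldif_value(text: str) -> str:
    """Join LDIF continuation lines: a line starting with one space continues
    the previous line, which is how the HOWTO's long value is wrapped."""
    return re.sub(r"\r?\n ", "", text)

def check_cipher_pref(value: str) -> Tuple[List[str], List[str]]:
    """Return (problems, accepted). Each token must be +name or -name with a
    known name; anything else is reported with a reason."""
    problems, accepted = [], []
    for raw in unfold_ldif_value(value).split(","):
        tok = raw.strip()
        if tok in ("", "+", "-"):
            problems.append("empty token (stray comma or bare sign)")
        elif tok[0] not in "+-":
            problems.append(f"{tok}: missing +/- prefix")
        elif tok[1:] in KNOWN_CIPHERS:
            accepted.append(tok)
        else:
            # A truncated token is usually a prefix of a real name; say which.
            cands = sorted(c for c in KNOWN_CIPHERS if c.startswith(tok[1:]))
            hint = f" (prefix of {', '.join(cands)})" if cands else ""
            problems.append(f"{tok}: unknown cipher{hint}")
    return problems, accepted

# Constructed input: the HOWTO value as quoted in the thread, with its line fold.
HOWTO_VALUE = ("-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,"
               "+rsa_des_sha,+rsa_fips_des_sha,\n +rsa_3des_sha,"
               "+rsa_fips_3des_sha,+fortezza,+fo")

if __name__ == "__main__":
    problems, accepted = check_cipher_pref(HOWTO_VALUE)
    print(f"{len(accepted)} tokens accepted")
    for p in problems:
        print("PROBLEM:", p)
```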