Jan Janak wrote:
Hi Klaus,
Klaus Darilion wrote:
Hi all!
I wonder if this TLS module is even working. First, I had to patch ser
to allow settings for the default client TLS domain, but still I can't
connect. Not even ser<-->ser works.
Yes, it works. Configuration of the client part was not done yet (see my
email on serdev, it was mentioned there), I fixed that already and will
commit it shortly. But this is not a problem as long as you only use
the default client domain, because in that case you can just put the
certificate in the default path and it will work.
I always get the following error on the client
side:
ser[2559]: ERROR: tls_server.c:281: SSL error:error:140D308A:SSL
routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable
I've tried setting the cipher manually but I still get the same error.
Is this TLS module really working for you?
I have tested this several times and it is working for me. Could you
send me your tls configuration, so that I can retry it?
modparam("tls", "tls_log", 3)
modparam("tls", "send_timeout", 15)
modparam("tls", "handshake_timeout", 15)
modparam("tls", "connection_timeout", 120)
# default incoming (server) domain
modparam("tls", "method", "TLSv1")
modparam("tls", "verify_certificate", "0")
modparam("tls", "require_certificate", "0")
modparam("tls", "certificate", "/etc/proxyCert1/cert.pem")
modparam("tls", "private_key", "/etc/proxyCert1/privkey.pem")
modparam("tls", "ca_list", "/etc/demoCA/cacert.pem")
# default outgoing (client) domain
#
# add patch to support "@" for client configuration
#
modparam("tls", "method", "@TLSv1")
modparam("tls", "verify_certificate", "@0")
modparam("tls", "require_certificate", "@0")
modparam("tls", "certificate", "@/etc/proxyCert1/cert.pem")
modparam("tls", "private_key", "@/etc/proxyCert1/privkey.pem")
modparam("tls", "ca_list", "@/etc/demoCA/cacert.pem")
Note that I'm using my patch to configure the default client domain.
Regarding "TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable":
Which openssl version do you use?
regards
klaus