[Serusers] TLS configuration problem (was TLS comments)
Klaus Darilion
klaus.mailinglists at pernau.at
Fri Feb 3 15:55:58 CET 2006
Jan Janak wrote:
> Hi Klaus,
>
> Klaus Darilion wrote:
>
>>Hi all!
>>
>>I wonder if this TLS module is even working. First, I had to patch ser
>>to allow settings for the default client TLS domain, but still I can't
>>connect. Not even ser<-->ser works.
>
>
> Yes, it works. Configuration of the client part was not done yet (see my
> email on serdev, it was mentioned there), I fixed that already and will
> commit it shortly. But this is not a problem as long as you only use
> the default client domain, because in that case you can just put the
> certificate in the default path and it will work.
>
>
>>I always get the following error on the client side:
>>
>>ser[2559]: ERROR: tls_server.c:281: SSL error:error:140D308A:SSL
>>routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable
>>
>>I've tried setting the cipher manually but I still get the same error.
>>Is this TLS module really working for you?
>
>
> I have tested this several times and it is working for me. Could you
> send me your tls configuration, so that I can retry it?

modparam("tls", "tls_log", 3)
modparam("tls", "send_timeout", 15)
modparam("tls", "handshake_timeout", 15)
modparam("tls", "connection_timeout", 120)
# default incoming (server) domain
modparam("tls", "method", "TLSv1")
modparam("tls", "verify_certificate", "0")
modparam("tls", "require_certificate", "0")
modparam("tls", "certificate", "/etc/proxyCert1/cert.pem")
modparam("tls", "private_key", "/etc/proxyCert1/privkey.pem")
modparam("tls", "ca_list", "/etc/demoCA/cacert.pem")
# default outgoing (client) domain
#
# add patch to support "@" for client configuration
#
modparam("tls", "method", "@TLSv1")
modparam("tls", "verify_certificate", "@0")
modparam("tls", "require_certificate", "@0")
modparam("tls", "certificate", "@/etc/proxyCert1/cert.pem")
modparam("tls", "private_key", "@/etc/proxyCert1/privkey.pem")
modparam("tls", "ca_list", "@/etc/demoCA/cacert.pem")

Note that I'm using my patch to configure the default client domain.

Regarding "TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable":
Which openssl version do you use?

regards
klaus
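
Added example (not part of the original message and not SER code): a small Python check that splits the tls modparam lines posted above into the default server and client domains, using the "@" prefix from Klaus's patch, and lists the certificate checks that are set to "0". It assumes that "0" switches the named check off, as the parameter names suggest; the function names are hypothetical.

```python
import re

# modparam("tls", "<name>", "<value>") or modparam("tls", "<name>", <integer>)
MODPARAM = re.compile(r'^\s*modparam\(\s*"tls"\s*,\s*"(\w+)"\s*,\s*"?([^")]*)"?\s*\)')

# Parameter names that the posted configuration sets once per domain.
PER_DOMAIN = {"method", "verify_certificate", "require_certificate",
              "certificate", "private_key", "ca_list"}

# The tls settings from the message above, comments shortened.
SAMPLE = '''
modparam("tls", "tls_log", 3)
modparam("tls", "handshake_timeout", 15)
# default incoming (server) domain
modparam("tls", "method", "TLSv1")
modparam("tls", "verify_certificate", "0")
modparam("tls", "require_certificate", "0")
modparam("tls", "certificate", "/etc/proxyCert1/cert.pem")
modparam("tls", "ca_list", "/etc/demoCA/cacert.pem")
# default outgoing (client) domain, "@" prefix as in the patch
modparam("tls", "method", "@TLSv1")
modparam("tls", "verify_certificate", "@0")
modparam("tls", "require_certificate", "@0")
modparam("tls", "certificate", "@/etc/proxyCert1/cert.pem")
modparam("tls", "ca_list", "@/etc/demoCA/cacert.pem")
'''

def parse_tls_modparams(text):
    """Return {'global': {...}, 'server': {...}, 'client': {...}}."""
    cfg = {"global": {}, "server": {}, "client": {}}
    for line in text.splitlines():
        m = MODPARAM.match(line)
        if not m:
            continue  # comment, blank line, or a non-tls statement
        name, value = m.groups()
        if name not in PER_DOMAIN:
            cfg["global"][name] = value          # e.g. tls_log, timeouts
        elif value.startswith("@"):
            cfg["client"][name] = value[1:]      # "@" marks the client domain
        else:
            cfg["server"][name] = value
    return cfg

def disabled_checks(cfg):
    """List (domain, parameter) pairs where a certificate check is set to "0"."""
    return [(domain, name)
            for domain in ("server", "client")
            for name in ("verify_certificate", "require_certificate")
            if cfg[domain].get(name) == "0"]

if __name__ == "__main__":
    for domain, name in disabled_checks(parse_tls_modparams(SAMPLE)):
        print(f"{domain} domain: {name} is 0")
```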