Forum OpenACS Development: Re: Proposed corrections to OpenACS default nsopenssl configuration

Hi Richard,

The context "admin" is basically there as a documented example, if one wants to have multiple contexts. It is commented out by default.

The client context is set up for outbound SSL connections. It's only activated if the nsopenssl module is activated.

What messages do you see in the logfile that indicate there is a problem?

I'm all for documentation improvements. What is unclear? I can see how there should be a note in config.tcl nsopenssl/defaults section stating that a separate set of files must be used for each context. What else?

Torben,

The reason I posted this was because of a conversation (can't find it in the forum - may have been on the openacs chat) with DaveB in which this came up. Dave's comments suggested that there was a problem with the default config.tcl file that led to ns_log errors being recorded.

I have always based my config on the README within the nsopenssl source directory and have had no error log entries. After you very kindly helped me to sort out the issue over the hard-coded 'users' context, it has been my intention to propose some alterations to config.tcl.

I have never needed a 'client' context and have not seen any code that uses it; however, I can see that this may be useful in the case of, for example, payment processing gateways.

The only things that look 'not quite right' to me in the default config.tcl are:

1) Comments saying that this file will cause errors in the logfile but don't worry folks it works anyway!

2) The fact that the CADir and CAFile declarations are commented out. As I understand it, these are required to verify the chain of trust for the SSL key and cert files for the context and should be set. I suspect that this is the source of the logfile error. I have mine set and I see no errors in the ns_log output.

My intention really was just to eliminate any log errors, simplify and clarify by adding information to the comments.

This reply to Bart T from Scott G has useful reference material in it:

http://www.mail-archive.com/aolserver@listserv.aol.com/msg06022.html

I would be interested in working with someone to remove the hard-coded context from the OpenACS security procs so that OpenACS can work with the full flexibility of nsopenssl.

Please be assured that no criticism of anyone or anything was intended or implied by my posting.

Regards
Richard