Hi,
(Off list posting, please include me in replies)
I'm having issues getting a freshly provisioned instance of 389 working
with SSL.
In my instance directory, I created a self signed CA and server cert
with:
certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -2 -f ./pwdfile
certutil -S -n "Server-Cert" -s "cn=ammy.its.adelaide.edu.au" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -f ./pwdfile -8 localhost
certutil -d . -V -n Server-Cert -u V
certutil: certificate is valid
Restarting nsslapd I see:
[19/Sep/2014:10:04:47 +091800] - SSL failure: None of the cipher are valid
[19/Sep/2014:10:04:47 +091800] - ERROR: SSL Initialization phase 2 Failed.
With NO OTHER errors. Higher log levels have not helped.
Here are the relevant parts of dse.ldif for my configuration.
cn=config:
nsslapd-security: on
nsslapd-ssl-check-hostname: off
nsslapd-validate-cert: warn
dn: cn=encryption,cn=config
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: on
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
This was from the steps at
http://directory.fedoraproject.org/wiki/Howto:SSL
None of this configuration seems unreasonable.
I would like to know if there are ways to improve my debug output around
this matter. Is there an NSS environment variable I can use to help with
this for example?
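As an added example that is not part of the mail above and not code from the 389 Directory Server project, the script below parses the attribute/value lines of a dse.ldif fragment and lints the protocol and certificate-validation settings that appear in the post. The sample fragment is constructed from the values quoted in the mail; the hardened variant, the `nsTLS1` attribute and the meaning attached to each setting are taken from my understanding of the 389-ds configuration attributes and should be checked against the version you run.

```python
"""Lint the TLS settings in a dse.ldif fragment (added example, not 389-ds code)."""
from typing import Dict, List, Optional

# Constructed sample: the two entries quoted in the mail, written as LDIF.
SAMPLE_DSE = """\
dn: cn=config
nsslapd-security: on
nsslapd-ssl-check-hostname: off
nsslapd-validate-cert: warn

dn: cn=encryption,cn=config
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: on
"""

# Constructed hardened counterpart (assumed attribute names; verify on your version).
HARDENED_DSE = """\
dn: cn=config
nsslapd-security: on
nsslapd-ssl-check-hostname: on
nsslapd-validate-cert: on

dn: cn=encryption,cn=config
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
nsTLS1: on
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {dn: {attr: [values]}}. Folds LDIF continuation lines (leading
    space) and lower-cases attribute names and DNs, which LDAP treats
    case-insensitively. Base64 (::) values are not handled; none appear here."""
    folded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]
        else:
            folded.append(raw)
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[str] = None
    for line in folded:
        if not line.strip():
            current = None          # blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = value.lower()
            entries[current] = {}
        elif current is not None:
            entries[current].setdefault(attr, []).append(value)
    return entries


def _first(entry: Dict[str, List[str]], attr: str) -> Optional[str]:
    vals = entry.get(attr.lower())
    return vals[0].lower() if vals else None


def lint_tls_settings(entries: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Return human-readable findings for settings that weaken or break TLS."""
    cfg = entries.get("cn=config", {})
    enc = entries.get("cn=encryption,cn=config", {})
    findings: List[str] = []
    if _first(cfg, "nsslapd-security") != "on":
        findings.append("nsslapd-security is not on: the server will not listen for TLS")
    if _first(enc, "nsSSL2") == "on":
        findings.append("nsSSL2: on enables SSLv2, which is broken and rejected by current NSS")
    if _first(enc, "nsSSL3") == "on":
        findings.append("nsSSL3: on enables SSLv3 (POODLE); turn it off and rely on TLS")
    # Absent nsTLS1 is left to the server default; only an explicit 'off' is flagged.
    if _first(enc, "nsTLS1") == "off":
        findings.append("nsTLS1: off leaves no TLS protocol version enabled")
    if _first(cfg, "nsslapd-ssl-check-hostname") == "off":
        findings.append("nsslapd-ssl-check-hostname: off skips hostname checks when the "
                        "server is a TLS client (replication, chaining)")
    if _first(cfg, "nsslapd-validate-cert") == "warn":
        findings.append("nsslapd-validate-cert: warn only logs an invalid Server-Cert "
                        "at startup instead of refusing to start")
    return findings


if __name__ == "__main__":
    for name, text in (("as posted", SAMPLE_DSE), ("hardened", HARDENED_DSE)):
        print(f"== {name} ==")
        for f in lint_tls_settings(parse_ldif(text)) or ["no findings"]:
            print(" -", f)
```

Run it against your own `dse.ldif` by passing the file contents to `parse_ldif`; the lint only reads the two entries quoted in the mail, so other entries in the file are ignored.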