Menu
▾
▴
Re: [Sblim-devel] sfcb 1.4.5 - https connection
|
From: David H. <hel...@us...> - 2013-10-22 16:06:14
|
Hi George, This is actually a bug in wbemcli. Please see: https://sourceforge.net/p/sblim/bugs/2629/ and let me know if you have questions following that. Thanks, Dave David E. Heller IBM Linux Technology Center hel...@us... George varghese <geo...@gm...> wrote on 10/22/2013 06:36:57 AM: > George varghese <geo...@gm...> > 10/22/2013 06:36 AM > > To > > sbl...@li..., > > cc > > Subject > > [Sblim-devel] sfcb 1.4.5 - https connection > > Hi, > > I had configure sfcb using --enable-ssl option. > Then I created cert file using as genSslCert.sh script file. the > opied the files in /etc/ssl folder. > > ## These options only apply if configured with --enable-ssl > > ## Enable HTTPS. > ## Default is false. If HTTPS is configured, default is true. > enableHttps: true > > ## The HTTP port that SFCB should listen on for secure connections. > ## Default is 5989 > httpsPort: 5989 > > ## Filename containing the private key for the server's certificate.The file > ## must be in PEM format and may not be passphrase-protected. The file is > ## relevant for both client connect and indications sent via https. > ## For client connect: the file must be present if enableHttps is true. > ## For indications: the file is required only if the indication receiver > ## will attempt to verify the sender (sfcb) certificate. > ## Default is /etc/sfcb/file.pem > sslKeyFilePath: /etc/ssl/certs/file.pem > > ## Filename containing the server's certificate. Must be in PEM format. > ## The file is relevant for both client connect and indications sentvia https. > ## For client connect: the file must be present if enableHttps is true. > ## For indications: the file is required only if the indication receiver > ## will attempt to verify the sender (sfcb) certificate. > ## Default is /etc/sfcb/server.pem > sslCertificateFilePath: /etc/ssl/certs/server.pem > > ## Filename containing list of certificates server accepts. > ## The file is relevant client connect only. > ## Default is /etc/sfcb/clist.pem > sslCertList: /etc/ssl/clist.pem > > ## How SFCB handles client certificate based authentication. > ## ignore - do not request a certificate from the client > ## accept - request a certificate from the client; do not fail if > not presented > ## require - refuse the client connection if the client doesn't present a > ## certificate > ## Default is ignore > sslClientCertificate: ignore > > ## How SFCB handles verification of the endpoint certificate when sending > ## an indication via https. > ## ignore - do not attempt to validate the endpoint certificate > ## verify - validate the certificate against known CA certs in the > trust store; > ## do not send the indication if verification fails. > ## verifyhostname - additionally validate the certificate CN (common name) > ## against the indication handler Destination address; > ## do not send the indication if verification fails. > ## Default is ignore (always send the indication) > sslIndicationReceiverCert: ignore > > ## Location of the trust store. Contains one or more CA certificates. > ## The file is relevant for both client connect and indications sentvia https. > ## For client connect: if sslClientCertificate is set to "require", > ## certificate presented must present valid according to the trust store. > ## For indications: if sslIndicationReceiverCert is set to "verify" or > ## "verifyhostname", the endpoint's certificate is checked against this file. > ## Default: /etc/sfcb/client.pem > sslClientTrustStore: /etc/ssl/client.pem > > ## Name of the local library to call for client-certificate based user > ## authentication. > ## Applicable only if sslClientCertificate is not set to "accept" or"require". > ## Default is sfcCertificateAuthentication > certificateAuthLib: sfcCertificateAuthentication > > ## List of SSL ciphers to enable. > ## Default is "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" which disables > ## weak ciphers. > sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH > > I got error when I request the following command.. > > $wbemcli ecn https://localhost/root/cimv2 > > * > * wbemcli: Http Exception: Problem with the SSL CA cert (path? access rights?) > * > > displaying following logs in sfcbd , > > --- SSL_ERROR_SYSCALL during handshake: EOF occurred: client may have aborted > > *** httpAdapter.c:1638 SSL_ERROR_SYSCALL error during SSL handshake -- exiting > > How to resolve this issue? > > Regards, > George > > ------------------------------------------------------------------------------ > October Webinars: Code for Performance > Free Intel webinars can help you accelerate application performance. > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from > the latest Intel processors and coprocessors. See abstracts and register > > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk > _______________________________________________ > Sblim-devel mailing list > Sbl...@li... > https://lists.sourceforge.net/lists/listinfo/sblim-devel |
