From luisneves at hotmail.com Fri Aug 20 14:36:36 2010
From: luisneves at hotmail.com (Luis Neves)
Date: Fri, 20 Aug 2010 14:36:36 +0000
Subject: [Mod_nss-list] some questions regarding mod_nss and CRLs
Message-ID:

Hi there,

Can someone help me with these questions I have?

How can I update an NSS CRL list? Is just running the same command I've used to create the CRL list, but this time with a more recent CRL file, enough? For example, I've created the CRL database using

    crlutil -B -I -d /etc/httpd/alias/ -i ./LatestCRL.crl

If I now download a more updated version of Latest.crl, is it enough to use the same command to replace the existing list with the updated one?

Next question: after the above operation, is it necessary to restart Apache? (so it sees the most recent changes on the NSS database?)

And a final one: as you can see, I've used the "B" option when importing the CRL; if not, I get some errors about the CA validation. Now, to query the CRL DB list using the command

    crlutil -L -d /etc/httpd/alias/

I get

    CRL names                                                        CRL Type

    crlutil: could not find signing certificate in database: security library: bad database.
    CN=BT/DigitalSign Qualified CA,OU=Class 2 Managed PKI Individual Subscriber CA,OU=Terms of use at https://www.trustwise.com/rpa (c)08,OU=VeriSign Trust Network,OU=LRA - DigitalSign Certificadora Digital (PT507015851),O=British Telecommunications plc,C=GB    CRL

Can I ignore this crlutil error? Is my database bad? Can this DB still be used?

Thanks for reading this

Luis Neves


From rcritten at redhat.com Fri Aug 20 15:53:59 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Aug 2010 11:53:59 -0400
Subject: [Mod_nss-list] some questions regarding mod_nss and CRLs
In-Reply-To:
References:
Message-ID: <4C6EA517.5060402@redhat.com>

Luis Neves wrote:
> Hi there,
>
> Can someone help me with these questions I have?
>
> How can I update an NSS CRL list? Is just running the same command I've
> used to create the CRL list, but this time with a more recent CRL file,
> enough? For example, I've created the CRL database using
>
> crlutil -B -I -d /etc/httpd/alias/ -i ./LatestCRL.crl
>
> If I now download a more updated version of Latest.crl, is it enough to
> use the same command to replace the existing list with the updated one?

I believe it will replace the old CRL.

> Next question: after the above operation, is it necessary to restart
> Apache? (so it sees the most recent changes on the NSS database?)

Yes, a restart is required. You might want to look at mod_revocator. It
is another Apache module that can be configured to automatically
retrieve CRLs and make them available to a running NSS database. The CRL
isn't installed into the database but made available over PKCS#11.

> And a final one: as you can see, I've used the "B" option when importing
> the CRL; if not, I get some errors about the CA validation.
> Now, to query the CRL DB list using the command
>
> crlutil -L -d /etc/httpd/alias/
>
> I get
>
> CRL names                                CRL Type
>
> crlutil: could not find signing certificate in database: security
> library: bad database.
> CN=BT/DigitalSign Qualified CA,OU=Class 2 Managed PKI Individual
> Subscriber CA,OU=Terms of use at https://www.trustwise.com/rpa
> (c)08,OU=VeriSign Trust Network,OU=LRA - DigitalSign Certificadora
> Digital (PT507015851),O=British Telecommunications plc,C=GB CRL
>
> Can I ignore this crlutil error? Is my database bad? Can this DB still be
> used?

Looks like you need to add the CA that is signing the CRL to your NSS
database.
rob


From luisneves at hotmail.com Sun Aug 22 10:24:29 2010
From: luisneves at hotmail.com (Luis Neves)
Date: Sun, 22 Aug 2010 10:24:29 +0000
Subject: [Mod_nss-list] some questions regarding mod_nss and CRLs
In-Reply-To: <4C6EA517.5060402@redhat.com>
References: <4C6EA517.5060402@redhat.com>
Message-ID:

> Looks like you need to add the CA that is signing the CRL to your NSS
> database.

I'm doing it, at least I think I am! Will check it again. Must be something related to an intermediate CA.

> Yes, a restart is required. You might want to look at mod_revocator. It
> is another Apache module that can be configured to automatically
> retrieve CRLs and make them available to a running NSS database. The CRL
> isn't installed into the database but made available over PKCS#11.

Thank you Rob, I will try mod_revocator tomorrow

Luis
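The crlutil message Luis sees ("could not find signing certificate in database") means the CRL's issuer DN matched no certificate in the NSS database, so NSS could not check the CRL signature, which is exactly why Rob's advice is to import the signing (possibly intermediate) CA first. The script below is an added example, not code from the thread or from NSS: it extracts the issuer DN from a DER CRL and the subject DN from DER CA certificates with a minimal standard-library ASN.1 parser and reports which CA still has to be imported with certutil -A before crlutil -I will accept the CRL; the sample CRL and certificates are constructed in the block (placeholder keys and signatures, shortened DNs modelled on the one in Luis's output) and no signature is verified.

```python
def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def seq(*items):
    return der(0x30, b"".join(items))

def tlv(buf, pos=0):
    """Decode one TLV at pos -> (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def children(content):
    """All TLVs directly inside a constructed value, as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = tlv(content, pos)
        out.append((tag, val))
    return out

# X.501 attribute types (2.5.4.x) used by the sample DNs.
OID_CN, OID_C = b"\x55\x04\x03", b"\x55\x04\x06"
OID_O, OID_OU = b"\x55\x04\x0a", b"\x55\x04\x0b"
ATTR = {OID_CN: "CN", OID_C: "C", OID_O: "O", OID_OU: "OU"}

def name_to_str(name):
    """Render a DER Name the way crlutil/certutil print it (CN first)."""
    parts = []
    for _, rdn in children(name):            # RelativeDistinguishedName (SET)
        for _, atv in children(rdn):         # AttributeTypeAndValue (SEQUENCE)
            (_, oid), (_, val) = children(atv)
            parts.append(f"{ATTR.get(oid, oid.hex())}={val.decode('utf-8')}")
    return ",".join(reversed(parts))

def crl_issuer(crl_der):
    """Issuer DN of a DER CertificateList (RFC 5280, section 5.1)."""
    _, cert_list, _ = tlv(crl_der)
    _, tbs, _ = tlv(cert_list)               # tbsCertList is the first element
    fields = children(tbs)
    skip = 1 if fields[0][0] == 0x02 else 0  # optional version INTEGER
    return name_to_str(fields[skip + 1][1])  # signature AlgorithmIdentifier, then issuer

def cert_subject(cert_der):
    """Subject DN of a DER Certificate (RFC 5280, section 4.1)."""
    _, cert, _ = tlv(cert_der)
    _, tbs, _ = tlv(cert)                    # tbsCertificate
    fields = children(tbs)
    skip = 1 if fields[0][0] == 0xA0 else 0  # explicit [0] version
    return name_to_str(fields[skip + 4][1])  # serial, sigalg, issuer, validity, subject

def missing_crl_signer(crl_der, ca_certs_der):
    """None if some CA certificate's subject equals the CRL issuer, otherwise
    the issuer DN that still has to be imported with certutil -A."""
    issuer = crl_issuer(crl_der)
    return None if issuer in {cert_subject(c) for c in ca_certs_der} else issuer

def diagnose(crl_der, ca_certs_der):
    missing = missing_crl_signer(crl_der, ca_certs_der)
    if missing is None:
        return "ok: CRL issuer is present; crlutil -I should accept the CRL"
    return f"import the CA '{missing}' with certutil -A before crlutil -I"

# Constructed sample objects: placeholder keys and signatures, never verified.
def name(*rdns):
    return seq(*[der(0x31, seq(der(0x06, oid), der(0x0C, text.encode())))
                 for oid, text in rdns])

SHA1_RSA = seq(der(0x06, bytes.fromhex("2a864886f70d010105")), der(0x05, b""))
FAKE_SIG = der(0x03, b"\x00" * 9)            # placeholder BIT STRING

def sample_crl(issuer):
    tbs = seq(der(0x02, b"\x01"), SHA1_RSA, issuer,
              der(0x17, b"100820000000Z"), der(0x17, b"100920000000Z"))
    return seq(tbs, SHA1_RSA, FAKE_SIG)

def sample_ca_cert(subject):
    validity = seq(der(0x17, b"080101000000Z"), der(0x17, b"180101000000Z"))
    spki = seq(SHA1_RSA, der(0x03, b"\x00\x00"))  # placeholder public key
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), SHA1_RSA,
              subject, validity, subject, spki)
    return seq(tbs, SHA1_RSA, FAKE_SIG)

# Shortened form of the issuer DN from Luis's crlutil output, plus an unrelated
# root that is assumed to be in the database already.
BT_CA = name((OID_C, "GB"), (OID_O, "British Telecommunications plc"),
             (OID_OU, "VeriSign Trust Network"), (OID_CN, "BT/DigitalSign Qualified CA"))
ROOT_CA = name((OID_C, "GB"), (OID_O, "Example Root"), (OID_CN, "Example Root CA"))
CRL = sample_crl(BT_CA)
```

On a real system, pass the bytes of the downloaded CRL and of each DER CA certificate exported from the database to diagnose(); with only ROOT_CA present the sample reports the BT DN as missing, and with BT_CA added it reports ok.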
From ttormo at indenova.com Mon Aug 30 12:24:00 2010
From: ttormo at indenova.com (Tomás Tormo)
Date: Mon, 30 Aug 2010 14:24:00 +0200
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication
Message-ID: <4C7BA2E0.8000209@indenova.com>

Greetings

I'm trying to configure mod_nss in Apache in order to use it as my client certificate authentication mechanism, but I'm having problems with it.

I'd like to use client authentication in some parts of a website, so I tried to do it as with mod_ssl, using the Location directive with the NSSVerifyClient require directive inside, but it never works. I always get this error:
    Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation
    [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing full renegotiation: complete handshake protocol
    [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting re-negotiation handshake
    [Mon Aug 30 14:17:34 2010] [info] Read error -12176
    [Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not accepted by client!?
    [Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer: https://amsterdam/
    [Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input filter read failed.
    [Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server amsterdam:443, client 192.168.125.53)

After this, I checked the documentation and it says I can work in per-server or per-directory context. So I tried to do it per-server and it works perfectly, but, as I told you, this is not the solution I'm looking for, so I tried to configure it per-directory, but it doesn't work either.

Here I attach my per-directory configuration. It is just a test, but this is more or less how it should look at the end (the container lines, such as the virtual host and the Location/Directory section, were stripped by the list archive's HTML scrubbing; only the directives survive):

    ServerName amsterdam

    LogLevel debug
    ErrorLog /var/log/apache2/testmodnss/error.log
    CustomLog /var/log/apache2/testmodnss/access.log combined
    DocumentRoot /var/www/testmodnss

    # ssl
    NSSEngine on
    RewriteEngine on
    NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
    NSSProtocol All

    ## Certificate database. It contains both public and private key of the ssl server.
    ## It also contains the CA certificate of the allowed client certificates
    NSSCertificateDatabase /etc/apache2/certs/nss/
    NSSNickName Server-Cert

    # ssl client
    AllowOverride all
    NSSVerifyClient require
    NSSOptions +ExportCertData
    NSSOptions +StdEnvVars

    NSSPassPhraseHelper /usr/sbin/nss_pcache

Could you please help me?

Thank you very much

--
Regards,

Tomás Tormo Franco
Systems Department

INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48

ttormo at indenova.com
http://www.indenova.com

Download the eSigna Viewer software free of charge to view electronically signed documents: http://www.indenova.com/eSignaViewer.php


From luisneves at hotmail.com Tue Aug 31 08:11:13 2010
From: luisneves at hotmail.com (Luis Neves)
Date: Tue, 31 Aug 2010 08:11:13 +0000
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication
In-Reply-To: <4C7BA2E0.8000209@indenova.com>
References: <4C7BA2E0.8000209@indenova.com>
Message-ID:

Hi Tomas,

Something is missing from your post, like the first location, etc., but anyway, is it when using the "location" tag that the problem occurs? I don't use it, but I will make a test to see what happens here.

Luis
From ttormo at indenova.com Tue Aug 31 08:17:02 2010
From: ttormo at indenova.com (Tomás Tormo)
Date: Tue, 31 Aug 2010 10:17:02 +0200
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication
In-Reply-To:
References: <4C7BA2E0.8000209@indenova.com>
Message-ID: <4C7CBA7E.3040800@indenova.com>

Wow!! Actually I had the Directory directive instead of Location at that moment (I was just trying that). I made a copy-paste and changed it on-the-fly, but I guess I didn't notice the first ... hehehe sorry

So... do you do something similar in your virtualhost? I mean, do you need users to use a client certificate only in some parts of the website?

Thank you very much

On 31/08/10 10:11, Luis Neves wrote:
> Hi Tomas,
>
> Something is missing from your post, like the first location, etc., but
> anyway, is it when using the "location" tag that the problem occurs? I
> don't use it, but I will make a test to see what happens here.
>
> Luis

--
Regards,

Tomás Tormo Franco
Systems Department

INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48

ttormo at indenova.com
http://www.indenova.com

Download the eSigna Viewer software free of charge to view electronically signed documents: http://www.indenova.com/eSignaViewer.php


From luisneves at hotmail.com Tue Aug 31 08:36:42 2010
From: luisneves at hotmail.com (Luis Neves)
Date: Tue, 31 Aug 2010 08:36:42 +0000
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication
In-Reply-To: <4C7CBA7E.3040800@indenova.com>
References: <4C7BA2E0.8000209@indenova.com>, <4C7CBA7E.3040800@indenova.com>
Message-ID:

But after fixing "location" it worked??

No, for now I really didn't need that. I am trying to make a reverse proxy to protect internal pages and give access to them via some smartcards, but boy, I have had so many problems so far that I was almost quitting on this.....!

Luis

> Date: Tue, 31 Aug 2010 10:17:02 +0200
> From: ttormo at indenova.com
> CC: mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
>
> Wow!! Actually I had the Directory directive instead of Location at that
> moment (I was just trying that). I made a copy-paste and changed it
> on-the-fly, but I guess I didn't notice the first ... hehehe sorry
>
> So... do you do something similar in your virtualhost? I mean, do you
> need users to use a client certificate only in some parts of the website?
>
> Thank you very much
From ttormo at indenova.com Tue Aug 31 08:41:13 2010
From: ttormo at indenova.com (Tomás Tormo)
Date: Tue, 31 Aug 2010 10:41:13 +0200
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication
In-Reply-To:
References: <4C7BA2E0.8000209@indenova.com>, <4C7CBA7E.3040800@indenova.com>
Message-ID: <4C7CC029.5090201@indenova.com>

No... It didn't work with Location either. But maybe if I follow your approach it could work for me as well...

On 31/08/10 10:36, Luis Neves wrote:
> But after fixing "location" it worked??
>
> No, for now I really didn't need that. I am trying to make a reverse
> proxy to protect internal pages and give access to them via some
> smartcards, but boy, I have had so many problems so far that I was
> almost quitting on this.....!
>
> Luis
--
Regards,

Tomás Tormo Franco
Systems Department

INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48

ttormo at indenova.com
http://www.indenova.com

Download the eSigna Viewer software free of charge to view electronically signed documents: http://www.indenova.com/eSignaViewer.php


From luisneves at hotmail.com Tue Aug 31 08:57:27 2010
From: luisneves at hotmail.com (Luis Neves)
Date: Tue, 31 Aug 2010 08:57:27 +0000
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication
In-Reply-To: <4C7CC029.5090201@indenova.com>
References: <4C7BA2E0.8000209@indenova.com>, <4C7CBA7E.3040800@indenova.com>, <4C7CC029.5090201@indenova.com>
Message-ID:

A dumb test: restart Apache with /etc/init.d/httpd restart, close and reopen the client browser and try again, just to be sure.

> Date: Tue, 31 Aug 2010 10:41:13 +0200
> From: ttormo at indenova.com
> CC: mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
>
> No... It didn't work with Location either. But maybe if I follow your
> approach it could work for me as well...
From luisneves at hotmail.com Tue Aug 31 09:16:46 2010
From: luisneves at hotmail.com (Luis Neves)
Date: Tue, 31 Aug 2010 09:16:46 +0000
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication
In-Reply-To: <4C7CC029.5090201@indenova.com>
References: <4C7BA2E0.8000209@indenova.com>, <4C7CBA7E.3040800@indenova.com>, <4C7CC029.5090201@indenova.com>
Message-ID:

try this!

# Only renegotiate if the peer's hello bears the TLS renegotiation_info
# extension. Default off.
NSSRenegotiation off

# Peer must send Signaling Cipher Suite Value (SCSV) or
# Renegotiation Info (RI) extension in ALL handshakes. Default: off
NSSRequireSafeNegotiation off

> Date: Tue, 31 Aug 2010 10:41:13 +0200
> From: ttormo at indenova.com
> CC: mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
>
> No... It didn't work with location either..
>
> But maybe if I follow your approach it could work for me as well...

From luisneves at hotmail.com Tue Aug 31 09:26:12 2010
From: luisneves at hotmail.com (Luis Neves)
Date: Tue, 31 Aug 2010 09:26:12 +0000
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication
In-Reply-To:
References: <4C7BA2E0.8000209@indenova.com>, <4C7CBA7E.3040800@indenova.com>, <4C7CC029.5090201@indenova.com>
Message-ID:

or

NSSProtocol SSLv3,TLSv1

I am unable to test location today as I forgot my card at home......
But I think location has to work; your error seems something related to a "protocol re-negotiation error".....

Luis

> From: luisneves at hotmail.com
> To: ttormo at indenova.com
> Date: Tue, 31 Aug 2010 09:16:46 +0000
> CC: mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
>
> try this!
>
> # Only renegotiate if the peer's hello bears the TLS renegotiation_info
> # extension. Default off.
> NSSRenegotiation off
>
> # Peer must send Signaling Cipher Suite Value (SCSV) or
> # Renegotiation Info (RI) extension in ALL handshakes. Default: off
> NSSRequireSafeNegotiation off
From ttormo at indenova.com Tue Aug 31 09:35:42 2010
From: ttormo at indenova.com (Tomás Tormo)
Date: Tue, 31 Aug 2010 11:35:42 +0200
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication
In-Reply-To:
References: <4C7BA2E0.8000209@indenova.com>, <4C7CBA7E.3040800@indenova.com>, <4C7CC029.5090201@indenova.com>
Message-ID: <4C7CCCEE.6070203@indenova.com>

Thank you very much for your help Luis

I changed the directive to Location again. I realized I did a really bad copy-paste, because the Location directive needs a URL (in this case /files) instead of a directory. So, if I left the configuration just like before, Apache let me go to the web page without asking for the certificate. This was because I didn't request a location "/var/www/testmodnss/files" (what's more, it doesn't exist). So I changed the location to "/files" and I get the error again...

I also tried all you told me but I still get the error... :(

This is how my configuration looks now (I didn't put the *NSSRenegotiation off* and *NSSRequireSafeNegotiation off* directives because Apache is giving me an error at startup saying they are not recognized :S)

ServerName amsterdam

LogLevel debug
ErrorLog /var/log/apache2/testmodnss/error.log
CustomLog /var/log/apache2/testmodnss/access.log combined
DocumentRoot /var/www/testmodnss

# ssl
NSSEngine on
RewriteEngine on
NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

#NSSProtocol All
NSSProtocol SSLv3,TLSv1

## Certificate database. It contains both public and private key of the ssl server.
## It also contains the CA certificate of the allowed client certificates
NSSCertificateDatabase /etc/apache2/certs/nss/

NSSNickName Server-Cert

# ssl client
NSSVerifyClient require
NSSOptions +ExportCertData
NSSOptions +StdEnvVars

NSSPassPhraseHelper /usr/sbin/nss_pcache

On 31/08/10 11:26, Luis Neves wrote:
> or
> NSSProtocol SSLv3,TLSv1
>
> I am unable to test location today as I forgot my card at home......
> But I think location has to work, your error seems something related
> to a "protocol re-negotiation error".....
>
> Luis
>
> ------------------------------------------------------------------------
> From: luisneves at hotmail.com
> To: ttormo at indenova.com
> Date: Tue, 31 Aug 2010 09:16:46 +0000
> CC: mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
>
> try this!
>
> # Only renegotiate if the peer's hello bears the TLS renegotiation_info
> # extension. Default off.
> NSSRenegotiation off
>
> # Peer must send Signaling Cipher Suite Value (SCSV) or
> # Renegotiation Info (RI) extension in ALL handshakes. Default: off
> NSSRequireSafeNegotiation off
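The log Tomás quoted is the fingerprint of this failure mode: NSSVerifyClient require in a per-directory context makes mod_nss renegotiate the TLS session mid-connection to ask for the client certificate, and a client that refuses renegotiation leaves "Read error -12176" followed by "Re-negotiation handshake failed". As an added example (not code from the thread or from mod_nss), here is a small Python parser that walks an Apache 2.2-style error log at LogLevel debug, groups those lines per connection and reports which client and URL each refused renegotiation belonged to; the sample log is the eight lines quoted in the thread plus two constructed lines for a renegotiation that completed, and the name given for error -12176 is my reading of NSS's sslerr.h, so treat it as an assumption.

```python
"""Flag refused TLS renegotiations in a mod_nss (Apache 2.2-style) error log.

Example added for the thread; it is not mod_nss's own code. It correlates the
"Requesting connection re-negotiation" line with the NSS read error, the
request that triggered the renegotiation and the connection-close line that
names the client, so an operator sees affected clients instead of raw lines.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Apache 2.2 error-log record: [timestamp] [level] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[a-z]+)\] (?P<msg>.*)$")
READ_ERR_RE = re.compile(r"Read error (?P<code>-\d+)")
CLIENT_RE = re.compile(r"\[client (?P<client>[^\]]+)\]")
URL_RE = re.compile(r"URL (?P<url>\S+),")
CLOSE_RE = re.compile(
    r"Connection to child (?P<child>\d+) closed "
    r"\(server (?P<server>[^,]+), client (?P<client>[^)]+)\)"
)

# -12176 is SSL_ERROR_BASE (-12288) + 112, which I read as
# SSL_ERROR_RENEGOTIATION_NOT_ALLOWED in NSS's sslerr.h. This mapping is an
# assumption of the example, not something the thread states; check your headers.
NSS_ERROR_NAMES: Dict[int, str] = {-12176: "SSL_ERROR_RENEGOTIATION_NOT_ALLOWED"}


@dataclass
class RenegFailure:
    """One renegotiation the peer did not complete."""
    timestamp: str
    nss_error: Optional[int] = None
    client: Optional[str] = None
    url: Optional[str] = None
    server: Optional[str] = None
    child: Optional[int] = None

    @property
    def nss_error_name(self) -> str:
        if self.nss_error is None:
            return "no NSS error code logged"
        return NSS_ERROR_NAMES.get(self.nss_error, f"NSS error {self.nss_error}")


def find_renegotiation_failures(lines: Iterable[str]) -> List[RenegFailure]:
    """Return one RenegFailure per renegotiation that ended in a handshake failure."""
    failures: List[RenegFailure] = []
    pending: Optional[RenegFailure] = None  # renegotiation currently in flight
    failed = False
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # not an Apache error-log record (noise, continuation line)
        ts, msg = m.group("ts"), m.group("msg")
        if "Requesting connection re-negotiation" in msg:
            pending, failed = RenegFailure(timestamp=ts), False
            continue
        if pending is None:
            continue
        if (err := READ_ERR_RE.search(msg)) is not None:
            pending.nss_error = int(err.group("code"))
        elif "Re-negotiation handshake failed" in msg:
            failed = True
        elif (c := CLIENT_RE.search(msg)) is not None:
            pending.client = c.group("client")  # request that triggered it
            if (u := URL_RE.search(msg)) is not None:
                pending.url = u.group("url")
        elif (x := CLOSE_RE.search(msg)) is not None:
            pending.server = x.group("server")
            pending.client = pending.client or x.group("client")
            pending.child = int(x.group("child"))
            if failed:
                failures.append(pending)
            pending, failed = None, False  # connection is over either way
    if pending is not None and failed:
        failures.append(pending)  # log cut off before the close line
    return failures


def failures_per_client(failures: Iterable[RenegFailure]) -> Dict[str, int]:
    """Count refused renegotiations per client address."""
    counts: Dict[str, int] = {}
    for f in failures:
        counts[f.client or "unknown"] = counts.get(f.client or "unknown", 0) + 1
    return counts


# Sample input: the eight lines quoted in the thread, then two constructed
# lines for a renegotiation that completed normally (no failure expected).
SAMPLE_LOG = """\
[Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation
[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing full renegotiation: complete handshake protocol
[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting re-negotiation handshake
[Mon Aug 30 14:17:34 2010] [info] Read error -12176
[Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not accepted by client!?
[Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer: https://amsterdam/
[Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input filter read failed.
[Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server amsterdam:443, client 192.168.125.53)
[Mon Aug 30 14:20:01 2010] [info] Requesting connection re-negotiation
[Mon Aug 30 14:20:01 2010] [info] Connection to child 70 closed (server amsterdam:443, client 192.168.125.77)
"""

if __name__ == "__main__":
    found = find_renegotiation_failures(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.timestamp}: client {f.client} on {f.server} requested {f.url}; "
              f"renegotiation refused ({f.nss_error_name}), child {f.child}")
    print(failures_per_client(found))
```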