From cglidden at gmail.com Thu Nov 4 21:29:03 2010
From: cglidden at gmail.com (Christopher Glidden)
Date: Thu, 4 Nov 2010 17:29:03 -0400
Subject: [Mod_nss-list] assistance configuring mod_nss with hardware token
Message-ID:

Hi All,

I am having some trouble getting mod_nss in fips mode to work with my hardware pkcs#11 token.

I actually think I am having more of a nss.conf issue than anything between nss and my token. Private key and certificate fulfillment/import from my CA seem to be just fine.

What is the best way to go about getting a little help? What information (config, logs, ssltap output, etc.) should I provide?

Also, I am currently using the NSS components that shipped with Red Hat 5 (although I must admit I am using CentOS right now - I hope that doesn't affect the likelihood of receiving a response).

[cglidden at el55-apache-nssmod ~]$ sudo yum info nss nss-tools mod_nss nspr httpd | grep -C2 Version
Name       : httpd
Arch       : i386
Version    : 2.2.3
Release    : 43.el5.centos
Size       : 3.1 M
--
Name       : mod_nss
Arch       : i386
Version    : 1.0.3
Release    : 8.el5
Size       : 197 k
--
Name       : nspr
Arch       : i386
Version    : 4.7.6
Release    : 1.el5_4
Size       : 245 k
--
Name       : nss
Arch       : i386
Version    : 3.12.3.99.3
Release    : 1.el5.centos.2
Size       : 2.6 M
--
Name       : nss-tools
Arch       : i386
Version    : 3.12.3.99.3
Release    : 1.el5.centos.2
Size       : 2.9 M

Are there any known issues with these versions that I should avoid right away? I am using these versions because my customer has indicated a preference. If I have a good argument for it, we'll upgrade to better versions.

Thanks,

Chris

--
~~~~~~~~~~~~~~~~~~
Christopher Glidden
cglidden at gmail.com
~~~~~~~~~~~~~~~~~~

From rcritten at redhat.com Thu Nov 4 21:55:35 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 04 Nov 2010 17:55:35 -0400
Subject: [Mod_nss-list] assistance configuring mod_nss with hardware token
In-Reply-To:
References:
Message-ID: <4CD32BD7.4070205@redhat.com>

Christopher Glidden wrote:
> Hi All,
>
> I am having some trouble getting mod_nss in fips mode to work with my
> hardware pkcs#11 token.
>
> I actually think I am having more of a nss.conf issue than anything
> between nss and my token. Private key and certificate
> fulfillment/import from my CA seem to be just fine.
>
> What is the best way to go about getting a little help? What
> information (config, logs, ssltap output, etc.) should I provide?
>
> Also, I am currently using the NSS components that shipped with Red Hat
> 5 (although I must admit I am using CentOS right now - I hope that doesn't
> affect the likelihood of receiving a response).
>
> [cglidden at el55-apache-nssmod ~]$ sudo yum info nss nss-tools mod_nss
> nspr httpd | grep -C2 Version
> Name       : httpd
> Arch       : i386
> Version    : 2.2.3
> Release    : 43.el5.centos
> Size       : 3.1 M
> --
> Name       : mod_nss
> Arch       : i386
> Version    : 1.0.3
> Release    : 8.el5
> Size       : 197 k
> --
> Name       : nspr
> Arch       : i386
> Version    : 4.7.6
> Release    : 1.el5_4
> Size       : 245 k
> --
> Name       : nss
> Arch       : i386
> Version    : 3.12.3.99.3
> Release    : 1.el5.centos.2
> Size       : 2.6 M
> --
> Name       : nss-tools
> Arch       : i386
> Version    : 3.12.3.99.3
> Release    : 1.el5.centos.2
> Size       : 2.9 M
>
> Are there any known issues with these versions that I should avoid right
> away? I am using these versions because my customer has indicated a
> preference. If I have a good argument for it, we'll upgrade to better
> versions.

For debugging you'll want to set LogLevel debug in both /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/nss.conf and restart Apache.

You are probably going to have problems with a hardware PKCS#11 device and this version of mod_nss. This version initializes NSS within the main Apache process and the children inherit the open NSS database. This is not allowed under the PKCS#11 spec, you have to init after fork.

mod_nss is being rebased to 1.0.8 for RHEL 5.6 which will fix this. In the meantime you should be able to rebuild the Fedora mod_nss 1.0.8 package and give that a try. There are some slight variations between the RHEL and Fedora versions so you might want to compare the spec files for the two.

That said, if your device doesn't enforce the init after fork you might have luck getting it to work with mod_nss 1.0.3, are you getting any error messages? Does it work in non-FIPS mode but not FIPS?

rob

From cglidden at gmail.com Tue Nov 9 13:52:10 2010
From: cglidden at gmail.com (Christopher Glidden)
Date: Tue, 9 Nov 2010 08:52:10 -0500
Subject: [Mod_nss-list] assistance configuring mod_nss with hardware token
In-Reply-To:
References:
Message-ID:

Hi All,

Just looking for a little more help getting mod_nss to work. After moving to Fedora 14 and getting recent updates, I am still having issues on the SSL Server side - my clients are giving me "bad mac alert" errors and terminating the SSL connection. I am running everything I can in FIPS mode - NSS, mod_nss, and my PKCS#11 hardware.

I am currently re-re-testing with Fedora 14 and the built-in mod_nss:

Name       : httpd
Arch       : i686
Version    : 2.2.16
Release    : 1.fc14
Size       : 2.7 M
--
Name       : mod_nss
Arch       : i686
Version    : 1.0.8
Release    : 7.fc14
Size       : 215 k
--
Name       : nspr
Arch       : i686
Version    : 4.8.6
Release    : 1.fc14
Size       : 258 k
--
Name       : nss
Arch       : i686
Version    : 3.12.8
Release    : 2.fc14
Size       : 2.3 M

I am still getting a "bad record mac" error from my client, which is currently just openssl:

# openssl s_client -state -showcerts -connect 10.1.1.220:345
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=local/O=cglidden/CN=optiplex745
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:bad record mac
SSL_connect:failed in SSLv3 read finished A
6000:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1102:SSL alert number 20
6000:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

The ssltap server side looks like:

[cglidden at f14-apache-nssmod ~]$ sudo ssltap -sl -p 345 10.1.1.220:8443
Looking up "10.1.1.220"...
Proxy socket ready and listening
Connection #1 [Mon Nov 8 17:49:27 2010]
Connected to 10.1.1.220:8443
--> [
recordLen = 121 bytes
(121 bytes of 121)
 [Mon Nov 8 17:49:27 2010] [ssl2] ClientHelloV2 {
   version = {0x03, 0x01}
   cipher-specs-length = 78 (0x4e)
   sid-length = 0 (0x00)
   challenge-length = 32 (0x20)
   cipher-suites = {
      (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
      (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
      (0x000035) TLS/RSA/AES256-CBC/SHA
      (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
      (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
      (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
      (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
      (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
      (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
      (0x00002f) TLS/RSA/AES128-CBC/SHA
      (0x030080) SSL2/RSA/RC2CBC128/MD5
      (0x000005) SSL3/RSA/RC4-128/SHA
      (0x000004) SSL3/RSA/RC4-128/MD5
      (0x010080) SSL2/RSA/RC4-128/MD5
      (0x000015) SSL3/DHE-RSA/DES56-CBC/SHA
      (0x000012) SSL3/DHE-DSS/DES56-CBC/SHA
      (0x000009) SSL3/RSA/DES56-CBC/SHA
      (0x060040) SSL2/RSA/DES56-CBC/MD5
      (0x000014) SSL3/DHE-RSA/DES40-CBC/SHA
      (0x000011) SSL3/DHE-DSS/DES40-CBC/SHA
      (0x000008) SSL3/RSA/DES40-CBC/SHA
      (0x000006) SSL3/RSA/RC2CBC40/MD5
      (0x040080) SSL2/RSA/RC2CBC40/MD5
      (0x000003) SSL3/RSA/RC4-40/MD5
      (0x020080) SSL2/RSA/RC4-40/MD5
      (0x0000ff) TLS_EMPTY_RENEGOTIATION_INFO_SCSV
   }
   session-id = { }
   challenge = { 0xce62 0x904b 0x15d4 0x2915 0x0028 0x54e5 0xec2f 0x6eeb 0x9da4 0x3458 0xa686 0x6178 0xebd5 0x3924 0x7c6d 0x2435 }
 }
]
<-- [
(2481 bytes of 2476)
SSLRecord { [Mon Nov 8 17:49:27 2010]
   type = 22 (handshake)
   version = { 3,1 }
   length = 2476 (0x9ac)
   handshake {
      type = 2 (server_hello)
      length = 77 (0x00004d)
         ServerHello {
            server_version = {3, 1}
            random = {...}
            session ID = {
               length = 32
               contents = {...}
            }
            cipher_suite = (0x0035) TLS/RSA/AES256-CBC/SHA
            compression method = (00) NULL
            extensions[5] = {
              extension type renegotiation_info, length [1] = {
   0: 00 | .
              }
            }
         }
      type = 11 (certificate)
      length = 2387 (0x000953)
         CertificateChain {
            chainlength = 2384 (0x0950)
            Certificate {
               size = 1354 (0x054a)
               data = { saved in file 'cert.001' }
            }
            Certificate {
               size = 1024 (0x0400)
               data = { saved in file 'cert.002' }
            }
         }
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
--> [
(326 bytes of 262, with 59 left over)
SSLRecord { [Mon Nov 8 17:49:27 2010]
   type = 22 (handshake)
   version = { 3,1 }
   length = 262 (0x106)
   handshake {
      type = 16 (client_key_exchange)
      length = 258 (0x000102)
         ClientKeyExchange {
            message = {...}
         }
   }
}
(326 bytes of 1, with 53 left over)
SSLRecord { [Mon Nov 8 17:49:27 2010]
   type = 20 (change_cipher_spec)
   version = { 3,1 }
   length = 1 (0x1)
}
(326 bytes of 48)
SSLRecord { [Mon Nov 8 17:49:27 2010]
   type = 22 (handshake)
   version = { 3,1 }
   length = 48 (0x30)
   < encrypted >
}
]
<-- [
(7 bytes of 2)
SSLRecord { [Mon Nov 8 17:49:27 2010]
   type = 21 (alert)
   version = { 3,1 }
   length = 2 (0x2)
   fatal: bad_record_mac
}
]
Read EOF on Client socket. [Mon Nov 8 17:49:27 2010]
Read EOF on Server socket. [Mon Nov 8 17:49:27 2010]
Connection 1 Complete [Mon Nov 8 17:49:27 2010]

And my debug output contains (with nss and httpd set to debug to same file):

[Mon Nov 08 17:47:02 2010] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Mon Nov 08 17:47:02 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Nov 08 17:47:02 2010] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Mon Nov 08 17:47:13 2010] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Nov 08 17:47:13 2010] [info] Init: Initializing (virtual) servers for SSL
[Mon Nov 08 17:47:13 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:13 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:13 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:13 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:13 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:13 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:13 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:13 2010] [info] Server: Apache/2.2.15, Interface: mod_nss/2.2.15, Library: NSS/3.12.6.2
[Mon Nov 08 17:47:13 2010] [info] Shutting down SSL Session ID Cache
[Mon Nov 08 17:47:13 2010] [notice] Digest: generating secret for digest authentication ...
[Mon Nov 08 17:47:13 2010] [notice] Digest: done
[Mon Nov 08 17:47:13 2010] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0xb75a9b08 rmm=0xb75a9b38 for VHOST: f14-apache-nssmod.cglidden.local
[Mon Nov 08 17:47:13 2010] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Mon Nov 08 17:47:13 2010] [info] LDAP: SSL support available
[Mon Nov 08 17:47:13 2010] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Mon Nov 08 17:47:14 2010] [info] Server: Apache/2.2.15, Interface: mod_nss/2.2.15, Library: NSS/3.12.6.2
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2863 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2863 for (*)
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2866 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2867 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2868 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2865 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2865 for (*)
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2864 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2864 for (*)
[Mon Nov 08 17:47:14 2010] [notice] Apache/2.2.16 (Unix) DAV/2 mod_nss/2.2.15 NSS/3.12.6.2 configured -- resuming normal operations
[Mon Nov 08 17:47:14 2010] [info] Server built: Jul 26 2010 09:13:08
[Mon Nov 08 17:47:14 2010] [debug] prefork.c(1013): AcceptMutex: sysvsem (default: sysvsem)
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2866 for (*)
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2867 for (*)
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2868 for (*)
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2870 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2869 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2869 for (*)
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2870 for (*)
[Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:16 2010] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Nov 08 17:47:16 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:16 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:16 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:16 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:16 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:16 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:16 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:46 2010] [error] Unable to read from pin store for slot: NSSOCS APR err: 70007
[Mon Nov 08 17:48:18 2010] [info] Connection to child 2 established (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199)
[Mon Nov 08 17:48:18 2010] [info] SSL input filter read failed.
[Mon Nov 08 17:48:18 2010] [error] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code
[Mon Nov 08 17:48:18 2010] [info] Connection to child 2 closed (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199)
[Mon Nov 08 17:49:22 2010] [info] Connection to child 0 established (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199)
[Mon Nov 08 17:49:22 2010] [info] SSL input filter read failed.
[Mon Nov 08 17:49:22 2010] [error] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code
[Mon Nov 08 17:49:22 2010] [info] Connection to child 0 closed (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199)
[Mon Nov 08 17:49:27 2010] [info] Connection to child 3 established (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220)
[Mon Nov 08 17:49:27 2010] [info] SSL input filter read failed.
[Mon Nov 08 17:49:27 2010] [error] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code
[Mon Nov 08 17:49:27 2010] [info] Connection to child 3 closed (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220)

A reference to

Unable to read from pin store for slot: NSSOCS APR err: 70007

jumps out at me. Maybe nss_pcache is having problems?

I am not sure - any time or help that you can offer would be appreciated. Any additional debug that would help you should be easy for me to collect.

Thank you,

Chris

--
~~~~~~~~~~~~~~~~~~
Christopher Glidden
cglidden at gmail.com
~~~~~~~~~~~~~~~~~~

From cglidden at gmail.com Tue Nov 9 15:24:57 2010
From: cglidden at gmail.com (Christopher Glidden)
Date: Tue, 9 Nov 2010 10:24:57 -0500
Subject: [Mod_nss-list] assistance configuring mod_nss with hardware token
In-Reply-To:
References:
Message-ID:

I built mod_nss 1.0.8 from source ( http://directory.fedoraproject.org/sources/mod_nss-1.0.8.tar.gz as mentioned on http://www.directory.fedora.redhat.com/wiki/Mod_nss#What_can_I_get_the_source.3F) but I have the same behavior. This archive is dated July 2008 - any ideas where I can get something newer to test with?

What I built also complains about nss.conf entries NSSRenegotiation and NSSRequireSafeNegotiation, which I am guessing are new recent entries to handle recent SSL exploits.

Given that the Fedora-provided 1.0.8 and source-built 1.0.8 give me the same basic behavior - perhaps I am actually chasing a config or permission issue, not a software one? I did a "chmod 777" to my Certificate Database files and the same behavior remained.

Any ideas for next steps?

Chris
worker 0 in child 2866 for (*) > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker > proxy:reverse already initialized > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized > single connection worker 0 in child 2867 for (*) > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker > proxy:reverse already initialized > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized > single connection worker 0 in child 2868 for (*) > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed > scoreboard slot 0 in child 2870 for worker proxy:reverse > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed > scoreboard slot 0 in child 2869 for worker proxy:reverse > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker > proxy:reverse already initialized > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized > single connection worker 0 in child 2869 for (*) > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker > proxy:reverse already initialized > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized > single connection worker 0 in child 2870 for (*) > [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of > entropy > [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol > [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode > enabled, permitted SSL ciphers are: > [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring > permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 
08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but > this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but > this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. > [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of > entropy > [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol > [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode > enabled, permitted SSL ciphers are: > [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring > permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but > this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but > this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. 
> [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of > entropy > [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol > [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode > enabled, permitted SSL ciphers are: > [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring > permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but > this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but > this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. > [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of > entropy > [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol > [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode > enabled, permitted SSL ciphers are: > [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring > permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but > this is not a FIPS cipher, disabling. 
> [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but > this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. > [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of > entropy > [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol > [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode > enabled, permitted SSL ciphers are: > [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring > permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but > this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but > this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. 
> [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of > entropy > [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol > [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode > enabled, permitted SSL ciphers are: > [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring > permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but > this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but > this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. > [Mon Nov 08 17:47:16 2010] [info] Init: Seeding PRNG with 136 bytes of > entropy > [Mon Nov 08 17:47:16 2010] [info] Configuring server for SSL protocol > [Mon Nov 08 17:47:16 2010] [info] In FIPS mode, enabling TLSv1 > [Mon Nov 08 17:47:16 2010] [debug] nss_engine_init.c(783): FIPS mode > enabled, permitted SSL ciphers are: > [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:16 2010] [debug] nss_engine_init.c(788): Configuring > permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:16 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but > this is not a FIPS cipher, disabling. 
> [Mon Nov 08 17:47:16 2010] [warn] Cipher rsa_rc4_128_sha is enabled but > this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:16 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. > [Mon Nov 08 17:47:46 2010] [error] Unable to read from pin store for slot: > NSSOCS APR err: 70007 > [Mon Nov 08 17:48:18 2010] [info] Connection to child 2 established (server > f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) > [Mon Nov 08 17:48:18 2010] [info] SSL input filter read failed. > [Mon Nov 08 17:48:18 2010] [error] SSL Library Error: -12273 SSL has > received a record with an incorrect Message Authentication Code > [Mon Nov 08 17:48:18 2010] [info] Connection to child 2 closed (server > f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) > [Mon Nov 08 17:49:22 2010] [info] Connection to child 0 established (server > f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) > [Mon Nov 08 17:49:22 2010] [info] SSL input filter read failed. > [Mon Nov 08 17:49:22 2010] [error] SSL Library Error: -12273 SSL has > received a record with an incorrect Message Authentication Code > [Mon Nov 08 17:49:22 2010] [info] Connection to child 0 closed (server > f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) > [Mon Nov 08 17:49:27 2010] [info] Connection to child 3 established (server > f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220) > [Mon Nov 08 17:49:27 2010] [info] SSL input filter read failed. > [Mon Nov 08 17:49:27 2010] [error] SSL Library Error: -12273 SSL has > received a record with an incorrect Message Authentication Code > [Mon Nov 08 17:49:27 2010] [info] Connection to child 3 closed (server > f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220) > > A reference to Unable to read from pin store for slot: NSSOCS APR err: > 70007 jumps out at me. Maybe nss_pcache is having problems? > > I am not sure - any time or help that you can offer would be appreciated. 
> Any additional debug that would help you should be easy for me to collect.
>
> Thank you,
>
> Chris
>
> On Thu, Nov 4, 2010 at 5:29 PM, Christopher Glidden wrote:
>
>> Hi All,
>>
>> I am having some trouble getting mod_nss in fips mode to work with my
>> hardware pkcs#11 token.
>>
>> I actually think I am having more of a nss.conf issue than anything
>> between nss and my token. Private key and certificate fulfillment/import
>> from my CA seem to be just fine.
>>
>> What is the best way to go about getting a little help? What information
>> (config, logs, ssltap output, etc.) should I provide?
>>
>> Also, I am currently using the NSS components that shipped with Red Hat 5
>> (although I must admit I using CentOS right now - I hope that doesn't affect
>> the likelihood of receiving a response).
>>
>> [cglidden at el55-apache-nssmod ~]$ sudo yum info nss nss-tools mod_nss nspr
>> httpd | grep -C2 Version
>> Name : httpd
>> Arch : i386
>> Version : 2.2.3
>> Release : 43.el5.centos
>> Size : 3.1 M
>> --
>> Name : mod_nss
>> Arch : i386
>> Version : 1.0.3
>> Release : 8.el5
>> Size : 197 k
>> --
>> Name : nspr
>> Arch : i386
>> Version : 4.7.6
>> Release : 1.el5_4
>> Size : 245 k
>> --
>> Name : nss
>> Arch : i386
>> Version : 3.12.3.99.3
>> Release : 1.el5.centos.2
>> Size : 2.6 M
>> --
>> Name : nss-tools
>> Arch : i386
>> Version : 3.12.3.99.3
>> Release : 1.el5.centos.2
>> Size : 2.9 M
>>
>> Are there any known issues with these version that I should avoid right
>> away? I am using these versions because my customer has indicated a
>> preference. If I have a good argument for it, we'll upgrade to better
>> versions.
>>
>> Thanks,
>>
>> Chris
>>
>> --
>> ~~~~~~~~~~~~~~~~~~
>> Christopher Glidden
>> cglidden at gmail.com
>> ~~~~~~~~~~~~~~~~~~
>>
>
>
>
> --
> ~~~~~~~~~~~~~~~~~~
> Christopher Glidden
> cglidden at gmail.com
> P: 857-222-4269
> ~~~~~~~~~~~~~~~~~~
>
--
~~~~~~~~~~~~~~~~~~
Christopher Glidden
cglidden at gmail.com
P: 857-222-4269
~~~~~~~~~~~~~~~~~~

From rcritten at redhat.com Tue Nov 9 15:47:31 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Nov 2010 10:47:31 -0500
Subject: [Mod_nss-list] assistance configuring mod_nss with hardware token
In-Reply-To:
References:
Message-ID: <4CD96D13.4080105@redhat.com>

Christopher Glidden wrote:
> I built mod_nss 1.0.8 from source
> (http://directory.fedoraproject.org/sources/mod_nss-1.0.8.tar.gz as
> mentioned on
> http://www.directory.fedora.redhat.com/wiki/Mod_nss#What_can_I_get_the_source.3F)
> but I have the same behavior.
>
> This archive is dated July 2008 - any ideas where I can get something
> newer to test with?

Those are only in the source tip. I haven't done a release recently (been trying to find time to add a couple new features first). You'd need to pull the source from CVS.

> What I built also complains about nss.conf entries NSSRenegotiation and
> NSSRequireSafeNegotiation, which I am guessing a new recent entries to
> handle recent SSL exploits.
>
> Given that the Fedora-provided 1.0.8 and source-built 1.0.8 give me the
> same basic behavior - perhaps I am actually chasing a config or
> permission issue, not a software one?
>
> I did a "chmod 777" to my Certificate Database files and the same
> behavior remained.

The bad mac are SSL errors. I haven't had a chance to look at your ssltap output in detail yet but nothing jumped out at me.

Does it work in non-FIPS mode and only fail in FIPS? Does the software token work and only the hardware token fail?

rob

>
> Any ideas for next steps?
> > Chris > > On Tue, Nov 9, 2010 at 8:52 AM, Christopher Glidden > wrote: > > Hi All, > > Just looking for a little more help getting mod_nss to work. After > moving to Fedora 14 and getting recent updates, I am still having > issues on the SSL Server side - my clients are giving me "bad mac > alert" errors and terminating the SSL connection. I am running > everything I can in FIPS mode - NSS, mod_nss, and my PKCS#11 hardware. > > > I am currently re-re-testing with Fedora 14 and the built-in mod_nss: > > Name : httpd > Arch : i686 > Version : 2.2.16 > Release : 1.fc14 > Size : 2.7 M > -- > Name : mod_nss > > Arch : i686 > Version : 1.0.8 > Release : 7.fc14 > Size : 215 k > -- > Name : nspr > Arch : i686 > Version : 4.8.6 > Release : 1.fc14 > Size : 258 k > -- > Name : nss > Arch : i686 > Version : 3.12.8 > Release : 2.fc14 > Size : 2.3 M > > I am still getting an "bad record mac" error from my client, which > is currently just openssl: > > # openssl s_client -state -showcerts -connect 10.1.1.220:345 > > CONNECTED(00000003) > SSL_connect:before/connect initialization > SSL_connect:SSLv2/v3 write client hello A > SSL_connect:SSLv3 read server hello A > depth=1 /C=local/O=cglidden/CN=optiplex745 > verify error:num=19:self signed certificate in certificate chain > verify return:0 > SSL_connect:SSLv3 read server certificate A > SSL_connect:SSLv3 read server done A > SSL_connect:SSLv3 write client key exchange A > SSL_connect:SSLv3 write change cipher spec A > SSL_connect:SSLv3 write finished A > SSL_connect:SSLv3 flush data > SSL3 alert read:fatal:bad record mac > SSL_connect:failed in SSLv3 read finished A > 6000:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad > record mac:s3_pkt.c:1102:SSL alert number 20 > 6000:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake > failure:s23_lib.c:188: > > The ssltap server side looks like: > > [cglidden at f14-apache-nssmod ~]$ sudo ssltap -sl -p 345 > 10.1.1.220:8443 > Looking up "10.1.1.220"... 
> Proxy socket ready and listening > Connection #1 [Mon Nov 8 17:49:27 2010] > Connected to 10.1.1.220:8443 > --> [ > recordLen = 121 bytes > (121 bytes of 121) > [Mon Nov 8 17:49:27 2010] [ssl2] ClientHelloV2 { > version = {0x03, 0x01} > cipher-specs-length = 78 (0x4e) > sid-length = 0 (0x00) > challenge-length = 32 (0x20) > cipher-suites = { > (0x000039) TLS/DHE-RSA/AES256-CBC/SHA > (0x000038) TLS/DHE-DSS/AES256-CBC/SHA > (0x000035) TLS/RSA/AES256-CBC/SHA > (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA > (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA > (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA > (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5 > (0x000033) TLS/DHE-RSA/AES128-CBC/SHA > (0x000032) TLS/DHE-DSS/AES128-CBC/SHA > (0x00002f) TLS/RSA/AES128-CBC/SHA > (0x030080) SSL2/RSA/RC2CBC128/MD5 > (0x000005) SSL3/RSA/RC4-128/SHA > (0x000004) SSL3/RSA/RC4-128/MD5 > (0x010080) SSL2/RSA/RC4-128/MD5 > (0x000015) SSL3/DHE-RSA/DES56-CBC/SHA > (0x000012) SSL3/DHE-DSS/DES56-CBC/SHA > (0x000009) SSL3/RSA/DES56-CBC/SHA > (0x060040) SSL2/RSA/DES56-CBC/MD5 > (0x000014) SSL3/DHE-RSA/DES40-CBC/SHA > (0x000011) SSL3/DHE-DSS/DES40-CBC/SHA > (0x000008) SSL3/RSA/DES40-CBC/SHA > (0x000006) SSL3/RSA/RC2CBC40/MD5 > (0x040080) SSL2/RSA/RC2CBC40/MD5 > (0x000003) SSL3/RSA/RC4-40/MD5 > (0x020080) SSL2/RSA/RC4-40/MD5 > (0x0000ff) TLS_EMPTY_RENEGOTIATION_INFO_SCSV > } > session-id = { } > challenge = { 0xce62 0x904b 0x15d4 0x2915 0x0028 0x54e5 > 0xec2f 0x6eeb 0x9da4 0x3458 0xa686 0x6178 0xebd5 0x3924 0x7c6d 0x2435 } > } > ] > <-- [ > (2481 bytes of 2476) > SSLRecord { [Mon Nov 8 17:49:27 2010] > type = 22 (handshake) > version = { 3,1 } > length = 2476 (0x9ac) > handshake { > type = 2 (server_hello) > length = 77 (0x00004d) > ServerHello { > server_version = {3, 1} > random = {...} > session ID = { > length = 32 > contents = {...} > } > cipher_suite = (0x0035) TLS/RSA/AES256-CBC/SHA > compression method = (00) NULL > extensions[5] = { > extension type renegotiation_info, length [1] = { > 0: 00 | . 
> } > } > } > type = 11 (certificate) > length = 2387 (0x000953) > CertificateChain { > chainlength = 2384 (0x0950) > Certificate { > size = 1354 (0x054a) > data = { saved in file 'cert.001' } > } > Certificate { > size = 1024 (0x0400) > data = { saved in file 'cert.002' } > } > } > type = 14 (server_hello_done) > length = 0 (0x000000) > } > } > ] > --> [ > (326 bytes of 262, with 59 left over) > SSLRecord { [Mon Nov 8 17:49:27 2010] > type = 22 (handshake) > version = { 3,1 } > length = 262 (0x106) > handshake { > type = 16 (client_key_exchange) > length = 258 (0x000102) > ClientKeyExchange { > message = {...} > } > } > } > (326 bytes of 1, with 53 left over) > SSLRecord { [Mon Nov 8 17:49:27 2010] > type = 20 (change_cipher_spec) > version = { 3,1 } > length = 1 (0x1) > } > (326 bytes of 48) > SSLRecord { [Mon Nov 8 17:49:27 2010] > type = 22 (handshake) > version = { 3,1 } > length = 48 (0x30) > < encrypted > > } > ] > <-- [ > (7 bytes of 2) > SSLRecord { [Mon Nov 8 17:49:27 2010] > type = 21 (alert) > version = { 3,1 } > length = 2 (0x2) > fatal: bad_record_mac > } > ] > Read EOF on Client socket. [Mon Nov 8 17:49:27 2010] > Read EOF on Server socket. [Mon Nov 8 17:49:27 2010] > Connection 1 Complete [Mon Nov 8 17:49:27 2010] > > And my debug output contains (with nss and httpd set to debug to > same file): > > [Mon Nov 08 17:47:02 2010] [notice] SELinux policy enabled; httpd > running as context unconfined_u:system_r:httpd_t:s0 > [Mon Nov 08 17:47:02 2010] [notice] suEXEC mechanism enabled > (wrapper: /usr/sbin/suexec) > [Mon Nov 08 17:47:02 2010] [info] Initializing SSL Session Cache of > size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400. 
> [Mon Nov 08 17:47:13 2010] [info] Init: Seeding PRNG with 136 bytes > of entropy > [Mon Nov 08 17:47:13 2010] [info] Init: Initializing (virtual) > servers for SSL > [Mon Nov 08 17:47:13 2010] [info] Configuring server for SSL protocol > [Mon Nov 08 17:47:13 2010] [info] In FIPS mode, enabling TLSv1 > [Mon Nov 08 17:47:13 2010] [debug] nss_engine_init.c(783): FIPS mode > enabled, permitted SSL ciphers are: > [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:13 2010] [debug] nss_engine_init.c(788): > Configuring permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:13 2010] [warn] Cipher rsa_rc4_128_md5 is enabled > but this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:13 2010] [warn] Cipher rsa_rc4_128_sha is enabled > but this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:13 2010] [info] Using nickname > NSSOCS:f14-apache-nssmod. > [Mon Nov 08 17:47:13 2010] [info] Server: Apache/2.2.15, Interface: > mod_nss/2.2.15, Library: NSS/3.12.6.2 > [Mon Nov 08 17:47:13 2010] [info] Shutting down SSL Session ID Cache > [Mon Nov 08 17:47:13 2010] [notice] Digest: generating secret for > digest authentication ... > [Mon Nov 08 17:47:13 2010] [notice] Digest: done > [Mon Nov 08 17:47:13 2010] [debug] util_ldap.c(1990): LDAP merging > Shared Cache conf: shm=0xb75a9b08 rmm=0xb75a9b38 for VHOST: > f14-apache-nssmod.cglidden.local > [Mon Nov 08 17:47:13 2010] [info] APR LDAP: Built with OpenLDAP LDAP SDK > [Mon Nov 08 17:47:13 2010] [info] LDAP: SSL support available > [Mon Nov 08 17:47:13 2010] [info] Initializing SSL Session Cache of > size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400. 
> [Mon Nov 08 17:47:14 2010] [info] Server: Apache/2.2.15, Interface: > mod_nss/2.2.15, Library: NSS/3.12.6.2 > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: > grabbed scoreboard slot 0 in child 2863 for worker proxy:reverse > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: > initialized single connection worker 0 in child 2863 for (*) > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: > grabbed scoreboard slot 0 in child 2866 for worker proxy:reverse > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: > grabbed scoreboard slot 0 in child 2867 for worker proxy:reverse > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: > grabbed scoreboard slot 0 in child 2868 for worker proxy:reverse > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: > grabbed scoreboard slot 0 in child 2865 for worker proxy:reverse > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker > proxy:reverse already initialized > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: > initialized single connection worker 0 in child 2865 for (*) > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: > grabbed scoreboard slot 0 in child 2864 for worker proxy:reverse > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker > proxy:reverse already initialized > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: > initialized single connection worker 0 in child 2864 for (*) > [Mon Nov 08 17:47:14 2010] [notice] Apache/2.2.16 (Unix) DAV/2 > mod_nss/2.2.15 NSS/3.12.6.2 configured -- > resuming normal operations > [Mon Nov 08 17:47:14 2010] [info] Server built: Jul 26 2010 09:13:08 > [Mon Nov 08 17:47:14 2010] [debug] prefork.c(1013): AcceptMutex: > sysvsem (default: sysvsem) > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker > proxy:reverse already initialized > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: > initialized single connection 
worker 0 in child 2866 for (*) > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker > proxy:reverse already initialized > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: > initialized single connection worker 0 in child 2867 for (*) > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker > proxy:reverse already initialized > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: > initialized single connection worker 0 in child 2868 for (*) > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: > grabbed scoreboard slot 0 in child 2870 for worker proxy:reverse > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: > grabbed scoreboard slot 0 in child 2869 for worker proxy:reverse > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker > proxy:reverse already initialized > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: > initialized single connection worker 0 in child 2869 for (*) > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker > proxy:reverse already initialized > [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: > initialized single connection worker 0 in child 2870 for (*) > [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes > of entropy > [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol > [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode > enabled, permitted SSL ciphers are: > [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): > Configuring permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 
08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled > but this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled > but this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [info] Using nickname > NSSOCS:f14-apache-nssmod. > [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes > of entropy > [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol > [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode > enabled, permitted SSL ciphers are: > [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): > Configuring permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled > but this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled > but this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [info] Using nickname > NSSOCS:f14-apache-nssmod. 
> [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes > of entropy > [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol > [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode > enabled, permitted SSL ciphers are: > [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): > Configuring permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled > but this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled > but this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [info] Using nickname > NSSOCS:f14-apache-nssmod. > [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes > of entropy > [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol > [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode > enabled, permitted SSL ciphers are: > [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): > Configuring permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled > but this is not a FIPS cipher, disabling. 
> [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled > but this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [info] Using nickname > NSSOCS:f14-apache-nssmod. > [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes > of entropy > [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol > [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode > enabled, permitted SSL ciphers are: > [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): > Configuring permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled > but this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled > but this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [info] Using nickname > NSSOCS:f14-apache-nssmod. 
> [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes > of entropy > [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol > [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode > enabled, permitted SSL ciphers are: > [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): > Configuring permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled > but this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled > but this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:15 2010] [info] Using nickname > NSSOCS:f14-apache-nssmod. > [Mon Nov 08 17:47:16 2010] [info] Init: Seeding PRNG with 136 bytes > of entropy > [Mon Nov 08 17:47:16 2010] [info] Configuring server for SSL protocol > [Mon Nov 08 17:47:16 2010] [info] In FIPS mode, enabling TLSv1 > [Mon Nov 08 17:47:16 2010] [debug] nss_engine_init.c(783): FIPS mode > enabled, permitted SSL ciphers are: > [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:16 2010] [debug] nss_engine_init.c(788): > Configuring permitted SSL ciphers > [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] > [Mon Nov 08 17:47:16 2010] [warn] Cipher rsa_rc4_128_md5 is enabled > but this is not a FIPS cipher, disabling. 
> [Mon Nov 08 17:47:16 2010] [warn] Cipher rsa_rc4_128_sha is enabled > but this is not a FIPS cipher, disabling. > [Mon Nov 08 17:47:16 2010] [info] Using nickname > NSSOCS:f14-apache-nssmod. > [Mon Nov 08 17:47:46 2010] [error] Unable to read from pin store for > slot: NSSOCS APR err: 70007 > [Mon Nov 08 17:48:18 2010] [info] Connection to child 2 established > (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) > [Mon Nov 08 17:48:18 2010] [info] SSL input filter read failed. > [Mon Nov 08 17:48:18 2010] [error] SSL Library Error: -12273 SSL has > received a record with an incorrect Message Authentication Code > [Mon Nov 08 17:48:18 2010] [info] Connection to child 2 closed > (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) > [Mon Nov 08 17:49:22 2010] [info] Connection to child 0 established > (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) > [Mon Nov 08 17:49:22 2010] [info] SSL input filter read failed. > [Mon Nov 08 17:49:22 2010] [error] SSL Library Error: -12273 SSL has > received a record with an incorrect Message Authentication Code > [Mon Nov 08 17:49:22 2010] [info] Connection to child 0 closed > (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) > [Mon Nov 08 17:49:27 2010] [info] Connection to child 3 established > (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220) > [Mon Nov 08 17:49:27 2010] [info] SSL input filter read failed. > [Mon Nov 08 17:49:27 2010] [error] SSL Library Error: -12273 SSL has > received a record with an incorrect Message Authentication Code > [Mon Nov 08 17:49:27 2010] [info] Connection to child 3 closed > (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220) > > A reference to Unable to read from pin store for slot: NSSOCS APR > err: 70007 jumps out at me. Maybe nss_pcache is having problems? > > I am not sure - any time or help that you can offer would be > appreciated. 
Any additional debug that would help you should be > easy for me to collect. > > Thank you, > > Chris > > On Thu, Nov 4, 2010 at 5:29 PM, Christopher Glidden > > wrote: > > Hi All, > > I am having some trouble getting mod_nss in fips mode to work > with my hardware pkcs#11 token. > > I actually think I am having more of a nss.conf issue than > anything between nss and my token. Private key and certificate > fulfillment/import from my CA seem to be just fine. > > What is the best way to go about getting a little help? What > information (config, logs, ssltap output, etc.) should I provide? > > Also, I am currently using the NSS components that shipped with > Red Hat 5 (although I must admit I using CentOS right now - I > hope that doesn't affect the likelihood of receiving a response). > > [cglidden at el55-apache-nssmod ~]$ sudo yum info nss nss-tools > mod_nss nspr httpd | grep -C2 Version > Name : httpd > Arch : i386 > Version : 2.2.3 > Release : 43.el5.centos > Size : 3.1 M > -- > Name : mod_nss > Arch : i386 > Version : 1.0.3 > Release : 8.el5 > Size : 197 k > -- > Name : nspr > Arch : i386 > Version : 4.7.6 > Release : 1.el5_4 > Size : 245 k > -- > Name : nss > Arch : i386 > Version : 3.12.3.99.3 > Release : 1.el5.centos.2 > Size : 2.6 M > -- > Name : nss-tools > Arch : i386 > Version : 3.12.3.99.3 > Release : 1.el5.centos.2 > Size : 2.9 M > > Are there any known issues with these version that I should > avoid right away? I am using these versions because my customer > has indicated a preference. If I have a good argument for it, > we'll upgrade to better versions. 
>
> Thanks,
>
> Chris
>
> --
> ~~~~~~~~~~~~~~~~~~
> Christopher Glidden
> cglidden at gmail.com
> ~~~~~~~~~~~~~~~~~~
>
> --
> ~~~~~~~~~~~~~~~~~~
> Christopher Glidden
> cglidden at gmail.com
> P: 857-222-4269
> ~~~~~~~~~~~~~~~~~~
>
> --
> ~~~~~~~~~~~~~~~~~~
> Christopher Glidden
> cglidden at gmail.com
> P: 857-222-4269
> ~~~~~~~~~~~~~~~~~~
>
> _______________________________________________
> Mod_nss-list mailing list
> Mod_nss-list at redhat.com
> https://www.redhat.com/mailman/listinfo/mod_nss-list

From cglidden at gmail.com Tue Nov 9 17:59:33 2010
From: cglidden at gmail.com (Christopher Glidden)
Date: Tue, 9 Nov 2010 12:59:33 -0500
Subject: [Mod_nss-list] assistance configuring mod_nss with hardware token
In-Reply-To: <4CD96D13.4080105@redhat.com>
References: <4CD96D13.4080105@redhat.com>
Message-ID:

Yes, I have had this working (with mod_nss 1.0.8 on CentOS) with non-FIPS components.

However, I need this to run in all FIPS mode:

- tokens initialized with "modutil -fips true"
- "NSSFIPS on" in nss.conf
- and the hardware token running in FIPS mode

I may be able to get away with running the hardware token in FIPS mode and adjusting the ciphersuites to be FIPS-compliant and leave the other components non-FIPS, which should be OK because all the crypto/key stuff have FIPS enforced by the hardware token. And I think that is what is important.

I did download the latest source via CVS, built mod_nss, and I am seeing the same behavior.

I think it may actually be the hardware token and am focusing there. I think that the session key might be created on the token, which is something I can account for - I have seen other SSL apps want to create ephemeral keys in the token.

I am still curious about "Unable to read from pin store for slot:" error that I am seeing.

Chris

On Tue, Nov 9, 2010 at 10:47 AM, Rob Crittenden wrote:

> Christopher Glidden wrote:
>
>> I built mod_nss 1.0.8 from source
>> (http://directory.fedoraproject.org/sources/mod_nss-1.0.8.tar.gz as
>> mentioned on
>> http://www.directory.fedora.redhat.com/wiki/Mod_nss#What_can_I_get_the_source.3F
>> )
>> but I have the same behavior.
>>
>> This archive is dated July 2008 - any ideas where I can get something
>> newer to test with?
>>
>
> Those are only in the source tip. I haven't done a release recently (been
> trying to find time to add a couple new features first). You'd need to pull
> the source from CVS.
>
>> What I built also complains about nss.conf entries NSSRenegotiation and
>> NSSRequireSafeNegotiation, which I am guessing are new recent entries to
>> handle recent SSL exploits.
>>
>> Given that the Fedora-provided 1.0.8 and source-built 1.0.8 give me the
>> same basic behavior - perhaps I am actually chasing a config or
>> permission issue, not a software one?
>>
>> I did a "chmod 777" to my Certificate Database files and the same
>> behavior remained.
>>
>
> The bad mac are SSL errors. I haven't had a chance to look at your ssltap
> output in detail yet but nothing jumped out at me.
>
> Does it work in non-FIPS mode and only fail in FIPS? Does the software
> token work and only the hardware token fail?
>
> rob
>
>> Any ideas for next steps?
>>
>> Chris
>>
>> On Tue, Nov 9, 2010 at 8:52 AM, Christopher Glidden wrote:
>>
>> Hi All,
>>
>> Just looking for a little more help getting mod_nss to work. After
>> moving to Fedora 14 and getting recent updates, I am still having
>> issues on the SSL Server side - my clients are giving me "bad mac
>> alert" errors and terminating the SSL connection. I am running
>> everything I can in FIPS mode - NSS, mod_nss, and my PKCS#11 hardware.
>>
>> Thanks,
>>
>> Chris
>>
>> --
>> ~~~~~~~~~~~~~~~~~~
>> Christopher Glidden
>> cglidden at gmail.com
>> ~~~~~~~~~~~~~~~~~~
>>
>> --
>> ~~~~~~~~~~~~~~~~~~
>> Christopher Glidden
>> cglidden at gmail.com
>>
>> P: 857-222-4269
>> ~~~~~~~~~~~~~~~~~~
>>
>> --
>> ~~~~~~~~~~~~~~~~~~
>> Christopher Glidden
>> cglidden at gmail.com
>> P: 857-222-4269
>> ~~~~~~~~~~~~~~~~~~
>>
>> _______________________________________________
>> Mod_nss-list mailing list
>> Mod_nss-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/mod_nss-list
>>
>
>
--
~~~~~~~~~~~~~~~~~~
Christopher Glidden
cglidden at gmail.com
P: 857-222-4269
~~~~~~~~~~~~~~~~~~
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmarc at copacetic.net Tue Nov 9 23:34:05 2010
From: rmarc at copacetic.net (Marc Phillips)
Date: Tue, 9 Nov 2010 17:34:05 -0600
Subject: [Mod_nss-list] Exec patch
Message-ID: <20101109233405.GA25183@archwayconcepts.com>

Added an exec patch to mod_nss. Thought others might find this useful.

R. Marc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_nss-1.0.8-exec.patch
Type: text/x-diff
Size: 6633 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Nov 12 17:45:05 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Nov 2010 12:45:05 -0500
Subject: [Mod_nss-list] Exec patch
In-Reply-To: <20101109233405.GA25183@archwayconcepts.com>
References: <20101109233405.GA25183@archwayconcepts.com>
Message-ID: <4CDD7D21.2030001@redhat.com>

Marc Phillips wrote:
>
> Added an exec patch to mod_nss. Thought others might find this useful.
>
> R. Marc

Cool, thanks. Is there a way to do per-token passwords? If one has
multiple tokens configured how can they specify which one to get the
password for?

rob

From rmarc at copacetic.net Fri Nov 12 19:28:44 2010
From: rmarc at copacetic.net (Marc Phillips)
Date: Fri, 12 Nov 2010 13:28:44 -0600
Subject: [Mod_nss-list] Exec patch
In-Reply-To: <4CDD7D21.2030001@redhat.com>
References: <20101109233405.GA25183@archwayconcepts.com> <4CDD7D21.2030001@redhat.com>
Message-ID: <20101112192843.GA6920@archwayconcepts.com>

> Cool, thanks. Is there a way to do per-token passwords? If one has
> multiple tokens configured how can they specify which one to get the
> password for?

Well, it really depends on your callout program. The one I use, you just
give it the token name as an argument (it's a call to an encrypted
database):

"exec:/path/to/callout tokename"

It all depends on the callout logic, really.

Also note, I only tested this using the one use case (which is using my
callout). I'm sure it can be improved greatly.

R. Marc

From rcritten at redhat.com Fri Nov 12 20:24:20 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Nov 2010 15:24:20 -0500
Subject: [Mod_nss-list] assistance configuring mod_nss with hardware token
In-Reply-To:
References: <4CD96D13.4080105@redhat.com>
Message-ID: <4CDDA274.6040007@redhat.com>

Christopher Glidden wrote:
> Yes, I have had this working (with mod_nss 1.0.8 on CentOS) with
> non-FIPS components.
>
> However, I need this to run in all FIPS mode:
>
> * tokens initialized with "modutil -fips true"
> * "NSSFIPS on" in nss.conf
> * and the hardware token running in FIPS mode
>
> I may be able to get away with running the hardware token in FIPS mode
> and adjusting the ciphersuites to be FIPS-compliant and leave the other
> components non-FIPS, which should be OK because all the crypto/key stuff
> have FIPS enforced by the hardware token. And I think that is what is
> important.
>
> I did download the latest source via CVS, built mod_nss, and I am seeing
> the same behavior.
>
> I think it may actually be the hardware token and am focusing there. I
> think that the session key might be created on the token, which is
> something I can account for - I have seen other SSL apps want to create
> ephemeral keys in the token.
>
> I am still curious about "Unable to read from pin store for slot:" error
> that I am seeing.

Sorry for the delay.

I don't think the error is related to what you are seeing. As far as I
can tell it is APR_ENOTIME which might mean there is a timeout somewhere.
Do you also see this in non-FIPS?

rob

>
> Chris
>
> On Tue, Nov 9, 2010 at 10:47 AM, Rob Crittenden
> wrote:
>
> Christopher Glidden wrote:
>
> I built mod_nss 1.0.8 from source
> (http://directory.fedoraproject.org/sources/mod_nss-1.0.8.tar.gz as
> mentioned on
> http://www.directory.fedora.redhat.com/wiki/Mod_nss#What_can_I_get_the_source.3F)
> but I have the same behavior.
>
> This archive is dated July 2008 - any ideas where I can get
> something
> newer to test with?
>
>
> Those are only in the source tip. I haven't done a release recently
> (been trying to find time to add a couple new features first). You'd
> need to pull the source from CVS.
>
>
> What I built also complains about nss.conf entries
> NSSRenegotiation and
> NSSRequireSafeNegotiation, which I am guessing a new recent
> entries to
> handle recent SSL exploits.
>
> Given that the Fedora-provided 1.0.8 and source-built 1.0.8 give
> me the
> same basic behavior - perhaps I am actually chasing a config or
> permission issue, not a software one?
>
> I did a "chmod 777" to my Certificate Database files and the same
> behavior remained.
>
>
> The bad mac are SSL errors. I haven't had a chance to look at your
> ssltap output in detail yet but nothing jumped out at me.
>
> Does it work in non-FIPS mode and only fail in FIPS? Does the
> software token work an only the hardware token fail?
>
> rob
>
>
> Any ideas for next steps?
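The error_log quoted in this thread can be triaged mechanically. The Python below is an added example, not code from the thread or from mod_nss: it reads entries taken from that log (mail wrapping undone), compares the configured cipher string against the FIPS-permitted set, and counts SSL library errors per client. The function names, and the rule of attributing an error to a client only when exactly one connection is open, are assumptions of this example.

```python
import re
from collections import Counter

# Entries taken from the error_log quoted in this thread; the e-mail line
# wrapping has been undone so that each log entry is a single line again.
SAMPLE_LOG = """\
[Mon Nov 08 17:47:16 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:16 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:16 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:16 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:46 2010] [error] Unable to read from pin store for slot: NSSOCS APR err: 70007
[Mon Nov 08 17:48:18 2010] [info] Connection to child 2 established (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199)
[Mon Nov 08 17:48:18 2010] [info] SSL input filter read failed.
[Mon Nov 08 17:48:18 2010] [error] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code
[Mon Nov 08 17:48:18 2010] [info] Connection to child 2 closed (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199)
[Mon Nov 08 17:49:22 2010] [info] Connection to child 0 established (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199)
[Mon Nov 08 17:49:22 2010] [info] SSL input filter read failed.
[Mon Nov 08 17:49:22 2010] [error] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code
[Mon Nov 08 17:49:22 2010] [info] Connection to child 0 closed (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199)
[Mon Nov 08 17:49:27 2010] [info] Connection to child 3 established (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220)
[Mon Nov 08 17:49:27 2010] [info] SSL input filter read failed.
[Mon Nov 08 17:49:27 2010] [error] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code
[Mon Nov 08 17:49:27 2010] [info] Connection to child 3 closed (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220)
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
FIPS_SET = re.compile(r"FIPS mode enabled, permitted SSL ciphers are: \[(.*?)\]")
CONFIGURED = re.compile(r"Configuring permitted SSL ciphers \[(.*?)\]")
DISABLED = re.compile(r"Cipher (\S+) is enabled but this is not a FIPS cipher")
PIN_STORE = re.compile(r"Unable to read from pin store for slot: (\S+) APR err: (\d+)")
CONN = re.compile(r"Connection to child (\d+) (established|closed) \(server \S+, client ([\d.]+)\)")
SSL_ERR = re.compile(r"SSL Library Error: (-\d+)")


def enabled(cipher_spec):
    """Names carrying a '+' prefix in a mod_nss cipher string."""
    return {c[1:] for c in cipher_spec.split(",") if c.startswith("+")}


def triage(log_text):
    """Summarise cipher-policy mismatches, pin store errors and SSL errors."""
    report = {"non_fips_configured": set(), "disabled_by_server": set(),
              "pin_store_errors": [], "ssl_errors": Counter(),
              "unattributed_ssl_errors": 0}
    fips_permitted = set()
    open_conns = {}  # child id -> client address of the connection in progress
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry is None:
            continue  # wrapped or foreign line: ignore rather than guess
        msg = entry.group("msg")
        if (m := FIPS_SET.search(msg)):
            fips_permitted = enabled(m.group(1))
        elif (m := CONFIGURED.search(msg)):
            # Without a preceding FIPS line the server is not in FIPS mode,
            # so there is no policy to compare the configuration against.
            if fips_permitted:
                report["non_fips_configured"] |= enabled(m.group(1)) - fips_permitted
        elif (m := DISABLED.search(msg)):
            report["disabled_by_server"].add(m.group(1))
        elif (m := PIN_STORE.search(msg)):
            report["pin_store_errors"].append(
                (entry.group("ts"), m.group(1), int(m.group(2))))
        elif (m := CONN.search(msg)):
            child, event, client = m.groups()
            if event == "established":
                open_conns[child] = client
            else:
                open_conns.pop(child, None)
        elif (m := SSL_ERR.search(msg)):
            # Error lines carry no child id, so attribute the error only
            # when a single connection is open (assumption of this example).
            if len(open_conns) == 1:
                client = next(iter(open_conns.values()))
                report["ssl_errors"][(client, int(m.group(1)))] += 1
            else:
                report["unattributed_ssl_errors"] += 1
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "=", value)
```

If `non_fips_configured` and `disabled_by_server` disagree, the configured cipher string and the server's own FIPS filtering are out of step, which is worth resolving before looking at the token.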