[Mod_nss-list] assistance configuring mod_nss with hardware token

Christopher Glidden cglidden at gmail.com
Tue Nov 9 13:52:10 UTC 2010


Hi All,

Just looking for a little more help getting mod_nss to work.  After moving
to Fedora 14 and getting recent updates, I am still having issues on the SSL
Server side - my clients are giving me "bad mac alert" errors and
terminating the SSL connection.  I am running everything I can in FIPS mode
- NSS, mod_nss, and my PKCS#11 hardware.

I am currently re-re-testing with Fedora 14 and the built-in mod_nss:

Name        : httpd
Arch        : i686
Version     : 2.2.16
Release     : 1.fc14
Size        : 2.7 M
--
Name        : mod_nss
Arch        : i686
Version     : 1.0.8
Release     : 7.fc14
Size        : 215 k
--
Name        : nspr
Arch        : i686
Version     : 4.8.6
Release     : 1.fc14
Size        : 258 k
--
Name        : nss
Arch        : i686
Version     : 3.12.8
Release     : 2.fc14
Size        : 2.3 M

I am still getting a "bad record mac" error from my client, which is
currently just openssl:

# openssl s_client -state -showcerts -connect 10.1.1.220:345
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=local/O=cglidden/CN=optiplex745
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:bad record mac
SSL_connect:failed in SSLv3 read finished A
6000:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record
mac:s3_pkt.c:1102:SSL alert number 20
6000:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:

The ssltap server side looks like:

[cglidden at f14-apache-nssmod ~]$ sudo ssltap -sl -p 345 10.1.1.220:8443
Looking up "10.1.1.220"...
Proxy socket ready and listening
Connection #1 [Mon Nov  8 17:49:27 2010]
Connected to 10.1.1.220:8443
--> [
recordLen = 121 bytes
(121 bytes of 121)
 [Mon Nov  8 17:49:27 2010] [ssl2]  ClientHelloV2 {
           version = {0x03, 0x01}
           cipher-specs-length = 78 (0x4e)
           sid-length = 0 (0x00)
           challenge-length = 32 (0x20)
           cipher-suites = {
                (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
                (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
                (0x000035) TLS/RSA/AES256-CBC/SHA
                (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
                (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
                (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
                (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
                (0x00002f) TLS/RSA/AES128-CBC/SHA
                (0x030080) SSL2/RSA/RC2CBC128/MD5
                (0x000005) SSL3/RSA/RC4-128/SHA
                (0x000004) SSL3/RSA/RC4-128/MD5
                (0x010080) SSL2/RSA/RC4-128/MD5
                (0x000015) SSL3/DHE-RSA/DES56-CBC/SHA
                (0x000012) SSL3/DHE-DSS/DES56-CBC/SHA
                (0x000009) SSL3/RSA/DES56-CBC/SHA
                (0x060040) SSL2/RSA/DES56-CBC/MD5
                (0x000014) SSL3/DHE-RSA/DES40-CBC/SHA
                (0x000011) SSL3/DHE-DSS/DES40-CBC/SHA
                (0x000008) SSL3/RSA/DES40-CBC/SHA
                (0x000006) SSL3/RSA/RC2CBC40/MD5
                (0x040080) SSL2/RSA/RC2CBC40/MD5
                (0x000003) SSL3/RSA/RC4-40/MD5
                (0x020080) SSL2/RSA/RC4-40/MD5
                (0x0000ff) TLS_EMPTY_RENEGOTIATION_INFO_SCSV
                }
           session-id = { }
           challenge = { 0xce62 0x904b 0x15d4 0x2915 0x0028 0x54e5 0xec2f
0x6eeb 0x9da4 0x3458 0xa686 0x6178 0xebd5 0x3924 0x7c6d 0x2435 }
}
]
<-- [
(2481 bytes of 2476)
SSLRecord { [Mon Nov  8 17:49:27 2010]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 2476 (0x9ac)
   handshake {
      type = 2 (server_hello)
      length = 77 (0x00004d)
         ServerHello {
            server_version = {3, 1}
            random = {...}
            session ID = {
                length = 32
                contents = {...}
            }
            cipher_suite = (0x0035) TLS/RSA/AES256-CBC/SHA
            compression method = (00) NULL
            extensions[5] = {
              extension type renegotiation_info, length [1] = {
   0: 00                                                  | .
              }
            }
         }
      type = 11 (certificate)
      length = 2387 (0x000953)
         CertificateChain {
            chainlength = 2384 (0x0950)
            Certificate {
               size = 1354 (0x054a)
               data = { saved in file 'cert.001' }
            }
            Certificate {
               size = 1024 (0x0400)
               data = { saved in file 'cert.002' }
            }
         }
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
--> [
(326 bytes of 262, with 59 left over)
SSLRecord { [Mon Nov  8 17:49:27 2010]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 262 (0x106)
   handshake {
      type = 16 (client_key_exchange)
      length = 258 (0x000102)
         ClientKeyExchange {
            message = {...}
         }
   }
}
(326 bytes of 1, with 53 left over)
SSLRecord { [Mon Nov  8 17:49:27 2010]
   type    = 20 (change_cipher_spec)
   version = { 3,1 }
   length  = 1 (0x1)
}
(326 bytes of 48)
SSLRecord { [Mon Nov  8 17:49:27 2010]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 48 (0x30)
            < encrypted >
}
]
<-- [
(7 bytes of 2)
SSLRecord { [Mon Nov  8 17:49:27 2010]
   type    = 21 (alert)
   version = { 3,1 }
   length  = 2 (0x2)
   fatal: bad_record_mac
}
]
Read EOF on Client socket. [Mon Nov  8 17:49:27 2010]
Read EOF on Server socket. [Mon Nov  8 17:49:27 2010]
Connection 1 Complete [Mon Nov  8 17:49:27 2010]

And my debug output contains (with nss and httpd set to debug to same file):

[Mon Nov 08 17:47:02 2010] [notice] SELinux policy enabled; httpd running as
context unconfined_u:system_r:httpd_t:s0
[Mon Nov 08 17:47:02 2010] [notice] suEXEC mechanism enabled (wrapper:
/usr/sbin/suexec)
[Mon Nov 08 17:47:02 2010] [info] Initializing SSL Session Cache of size
10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Mon Nov 08 17:47:13 2010] [info] Init: Seeding PRNG with 136 bytes of
entropy
[Mon Nov 08 17:47:13 2010] [info] Init: Initializing (virtual) servers for
SSL
[Mon Nov 08 17:47:13 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:13 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:13 2010] [debug] nss_engine_init.c(783): FIPS mode
enabled, permitted SSL ciphers are:
[+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:13 2010] [debug] nss_engine_init.c(788): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:13 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:13 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:13 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:13 2010] [info] Server: Apache/2.2.15, Interface:
mod_nss/2.2.15, Library: NSS/3.12.6.2
[Mon Nov 08 17:47:13 2010] [info] Shutting down SSL Session ID Cache
[Mon Nov 08 17:47:13 2010] [notice] Digest: generating secret for digest
authentication ...
[Mon Nov 08 17:47:13 2010] [notice] Digest: done
[Mon Nov 08 17:47:13 2010] [debug] util_ldap.c(1990): LDAP merging Shared
Cache conf: shm=0xb75a9b08 rmm=0xb75a9b38 for VHOST:
f14-apache-nssmod.cglidden.local
[Mon Nov 08 17:47:13 2010] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Mon Nov 08 17:47:13 2010] [info] LDAP: SSL support available
[Mon Nov 08 17:47:13 2010] [info] Initializing SSL Session Cache of size
10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Mon Nov 08 17:47:14 2010] [info] Server: Apache/2.2.15, Interface:
mod_nss/2.2.15, Library: NSS/3.12.6.2
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 2863 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 2863 for (*)
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 2866 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 2867 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 2868 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 2865 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 2865 for (*)
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 2864 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 2864 for (*)
[Mon Nov 08 17:47:14 2010] [notice] Apache/2.2.16 (Unix) DAV/2
mod_nss/2.2.15 NSS/3.12.6.2 configured -- resuming normal operations
[Mon Nov 08 17:47:14 2010] [info] Server built: Jul 26 2010 09:13:08
[Mon Nov 08 17:47:14 2010] [debug] prefork.c(1013): AcceptMutex: sysvsem
(default: sysvsem)
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 2866 for (*)
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 2867 for (*)
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 2868 for (*)
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 2870 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 2869 for worker proxy:reverse
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 2869 for (*)
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 2870 for (*)
[Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of
entropy
[Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode
enabled, permitted SSL ciphers are:
[+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of
entropy
[Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode
enabled, permitted SSL ciphers are:
[+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of
entropy
[Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode
enabled, permitted SSL ciphers are:
[+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of
entropy
[Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode
enabled, permitted SSL ciphers are:
[+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of
entropy
[Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode
enabled, permitted SSL ciphers are:
[+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of
entropy
[Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode
enabled, permitted SSL ciphers are:
[+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:16 2010] [info] Init: Seeding PRNG with 136 bytes of
entropy
[Mon Nov 08 17:47:16 2010] [info] Configuring server for SSL protocol
[Mon Nov 08 17:47:16 2010] [info] In FIPS mode, enabling TLSv1
[Mon Nov 08 17:47:16 2010] [debug] nss_engine_init.c(783): FIPS mode
enabled, permitted SSL ciphers are:
[+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:16 2010] [debug] nss_engine_init.c(788): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Nov 08 17:47:16 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:16 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this
is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:16 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:46 2010] [error] Unable to read from pin store for slot:
NSSOCS APR err: 70007
[Mon Nov 08 17:48:18 2010] [info] Connection to child 2 established (server
f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199)
[Mon Nov 08 17:48:18 2010] [info] SSL input filter read failed.
[Mon Nov 08 17:48:18 2010] [error] SSL Library Error: -12273 SSL has
received a record with an incorrect Message Authentication Code
[Mon Nov 08 17:48:18 2010] [info] Connection to child 2 closed (server
f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199)
[Mon Nov 08 17:49:22 2010] [info] Connection to child 0 established (server
f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199)
[Mon Nov 08 17:49:22 2010] [info] SSL input filter read failed.
[Mon Nov 08 17:49:22 2010] [error] SSL Library Error: -12273 SSL has
received a record with an incorrect Message Authentication Code
[Mon Nov 08 17:49:22 2010] [info] Connection to child 0 closed (server
f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199)
[Mon Nov 08 17:49:27 2010] [info] Connection to child 3 established (server
f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220)
[Mon Nov 08 17:49:27 2010] [info] SSL input filter read failed.
[Mon Nov 08 17:49:27 2010] [error] SSL Library Error: -12273 SSL has
received a record with an incorrect Message Authentication Code
[Mon Nov 08 17:49:27 2010] [info] Connection to child 3 closed (server
f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220)

A reference to "Unable to read from pin store for slot: NSSOCS APR err:
70007" jumps out at me.  Maybe nss_pcache is having problems?

I am not sure - any time or help that you can offer would be appreciated.
Any additional debug that would help you should be easy for me to collect.

Thank you,

Chris

On Thu, Nov 4, 2010 at 5:29 PM, Christopher Glidden <cglidden at gmail.com> wrote:

> Hi All,
>
> I am having some trouble getting mod_nss in fips mode to work with my
> hardware pkcs#11 token.
>
> I actually think I am having more of a nss.conf issue than anything between
> nss and my token.  Private key and certificate fulfillment/import from my CA
> seem to be just fine.
>
> What is the best way to go about getting a little help?  What information
> (config, logs, ssltap output, etc.) should I provide?
>
> Also, I am currently using the NSS components that shipped with Red Hat 5
> (although I must admit I am using CentOS right now - I hope that doesn't affect
> the likelihood of receiving a response).
>
> [cglidden at el55-apache-nssmod ~]$ sudo yum info nss nss-tools mod_nss nspr
> httpd | grep -C2 Version
> Name       : httpd
> Arch       : i386
> Version    : 2.2.3
> Release    : 43.el5.centos
> Size       : 3.1 M
> --
> Name       : mod_nss
> Arch       : i386
> Version    : 1.0.3
> Release    : 8.el5
> Size       : 197 k
> --
> Name       : nspr
> Arch       : i386
> Version    : 4.7.6
> Release    : 1.el5_4
> Size       : 245 k
> --
> Name       : nss
> Arch       : i386
> Version    : 3.12.3.99.3
> Release    : 1.el5.centos.2
> Size       : 2.6 M
> --
> Name       : nss-tools
> Arch       : i386
> Version    : 3.12.3.99.3
> Release    : 1.el5.centos.2
> Size       : 2.9 M
>
> Are there any known issues with these versions that I should avoid right
> away?  I am using these versions because my customer has indicated a
> preference.  If I have a good argument for it, we'll upgrade to better
> versions.
>
> Thanks,
>
> Chris
>
> --
> ~~~~~~~~~~~~~~~~~~
>   Christopher Glidden
>   cglidden at gmail.com
> ~~~~~~~~~~~~~~~~~~
>



-- 
~~~~~~~~~~~~~~~~~~
  Christopher Glidden
  cglidden at gmail.com
  P: 857-222-4269
~~~~~~~~~~~~~~~~~~
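Log triage for the debug output quoted in the post, as an added example that is not part of the original thread: it parses mod_nss error-log lines (the sample below is constructed to mirror the entries in the post, with wrapped lines re-joined) and correlates the pin-store failure on the slot that holds the server certificate with the later -12273 (incorrect MAC) errors per client.

```python
import re

# Constructed sample mirroring the thread's log entries (wrapped lines re-joined).
SAMPLE_LOG = """\
[Mon Nov 08 17:47:13 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:13 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling.
[Mon Nov 08 17:47:13 2010] [info] Using nickname NSSOCS:f14-apache-nssmod.
[Mon Nov 08 17:47:46 2010] [error] Unable to read from pin store for slot: NSSOCS APR err: 70007
[Mon Nov 08 17:48:18 2010] [info] Connection to child 2 established (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199)
[Mon Nov 08 17:48:18 2010] [info] SSL input filter read failed.
[Mon Nov 08 17:48:18 2010] [error] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code
[Mon Nov 08 17:48:18 2010] [info] Connection to child 2 closed (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199)
[Mon Nov 08 17:49:27 2010] [info] Connection to child 3 established (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220)
[Mon Nov 08 17:49:27 2010] [error] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code
[Mon Nov 08 17:49:27 2010] [info] Connection to child 3 closed (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220)
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
NON_FIPS = re.compile(r"Cipher (?P<cipher>\S+) is enabled but this is not a FIPS cipher")
NICKNAME = re.compile(r"Using nickname (?P<slot>[^:\s]+):(?P<nick>.+?)\.?$")
PIN_STORE = re.compile(r"Unable to read from pin store for slot: (?P<slot>\S+) APR err: (?P<err>\d+)")
CONN_OPEN = re.compile(r"Connection to child (?P<child>\d+) established \(server \S+, client (?P<client>\S+)\)")
SSL_ERR = re.compile(r"SSL Library Error: (?P<code>-?\d+)")


def triage(log_text):
    """Parse mod_nss error-log text and correlate token/pin problems with per-connection SSL errors."""
    report = {"disabled_non_fips": set(), "token_slots": {}, "pin_store_errors": [],
              "ssl_errors": [], "findings": []}
    current = (None, None)  # (child, client) of the most recently established connection
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        hit = NON_FIPS.search(msg)
        if hit:  # logged once per httpd child, so collect into a set
            report["disabled_non_fips"].add(hit.group("cipher"))
            continue
        hit = NICKNAME.search(msg)
        if hit:  # which PKCS#11 slot holds the server certificate
            report["token_slots"][hit.group("slot")] = hit.group("nick")
            continue
        hit = PIN_STORE.search(msg)
        if hit:
            report["pin_store_errors"].append((hit.group("slot"), int(hit.group("err"))))
            continue
        hit = CONN_OPEN.search(msg)
        if hit:
            current = (int(hit.group("child")), hit.group("client"))
            continue
        hit = SSL_ERR.search(msg)
        if hit:  # the error line carries no child id, so attribute it to the open connection
            report["ssl_errors"].append({"ts": ts, "code": int(hit.group("code")),
                                         "child": current[0], "client": current[1]})
    # Correlate: a pin-store failure on the slot holding the server cert, followed by
    # -12273 (record with an incorrect MAC) from every client, points at the token/pin path.
    bad_slots = {s for s, _ in report["pin_store_errors"]} & set(report["token_slots"])
    mac_failures = [e for e in report["ssl_errors"] if e["code"] == -12273]
    if bad_slots and mac_failures:
        report["findings"].append(
            "pin store unreadable for slot(s) %s holding the server certificate; %d later "
            "connection(s) from %s failed with SSL error -12273 (incorrect MAC). Check "
            "nss_pcache and the pin file for that slot before re-tuning ciphers."
            % (sorted(bad_slots), len(mac_failures), sorted({e["client"] for e in mac_failures})))
    return report
```

Run `triage(open("/var/log/httpd/error_log").read())["findings"]` against a real mod_nss debug log; an empty list means no pin-store error was seen on the certificate's slot.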