From rcritten at redhat.com Wed Sep 1 12:59:01 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 01 Sep 2010 08:59:01 -0400
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication
In-Reply-To: <4C7BA2E0.8000209@indenova.com>
References: <4C7BA2E0.8000209@indenova.com>
Message-ID: <4C7E4E15.10406@redhat.com>
Tomás Tormo wrote:
> Greetings
>
> I'm trying to configure mod_nss in Apache in order to use it as my
> client certificate authentication mechanism, but I'm having problems
> with it.
>
> I'd like to use client authentication in some parts of a website, so I
> tried to do it as with mod_ssl, using the Location directive with the
> NSSVerifyClient require directive inside, but it never works. I always
> get this error:
>
> [Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation
> [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing
> full renegotiation: complete handshake protocol
> [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting
> re-negotiation handshake
> [Mon Aug 30 14:17:34 2010] [info] Read error -12176
> [Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not
> accepted by client!?
> [Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client
> 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer:
> https://amsterdam/
> [Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input
> filter read failed.
> [Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server
> amsterdam:443, client 192.168.125.53)
>
> After this, I checked the documentation and it says I can work
> per-server or per-directory context. So I tried to do it per-server
> and it works perfectly, but, as I told you, this is not the solution
> I'm looking for, so I tried to configure it per-directory, but it
> doesn't work either.
>
> Here I attach my per-directory configuration. It's just a test but this
> is more or less how it should look at the end:
>
>
>
> /
>
> ServerName amsterdam
>
> LogLevel debug
> ErrorLog /var/log/apache2/testmodnss/error.log
> CustomLog /var/log/apache2/testmodnss/access.log combined
> DocumentRoot /var/www/testmodnss
>
> # ssl
> NSSEngine on
> RewriteEngine on
> NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> NSSProtocol All
>
> ## Certificate database. It contains both public and private key of the
> ssl server. It also contains the CA certificate of the allowed client
> certificates
> NSSCertificateDatabase /etc/apache2/certs/nss/
>
> NSSNickName Server-Cert
>
>
> # ssl client
>
>
>
> AllowOverride all
> NSSVerifyClient require
> NSSOptions +ExportCertData
> NSSOptions +StdEnvVars
>
>
>
>
>
> NSSPassPhraseHelper /usr/sbin/nss_pcache
>
> /
>
> Could you please help me?
>
> Thank you very much
Sorry for the delayed response.
What version of mod_nss and which browser (and version) are you using? I
wonder if you have a newer browser and an older mod_nss and are bumping
into the SSL renegotiation changes that went into the NSS crypto system
to handle http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555.
This KB article includes some tuning information for NSS in general:
https://access.redhat.com/kb/docs/DOC-20491
The latest mod_nss provides some tuning knobs for this as mentioned by
Luis (NSSRenegotiation and NSSRequireSafeNegotiation) that are
equivalent to the environment variables in the KB article, just more
convenient. mod_nss defaults to SSL_RENEGOTIATE_NEVER and setting
NSSRenegotiation is the equivalent of SSL_RENEGOTIATE_REQUIRES_XTN.
So this is a long way of saying, try adding export
NSS_SSL_ENABLE_RENEGOTIATION=u or NSS_SSL_ENABLE_RENEGOTIATION=r to your
Apache environment (/etc/sysconfig/httpd on Red Hat and Fedora systems).
I'll be away again until next week in case you have any follow-up questions.
rob
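An added example, not taken from the thread or from the mod_nss documentation, of the two forms Rob's advice takes: the environment variable for an older mod_nss, and the directives for a newer one, placed next to the per-Location NSSVerifyClient layout that forces the server-initiated renegotiation in the first place. The vhost values are Tomás's; the Debian envvars path, the TLSv1-only NSSProtocol and the shortened cipher list are assumptions of mine, and whether either form cures the failure depends on the client supporting RFC 5746 secure renegotiation (Luis reports below that it did not help in his case).

```apache
# Option 1: mod_nss too old for the NSSRenegotiation directives (Tomás's
# Apache rejects them). Set NSS's global renegotiation policy in the httpd
# environment instead: /etc/sysconfig/httpd on Red Hat/Fedora,
# /etc/apache2/envvars on Debian/Ubuntu (assumed), then restart httpd;
# a reload does not re-read the environment.
#
#     export NSS_SSL_ENABLE_RENEGOTIATION=r
#
# "r" = SSL_RENEGOTIATE_REQUIRES_XTN: renegotiate only with peers whose hello
# carried the renegotiation_info extension (RFC 5746). "u" = unrestricted
# renegotiation, the pre-CVE-2009-3555 behaviour: it silences the error for
# old clients but reopens the plaintext-injection attack. Do not use it.

# Option 2: a mod_nss that knows the directives. Same policy, set per vhost.
<VirtualHost *:443>
    ServerName amsterdam
    DocumentRoot /var/www/testmodnss

    NSSEngine on
    NSSCertificateDatabase /etc/apache2/certs/nss/
    NSSNickName Server-Cert
    NSSPassPhraseHelper /usr/sbin/nss_pcache
    NSSProtocol TLSv1
    NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha,+rsa_3des_sha

    # Default is off (SSL_RENEGOTIATE_NEVER), so the server-initiated
    # renegotiation that the <Location> below needs never completes and the
    # connection is closed, as in the log above. "on" permits it, but only
    # with clients whose hello carried renegotiation_info.
    NSSRenegotiation on
    # Stricter still: refuse even the initial handshake from clients that
    # sent neither the extension nor the SCSV. Pre-RFC 5746 clients cannot
    # connect at all; leave it off if such clients must keep working.
    NSSRequireSafeNegotiation on

    # Nothing is asked of the client in the initial handshake...
    NSSVerifyClient none

    # ...so the first request under /files makes mod_nss renegotiate the
    # whole connection in order to request a certificate. That renegotiation
    # is the step the error log shows failing.
    <Location /files>
        NSSVerifyClient require
        NSSOptions +StdEnvVars
        NSSOptions +ExportCertData
    </Location>
</VirtualHost>
```

Whichever form is used, check the result in the same debug log: the thing to look for is whether "Awaiting re-negotiation handshake" is still followed by "Read error -12176" when /files is requested.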
From luisneves at hotmail.com Thu Sep 2 08:15:45 2010
From: luisneves at hotmail.com (Luis Neves)
Date: Thu, 2 Sep 2010 08:15:45 +0000
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication
In-Reply-To: <4C7CCCEE.6070203@indenova.com>
References: <4C7BA2E0.8000209@indenova.com>, <4C7CBA7E.3040800@indenova.com>, <4C7CC029.5090201@indenova.com>, <4C7CCCEE.6070203@indenova.com>
Message-ID:
Tomás, here it is the same, and the problem is this (it happens also with mod_ssl):
SSLVerifyClient fails when inside <Location>
http://www.linode.com/forums/viewtopic.php?t=5115
Will try to post in the ssl list as well to see if someone helps with this.
Luis
Date: Tue, 31 Aug 2010 11:35:42 +0200
From: ttormo at indenova.com
To: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
Thank you very much for your help Luis
I changed the <Directory> directive to <Location> again. I realized I did a
really bad copy-paste, because the <Location> directive needs a URL (in
this case /files) instead of a directory. So, if I left the
configuration just like before, Apache let me go to the web page without
asking for the certificate. This was because I didn't request a
location "/var/www/testmodnss/files" (what's more, it doesn't exist).
So I changed the location to "/files" and I get the error again...
I also tried all you told me but I still get the error... :(
This is how my configuration looks now (I didn't put in the NSSRenegotiation
off and NSSRequireSafeNegotiation off directives because
Apache gives me an error at startup saying they are not recognized
:S)
ServerName amsterdam
LogLevel debug
ErrorLog /var/log/apache2/testmodnss/error.log
CustomLog /var/log/apache2/testmodnss/access.log combined
DocumentRoot /var/www/testmodnss
# ssl
NSSEngine on
RewriteEngine on
NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
#NSSProtocol All
NSSProtocol SSLv3,TLSv1
## Certificate database. It contains both public and private key of the
ssl server. It also contains the CA certificate of the allowed client
certificates
NSSCertificateDatabase /etc/apache2/certs/nss/
NSSNickName Server-Cert
# ssl client
<Location /files>
NSSVerifyClient require
NSSOptions +ExportCertData
NSSOptions +StdEnvVars
</Location>
NSSPassPhraseHelper /usr/sbin/nss_pcache
On 31/08/10 11:26, Luis Neves wrote:
or
NSSProtocol SSLv3,TLSv1
I am unable to test location today as I forgot my card at home...
But I think location has to work; your error seems to be something related to
a "protocol re-negotiation error"...
Luis
From: luisneves at hotmail.com
To: ttormo at indenova.com
Date: Tue, 31 Aug 2010 09:16:46 +0000
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate
Authentication
try this!
# Only renegotiate if the peer's hello bears the TLS renegotiation_info
# extension. Default off.
NSSRenegotiation off
# Peer must send Signaling Cipher Suite Value (SCSV) or
# Renegotiation Info (RI) extension in ALL handshakes. Default: off
NSSRequireSafeNegotiation off
Date: Tue, 31 Aug 2010 10:41:13 +0200
From: ttormo at indenova.com
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate
Authentication
No... It didn't work with location either.
But maybe if I follow your approach it could work for me as well...
On 31/08/10 10:36, Luis Neves wrote:
But after fixing "location" it worked??
No, for now I really didn't need that.
I am trying to make a reverse proxy to protect internal pages and give
them access via some smartcards, but boy, I have had so many problems so far
that I was almost quitting on this...!
Luis
Date: Tue, 31 Aug 2010 10:17:02 +0200
From: ttormo at indenova.com
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate
Authentication
Wow!! Actually I had the Directory directive instead of Location at that
moment (I was just trying that). I made a copy-paste and changed it
on-the-fly but I guess I didn't realize about the first
... hehehe sorry
So... do you do something similar in your virtual host? I mean, do you
need users to use a client certificate only in some parts of the
website?
Thank you very much
On 31/08/10 10:11, Luis Neves wrote:
Hi Tomás,
Something is missing from your post, like the first location, etc., but
anyway, is it when using the "location" tag that it gives the problem? I
don't use it but will make a test to see what happens here.
Luis
Date: Mon, 30 Aug 2010 14:24:00 +0200
From: ttormo at indenova.com
To: mod_nss-list at redhat.com
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication
Greetings
I'm trying to configure mod_nss in Apache in order to use it as my
client certificate authentication mechanism, but I'm having problems
with it.
I'd like to use client authentication in some parts of a website, so
I tried to do it as with mod_ssl, using the Location directive with the
NSSVerifyClient require directive inside, but it never works. I always
get this error:
[Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation
[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing
full renegotiation: complete handshake protocol
[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting
re-negotiation handshake
[Mon Aug 30 14:17:34 2010] [info] Read error -12176
[Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not
accepted by client!?
[Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client
192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer: https://amsterdam/
[Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input
filter read failed.
[Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server
amsterdam:443, client 192.168.125.53)
After this, I checked the documentation and it says I can work
per-server or per-directory context. So I tried to do it per-server
and it works perfectly, but, as I told you, this is not the solution
I'm looking for, so I tried to configure it per-directory, but it
doesn't work either.
Here I attach my per-directory configuration. It's just a test but this
is more or less how it should look at the end:
ServerName amsterdam
LogLevel debug
ErrorLog /var/log/apache2/testmodnss/error.log
CustomLog /var/log/apache2/testmodnss/access.log combined
DocumentRoot /var/www/testmodnss
# ssl
NSSEngine on
RewriteEngine on
NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol All
## Certificate database. It contains both public and private key of the
ssl server. It also contains the CA certificate of the allowed client
certificates
NSSCertificateDatabase /etc/apache2/certs/nss/
NSSNickName Server-Cert
# ssl client
AllowOverride all
NSSVerifyClient require
NSSOptions +ExportCertData
NSSOptions +StdEnvVars
NSSPassPhraseHelper /usr/sbin/nss_pcache
Could you please help me?
Thank you very much
--
Regards,
Tomás Tormo Franco
Systems department
INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48
ttormo at indenova.com
http://www.indenova.com
Download the free eSigna Viewer software to view electronically signed documents: http://www.indenova.com/eSignaViewer.php
_______________________________________________
Mod_nss-list mailing list Mod_nss-list at redhat.com https://www.redhat.com/mailman/listinfo/mod_nss-list
From luisneves at hotmail.com Thu Sep 2 08:36:20 2010
From: luisneves at hotmail.com (Luis Neves)
Date: Thu, 2 Sep 2010 08:36:20 +0000
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication
In-Reply-To: <4C7E4E15.10406@redhat.com>
References: <4C7BA2E0.8000209@indenova.com>,<4C7E4E15.10406@redhat.com>
Message-ID:
Hi Rob, indeed I've tested it myself and have the same renegotiation error as well.
Played with the settings I told Tomás about but still got the problem.
Played with the Apache env variables you mentioned but to no avail, same problem.
Will read your link carefully but it looks like the only solution is avoiding at all costs using VerifyClient inside Location tags... :(
Luis
From luisneves at hotmail.com Thu Sep 2 09:31:04 2010
From: luisneves at hotmail.com (Luis Neves)
Date: Thu, 2 Sep 2010 09:31:04 +0000
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication
In-Reply-To:
References: <4C7BA2E0.8000209@indenova.com>, <4C7CBA7E.3040800@indenova.com>, <4C7CC029.5090201@indenova.com>, <4C7CCCEE.6070203@indenova.com>
Message-ID:
In the link provided by Rob:

Client-initiated renegotiations disabled in mod_ssl

Updated httpd packages were released that change mod_ssl to reject all client-initiated renegotiations, which mitigates this flaw for the majority of configurations using mod_ssl to provide HTTPS service. However, an attack is still possible in configurations where server-initiated renegotiations are required. Configurations still affected by the issue are typically where:

- Client certificate authentication is used for some part of the site, but is not required by default. This happens when "SSLVerifyClient require" is configured in a <Location> or <Directory> context section, but not in the corresponding <VirtualHost> for the SSL server.
- Different cipher suites are required for different parts of the web site. Cipher suite requirements can be configured per-server or per-directory context using the SSLCipherSuite directive.

Server-initiated renegotiations can be avoided by:

- Changing the site layout so that client certificate authentication is required for the whole site, rather than only a part. In other words, so that "SSLVerifyClient" is used only when directly inside a <VirtualHost> section.
- Using the same cipher suite for the whole site. The highest cipher strength requirement of all directories and locations should be set in the <VirtualHost> section.
From luisneves at hotmail.com Thu Sep 2 10:07:18 2010
From: luisneves at hotmail.com (Luis Neves)
Date: Thu, 2 Sep 2010 10:07:18 +0000
Subject: [Mod_nss-list] Problem configuring Client certificate Authentication
In-Reply-To:
References: <4C7BA2E0.8000209@indenova.com>, <4C7E4E15.10406@redhat.com>
Message-ID:
Hi again! Sorry everybody for so many posts.
Hi Tomás,
What seems to be the best practice in this case is
putting NSSVerifyClient optional outside <Location> and then playing with SSLRequire (or NSSRequire in the mod_nss case),
for example:
NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
and %{SSL_CLIENT_S_DN_O} eq "mycompany" \
and %{SSL_CLIENT_S_DN_OU} in {"myrole"})
or:
NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
or using a virtual host just for the authenticated part of the site.
Cheers,
Luis
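As an added example, not code from the thread or from the mod_nss project, here is a complete vhost in the layout Luis recommends above and the Red Hat KB article quoted earlier describes: the client certificate is requested once, in the initial handshake for the whole vhost, so no server-initiated renegotiation ever happens, and access to the protected path is decided per request with NSSRequire. A second, port-based vhost shows the other layout the KB suggests, requiring the certificate for a whole separate site. The private DocumentRoot, port 8443 and the organisation name in the NSSRequire expression are assumptions; the cipher list deliberately drops the NULL and 40-bit export suites present in Tomás's original NSSCipherSuite line, since an "authenticated" session over rsa_null_sha or rsa_rc4_40_md5 is unencrypted or trivially breakable.

```apache
# Layout A: one vhost, certificate requested up front, enforced per location.
<VirtualHost *:443>
    ServerName amsterdam
    DocumentRoot /var/www/testmodnss

    NSSEngine on
    NSSCertificateDatabase /etc/apache2/certs/nss/
    NSSNickName Server-Cert
    NSSPassPhraseHelper /usr/sbin/nss_pcache
    NSSProtocol TLSv1
    # No NULL or export suites (assumed list): they would let a client count
    # as "authenticated" while the session itself is unprotected.
    NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha,+rsa_3des_sha

    # Ask every client for a certificate during the initial handshake, but let
    # clients without one continue. Because the request is made in the first
    # handshake, nothing has to be renegotiated later for /files.
    # A certificate that is presented is still verified against the CAs in the
    # NSS database; SSL_CLIENT_VERIFY is "SUCCESS" only when that passed.
    NSSVerifyClient optional
    NSSOptions +StdEnvVars
    NSSOptions +ExportCertData

    # Everything outside /files is public: served with or without a
    # certificate. Only the protected path gets an access rule.
    # NSSRequire answers 403 when the expression is false; it never
    # triggers a renegotiation. "mycompany" is an assumed organisation name.
    <Location /files>
        NSSRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
                   and %{SSL_CLIENT_S_DN_O} eq "mycompany"
    </Location>
</VirtualHost>

# Layout B: the protected content on its own vhost that requires the
# certificate for everything, so again no renegotiation. A separate port
# keeps it independent of name-based (SNI) vhost selection.
Listen 8443
<VirtualHost *:8443>
    ServerName amsterdam
    DocumentRoot /var/www/testmodnss-private

    NSSEngine on
    NSSCertificateDatabase /etc/apache2/certs/nss/
    NSSNickName Server-Cert
    NSSPassPhraseHelper /usr/sbin/nss_pcache
    NSSProtocol TLSv1
    NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha,+rsa_3des_sha

    # Required at vhost level, i.e. in the initial handshake of every connection.
    NSSVerifyClient require
    NSSOptions +StdEnvVars
    NSSOptions +ExportCertData
</VirtualHost>
```

The trade-off of layout A is user-facing: with NSSVerifyClient optional, a browser holding a matching certificate is prompted for it on its first connection to any page of the vhost, not only under /files, and a client that has none gets a 403 from /files rather than a certificate prompt. A quick check of either layout is a request to the protected path without a client certificate (expect 403 on layout A, a handshake failure on layout B) and then with one issued by the CA in the NSS database (expect 200), while watching the debug log for any "Requesting connection re-negotiation" line; with these layouts there should be none.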
From: luisneves at hotmail.com
To: rcritten at redhat.com; ttormo at indenova.com
Date: Thu, 2 Sep 2010 08:36:20 +0000
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
Hi Robe, indeed Ive tested by myself and have the same renegotiation error as well
Played with the settings Ive told to Tomas but still got the problem
Played with the Apache env variables you mentioned but to no avail, same problem.
Will read carefully your link but it looks the only solution is avoiding at all costs using verifyclient inside location tags... :(
Luis
_______________________________________________
Mod_nss-list mailing list
Mod_nss-list at redhat.com
https://www.redhat.com/mailman/listinfo/mod_nss-list
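Luis's first pattern, written out as a complete mod_nss virtual host. This is an added example, not configuration from the thread. NSSVerifyClient optional at the server level means the certificate is requested once, in the initial handshake, so no renegotiation is ever needed and the NSS default of never renegotiating can stay in force; the price, as Tomás notes later, is that every visitor gets the browser's certificate prompt on the first connection. The decision is then made per Location with NSSRequire, which takes the same boolean expression syntax as mod_ssl's SSLRequire. The host name, DocumentRoot, certificate database and nickname come from Tomás's configuration; the /files path (from the log he posted) and the "mycompany" organisation value are assumptions. The cipher list keeps only the AES and 3DES suites from his list and explicitly turns off the NULL, 40/56-bit export, RC4 and Fortezza suites it enables, so the `!~ m/^(EXP|NULL)/` clause becomes a second line of defence rather than the only thing between a NULL-cipher session and the protected directory.

```apache
<VirtualHost *:443>
    ServerName amsterdam
    DocumentRoot /var/www/testmodnss

    NSSEngine on
    # TLS only. mod_nss 1.0.8 only knows the tokens SSLv3 and TLSv1; newer
    # releases also accept TLSv1.0,TLSv1.1,TLSv1.2, which is what you want there.
    NSSProtocol TLSv1
    # Same suite names as the original list, but the NULL, export-grade, RC4,
    # single-DES and Fortezza entries are now disabled instead of enabled.
    NSSCipherSuite -rsa_null_md5,-rsa_null_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_rc4_56_sha,-rsa_des_56_sha,-rsa_des_sha,-rsa_rc4_128_md5,-rsa_rc4_128_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,-fips_3des_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_3des_sha

    NSSCertificateDatabase /etc/apache2/certs/nss/
    NSSNickName Server-Cert
    NSSPassPhraseHelper /usr/sbin/nss_pcache

    # Server-wide: ask for a client certificate in the first handshake, but do
    # not refuse the connection if none is presented. A certificate that is
    # presented must still chain to a CA in the certificate database, otherwise
    # SSL_CLIENT_VERIFY is not "SUCCESS".
    NSSVerifyClient optional
    NSSOptions +StdEnvVars

    # Only this part of the site needs a verified certificate. There is no
    # NSSVerifyClient in here, so no renegotiation is triggered: the check runs
    # against the result of the initial handshake. /files is an assumed path.
    <Location /files>
        NSSRequireSSL
        NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
                     and %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
                     and %{SSL_CLIENT_S_DN_O} eq "mycompany" )
    </Location>
</VirtualHost>
```

Everything outside /files is reachable with or without a certificate; anything inside it answers 403 unless the handshake produced a verified certificate from the expected organisation. If the prompt-on-first-visit behaviour is unacceptable, the remaining options are Luis's third suggestion (a separate virtual host for the authenticated part) or enabling renegotiation, which brings the CVE-2009-3555 considerations Rob raised.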
From ttormo at indenova.com Fri Sep 3 06:33:48 2010
From: ttormo at indenova.com (=?ISO-8859-1?Q?Tom=E1s_Tormo?=)
Date: Fri, 03 Sep 2010 08:33:48 +0200
Subject: [Mod_nss-list] Problem configuring Client certificate
Authentication
In-Reply-To:
References: <4C7BA2E0.8000209@indenova.com>, <4C7E4E15.10406@redhat.com>,
Message-ID: <4C8096CC.6060203@indenova.com>
First of all, thank you very much to both of you for your help.
Yesterday I had a meeting the whole day; that's why I couldn't answer the emails...
Currently, I'm doing all my tests on Ubuntu Linux 10.04, using Apache 2.2.14 with mod_nss 1.0.8. I downloaded the source from http://directory.fedoraproject.org/wiki/Mod_nss and compiled it. The SSL connection is working... but I have the problem I told you about with the SSL client.
After all the emails, I'm trying the last solution, the one Luis told me. I tried to use the directive
NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
and it works... but it also asks for the certificate the first time you connect... I would like it to ask for the certificate just when the user clicks some link (I got it working with mod_ssl). Do you know any solution for this?
By the way... which language is the one NSSRequire is using for the conditions?
Thank you very much. I'll continue with the research.
--
Regards,
Tomás Tormo Franco
Systems department
INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48
ttormo at indenova.com
http://www.indenova.com
Download the free eSigna Viewer software to view electronically signed documents: http://www.indenova.com/eSignaViewer.php
From ttormo at indenova.com Fri Sep 3 07:33:57 2010
From: ttormo at indenova.com (=?ISO-8859-1?Q?Tom=E1s_Tormo?=)
Date: Fri, 03 Sep 2010 09:33:57 +0200
Subject: [Mod_nss-list] Problem configuring Client certificate
Authentication
In-Reply-To: <4C8096CC.6060203@indenova.com>
References: <4C7BA2E0.8000209@indenova.com>, <4C7E4E15.10406@redhat.com>,
<4C8096CC.6060203@indenova.com>
Message-ID: <4C80A4E5.9070305@indenova.com>
Well... I made it work!!!
I hadn't tried Rob's solution yet... but when I tried it, it worked like a charm.
The problem is that in Ubuntu you don't have the /etc/sysconfig/httpd directory (it is supposed to be /etc/default/apache, but it doesn't work there...), so I had to set the environment variable in the init script (/etc/init.d/apache2).
So now, my test virtualhost looks like this:
ServerName amsterdam
LogLevel debug
ErrorLog /var/log/apache2/testmodnss/error.log
CustomLog /var/log/apache2/testmodnss/access.log combined
DocumentRoot /var/www/testmodnss
# ssl
NSSEngine on
RewriteEngine on
NSSCipherSuite
-des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
## Certificate database. It contains both public and private key of the
ssl server. It also contains the CA certificate of the allowed client
certificates
NSSCertificateDatabase /etc/apache2/certs/nss/
NSSNickName Server-Cert
# ssl client
NSSRequireSSL
NSSVerifyClient require
NSSPassPhraseHelper /usr/sbin/nss_pcache
Quite simple now... isn't it?
And, what's more, the certificates that weren't working with mod_ssl (Luis knows what I'm talking about ;) ) now work.
Thank you very much once more!!!
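Tomás's fix works by exporting NSS_SSL_ENABLE_RENEGOTIATION from /etc/init.d/apache2, and the value chosen matters. r (SSL_RENEGOTIATE_REQUIRES_XTN) lets the server renegotiate only with a peer that negotiated the RFC 5746 renegotiation_info extension, while u (SSL_RENEGOTIATE_UNRESTRICTED) also accepts the legacy renegotiation that CVE-2009-3555 exploits, which is exactly what the NSS default of never renegotiating was protecting against. With the NSSRenegotiation and NSSRequireSafeNegotiation directives Rob mentioned (present in the mod_nss 1.0.8 Tomás built), the same choice lives in the virtual host rather than in an init script that the next package upgrade can overwrite. What follows is an added example, not configuration from the thread: it reuses Tomás's host name, DocumentRoot, certificate database and nickname, assumes /files (from his log) as the protected path, and turns off the NULL, export, RC4, single-DES and Fortezza suites that his NSSCipherSuite line leaves enabled.

```apache
<VirtualHost *:443>
    ServerName amsterdam
    DocumentRoot /var/www/testmodnss

    NSSEngine on
    # mod_nss 1.0.8 tokens; newer releases also accept TLSv1.0,TLSv1.1,TLSv1.2.
    NSSProtocol TLSv1
    NSSCipherSuite -rsa_null_md5,-rsa_null_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_rc4_56_sha,-rsa_des_56_sha,-rsa_des_sha,-rsa_rc4_128_md5,-rsa_rc4_128_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,-fips_3des_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_3des_sha

    NSSCertificateDatabase /etc/apache2/certs/nss/
    NSSNickName Server-Cert
    NSSPassPhraseHelper /usr/sbin/nss_pcache

    # A per-directory NSSVerifyClient forces a second handshake, so the server
    # must be allowed to renegotiate. "on" here corresponds to
    # SSL_RENEGOTIATE_REQUIRES_XTN, i.e. NSS_SSL_ENABLE_RENEGOTIATION=r:
    # renegotiation only with peers that support RFC 5746. Do not reach for
    # the "u" (unrestricted) value instead; it re-opens CVE-2009-3555.
    NSSRenegotiation on
    # Go one step further and refuse the *initial* handshake from any client
    # that cannot do safe renegotiation at all. In 2010 this locked out old
    # browsers; today every supported client sends the extension.
    NSSRequireSafeNegotiation on

    # Nothing is requested from anonymous visitors in the first handshake,
    # so the browser shows no certificate prompt on the front page ...
    NSSVerifyClient none

    # ... until a request reaches /files (assumed path), where mod_nss
    # renegotiates and insists on a certificate that chains to a CA in the
    # certificate database.
    <Location /files>
        NSSRequireSSL
        NSSVerifyClient require
        NSSOptions +StdEnvVars
        NSSOptions +ExportCertData
    </Location>
</VirtualHost>
```

This gives the behaviour Tomás was after with mod_ssl (the certificate prompt appears only when the user follows a link into /files) without setting anything in the environment. After reloading, the first request into /files should log "Requesting connection re-negotiation" followed by a completed handshake rather than the "Not accepted by client" error from the start of the thread; if the error persists, the client is one that does not implement RFC 5746, and the answer is to update the client, not to relax the server.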
From luisneves at hotmail.com Fri Sep 3 08:00:04 2010
From: luisneves at hotmail.com (Luis Neves)
Date: Fri, 3 Sep 2010 08:00:04 +0000
Subject: [Mod_nss-list] Problem configuring Client certificate
Authentication
In-Reply-To: <4C80A4E5.9070305@indenova.com>
References: <4C7BA2E0.8000209@indenova.com>, <4C7E4E15.10406@redhat.com>,
<4C8096CC.6060203@indenova.com>,<4C80A4E5.9070305@indenova.com>
Message-ID:
Nice!
But tell me, what fixed the problem, the mod_nss compilation or the Apache variables in the init script?
Luis
From ttormo at indenova.com Fri Sep 3 08:03:33 2010
From: ttormo at indenova.com (Tomás Tormo)
Date: Fri, 03 Sep 2010 10:03:33 +0200
Subject: [Mod_nss-list] Problem configuring Client certificate
Authentication
In-Reply-To:
References: <4C7BA2E0.8000209@indenova.com>, <4C7E4E15.10406@redhat.com>,
<4C8096CC.6060203@indenova.com>, <4C80A4E5.9070305@indenova.com>
Message-ID: <4C80ABD5.5000208@indenova.com>
I think it was the apache variable, cause I've been using the same
mod_nss compilation the whole time...
On 03/09/10 10:00, Luis Neves wrote:
> Nice!
>
> But tell me, what fixed the problem, the mod_nss compilation or the
> apache variables in the init script??
>
> Luis
>
> ------------------------------------------------------------------------
> Date: Fri, 3 Sep 2010 09:33:57 +0200
> From: ttormo at indenova.com
> To: ttormo at indenova.com
> CC: luisneves at hotmail.com; rcritten at redhat.com; mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate
> Authentication
>
> Well... I made it work!!!
>
> I didn't try Rob's solution yet... but when I tried it it worked like a
> charm.
>
> The problem is that in Ubuntu you don't have the /etc/sysconfig/httpd
> directory (it is supposed to be /etc/default/apache, but it doesn't
> work there...), so I had to set the environment variable in the init
> script (/etc/init.d/apache2).
>
> So now, my test virtualhost looks like this
>
>
>
> /
>
> ServerName amsterdam
>
> LogLevel debug
> ErrorLog /var/log/apache2/testmodnss/error.log
> CustomLog /var/log/apache2/testmodnss/access.log combined
> DocumentRoot /var/www/testmodnss
>
>
> # ssl
> NSSEngine on
> RewriteEngine on
> NSSCipherSuite
> -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> NSSProtocol SSLv3,TLSv1
>
> ## Certificate database. It contains both public and private key of
> the ssl server. It also contains the CA certificate of the allowed
> client certificates
> NSSCertificateDatabase /etc/apache2/certs/nss/
>
> NSSNickName Server-Cert
>
>
> # ssl client
>
>
>
> NSSRequireSSL
> NSSVerifyClient require
>
>
>
>
>
> NSSPassPhraseHelper /usr/sbin/nss_pcache
>
>
>
>
> quite simple now.. isn't it?
>
> And, what's more, the certificates that weren't working with mod_ssl
> (Luis knows what I'm talking about ;) ) now work.
>
> Thank you very much once more!!!
>
>
>
>
>
> On 03/09/10 08:33, Tom?s Tormo wrote:
>
> First of all, thank you very much to both of you for your help.
> Yesterday I had a meeting the whole day, that's why I couldn't
> answer the emails...
>
> Currently, I'm doing all my tests with an Ubuntu Linux 10.04, using
> Apache 2.2.14 with mod_nss 1.0.8. I downloaded the source from
> http://directory.fedoraproject.org/wiki/Mod_nss and compiled it.
> The SSL connection is working... but I have the problem I told you
> with SSL client.
>
> After all the emails, I'm trying the last solution, the one which
> Luis told me. I tried to use the directive
>
> NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
>
> and it works... but it also asks for the certificate the first
> time you connect... I would like it to ask for the certificate
> just when the user clicks some link (I got it working with
> mod_ssl). Do you know any solution for this?
>
> By the way.. which language is the one NSSRequire is using for the
> conditions?
>
> Thank you very much. I'll continue with the research
>
>
> On 02/09/10 12:07, Luis Neves wrote:
>
> Hi again! Sorry everybody for so many posts
>
> Hello Tomas,
> What seems to be the best practice in this case is
>
> putting the NSSVerifyClient optional outside the location and then
> playing with the SSLRequire (or NSSRequire in mod_nss case)
> like for ex:
>
>
> NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> and %{SSL_CLIENT_S_DN_O} eq "mycompany" \
> and %{SSL_CLIENT_S_DN_OU} in {"myrole"})
>
>
> or:
>
> NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
>
>
> or using a virtualhost just for the authenticated part of the site
>
> Best regards,
> Luis
>
>
>
>
>
>
> ------------------------------------------------------------------------
> From: luisneves at hotmail.com
> To: rcritten at redhat.com ;
> ttormo at indenova.com
> Date: Thu, 2 Sep 2010 08:36:20 +0000
> CC: mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client
> certificate Authentication
>
> Hi Rob, indeed I've tested by myself and have the same
> renegotiation error as well
>
> Played with the settings I've told Tomas but still got the
> problem
> Played with the Apache env variables you mentioned but to no
> avail, same problem.
>
> Will read carefully your link but it looks like the only solution
> is avoiding at all costs using verifyclient inside location
> tags... :(
>
> Luis
>
>
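Added example, not part of the mailing-list thread: a small shell lint for the two configuration layouts discussed above. It flags an NSSVerifyClient require placed inside a per-directory container (the layout in the original post, which makes mod_nss renegotiate the TLS session on first access and produced the "Re-negotiation handshake failed" error in the log) and accepts the server-level NSSVerifyClient optional plus NSSRequire layout Luis suggested, which needs no renegotiation. The function names and both sample configurations are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the mod_nss mailing-list thread): lint an
# Apache/mod_nss configuration for the layout discussed in the thread.
# "NSSVerifyClient require" inside <Location>/<Directory>/<Files> makes
# mod_nss renegotiate the TLS session when such a path is first requested;
# a server-level "NSSVerifyClient optional" combined with NSSRequire inside
# the container needs no renegotiation. Function and sample names are
# constructed for this example.

# check_nss_verify_scope [CONFIG_FILE]
# Reads the config from the file, or stdin when no file is given. Prints one
# line per "NSSVerifyClient require" found inside a per-directory container.
# Exit status: 0 when none is found, 1 otherwise.
check_nss_verify_scope() {
    awk '
        # Opening and closing container tags adjust the nesting depth.
        /^[ \t]*<(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)[ \t>]/ { depth++ }
        /^[ \t]*<\/(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)>/ { depth-- }
        # The renegotiation trigger: a hard client-cert requirement below server level.
        depth > 0 && /^[ \t]*NSSVerifyClient[ \t]+require([ \t]|$)/ {
            printf "line %d: NSSVerifyClient require inside a per-directory container\n", NR
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' ${1+"$1"}
}

# Constructed sample: the per-directory layout from the original post.
sample_conf_per_directory() {
cat <<'EOF'
NSSEngine on
NSSNickName Server-Cert
<Location /files>
    AllowOverride all
    NSSVerifyClient require
    NSSOptions +ExportCertData
</Location>
EOF
}

# Constructed sample: server-level "optional" plus NSSRequire in the container.
sample_conf_server_level() {
cat <<'EOF'
NSSEngine on
NSSNickName Server-Cert
NSSVerifyClient optional
<Location /files>
    NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
                 and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
</Location>
EOF
}

# classify_conf SAMPLE_FUNCTION
# Prints "renegotiates" when the lint finds a per-directory require, else "ok".
classify_conf() {
    if "$1" | check_nss_verify_scope >/dev/null; then
        echo ok
    else
        echo renegotiates
    fi
}

# Demo when run directly.
echo "per-directory layout: $(classify_conf sample_conf_per_directory)"
echo "server-level layout:  $(classify_conf sample_conf_server_level)"
```

Run it against a real configuration with check_nss_verify_scope /path/to/site.conf; a non-zero exit means a first request to that path will trigger a renegotiation, so either move the client-certificate requirement to server level and gate the path with NSSRequire, or make sure the renegotiation setting Rob describes is in place.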
From luisneves at hotmail.com Fri Sep 3 08:28:08 2010
From: luisneves at hotmail.com (Luis Neves)
Date: Fri, 3 Sep 2010 08:28:08 +0000
Subject: [Mod_nss-list] Problem configuring Client certificate
Authentication
In-Reply-To: <4C80ABD5.5000208@indenova.com>
References: <4C7BA2E0.8000209@indenova.com>, <4C7E4E15.10406@redhat.com>, <4C8096CC.6060203@indenova.com>, <4C80A4E5.9070305@indenova.com>, <4C80ABD5.5000208@indenova.com>
Message-ID:
Is it too much to ask you to test once more with and without that variable (and which value did you use)?
It's just because I've tried to use the variables and they didn't work for me!
From ttormo at indenova.com Fri Sep 3 09:16:17 2010
From: ttormo at indenova.com (Tomás Tormo)
Date: Fri, 03 Sep 2010 11:16:17 +0200
Subject: [Mod_nss-list] Problem configuring Client certificate
Authentication
In-Reply-To:
References: <4C7BA2E0.8000209@indenova.com>, <4C7E4E15.10406@redhat.com>, <4C8096CC.6060203@indenova.com>, <4C80A4E5.9070305@indenova.com>, <4C80ABD5.5000208@indenova.com>
Message-ID: <4C80BCE1.80400@indenova.com>
No problem!!
I removed the variable and it stopped working... then I put it back and
it worked. I'm using NSS_SSL_ENABLE_RENEGOTIATION=u
If you are using Ubuntu, you should modify the /etc/init.d/apache2 script,
because I tried in other scripts and it didn't work...
If you are using this distro (and you installed apache2 from the
repository), what you have to do is put
ENV="$ENV NSS_SSL_ENABLE_RENEGOTIATION=u"
just below
ENV="env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin"
so it should look like this (it's just at the beginning of the script)
ENV="env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin"
ENV="$ENV NSS_SSL_ENABLE_RENEGOTIATION=u"
I did it like this because if I want to disable it I just have to comment
out that line
Which distro are you using?
On 03/09/10 10:28, Luis Neves wrote:
> Is it too much to ask you to test once more with and without that
> variable (and which value did you use)?
>
> It's just because I've tried to use the variables and they didn't work
> for me!
>
> ------------------------------------------------------------------------
> Date: Fri, 3 Sep 2010 10:03:33 +0200
> From: ttormo at indenova.com
> To: luisneves at hotmail.com
> CC: rcritten at redhat.com; mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate
> Authentication
>
> I think it was the apache variable, cause I've been using the same
> mod_nss compilation the whole time...
>
>
> On 03/09/10 10:00, Luis Neves wrote:
>
> Nice!
>
> But tell me, what fixed the problem, the mod_nss compilation or
> the apache variables in the init script??
>
> Luis
>
> ------------------------------------------------------------------------
> Date: Fri, 3 Sep 2010 09:33:57 +0200
> From: ttormo at indenova.com
> To: ttormo at indenova.com
> CC: luisneves at hotmail.com ;
> rcritten at redhat.com ;
> mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate
> Authentication
>
> Well... I made it work!!!
>
> I didn't try Robe solution yet... but when I tried it it worked
> like a charm.
>
> The problem is that in Ubuntu you don't have /etc/sysconfig/httpd
> directory (it is supposed to be */etc/default/apache*, but it
> doesn't work there...), so I had to set the environmental variable
> in the init script (*/etc/init.d/apache2*).
>
> So now, my test virtualhost looks like this
>
>
>
> /
>
> ServerName amsterdam
>
> LogLevel debug
> ErrorLog /var/log/apache2/testmodnss/error.log
> CustomLog /var/log/apache2/testmodnss/access.log combined
> DocumentRoot /var/www/testmodnss
>
>
> # ssl
> NSSEngine on
> RewriteEngine on
> NSSCipherSuite
> -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> NSSProtocol SSLv3,TLSv1
>
> ## Certificate database. It contains both public and private key
> of the ssl server. It also contains the CA certificate of the
> allowed client certificates
> NSSCertificateDatabase /etc/apache2/certs/nss/
>
> NSSNickName Server-Cert
>
>
> # ssl client
>
>
>
> NSSRequireSSL
> NSSVerifyClient require
>
>
>
>
>
> NSSPassPhraseHelper /usr/sbin/nss_pcache/
>
>
>
>
> quite simple now.. isn't it?
>
> And, what's more, the certificates that weren't working with
> mod_ssl (Luis knows what I'm talking about ;) ) now work.
>
> Thank you very much once more!!!
>
>
>
>
>
> On 03/09/10 08:33, Tom?s Tormo wrote:
>
> First of all, thank you very much to both of you for your
> help. Yesterday I had a meeting the whole day, that's why I
> couldn't answer the emails...
>
> Currently, I'm doind all my tests with a Ubuntu Linux 10.04,
> using Apache 2.2.14 with mod_nss 1.0.8. I downloaded the
> source from *http://directory.fedoraproject.org/wiki/Mod_nss*
> and compiled it. The SSL connection is working... but I have
> the problem I told you with SSL client.
>
> After all the emails, I'm trying the last solution, the one
> whi Luis told me. I tried to use the directive
>
> NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
>
> and it works... but it also asks for the certificate the first
> time you connect... I would like it to ask for the certificate
> just when the user clicks some link (I got it working with
> mod_ssl). Do you know any solution for this?
>
> By the way.. wich language is the one _NSSRequire is using for
> the conditions?
>
> Thank you very much. I'll continue with the research
>
>
> On 02/09/10 12:07, Luis Neves wrote:
>
> Hi again! Sorry everybody for so much posts
>
> Hola Tomas,
> What seems the best practices on this case is
>
> Putting the NSSverifyclient optional outside location and
> then playing with the SSLRequire (or NSSRequire in mod_nss
> case)
> like for ex:
>
>
> NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> and %{SSL_CLIENT_S_DN_O} eq "mycompany" \
> and %{SSL_CLIENT_S_DN_OU} in {"myrole"})
>
>
> or:
>
> NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
>
>
> or using a virtualhost just for the authenticated part of
> the site
>
> Um abra?o
> Luis
>
>
>
>
>
>
> ------------------------------------------------------------------------
> From: luisneves at hotmail.com
> To: rcritten at redhat.com ;
> ttormo at indenova.com
> Date: Thu, 2 Sep 2010 08:36:20 +0000
> CC: mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client
> certificate Authentication
>
> Hi Robe, indeed Ive tested by myself and have the same
> renegotiation error as well
>
> Played with the settings Ive told to Tomas but still got
> the problem
> Played with the Apache env variables you mentioned but to
> no avail, same problem.
>
> Will read carefully your link but it looks the only
> solution is avoiding at all costs using verifyclient
> inside location tags... :(
>
> Luis
>
>
> > Date: Wed, 1 Sep 2010 08:59:01 -0400
> > From: rcritten at redhat.com
> > To: ttormo at indenova.com
> > CC: mod_nss-list at redhat.com
> > Subject: Re: [Mod_nss-list] Problem configuring Client
> certificate Authentication
> >
> > Tom?s Tormo wrote:
> > > Greetings
> > >
> > > I'm trying to configure mod_nss in Apache in order to
> use it as my
> > > client certificate authentication mechanism, but I'm
> having problems
> > > with it..
> > >
> > > I'd like to use client authentication in some parts of
> a website... so I
> > > tried to do it as with mod_ssl, using the Location
> directive with the
> > > NSSVerifyClient require directive inside, but I never
> works... I always
> > > get this error...
> > >
> > > Mon Aug 30 14:17:34 2010] [info] Requesting connection
> re-negotiation
> > > [Mon Aug 30 14:17:34 2010] [debug]
> nss_engine_kernel.c(404): Performing
> > > full renegotiation: complete handshake protocol
> > > [Mon Aug 30 14:17:34 2010] [debug]
> nss_engine_kernel.c(426): Awaiting
> > > re-negotiation handshake
> > > *[Mon Aug 30 14:17:34 2010] [info] Read error -12176
> > > [Mon Aug 30 14:17:34 2010] [error] Re-negotiation
> handshake failed: Not
> > > accepted by client!?*
> > > [Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615):
> [client
> > > 192.168.125.53] Zlib: Compressed 283 to 216 : URL
> /files, referer:
> > > https://amsterdam/
> > > [Mon Aug 30 14:17:34 2010] [info] (70014)End of file
> found: SSL input
> > > filter read failed.
> > > [Mon Aug 30 14:17:34 2010] [info] Connection to child
> 69 closed (server
> > > amsterdam:443, client 192.168.125.53)
> > >
> > > After this, I checked the documentation and it says I
> can work
> > > per-server or per-directory context... So I tried to
> do it per-server
> > > and It works perfectly.. but, as I told you, this is
> not the solution
> > > I'm looking for.. so I tried to configure it
> per-directory... but it
> > > doesn't work neither...
> > >
> > > Here I attach my per-directory configuration... Is
> just a test but this
> > > is more or less how it should look at the end:
> > >
> > >
> > >
> > > /
> > >
> > > ServerName amsterdam
> > >
> > > LogLevel debug
> > > ErrorLog /var/log/apache2/testmodnss/error.log
> > > CustomLog /var/log/apache2/testmodnss/access.log combined
> > > DocumentRoot /var/www/testmodnss
> > >
> > > # ssl
> > > NSSEngine on
> > > RewriteEngine on
> > > NSSCipherSuite
> > >
> -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> > >
> > > NSSProtocol All
> > >
> > > ## Certificate database. It contains both public and
> private key of the
> > > ssl server. It also contains the CA certificate of the
> allowed client
> > > certificates
> > > NSSCertificateDatabase /etc/apache2/certs/nss/
> > >
> > > NSSNickName Server-Cert
> > >
> > >
> > > # ssl client
> > >
> > >
> > >
> > > AllowOverride all
> > > NSSVerifyClient require
> > > NSSOptions +ExportCertData
> > > NSSOptions +StdEnvVars
> > >
> > >
> > >
> > >
> > >
> > > NSSPassPhraseHelper /usr/sbin/nss_pcache
> > >
> > > /
> > >
> > > Could you please help me?
> > >
> > > Thank you very much
> >
> > Sorry for the delayed response.
> >
> > What version of mod_nss and which browser (and version)
> are you using? I
> > wonder if you have a newer browser and an older mod_nss
> and are bumping
> > into the SSL renegotiation changes that went into the
> NSS crypto system
> > to handle
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555.
> > This KB article includes some tuning information for NSS
> in general:
> > https://access.redhat.com/kb/docs/DOC-20491
> >
> > The latest mod_nss provides some tuning knobs for this
> as mentioned by
> > Luis (NSSRenegotiation and NSSRequireSafeNegotiation)
> that are
> > equivalent to the environment variables in the KB
> article, just more
> > convenient. mod_nss defaults to SSL_RENEGOTIATE_NEVER
> and setting
> > NSSRenegotiation is the equivalent of
> SSL_RENEGOTIATE_REQUIRES_XTN.
> >
> > So this is a long way of saying, try adding export
> > NSS_SSL_ENABLE_RENEGOTIATION=u or
> NSS_SSL_ENABLE_RENEGOTIATION=r to your
> > Apache environment (/etc/sysconfig/httpd on Red Hat and
> Fedora systems).
> >
> > I'll be away again until next week in case you have any
> follow-up questions.
> >
> > rob
> >
> > _______________________________________________
> > Mod_nss-list mailing list
> > Mod_nss-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/mod_nss-list
>
> _______________________________________________
> Mod_nss-list mailing list Mod_nss-list at redhat.com
>
> https://www.redhat.com/mailman/listinfo/mod_nss-list
>
>
>
> --
> Regards,
>
> Tomás Tormo Franco
> Systems Department
>
> INDENOVA S.L.
> C/ Dels Traginers 14, 2º B
> Polígono Vara de Quart
> 46014 Valencia
> Tel. (34) 96 381 99 47
> Fax. (34) 96 381 99 48
>
> ttormo at indenova.com
> http://www.indenova.com
>
> Download the eSigna Viewer software free of charge to view electronically signed documents: http://www.indenova.com/eSignaViewer.php
>
--
Regards,
Tomás Tormo Franco
Systems Department
INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48
ttormo at indenova.com
http://www.indenova.com
Download the eSigna Viewer software free of charge to view electronically signed documents: http://www.indenova.com/eSignaViewer.php
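Two things in the configuration quoted above deserve a check before it is used anywhere that matters. The NSSCipherSuite line switches on rsa_null_md5, rsa_null_sha and fortezza_null, which encrypt nothing, plus the 40- and 56-bit export suites, so a client can negotiate a session in which everything behind NSSVerifyClient travels in the clear. And NSS_SSL_ENABLE_RENEGOTIATION=u (unrestricted) restores renegotiation with clients that lack the RFC 5746 renegotiation_info extension, which is exactly the behaviour CVE-2009-3555 abuses; r (requires-xtn), Rob's other suggestion, only renegotiates with clients that send the extension, and NSSRenegotiation on in a newer mod_nss means the same thing. The script below is an added example for running that check, not code from the thread or from mod_nss: it parses the +/- cipher list, reports every enabled suite that trips a weak-cipher rule (the rule set is this example's own judgement; the RC4 rule cites RFC 7465, which postdates the thread), emits a hardened directive, and interprets a NSS_SSL_ENABLE_RENEGOTIATION value using the spellings NSS accepts.

```python
"""Audit a mod_nss NSSCipherSuite directive and an NSS renegotiation setting.

Added example, not mod_nss code.  The weak-cipher rules are this example's own
substring tests over mod_nss cipher names; the renegotiation spellings are the
ones NSS accepts in NSS_SSL_ENABLE_RENEGOTIATION."""

# Sample input: the NSSCipherSuite value posted in the thread.
POSTED_CIPHERSUITE = (
    "-des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,"
    "+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,"
    "+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,"
    "+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha"
)

# (predicate on the lower-cased cipher name, reason); first matching rule wins.
WEAK_RULES = [
    (lambda n: "null" in n, "NULL cipher: no encryption at all"),
    (lambda n: "_40_" in n or "_56_" in n or "export" in n, "export-grade key length"),
    (lambda n: "fortezza" in n, "obsolete FORTEZZA/Skipjack suite"),
    (lambda n: "rc2" in n, "RC2"),
    (lambda n: "rc4" in n, "RC4 (prohibited in TLS by RFC 7465)"),
    (lambda n: "des" in n and "3des" not in n and "desede3" not in n, "single DES, 56-bit key"),
]


def parse_ciphersuite(directive):
    """Split a +name,-name list into (enabled, disabled) sets of cipher names.
    A later entry for the same name overrides an earlier one."""
    state = {}
    for entry in directive.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if entry[0] not in "+-":
            raise ValueError("cipher entry must start with + or -: %r" % entry)
        state[entry[1:].lower()] = entry[0] == "+"
    enabled = {name for name, on in state.items() if on}
    return enabled, set(state) - enabled


def weak_enabled(directive):
    """Map every enabled cipher that trips a rule to the reason it is weak."""
    enabled, _ = parse_ciphersuite(directive)
    findings = {}
    for name in sorted(enabled):
        for predicate, reason in WEAK_RULES:
            if predicate(name):
                findings[name] = reason
                break
    return findings


def harden(directive):
    """Return the directive with every weak cipher explicitly switched off."""
    enabled, disabled = parse_ciphersuite(directive)
    weak = set(weak_enabled(directive))
    return ",".join(["-" + n for n in sorted(disabled | weak)]
                    + ["+" + n for n in sorted(enabled - weak)])


# NSS_SSL_ENABLE_RENEGOTIATION value -> NSS renegotiation mode.
RENEGOTIATION_MODES = {
    "0": "never", "n": "never", "never": "never",
    "1": "unrestricted", "u": "unrestricted", "unrestricted": "unrestricted",
    "2": "requires-xtn", "r": "requires-xtn", "requires-xtn": "requires-xtn",
    "3": "transitional", "t": "transitional", "transitional": "transitional",
}
# Modes in which a server never renegotiates, or only does so with clients that
# send the RFC 5746 renegotiation_info extension (the CVE-2009-3555 fix);
# "transitional" relaxes the check on the client side only, so a server stays safe.
SERVER_SAFE_MODES = {"never", "requires-xtn", "transitional"}


def renegotiation_mode(value):
    """Interpret a NSS_SSL_ENABLE_RENEGOTIATION value: (mode, safe for a server)."""
    mode = RENEGOTIATION_MODES.get(value.strip().lower())
    if mode is None:
        raise ValueError("unknown NSS_SSL_ENABLE_RENEGOTIATION value: %r" % value)
    return mode, mode in SERVER_SAFE_MODES


if __name__ == "__main__":
    for name, why in weak_enabled(POSTED_CIPHERSUITE).items():
        print("enabled but weak: %-22s %s" % (name, why))
    print("hardened: NSSCipherSuite " + harden(POSTED_CIPHERSUITE))
    for value in ("u", "r"):
        mode, safe = renegotiation_mode(value)
        print("NSS_SSL_ENABLE_RENEGOTIATION=%s -> %s (server safe: %s)" % (value, mode, safe))
```

Run against the posted directive it lists thirteen enabled suites, the three NULL ones among them, and leaves only the 3DES and AES suites switched on. Where the mod_nss in use already has the directives, `NSSRenegotiation on` together with `NSSRequireSafeNegotiation on` expresses the same policy as the r value without editing the init script.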
From luisneves at hotmail.com Fri Sep 3 09:40:00 2010
From: luisneves at hotmail.com (Luis Neves)
Date: Fri, 3 Sep 2010 09:40:00 +0000
Subject: [Mod_nss-list] Problem configuring Client certificate
Authentication
In-Reply-To: <4C80BCE1.80400@indenova.com>
References: <4C7BA2E0.8000209@indenova.com>, <4C7E4E15.10406@redhat.com>,
<4C8096CC.6060203@indenova.com>, <4C80A4E5.9070305@indenova.com>,
<4C80ABD5.5000208@indenova.com>, <4C80BCE1.80400@indenova.com>
Message-ID:
Thanks!
I'm testing on Fedora 11. Good to know the variable works; maybe I used it in the wrong place. I will test it again only in about 2 weeks, as I'm going on holiday :)
Just another tricky question: how will you check that your users' certificates haven't been revoked (become invalid)? Will you be using certificates issued by an external Certification Authority (CA)?
Luis
Date: Fri, 3 Sep 2010 11:16:17 +0200
From: ttormo at indenova.com
To: luisneves at hotmail.com
CC: rcritten at redhat.com; mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
No problem!!
I removed the variable and it stopped working... then I put it back
and it worked. I'm using NSS_SSL_ENABLE_RENEGOTIATION=u
If you are using Ubuntu, you should modify the /etc/init.d/apache2
script, because I tried it in other scripts and it didn't work...
If you are using this distro (and you installed apache2 from the
repository), what you have to do is put
ENV="$ENV NSS_SSL_ENABLE_RENEGOTIATION=u"
just below
ENV="env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin"
so it should look like this (it's right at the beginning of the script):
ENV="env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin"
ENV="$ENV NSS_SSL_ENABLE_RENEGOTIATION=u"
I did it like this because if I want to disable it I just have to comment
out that line.
Which distro are you using?
On 03/09/10 10:28, Luis Neves wrote:
Is it too much to ask you to test once more with and without that variable
(and which value did you use)?
It's just because I've tried to use the variables and they didn't work
for me!
Date: Fri, 3 Sep 2010 10:03:33 +0200
From: ttormo at indenova.com
To: luisneves at hotmail.com
CC: rcritten at redhat.com; mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate
Authentication
I think it was the Apache variable, because I've been using the same
mod_nss build the whole time...
On 03/09/10 10:00, Luis Neves wrote:
Nice!
But tell me, what fixed the problem, the mod_nss build or the
Apache variables in the init script??
Luis
Date: Fri, 3 Sep 2010 09:33:57 +0200
From: ttormo at indenova.com
To: ttormo at indenova.com
CC: luisneves at hotmail.com; rcritten at redhat.com; mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate
Authentication
Well... I made it work!!!
I hadn't tried Rob's solution yet... but when I tried it, it worked like a
charm.
The problem is that in Ubuntu you don't have the /etc/sysconfig/httpd
directory (it is supposed to be /etc/default/apache, but it
doesn't work there...), so I had to set the environment variable in
the init script (/etc/init.d/apache2).
So now, my test virtualhost looks like this
ServerName amsterdam
LogLevel debug
ErrorLog /var/log/apache2/testmodnss/error.log
CustomLog /var/log/apache2/testmodnss/access.log combined
DocumentRoot /var/www/testmodnss
# ssl
NSSEngine on
RewriteEngine on
NSSCipherSuite
-des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
## Certificate database. It contains both public and private key of the
ssl server. It also contains the CA certificate of the allowed client
certificates
NSSCertificateDatabase /etc/apache2/certs/nss/
NSSNickName Server-Cert
# ssl client
NSSRequireSSL
NSSVerifyClient require
NSSPassPhraseHelper /usr/sbin/nss_pcache
quite simple now.. isn't it?
And, what's more, the certificates that weren't working with mod_ssl
(Luis knows what I'm talking about ;) ) now work.
Thank you very much once more!!!
On 03/09/10 08:33, Tomás Tormo wrote:
First of all, thank you very much to both of you for your help.
Yesterday I was in a meeting the whole day, that's why I couldn't answer
the emails...
Currently, I'm doing all my tests on Ubuntu Linux 10.04, using
Apache 2.2.14 with mod_nss 1.0.8. I downloaded the source from http://directory.fedoraproject.org/wiki/Mod_nss
and compiled it. The SSL connection is working... but I have the
problem I told you about with the SSL client.
After all the emails, I'm trying the last solution, the one which Luis
told me about. I tried to use the directive
NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
and it works... but it also asks for the certificate the first time you
connect... I would like it to ask for the certificate just when the
user clicks some link (I got it working with mod_ssl). Do you know any
solution for this?
By the way... which language is the one NSSRequire is using for the
conditions?
Thank you very much. I'll continue with the research.
On 02/09/10 12:07, Luis Neves wrote:
Hi again!
Sorry everybody for so many posts.
Hi Tomás,
What seems to be the best practice in this case is
putting NSSVerifyClient optional outside the Location and then playing
with SSLRequire (or NSSRequire in the mod_nss case),
for example:
NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
and %{SSL_CLIENT_S_DN_O} eq "mycompany" \
and %{SSL_CLIENT_S_DN_OU} in {"myrole"})
or:
NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
or using a virtualhost just for the authenticated part of the site.
Cheers,
Luis
From: luisneves at hotmail.com
To: rcritten at redhat.com; ttormo at indenova.com
Date: Thu, 2 Sep 2010 08:36:20 +0000
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate
Authentication
Hi Rob,
indeed I've tested it myself and get the same renegotiation
error as well.
I played with the settings I'd told Tomás about but still got the problem.
I played with the Apache env variables you mentioned but to no avail,
same problem.
I will read your link carefully but it looks like the only solution is
avoiding at all costs using verifyclient inside location tags... :(
Luis
> Date: Wed, 1 Sep 2010 08:59:01 -0400
> From: rcritten at redhat.com
> To: ttormo at indenova.com
> CC: mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate
Authentication
>
> > Tomás Tormo wrote:
> > Greetings
> >
> > I'm trying to configure mod_nss in Apache in order to use it
as my
> > client certificate authentication mechanism, but I'm having
problems
> > with it..
> >
> > I'd like to use client authentication in some parts of a
website... so I
> > tried to do it as with mod_ssl, using the Location directive
with the
> > NSSVerifyClient require directive inside, but I never
works... I always
> > get this error...
> >
> > Mon Aug 30 14:17:34 2010] [info] Requesting connection
re-negotiation
> > [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404):
Performing
> > full renegotiation: complete handshake protocol
> > [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426):
Awaiting
> > re-negotiation handshake
> > *[Mon Aug 30 14:17:34 2010] [info] Read error -12176
> > [Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake
failed: Not
> > accepted by client!?*
> > [Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client
> > 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files,
referer:
> > https://amsterdam/
> > [Mon Aug 30 14:17:34 2010] [info] (70014)End of file found:
SSL input
> > filter read failed.
> > [Mon Aug 30 14:17:34 2010] [info] Connection to child 69
closed (server
> > amsterdam:443, client 192.168.125.53)
> >
> > After this, I checked the documentation and it says I can work
> > per-server or per-directory context... So I tried to do it
per-server
> > and It works perfectly.. but, as I told you, this is not the
solution
> > I'm looking for.. so I tried to configure it per-directory...
but it
> > doesn't work neither...
> >
> > Here I attach my per-directory configuration... Is just a
test but this
> > is more or less how it should look at the end:
> >
> >
> >
> > /
> >
> > ServerName amsterdam
> >
> > LogLevel debug
> > ErrorLog /var/log/apache2/testmodnss/error.log
> > CustomLog /var/log/apache2/testmodnss/access.log combined
> > DocumentRoot /var/www/testmodnss
> >
> > # ssl
> > NSSEngine on
> > RewriteEngine on
> > NSSCipherSuite
> >
-des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> >
> > NSSProtocol All
> >
> > ## Certificate database. It contains both public and private
key of the
> > ssl server. It also contains the CA certificate of the
allowed client
> > certificates
> > NSSCertificateDatabase /etc/apache2/certs/nss/
> >
> > NSSNickName Server-Cert
> >
> >
> > # ssl client
> >
> >
> >
> > AllowOverride all
> > NSSVerifyClient require
> > NSSOptions +ExportCertData
> > NSSOptions +StdEnvVars
> >
> >
> >
> >
> >
> > NSSPassPhraseHelper /usr/sbin/nss_pcache
> >
> > /
> >
> > Could you please help me?
> >
> > Thank you very much
>
> Sorry for the delayed response.
>
> What version of mod_nss and which browser (and version) are you
using? I
> wonder if you have a newer browser and an older mod_nss and are
bumping
> into the SSL renegotiation changes that went into the NSS crypto
system
> to handle http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555.
> This KB article includes some tuning information for NSS in
general:
> https://access.redhat.com/kb/docs/DOC-20491
>
> The latest mod_nss provides some tuning knobs for this as
mentioned by
> Luis (NSSRenegotiation and NSSRequireSafeNegotiation) that are
> equivalent to the environment variables in the KB article, just
more
> convenient. mod_nss defaults to SSL_RENEGOTIATE_NEVER and setting
> NSSRenegotiation is the equivalent of SSL_RENEGOTIATE_REQUIRES_XTN.
>
> So this is a long way of saying, try adding export
> NSS_SSL_ENABLE_RENEGOTIATION=u or NSS_SSL_ENABLE_RENEGOTIATION=r
to your
> Apache environment (/etc/sysconfig/httpd on Red Hat and Fedora
systems).
>
> I'll be away again until next week in case you have any follow-up
questions.
>
> rob
>
> _______________________________________________
> Mod_nss-list mailing list
> Mod_nss-list at redhat.com
> https://www.redhat.com/mailman/listinfo/mod_nss-list
_______________________________________________
Mod_nss-list mailing list Mod_nss-list at redhat.com https://www.redhat.com/mailman/listinfo/mod_nss-list
--
Regards,
Tomás Tormo Franco
Systems Department
INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48
ttormo at indenova.com
http://www.indenova.com
Download the eSigna Viewer software free of charge to view electronically signed documents: http://www.indenova.com/eSignaViewer.php
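Tomás asks which language NSSRequire uses. It is mod_ssl's SSLRequire expression syntax, which mod_nss reimplements over the same SSL_* variables: %{VAR} lookups, eq and ne, in {...}, =~ and !~ with m/.../ patterns, and, or and parentheses, with an unset variable reading as an empty string. The following is an added example, not mod_nss code and not anything posted in the thread: a small evaluator for that subset, run over constructed per-request variable sets. It shows why Luis's pattern works. With NSSVerifyClient optional at server level, a client that presents no certificate still completes the handshake and reaches the Location with SSL_CLIENT_VERIFY set to NONE, so the NSSRequire line is the only thing denying it; the DN checks fail for such a client because the unset variable is compared as ""; and the cipher test is not decoration, because the posted NSSCipherSuite enables NULL and export suites. The price, as Tomás observed, is that the certificate is requested on the first handshake rather than on the first protected request. The cipher spellings AES256-SHA and EXP-RC4-MD5 assume mod_nss's OpenSSL-style SSL_CIPHER names, and the request sets are constructed for the example.

```python
"""Evaluator for the NSSRequire / SSLRequire expression subset used in the thread
(added example, not mod_nss code): %{VAR}, eq/ne, in {...}, =~ and !~ with m/.../,
and/or, parentheses.  Unset variables read as "", as in mod_ssl."""
import re

TOKEN_RE = re.compile(r'''\s+ | (?P<VAR>%\{[A-Za-z0-9_]+\}) | (?P<STR>"[^"]*")
    | (?P<REGEX>m/(?:\\.|[^/\\])*/) | (?P<PUNCT>[(){},])
    | (?P<OP>=~|!~|\beq\b|\bne\b|\bin\b|\band\b|\bor\b)''', re.VERBOSE)


def tokenize(expr):
    """(kind, text) list; Apache's backslash-newline continuation is whitespace."""
    expr = expr.replace("\\\n", " ")
    matches = list(TOKEN_RE.finditer(expr))
    if "".join(m.group() for m in matches) != expr:   # a gap means unknown text
        raise SyntaxError("unrecognised text in %r" % expr)
    return [(m.lastgroup, m.group()) for m in matches if m.lastgroup]


class Parser:
    """Recursive descent; each method returns a predicate env -> bool, env being the
    SSL_* variables that NSSOptions +StdEnvVars exports for a request."""

    def __init__(self, expr):
        self.toks = tokenize(expr)

    def take(self, kind, text=None):
        k, t = self.toks.pop(0) if self.toks else (None, None)
        if k != kind or text not in (None, t):
            raise SyntaxError("expected %s %r, got %r" % (kind, text, t))
        return t

    def expr(self):   # or-chain of and-chains, so 'and' binds tighter than 'or'
        return self.chain("or", lambda: self.chain("and", self.primary, all), any)

    def chain(self, word, sub, combine):
        parts = [sub()]
        while self.toks[:1] == [("OP", word)]:
            self.take("OP")
            parts.append(sub())
        return lambda env: combine(p(env) for p in parts)

    def primary(self):
        if self.toks[:1] == [("PUNCT", "(")]:
            self.take("PUNCT")
            inner = self.expr()
            self.take("PUNCT", ")")
            return inner
        return self.comparison()

    def word(self):
        if self.toks and self.toks[0][0] == "VAR":
            name = self.take("VAR")[2:-1]
            return lambda env: env.get(name, "")
        value = self.take("STR")[1:-1]
        return lambda env: value

    def comparison(self):
        left, op = self.word(), self.take("OP")
        if op in ("eq", "ne"):
            right = self.word()
            return lambda env: (left(env) == right(env)) == (op == "eq")
        if op == "in":
            self.take("PUNCT", "{")
            items = [self.word()]
            while self.toks[:1] == [("PUNCT", ",")]:
                self.take("PUNCT")
                items.append(self.word())
            self.take("PUNCT", "}")
            return lambda env: left(env) in [w(env) for w in items]
        if op in ("=~", "!~"):
            rx = re.compile(self.take("REGEX")[2:-1])
            return lambda env: (rx.search(left(env)) is not None) == (op == "=~")
        raise SyntaxError("%r is not a comparison operator" % op)


def evaluate(expr, env):
    """True if a request whose SSL_* variables are env satisfies the expression."""
    parser = Parser(expr)
    pred = parser.expr()
    parser.take(None)   # end of input; anything left over is a syntax error
    return pred(env)


# The two NSSRequire lines proposed in the thread, continuation backslashes kept.
POLICY_VERIFIED = '( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \\\n  and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )'
POLICY_ROLE = ('( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \\\n  and %{SSL_CLIENT_S_DN_O} eq "mycompany" \\\n'
               '  and %{SSL_CLIENT_S_DN_OU} in {"myrole"})')

# Constructed requests; SSL_CIPHER spellings assume mod_nss's OpenSSL-style names.
_CERT = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_O": "mycompany"}
REQUESTS = {
    "no client cert":       {"SSL_CIPHER": "AES256-SHA", "SSL_CLIENT_VERIFY": "NONE"},
    "cert, OU myrole":      dict(_CERT, SSL_CIPHER="AES256-SHA", SSL_CLIENT_S_DN_OU="myrole"),
    "cert, OU contractors": dict(_CERT, SSL_CIPHER="AES256-SHA", SSL_CLIENT_S_DN_OU="contractors"),
    "cert, export cipher":  dict(_CERT, SSL_CIPHER="EXP-RC4-MD5", SSL_CLIENT_S_DN_OU="myrole"),
}


def decisions(policy):
    """{request name: allowed} for one NSSRequire line over REQUESTS."""
    return {name: evaluate(policy, env) for name, env in REQUESTS.items()}
```

decisions(POLICY_VERIFIED) denies the anonymous and export-cipher requests and allows both certificate holders; decisions(POLICY_ROLE) additionally denies the contractors OU. A certificate that fails verification never reaches this point: NSSVerifyClient optional still rejects the handshake of a client that presents an invalid certificate, and only a client that presents none gets through with SSL_CLIENT_VERIFY set to NONE.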
From rcritten at redhat.com Tue Sep 7 19:20:31 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 07 Sep 2010 15:20:31 -0400
Subject: [Mod_nss-list] Problem configuring Client certificate
Authentication
In-Reply-To:
References: <4C7BA2E0.8000209@indenova.com>, <4C7E4E15.10406@redhat.com>,
<4C8096CC.6060203@indenova.com>, <4C80A4E5.9070305@indenova.com>,
<4C80ABD5.5000208@indenova.com>, <4C80BCE1.80400@indenova.com>
Message-ID: <4C86907F.3090604@redhat.com>
Luis Neves wrote:
> Thanks!
>
> I'm testing on Fedora 11. Good to know the variable works; maybe I used
> it in the wrong place. I will test it again only in about 2 weeks, as
> I'm going on holiday :)
>
> Just another tricky question: how will you check that your users'
> certificates haven't been revoked (become invalid)? Will you be using
> certificates issued by an external Certification Authority (CA)?
There are two ways: OCSP or a CRL. Or three ways I suppose, you can use
both.
OCSP is an online lookup of the certificate validity. If the client has
an OCSP provider encoded in it then that can be used and you can define
a default OCSP provider in the mod_nss configuration (1.0.6+ IIRC).
A CRL must be loaded into the mod_nss certificate database (default is
in /etc/httpd/alias). Apache needs to be restarted for the CRL to be
seen. The NSS utility crlutil can be used to update a CRL.
If you have both enabled and loaded then NSS will first look in the CRL
to see if the certificate is revoked. If not it checks OCSP. This saves
a round-trip.
An alternative to loading a CRL and restarting Apache is to use another
module, mod_revocator. In this you can define a list of URLs where CRLs
can be found and they are automatically fetched and made available to
NSS without requiring a restart.
rob
From luisneves at hotmail.com Mon Sep 13 14:32:41 2010
From: luisneves at hotmail.com (Luis Neves)
Date: Mon, 13 Sep 2010 14:32:41 +0000
Subject: [Mod_nss-list] Problem configuring Client certificate
Authentication
In-Reply-To: <4C86907F.3090604@redhat.com>
References: <4C7BA2E0.8000209@indenova.com>, <4C7E4E15.10406@redhat.com>,
<4C8096CC.6060203@indenova.com>, <4C80A4E5.9070305@indenova.com>,
<4C80ABD5.5000208@indenova.com>, <4C80BCE1.80400@indenova.com>,
<4C86907F.3090604@redhat.com>
Message-ID:
Thanks Rob, OCSP and mod_revocator are working fine now in my tests!
Great to see that the mod_nss code base is more bug-free and has more features than the current mod_ssl implementation.
Luis
> Date: Tue, 7 Sep 2010 15:20:31 -0400
> From: rcritten at redhat.com
> To: luisneves at hotmail.com
> CC: ttormo at indenova.com; mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
>
> Luis Neves wrote:
> > Thanks!
> >
> > I'm testing on Fedora 11. Good to know the variable works; maybe I used
> > it in the wrong place. I will test it again only in about 2 weeks, as
> > I'm going on holiday :)
> >
> > Just another tricky question: how will you check that your users'
> > certificates haven't been revoked (become invalid)? Will you be using
> > certificates issued by an external Certification Authority (CA)?
>
> There are two ways: OCSP or a CRL. Or three ways I suppose, you can use
> both.
>
> OCSP is an online lookup of the certificate validity. If the client has
> an OCSP provider encoded in it then that can be used and you can define
> a default OCSP provider in the mod_nss configuration (1.0.6+ IIRC).
>
> A CRL must be loaded into the mod_nss certificate database (default is
> in /etc/httpd/alias). Apache needs to be restarted for the CRL to be
> seen. The NSS utility crlutil can be used to update a CRL.
>
> If you have both enabled and loaded then NSS will first look in the CRL
> to see if the certificate is revoked. If not it checks OCSP. This saves
> a round-trip.
>
> An alternative to loading a CRL and restarting Apache is to use another
> module, mod_revocator. In this you can define a list of URLs where CRLs
> can be found and they are automatically fetched and made available to
> NSS without requiring a restart.
>
> rob