[Mod_nss-list] Problem configuring Client certificate Authentication

Rob Crittenden rcritten at redhat.com
Wed Sep 1 12:59:01 UTC 2010


Tomás Tormo wrote:
> Greetings
>
> I'm trying to configure mod_nss in Apache in order to use it as my
> client certificate authentication mechanism, but I'm having problems
> with it..
>
> I'd like to use client authentication in some parts of a website... so I
> tried to do it as with mod_ssl, using the Location directive with the
> NSSVerifyClient require directive inside, but it never works... I always
> get this error...
>
> [Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation
> [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing
> full renegotiation: complete handshake protocol
> [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting
> re-negotiation handshake
> [Mon Aug 30 14:17:34 2010] [info] Read error -12176
> [Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not
> accepted by client!?
> [Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client
> 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer:
> https://amsterdam/
> [Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input
> filter read failed.
> [Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server
> amsterdam:443, client 192.168.125.53)
>
> After this, I checked the documentation and it says I can work
> per-server or per-directory context... So I tried to do it per-server
> and it works perfectly.. but, as I told you, this is not the solution
> I'm looking for.. so I tried to configure it per-directory... but it
> doesn't work either...
>
> Here I attach my per-directory configuration... It's just a test but this
> is more or less how it should look at the end:
>
>
>
> <VirtualHost *:443>
>
> ServerName amsterdam
>
> LogLevel debug
> ErrorLog /var/log/apache2/testmodnss/error.log
> CustomLog /var/log/apache2/testmodnss/access.log combined
> DocumentRoot /var/www/testmodnss
>
> # ssl
> NSSEngine on
> RewriteEngine on
> NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> NSSProtocol All
>
> ## Certificate database. It contains both public and private key of the
> ssl server. It also contains the CA certificate of the allowed client
> certificates
> NSSCertificateDatabase /etc/apache2/certs/nss/
>
> NSSNickName Server-Cert
>
>
> # ssl client
>
> <Location "/var/www/testmodnss/files/">
>
> AllowOverride all
> NSSVerifyClient require
> NSSOptions +ExportCertData
> NSSOptions +StdEnvVars
>
> </Location>
>
> </VirtualHost>
>
> NSSPassPhraseHelper /usr/sbin/nss_pcache
>
>
> Could you please help me?
>
> Thank you very much

Sorry for the delayed response.

What version of mod_nss and which browser (and version) are you using? I 
wonder if you have a newer browser and an older mod_nss and are bumping 
into the SSL renegotiation changes that went into the NSS crypto system 
to handle http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555. 
This KB article includes some tuning information for NSS in general: 
https://access.redhat.com/kb/docs/DOC-20491

The latest mod_nss provides some tuning knobs for this as mentioned by 
Luid (NSSRenegotiation and NSSRequireSafeNegotiation) that are 
equivalent to the environment variables in the KB article, just more 
convenient. mod_nss defaults to SSL_RENEGOTIATE_NEVER and setting 
NSSRenegotiation is the equivalent of SSL_RENEGOTIATE_REQUIRES_XTN.

So this is a long way of saying, try adding export 
NSS_SSL_ENABLE_RENEGOTIATION=u or NSS_SSL_ENABLE_RENEGOTIATION=r to your 
Apache environment (/etc/sysconfig/httpd on Red Hat and Fedora systems).

I'll be away again until next week in case you have any follow-up questions.

rob
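As an added example (not from this thread and not mod_nss's own sample config), here is Tomás's per-directory setup with the two renegotiation directives Rob names added at virtual-host level; paths and the Server-Cert nickname are reused from his post, and the statement that NSSRequireSafeNegotiation refuses non-RFC-5746 clients at the initial handshake is taken from the mod_nss documentation as I read it.

```apache
# Added example, not part of this thread or of mod_nss itself.
# Paths and the "Server-Cert" nickname come from Tomás's posted config.

NSSPassPhraseHelper /usr/sbin/nss_pcache

<VirtualHost *:443>
    ServerName amsterdam
    DocumentRoot /var/www/testmodnss
    LogLevel debug
    ErrorLog /var/log/apache2/testmodnss/error.log

    NSSEngine on
    NSSProtocol All
    NSSCertificateDatabase /etc/apache2/certs/nss/
    NSSNickname Server-Cert
    NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha,+rsa_3des_sha

    # A per-directory NSSVerifyClient forces a second handshake after the
    # request URL is known. mod_nss defaults to SSL_RENEGOTIATE_NEVER, so
    # that second handshake is refused and the log shows
    # "Re-negotiation handshake failed: Not accepted by client".
    #
    # NSSRenegotiation on == SSL_RENEGOTIATE_REQUIRES_XTN: renegotiate only
    # with clients that send the RFC 5746 renegotiation_info extension
    # (the CVE-2009-3555 fix). NSSRequireSafeNegotiation on additionally
    # rejects clients without that extension at the initial handshake,
    # so an old browser fails early and visibly instead of at /files.
    NSSRenegotiation on
    NSSRequireSafeNegotiation on

    # <Location> matches the URL path (/files in the log above), not the
    # filesystem path; use <Directory> for a filesystem path instead.
    <Location "/files">
        NSSVerifyClient require
        NSSOptions +StdEnvVars
        NSSOptions +ExportCertData
    </Location>
</VirtualHost>
```

The environment-variable route Rob describes is equivalent: NSS_SSL_ENABLE_RENEGOTIATION=r in /etc/sysconfig/httpd corresponds to NSSRenegotiation on, while =u (unrestricted) also accepts clients that lack the extension and therefore reopens the CVE-2009-3555 exposure.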