[Mod_nss-list] Problem configuring Client certificate Authentication

Luis Neves luisneves at hotmail.com
Thu Sep 2 08:36:20 UTC 2010


Hi Rob, indeed I've tested by myself and have the same renegotiation error as well

Played with the settings I've told Tomas about, but still got the problem.
Played with the Apache env variables you mentioned but to no avail, same problem.

Will read carefully your link, but it looks like the only solution is avoiding at all costs using verifyclient inside location tags... :(

Luis


> Date: Wed, 1 Sep 2010 08:59:01 -0400
> From: rcritten at redhat.com
> To: ttormo at indenova.com
> CC: mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
> 
> Tomás Tormo wrote:
> > Greetings
> >
> > I'm trying to configure mod_nss in Apache in order to use it as my
> > client certificate authentication mechanism, but I'm having problems
> > with it..
> >
> > I'd like to use client authentication in some parts of a website... so I
> > tried to do it as with mod_ssl, using the Location directive with the
> > NSSVerifyClient require directive inside, but it never works... I always
> > get this error...
> >
> > [Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation
> > [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing
> > full renegotiation: complete handshake protocol
> > [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting
> > re-negotiation handshake
> > *[Mon Aug 30 14:17:34 2010] [info] Read error -12176
> > [Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not
> > accepted by client!?*
> > [Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client
> > 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer:
> > https://amsterdam/
> > [Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input
> > filter read failed.
> > [Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server
> > amsterdam:443, client 192.168.125.53)
> >
> > After this, I checked the documentation and it says I can work in a
> > per-server or per-directory context... So I tried to do it per-server
> > and it works perfectly.. but, as I told you, this is not the solution
> > I'm looking for.. so I tried to configure it per-directory... but it
> > doesn't work either...
> >
> > Here I attach my per-directory configuration... It's just a test but this
> > is more or less how it should look at the end:
> >
> >
> >
> > <VirtualHost *:443>
> >
> > ServerName amsterdam
> >
> > LogLevel debug
> > ErrorLog /var/log/apache2/testmodnss/error.log
> > CustomLog /var/log/apache2/testmodnss/access.log combined
> > DocumentRoot /var/www/testmodnss
> >
> > # ssl
> > NSSEngine on
> > RewriteEngine on
> > NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> >
> > NSSProtocol All
> >
> > ## Certificate database. It contains both the public and private key of the
> > ## ssl server. It also contains the CA certificate of the allowed client
> > ## certificates
> > NSSCertificateDatabase /etc/apache2/certs/nss/
> >
> > NSSNickName Server-Cert
> >
> >
> > # ssl client
> >
> > <Directory "/var/www/testmodnss/files/">
> >
> > AllowOverride all
> > NSSVerifyClient require
> > NSSOptions +ExportCertData
> > NSSOptions +StdEnvVars
> >
> > </Directory>
> >
> > </VirtualHost>
> >
> > NSSPassPhraseHelper /usr/sbin/nss_pcache
> >
> >
> > Could you please help me?
> >
> > Thank you very much
> 
> Sorry for the delayed response.
> 
> What version of mod_nss and which browser (and version) are you using? I 
> wonder if you have a newer browser and an older mod_nss and are bumping 
> into the SSL renegotiation changes that went into the NSS crypto system 
> to handle http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555. 
> This KB article includes some tuning information for NSS in general: 
> https://access.redhat.com/kb/docs/DOC-20491
> 
> The latest mod_nss provides some tuning knobs for this as mentioned by 
> Luis (NSSRenegotiation and NSSRequireSafeNegotiation) that are 
> equivalent to the environment variables in the KB article, just more 
> convenient. mod_nss defaults to SSL_RENEGOTIATE_NEVER and setting 
> NSSRenegotiation is the equivalent of SSL_RENEGOTIATE_REQUIRES_XTN.
> 
> So this is a long way of saying, try adding export 
> NSS_SSL_ENABLE_RENEGOTIATION=u or NSS_SSL_ENABLE_RENEGOTIATION=r to your 
> Apache environment (/etc/sysconfig/httpd on Red Hat and Fedora systems).
> 
> I'll be away again until next week in case you have any follow-up questions.
> 
> rob
> 
> _______________________________________________
> Mod_nss-list mailing list
> Mod_nss-list at redhat.com
> https://www.redhat.com/mailman/listinfo/mod_nss-list
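As an added illustration (not Tomás's configuration and not from Rob's reply): the per-directory client certificate setup from the thread with the two renegotiation directives Rob names spelled out, so the renegotiation that NSSVerifyClient in a per-directory context forces is permitted only with clients that support the secure renegotiation extension. Paths, names and the /etc/sysconfig/httpd location are taken from the thread; the exact log-line wording quoted in the comments is Tomás's.

```apache
# Added example: per-directory client certificate auth with mod_nss.
# Requiring a client certificate only under /files means mod_nss has to
# renegotiate after it has already seen the request URI. mod_nss defaults
# to SSL_RENEGOTIATE_NEVER (the NSS change for CVE-2009-3555), and with
# that default the renegotiation attempt fails with
# "Re-negotiation handshake failed: Not accepted by client!?".

<VirtualHost *:443>
    ServerName amsterdam
    DocumentRoot /var/www/testmodnss

    NSSEngine on
    NSSProtocol All
    NSSCertificateDatabase /etc/apache2/certs/nss/
    NSSNickName Server-Cert

    # Allow renegotiation, but only with clients that offer the RFC 5746
    # secure renegotiation extension. Together these match
    # SSL_RENEGOTIATE_REQUIRES_XTN, i.e. NSS_SSL_ENABLE_RENEGOTIATION=r.
    NSSRenegotiation on
    NSSRequireSafeNegotiation on

    <Directory "/var/www/testmodnss/files/">
        NSSVerifyClient require
        NSSOptions +ExportCertData
        NSSOptions +StdEnvVars
    </Directory>
</VirtualHost>

NSSPassPhraseHelper /usr/sbin/nss_pcache

# For a mod_nss too old to know the two directives above, the equivalent
# knob is the NSS environment variable in httpd's environment
# (/etc/sysconfig/httpd on Red Hat and Fedora). "r" matches the directives
# above; "u" re-enables unrestricted pre-RFC 5746 renegotiation and gives
# up the CVE-2009-3555 protection, so "r" is the setting to keep.
#   export NSS_SSL_ENABLE_RENEGOTIATION=r
```

A client that does not send the extension will still see the same "Not accepted by client" failure under the "r" setting; that is the expected outcome rather than a misconfiguration, and the fix is a client that supports RFC 5746.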