From reactor.leet at gmail.com Thu Feb 3 09:50:17 2011
From: reactor.leet at gmail.com (Liran ...)
Date: Thu, 3 Feb 2011 11:50:17 +0200
Subject: [Mod_nss-list] Problem with Apache reverse proxy and mod_nss
Message-ID:

Hi

Attached are 2 configuration files, 1 for httpd.conf and 1 for nss.conf.

I have a webserver that is running on port 9090 that can accept SSL traffic.

When I try to reach this webserver through HTTPS, I see these errors in the nss_error.log file:

[Thu Feb 03 11:48:26 2011] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //192.168.2.100:9090/basics.html
[Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(1513): [client 192.168.1.81] proxy: *: found reverse proxy worker for https://192.168.2.100:9090/basics.html
[Thu Feb 03 11:48:26 2011] [debug] mod_proxy.c(993): Running scheme https handler (attempt 0)
[Thu Feb 03 11:48:26 2011] [debug] mod_proxy_http.c(1940): proxy: HTTP: serving URL https://192.168.2.100:9090/basics.html
[Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(1999): proxy: HTTPS: has acquired connection for (*)
[Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(2055): proxy: connecting https://192.168.2.100:9090/basics.html to 192.168.2.100:9090
[Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(2153): proxy: connected /basics.html to 192.168.2.100:9090
[Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(2308): proxy: HTTPS: fam 2 socket created to connect to *
[Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(2414): proxy: HTTPS: connection complete to 192.168.2.100:9090 (192.168.2.100)
[Thu Feb 03 11:48:26 2011] [info] Connection to child 0 established (server sssss:443, client 192.168.2.100)
[Thu Feb 03 11:48:26 2011] [info] SSL library error -8181 writing data
[Thu Feb 03 11:48:26 2011] [info] SSL Library Error: -8181 Certificate has expired
[Thu Feb 03 11:48:26 2011] [error] (20014)Internal error: proxy: pass request body failed to 192.168.2.100:9090 (192.168.2.100)
[Thu Feb 03 11:48:26 2011] [error] proxy: pass request body failed to 192.168.2.100:9090 (192.168.2.100) from 192.168.1.81 ()
[Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(2017): proxy: HTTPS: has released connection for (*)
[Thu Feb 03 11:48:26 2011] [debug] nss_engine_io.c(655): SSL connection destroyed without being closed
[Thu Feb 03 11:48:26 2011] [info] Connection to child 0 closed (server sssss:443, client 192.168.1.81)

I don't know why the APR thinks that the certificate has expired; it was issued in 2010 and the expiration date is 2016.

Your help is needed,
Thanks

From rcritten at redhat.com Thu Feb 3 14:09:48 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 03 Feb 2011 09:09:48 -0500
Subject: [Mod_nss-list] Problem with Apache reverse proxy and mod_nss
In-Reply-To:
References:
Message-ID: <4D4AB72C.8050805@redhat.com>

Liran ... wrote:
> Hi
>
> Attached are 2 configuration files, 1 for httpd.conf and 1 for nss.conf.
>
> I have a webserver that is running on port 9090 that can accept SSL traffic.
>
> When I try to reach this webserver through HTTPS, I see these errors in the nss_error.log file:
>
> [Thu Feb 03 11:48:26 2011] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //192.168.2.100:9090/basics.html
> [Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(1513): [client 192.168.1.81] proxy: *: found reverse proxy worker for https://192.168.2.100:9090/basics.html
> [Thu Feb 03 11:48:26 2011] [debug] mod_proxy.c(993): Running scheme https handler (attempt 0)
> [Thu Feb 03 11:48:26 2011] [debug] mod_proxy_http.c(1940): proxy: HTTP: serving URL https://192.168.2.100:9090/basics.html
> [Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(1999): proxy: HTTPS: has acquired connection for (*)
> [Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(2055): proxy: connecting https://192.168.2.100:9090/basics.html to 192.168.2.100:9090
> [Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(2153): proxy: connected /basics.html to 192.168.2.100:9090
> [Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(2308): proxy: HTTPS: fam 2 socket created to connect to *
> [Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(2414): proxy: HTTPS: connection complete to 192.168.2.100:9090 (192.168.2.100)
> [Thu Feb 03 11:48:26 2011] [info] Connection to child 0 established (server sssss:443, client 192.168.2.100)
> [Thu Feb 03 11:48:26 2011] [info] SSL library error -8181 writing data
> [Thu Feb 03 11:48:26 2011] [info] SSL Library Error: -8181 Certificate has expired
> [Thu Feb 03 11:48:26 2011] [error] (20014)Internal error: proxy: pass request body failed to 192.168.2.100:9090 (192.168.2.100)
> [Thu Feb 03 11:48:26 2011] [error] proxy: pass request body failed to 192.168.2.100:9090 (192.168.2.100) from 192.168.1.81 ()
> [Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(2017): proxy: HTTPS: has released connection for (*)
> [Thu Feb 03 11:48:26 2011] [debug] nss_engine_io.c(655): SSL connection destroyed without being closed
> [Thu Feb 03 11:48:26 2011] [info] Connection to child 0 closed (server sssss:443, client 192.168.1.81)
>
> I don't know why the APR thinks that the certificate has expired; it was issued in 2010 and the expiration date is 2016.
>
> Your help is needed,
> Thanks

The Certificate expired error comes from deep within the NSS library. Is there a reason you have NSSEnforceValidCerts off in nss.conf?

What distro are you running and what version of mod_nss?

thanks

rob

From elj at elj.us Fri Feb 25 16:10:03 2011
From: elj at elj.us (Erica Johansson)
Date: Fri, 25 Feb 2011 11:10:03 -0500
Subject: [Mod_nss-list] mod_nss issue after patching....
Message-ID:

Hello,

I recently updated mod_nss from mod_nss-1.0.3-8.el5.i386 to mod_nss-1.0.8-3.el5.i386. I initially had the issues related to permissions and the post install script. However, I changed the permissions and ensured that the group apache runs as could read the various dbs it needed to.

However, now I'm getting this on any vhosts that are configured to use NSS:

[Thu Feb 24 21:05:47 2011] [error] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
[Thu Feb 24 21:05:47 2011] [error] (20014)Internal error: proxy: pass request body failed to 10.68.176.1:443 (hostname.domain.net)
[Thu Feb 24 21:05:47 2011] [error] proxy: pass request body failed to 10.68.176.1:443 (hostname.domain.com) from 10.69.140.61 ()
[Thu Feb 24 21:06:00 2011] [error] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
[Thu Feb 24 21:06:00 2011] [error] (20014)Internal error: proxy: pass request body failed to 10.68.176.1:443 (hostname.domain.net)
[Thu Feb 24 21:06:00 2011] [error] proxy: pass request body failed to 10.68.176.1:443 (hostname.domain.net) from 10.69.140.61 ()

(Please note that "hostname.domain.net" in there was the FQDN of the host related to the IP address before it, which was correct in where it is being proxy passed to.)

Here is a sample configuration for each vhost:

DocumentRoot "/var/www/html"
ServerName server.domain.com
AllowConnect 10480

NSSProxyEngine on
NSSEnforceValidCerts on
NSSProxyCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSFIPS on

Order Deny,Allow
Deny from all
Allow from all
ProxyPass https://hostname.domain.com:443/service/
ProxyPassReverse https://hostname.domain.com:443/service/

And the hostname in the ProxyPass/ProxyPassReverse does translate to the IP listed in the logs.

Rolling back to the old version resolves the issue. I'm admittedly learning mod_nss as I go about this, but haven't been able to figure this issue out. LogLevel is debug, but I have no other errors or info to go on. From searches, I've seen it suggested that there may be an issue with shared libraries if mod_ssl is loaded as well, so I've verified that mod_ssl is not being loaded.

Any info that can be provided would be greatly appreciated.
Thanks!
Erica

From rcritten at redhat.com Fri Feb 25 19:48:10 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Feb 2011 14:48:10 -0500
Subject: [Mod_nss-list] mod_nss issue after patching....
In-Reply-To:
References:
Message-ID: <4D68077A.3040300@redhat.com>

Erica Johansson wrote:
> Hello,
>
> I recently updated mod_nss from mod_nss-1.0.3-8.el5.i386 to mod_nss-1.0.8-3.el5.i386. I initially had the issues related to permissions and the post install script. However, I changed the permissions and ensured that the group apache runs as could read the various dbs it needed to.
>
> However, now I'm getting this on any vhosts that are configured to use NSS:
>
> [Thu Feb 24 21:05:47 2011] [error] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
> [Thu Feb 24 21:05:47 2011] [error] (20014)Internal error: proxy: pass request body failed to 10.68.176.1:443 (hostname.domain.net)
> [Thu Feb 24 21:05:47 2011] [error] proxy: pass request body failed to 10.68.176.1:443 (hostname.domain.com) from 10.69.140.61 ()
> [Thu Feb 24 21:06:00 2011] [error] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
> [Thu Feb 24 21:06:00 2011] [error] (20014)Internal error: proxy: pass request body failed to 10.68.176.1:443 (hostname.domain.net)
> [Thu Feb 24 21:06:00 2011] [error] proxy: pass request body failed to 10.68.176.1:443 (hostname.domain.net) from 10.69.140.61 ()
>
> (Please note that "hostname.domain.net" in there was the FQDN of the host related to the IP address before it, which was correct in where it is being proxy passed to.)
>
> Here is a sample configuration for each vhost:
>
> DocumentRoot "/var/www/html"
> ServerName server.domain.com
> AllowConnect 10480
>
> NSSProxyEngine on
> NSSEnforceValidCerts on
> NSSProxyCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> NSSFIPS on
>
> Order Deny,Allow
> Deny from all
> Allow from all
> ProxyPass https://hostname.domain.com:443/service/
> ProxyPassReverse https://hostname.domain.com:443/service/
>
> And the hostname in the ProxyPass/ProxyPassReverse does translate to the IP listed in the logs.
>
> Rolling back to the old version resolves the issue. I'm admittedly learning mod_nss as I go about this, but haven't been able to figure this issue out. LogLevel is debug, but I have no other errors or info to go on. From searches, I've seen it suggested that there may be an issue with shared libraries if mod_ssl is loaded as well, so I've verified that mod_ssl is not being loaded.
>
> Any info that can be provided would be greatly appreciated.
> Thanks!
> Erica

The only protection from a man-in-the-middle attack is to verify that the hostname you are requesting is the CN of the remote SSL server. If that isn't the case then you can't be sure you're talking to the right party.

mod_proxy wasn't setting the reverse hostname for quite some time so there was no way to do this check (so yes, it was rather unsafe).

You can try adding the option NSSProxyCheckPeerCN off. This disables the CN checking code. It could be that your version of mod_proxy isn't setting this value, which is why mod_nss can't find it.

rob
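The two mod_nss proxy checks this thread turns on, NSSEnforceValidCerts (the "Certificate has expired" case in the first message) and NSSProxyCheckPeerCN (the "I don't have the name of the host" case Rob explains above), modelled as an added Python example; this is not mod_nss source, it simplifies the real checks, and the certificate dict shape, SAMPLE_CERT values and function names are constructed here.

```python
# Added example (not mod_nss source): a simplified model of the two mod_nss proxy
# checks discussed in this thread, NSSEnforceValidCerts (validity window) and
# NSSProxyCheckPeerCN (requested hostname vs. certificate names). The peer
# certificate is a dict shaped like ssl.SSLSocket.getpeercert() output.
import ssl

# Constructed sample backend certificate, valid 2010-2016 like the one in the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "hostname.domain.com"),),),
    "subjectAltName": (("DNS", "hostname.domain.com"), ("DNS", "*.svc.domain.com")),
    "notBefore": "Feb  1 00:00:00 2010 GMT",
    "notAfter": "Feb  1 00:00:00 2016 GMT",
}

def to_epoch(cert_time):
    """Convert a getpeercert() timestamp ('Feb  1 00:00:00 2010 GMT') to epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)

def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries if present, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """Case-insensitive match; a leading '*.' wildcard covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def verify_proxy_peer(cert, expected_host, now, enforce_valid_certs=True, check_peer_cn=True):
    """Return the reasons to refuse the backend connection; an empty list means accept.

    Switching either flag off removes that protection (the name check is what stops a
    man-in-the-middle), so a refusal should be diagnosed rather than silenced.
    """
    problems = []
    if enforce_valid_certs:
        if now < to_epoch(cert["notBefore"]):
            problems.append("certificate not yet valid")
        if now > to_epoch(cert["notAfter"]):
            problems.append("certificate has expired")
    if check_peer_cn:
        if not expected_host:
            # The situation behind "I don't have the name of the host ... Giving up."
            problems.append("no expected hostname available; cannot verify peer")
        elif not any(name_matches(n, expected_host) for n in cert_names(cert)):
            problems.append(f"peer certificate names {cert_names(cert)} do not match {expected_host}")
    return problems
```

Run with the real `getpeercert()` dict of a backend and the hostname from the ProxyPass target to see which of the two checks a refused connection is actually failing.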