From vcizek at suse.com Fri Oct 2 13:10:48 2015
From: vcizek at suse.com (Vitezslav Cizek)
Date: Fri, 2 Oct 2015 15:10:48 +0200
Subject: [Mod_nss-list] [PATCH 0/3] mod_nss SNI patch
Message-ID: <1443791451-30432-1-git-send-email-vcizek@suse.com>

Hi,
As the bug tracker at https://fedorahosted.org/mod_nss/ doesn't seem to be used at all, I'm attaching our patches here.

Stanislav Tokos (2):
  [1/3] Prevent a crash when the cert db isn't accessible to apache
    * When the apache user can't access the nss certificate store, eg because of too strict permissions, it may continue without proper initialization but it will crash eventually
  [2/3] Add SNI support.
    * Adds SNI support to mod_nss

Vitezslav Cizek (1):
  [3/3] Send TLS server name extension on proxy connections.
    * send the SNI extension when doing proxy backend requests.

 docs/mod_nss.html   |  13 ++++-
 mod_nss.c           |   3 ++
 mod_nss.h           |  19 +++++++
 nss_engine_config.c |  11 ++++
 nss_engine_init.c   | 145 ++++++++++++++++++++++++++++++++++++++++++++++++----
 nss_engine_io.c     |  39 ++++++++++++++
 nss_engine_kernel.c |  53 +++++++++++++++++++
 nss_util.c          |  44 ++++++++++++++++
 8 files changed, 315 insertions(+), 12 deletions(-)

--
2.1.4

From vcizek at suse.com Fri Oct 2 13:10:49 2015
From: vcizek at suse.com (Vitezslav Cizek)
Date: Fri, 2 Oct 2015 15:10:49 +0200
Subject: [Mod_nss-list] [PATCH 1/3] Prevent a crash when the cert db isn't accessible to apache
In-Reply-To: <1443791451-30432-1-git-send-email-vcizek@suse.com>
References: <1443791451-30432-1-git-send-email-vcizek@suse.com>
Message-ID: <1443791451-30432-2-git-send-email-vcizek@suse.com>

From: Stanislav Tokos

---
 nss_engine_init.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/nss_engine_init.c b/nss_engine_init.c
index 23653dd..7a8eae8 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -159,11 +159,10 @@ static void nss_init_SSLLibrary(server_rec *base_server) NSS_Shutdown(); ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "NSS_Initialize failed. Certificate database: %s.", mc->pCertificateDatabase != NULL ? mc->pCertificateDatabase : "not set in configuration"); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, + "Please check access rights for user:%s!!!", mc->user); nss_log_nss_error(APLOG_MARK, APLOG_ERR, base_server); - if (mc->nInitCount == 1) - nss_die(); - else - return; + nss_die(); } if (fipsenabled) { -- 2.1.4 From vcizek at suse.com Fri Oct 2 13:10:50 2015 From: vcizek at suse.com (Vitezslav Cizek) Date: Fri, 2 Oct 2015 15:10:50 +0200 Subject: [Mod_nss-list] [PATCH 2/3] Add SNI support. In-Reply-To: <1443791451-30432-1-git-send-email-vcizek@suse.com> References: <1443791451-30432-1-git-send-email-vcizek@suse.com> Message-ID: <1443791451-30432-3-git-send-email-vcizek@suse.com> From: Stanislav Tokos Introduces a new NSSSNI configuration directive. --- docs/mod_nss.html | 13 ++++- mod_nss.c | 3 ++ mod_nss.h | 19 ++++++++ nss_engine_config.c | 11 +++++ nss_engine_init.c | 138 +++++++++++++++++++++++++++++++++++++++++++++++++--- nss_engine_kernel.c | 53 ++++++++++++++++++++ nss_util.c | 44 +++++++++++++++++ 7 files changed, 273 insertions(+), 8 deletions(-) diff --git a/docs/mod_nss.html b/docs/mod_nss.html index 19d8fef..4566875 100644 --- a/docs/mod_nss.html +++ b/docs/mod_nss.html @@ -184,7 +184,8 @@ following line to httpd.conf (location relative to httpd.conf):
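Review bot: the new log line in the nss_init_SSLLibrary hunk hands `mc->user` straight to `%s`, while the message directly above it guards `mc->pCertificateDatabase` with `!= NULL ? ... : "not set in configuration"`; give `mc->user` the same treatment so an unset user cannot produce a NULL `%s`, and drop the `!!!`. The substantive change, replacing the `nInitCount == 1 ? nss_die() : return` branch with an unconditional `nss_die()`, is explained only in the cover letter (continuing without initialization crashes later); this patch has no commit message of its own and should carry that rationale so the behaviour change is visible in `git log`.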

This has Apache load the mod_nss configuration file, nss.conf. It is here that you will setup your VirtualServer entries to and -configure your SSL servers.
+configure your SSL servers. If you have a certificate with the Subject +Alternative Names then you will set up these names like ServerAlias for your virtual host.

Certificate Generation

A ksh script, gencert, is included to automatically @@ -1043,6 +1044,16 @@ components of the client certificate, the remote IP address, etc.
NSSRequire


+NSSSNI
+
+Enables or disables Server Name Identification(SNI) extension check for +SSL. This option is turn on by default. SNI vhost_id gets from HTTPS header. +
+
+Example
+
+NSSSNI off
+
NSSRenegBufferSize

Configure the amount of memory that will be used for buffering the diff --git a/mod_nss.c b/mod_nss.c index 5530721..28c9658 100644 --- a/mod_nss.c +++ b/mod_nss.c @@ -85,6 +85,9 @@ static const command_rec nss_config_cmds[] = { SSL_CMD_SRV(FIPS, FLAG, "FIPS 140-1 mode " "(`on', `off')") + SSL_CMD_SRV(SNI, FLAG, + "SNI" + "(`on', `off')") SSL_CMD_ALL(CipherSuite, TAKE1, "Comma-delimited list of permitted SSL Ciphers, + to enable, - to disable " "(`[+-]XXX,...,[+-]XXX' - see manual)") diff --git a/mod_nss.h b/mod_nss.h index ba081cc..790cc81 100644 --- a/mod_nss.h +++ b/mod_nss.h @@ -311,6 +311,7 @@ struct SSLSrvConfigRec { const char *ocsp_name; BOOL ocsp; BOOL enabled; + BOOL sni; BOOL proxy_enabled; const char *vhost_id; int vhost_id_len; @@ -341,6 +342,20 @@ typedef struct { * for cipher definitions see nss_engine_cipher.h */ +typedef struct { + enum { + PW_NONE = 0, + PW_FROMFILE = 1, + PW_PLAINTEXT = 2, + PW_EXTERNAL = 3 + } source; + char *data; +} secuPWData; + +/* pool and hash which will contain ServerName and NSSNickname */ +apr_pool_t *mp; +apr_hash_t *ht; + /* Compatibility between Apache 2.0.x and 2.2.x. The numeric version of * the version first appeared in Apache 2.0.56-dev. I picked 2.0.55 as it * is the last version without this define. This is used for more than just @@ -373,6 +388,7 @@ void *nss_config_perdir_merge(apr_pool_t *p, void *basev, void *addv); void *nss_config_server_create(apr_pool_t *p, server_rec *s); void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv); const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int); +const char *nss_cmd_NSSSNI(cmd_parms *, void *, int); const char *nss_cmd_NSSEngine(cmd_parms *, void *, int); const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int); const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int); 
@@ -463,6 +479,9 @@ apr_file_t *nss_util_ppopen(server_rec *, apr_pool_t *, const char *, void nss_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *); char *nss_util_readfilter(server_rec *, apr_pool_t *, const char *, const char * const *); +char *searchHashVhostNick(char *vhost_id); +char *searchHashVhostNick_match(char *vhost_id); +void addHashVhostNick(char *vhost_id, char *nickname); /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request * to allow an SSL renegotiation to take place. */ int nss_io_buffer_fill(request_rec *r, apr_size_t maxlen); diff --git a/nss_engine_config.c b/nss_engine_config.c index 8d4421a..3e24148 100644 --- a/nss_engine_config.c +++ b/nss_engine_config.c @@ -134,6 +134,7 @@ static SSLSrvConfigRec *nss_config_server_new(apr_pool_t *p) sc->ocsp_name = NULL; sc->fips = UNSET; sc->enabled = UNSET; + sc->sni = TRUE; sc->proxy_enabled = UNSET; sc->vhost_id = NULL; /* set during module init */ sc->vhost_id_len = 0; /* set during module init */ @@ -214,6 +215,7 @@ void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv) { cfgMerge(ocsp_name, NULL); cfgMergeBool(fips); cfgMergeBool(enabled); + cfgMergeBool(sni); cfgMergeBool(proxy_enabled); cfgMergeBool(proxy_ssl_check_peer_cn); cfgMergeBool(session_tickets); @@ -343,6 +345,15 @@ const char *nss_cmd_NSSFIPS(cmd_parms *cmd, void *dcfg, int flag) return NULL; } +const char *nss_cmd_NSSSNI(cmd_parms *cmd, void *dcfg, int flag) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + + sc->sni = flag ? TRUE : FALSE; + + return NULL; +} + const char *nss_cmd_NSSOCSP(cmd_parms *cmd, void *dcfg, int flag) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); diff --git a/nss_engine_init.c b/nss_engine_init.c index 7a8eae8..53bd10c 100644 --- a/nss_engine_init.c +++ b/nss_engine_init.c 
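Review bot: `sc->sni = TRUE;` in nss_config_server_new defeats the `cfgMergeBool(sni)` added in the next hunk. Every other flag in that function starts as UNSET so that a value set in the main server is inherited by virtual hosts that do not set it; with `sni` never UNSET the merge always keeps the vhost's own default TRUE, and `NSSSNI off` in the main server is silently ignored inside every `<VirtualHost>`. Initialise it to UNSET and resolve it to TRUE in nss_init_Module alongside the existing `if (sc->fips == UNSET)` fix-ups.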
@@ -29,6 +29,8 @@ static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg); static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg); static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist); SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); +PRInt32 ownSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr, + PRUint32 sniNameArrSize, void *arg); /* * Global variables defined in this file. @@ -261,6 +263,8 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog, int fipsenabled = FALSE; int threaded = 0; struct semid_ds status; + char *split_vhost_id = NULL; + char *last1; mc->nInitCount++; @@ -324,6 +328,12 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog, sc->vhost_id = nss_util_vhostid(p, s); sc->vhost_id_len = strlen(sc->vhost_id); + if (sc->server->nickname != NULL && sc->vhost_id != NULL) { + split_vhost_id = apr_strtok(sc->vhost_id, ":", &last1); + ap_str_tolower(split_vhost_id); + addHashVhostNick(split_vhost_id, (char *)sc->server->nickname); + } + /* Fix up stuff that may not have been set */ if (sc->fips == UNSET) { sc->fips = FALSE; @@ -476,7 +486,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog, ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, "Init: Initializing (virtual) servers for SSL"); - CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); + CERTCertList* clist = PK11_ListCerts(PK11CertListUserUnique, NULL); for (s = base_server; s; s = s->next) { sc = mySrvConfig(s); @@ -1038,6 +1048,12 @@ static void nss_init_certificate(server_rec *s, const char *nickname, SECStatus secstatus; PK11SlotInfo* slot = NULL; + CERTCertNicknames *certNickDNS = NULL; + char **nnptr = NULL; + int nn = 0; + apr_array_header_t *names = NULL; + apr_array_header_t *wild_names = NULL; + int i, j; if (nickname == NULL) { return; 
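Review bot: in the nss_init_Module hunk, `apr_strtok(sc->vhost_id, ":", &last1)` writes a NUL into `sc->vhost_id` and `ap_str_tolower(split_vhost_id)` modifies the same buffer, so after this block `sc->vhost_id` holds only the lower-cased host part while `sc->vhost_id_len`, computed on the line just above, still holds the length of the full `host:port` string; every later reader of vhost_id now sees a different value from what the rest of the module expects. Tokenise a copy (`apr_pstrdup(p, sc->vhost_id)`) instead. The `PK11CertListUser` to `PK11CertListUserUnique` switch in the following hunk is unexplained; one sentence in the commit message on why duplicate certificate entries have to be collapsed for the nickname lookup would help the next reader.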
@@ -1104,14 +1120,49 @@ static void nss_init_certificate(server_rec *s, const char *nickname, *KEAtype = NSS_FindCertKEAType(*servercert); + /* get ServerAlias entries to hash */ + names = s->names; + if (names) { + char **name = (char **)names->elts; + for (i = 0; i < names->nelts; ++i) { + ap_str_tolower(name[i]); + addHashVhostNick(name[i], (char *)nickname); + } + } + + /* get ServerAlias entries with wildcards */ + wild_names = s->wild_names; + if (wild_names) { + char **wild_name = (char **)wild_names->elts; + for (j = 0; j < wild_names->nelts; ++j) { + ap_str_tolower(wild_name[j]); + addHashVhostNick(wild_name[j], (char *)nickname); + } + } + + /* get valid DNS names from certificate to hash */ + certNickDNS = CERT_GetValidDNSPatternsFromCert(*servercert); + + if (certNickDNS) { + nnptr = certNickDNS->nicknames; + nn = certNickDNS->numnicknames; + + while ( nn > 0 ) { + ap_str_tolower(*nnptr); + addHashVhostNick(*nnptr, (char *)nickname); + nnptr++; + nn--; + } + } + /* Subject/hostname check */ secstatus = CERT_VerifyCertName(*servercert, s->server_hostname); if (secstatus != SECSuccess) { char *cert_dns = CERT_GetCommonName(&(*servercert)->subject); ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "Misconfiguration of certificate's CN and virtual name." - " The certificate CN has %s. We expected %s as virtual" - " name.", cert_dns, s->server_hostname); + "Misconfiguration of certificate's CN and virtual name." + " The certificate CN has %s. We expected %s as virtual" + " name.", cert_dns, s->server_hostname); PORT_Free(cert_dns); } @@ -1146,6 +1197,14 @@ static void nss_init_certificate(server_rec *s, const char *nickname, nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); nss_die(); } + + /* SNI */ + if (SSL_SNISocketConfigHook(model, (SSLSNISocketConfig) ownSSLSNISocketConfig, (void*) s) != SECSuccess) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "SSL_SNISocketConfigHook failed"); + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); + nss_die(); + } } 
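Review bot: `CERT_GetValidDNSPatternsFromCert` returns an arena-backed `CERTCertNicknames` that this hunk never releases with `CERT_FreeNicknames`, so every (re)initialisation leaks it; free it after the `while (nn > 0)` loop. The `ap_str_tolower` calls on `name[i]` and `wild_name[j]` rewrite `s->names` and `s->wild_names` in place, i.e. they change Apache's own ServerAlias configuration as a side effect of building the hash; lower-case a copy when inserting instead. The three re-indented "Misconfiguration of certificate's CN and virtual name." lines are whitespace-only churn and should be dropped from the patch.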
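Review bot: the failure branch of `SSL_SNISocketConfigHook` logs at APLOG_DEBUG and then calls `nss_die()`; a failure that terminates the server belongs at APLOG_ERR, like the `nss_log_nss_error` call right after it. The hook is installed on `model` with the current vhost's `s` as its argument, yet inside the callback `s` is only used for logging and the actual certificate choice goes through the global hash; a short comment here saying so would save the next reader from looking for per-vhost state that does not exist.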
@@ -1310,11 +1369,12 @@ void nss_init_Child(apr_pool_t *p, server_rec *base_server) nss_init_SSLLibrary(base_server); /* Configure all virtual servers */ - CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL); + CERTCertList* clist = PK11_ListCerts(PK11CertListUserUnique, NULL); for (s = base_server; s; s = s->next) { sc = mySrvConfig(s); - if (sc->server->servercert == NULL && NSS_IsInitialized()) - nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist); + if (sc->server->servercert == NULL && NSS_IsInitialized()) { + nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist); + } } if (clist) { CERT_DestroyCertList(clist); 
@@ -1596,3 +1656,67 @@ SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg) { return SECSuccess; } + +PRInt32 ownSSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr, + PRUint32 sniNameArrSize, void *arg) +{ + server_rec *s = (server_rec *)arg; + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "start function ownSSLSNISocketConfig for SNI"); + + secuPWData *pwdata; + CERTCertificate * cert = NULL; + SECKEYPrivateKey * privKey = NULL; + char *nickName = NULL; + char *vhost = NULL; + apr_pool_t *str_p; + + PORT_Assert(fd && sniNameArr); + if (!fd || !sniNameArr) { + nss_die(); + } + apr_pool_create(&str_p, NULL); + vhost = apr_pstrndup(str_p, (char *) sniNameArr->data, sniNameArr->len); + + /* rfc6125 - Checking of Traditional Domain Names*/ + ap_str_tolower(vhost); + + nickName = searchHashVhostNick(vhost); + if (nickName == NULL) { + /* search wild_names in serverAlises */ + nickName = searchHashVhostNick_match(vhost); + if (nickName == NULL) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,"Search [val = %s] failed, unrecognized name.", vhost); + nss_die(); + } + } + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,"Search passed [value = %s] for key:%s", nickName, vhost); + + pwdata = SSL_RevealPinArg(fd); + + /* if pwdata is NULL, then we would not get the key and + * return an error status. */ + cert = PK11_FindCertFromNickname(nickName, &pwdata); + if (cert == NULL) { + nss_die(); + } + privKey = PK11_FindKeyByAnyCert(cert, &pwdata); + if (privKey == NULL) { + nss_die(); + } + SSLKEAType certKEA = NSS_FindCertKEAType(cert); + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "start configure vhost:%s", vhost); + if (SSL_ConfigSecureServer(fd, cert, privKey, certKEA) != SECSuccess) { + nss_die(); + } + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "successfull setting vhost with nick:%s", nickName); + SECKEY_DestroyPrivateKey(privKey); + CERT_DestroyCertificate(cert); + apr_pool_destroy(str_p); + return 0; + +} 
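Review bot: calling `nss_die()` inside `ownSSLSNISocketConfig` terminates the whole httpd child in the middle of a handshake, and the unrecognised-name exit is reached by nothing more than a client sending a ServerName this server does not know, so worker processes can be taken down from the network at will. NSS's contract for this callback is to return `SSL_SNI_CURRENT_CONFIG_IS_USED` (keep the default certificate, the behaviour mod_ssl has for unknown names) or `SSL_SNI_SEND_ALERT` (unrecognized_name alert) for a name that is not found, and for a certificate or key lookup failure or an `SSL_ConfigSecureServer` error the right move is to log at APLOG_ERR and fall back the same way, never to exit. On those paths `str_p`, `cert` and `privKey` must then be released, which the `nss_die()` calls currently hide. Two smaller points: `PK11_FindCertFromNickname(nickName, &pwdata)` and `PK11_FindKeyByAnyCert(cert, &pwdata)` pass the address of the local `pwdata` variable rather than the pin argument that `SSL_RevealPinArg(fd)` returned, which contradicts the comment above them; and `apr_pool_create(&str_p, NULL)` creates an unparented pool on every handshake, so it must be destroyed on every return path, not only the success one.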
diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c index 721eedb..bbc71fe 100644 --- a/nss_engine_kernel.c +++ b/nss_engine_kernel.c @@ -72,6 +72,59 @@ int nss_hook_ReadReq(request_rec *r) } /* + * SNI check is default on. In same cases you switch of by NSSSNI off + * sc->sni parameter gets vhost from HTTPS header + */ + SSLSrvConfigRec *sc = mySrvConfig(r->server); + + SECItem *hostInfo = NULL; + hostInfo = SSL_GetNegotiatedHostInfo(ssl); + if (hostInfo != NULL && sc->sni) { + if (ap_is_initial_req(r) && (hostInfo->len != 0)) { + char *servername = NULL; + char *host, *scope_id; + apr_port_t port; + apr_status_t rv; + apr_pool_t *s_p; + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, + "SNI hostInfo hostInfo->data:%s and hostInfo->len:%d" + ,(char *) hostInfo->data, hostInfo->len); + + apr_pool_create(&s_p, NULL); + servername = apr_pstrndup(s_p, (char *) hostInfo->data, hostInfo->len); + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, + "SNI hostInfo servername:%s, lenght:%d" + , servername, (unsigned)strlen(servername)); + + if (!r->hostname) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, + "Hostname %s provided via SNI, but no hostname" + " provided in HTTP request", servername); + return HTTP_BAD_REQUEST; + } + + rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool); + if (rv != APR_SUCCESS || scope_id) { + return HTTP_BAD_REQUEST; + } + + if (strcasecmp(host, servername)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, + "Hostname %s provided via SNI and hostname %s provided" + " via HTTP are different", servername, host); + + SECITEM_FreeItem(hostInfo, PR_TRUE); + apr_pool_destroy(s_p); + return HTTP_BAD_REQUEST; + } else { + SECITEM_FreeItem(hostInfo, PR_TRUE); + apr_pool_destroy(s_p); + } + } + } + /* * Log information about incoming HTTPS requests */ if (r->server->log.level >= APLOG_INFO && ap_is_initial_req(r)) { diff --git a/nss_util.c b/nss_util.c index c8dc74f..fef3313 100644 --- a/nss_util.c 
+++ b/nss_util.c @@ -100,3 +100,47 @@ char *nss_util_readfilter(server_rec *s, apr_pool_t *p, const char *cmd, return buf; } + +static void initializeHashVhostNick() { + apr_pool_create(&mp, NULL); + ht = apr_hash_make(mp); +} + +char *searchHashVhostNick(char *vhost_id) { + char *searchVal = NULL; + + searchVal = apr_hash_get(ht, vhost_id, APR_HASH_KEY_STRING); + + return searchVal; +} + +char *searchHashVhostNick_match(char *vhost_id) +{ + char *searchValReg = NULL; + apr_hash_index_t *hi; + for (hi = apr_hash_first(NULL, ht); hi; hi = apr_hash_next(hi)) { + const char *k = NULL; + const char *v = NULL; + + apr_hash_this(hi, (const void**)&k, NULL, (void**)&v); + if (!ap_strcasecmp_match(vhost_id, k)) { + searchValReg = apr_hash_get(ht, k, APR_HASH_KEY_STRING); + return searchValReg; + } + } + return NULL; +} + +void addHashVhostNick(char *vhost_id, char *nickname) { + + if (ht == NULL) { + initializeHashVhostNick(); + } + + if(searchHashVhostNick(vhost_id) == NULL) { + apr_hash_set(ht, apr_pstrdup(mp, vhost_id), APR_HASH_KEY_STRING, + apr_pstrdup(mp, nickname)); + } + return; +} + -- 2.1.4 From vcizek at suse.com Fri Oct 2 13:10:51 2015 From: vcizek at suse.com (Vitezslav Cizek) Date: Fri, 2 Oct 2015 15:10:51 +0200 Subject: [Mod_nss-list] [PATCH 3/3] Send TLS server name extension on proxy connections. In-Reply-To: <1443791451-30432-1-git-send-email-vcizek@suse.com> References: <1443791451-30432-1-git-send-email-vcizek@suse.com> Message-ID: <1443791451-30432-4-git-send-email-vcizek@suse.com> --- nss_engine_io.c | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/nss_engine_io.c b/nss_engine_io.c index 6e03a11..62863dd 100644 --- a/nss_engine_io.c +++ b/nss_engine_io.c 
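Review bot: in the nss_engine_kernel.c hunk `hostInfo` comes from `SSL_GetNegotiatedHostInfo`, which returns a SECItem the caller owns, but it is freed only on the two branches of the final `strcasecmp` if/else: when `sc->sni` is off, when the request is not the initial one, when `r->hostname` is missing and when `apr_parse_addr_port` fails, the item leaks, and on the last two paths the `s_p` pool leaks with it. Free it once after the comparison, and allocate `servername` from `r->pool` instead of a fresh unparented `apr_pool_create(&s_p, NULL)`. The comparison itself (SNI name against the Host header, 400 on mismatch) is the right check and mirrors mod_ssl's ssl_hook_ReadReq. Nits: the comment "In same cases you switch of by NSSSNI off / sc->sni parameter gets vhost from HTTPS header" and the log word "lenght" need rewording, and the first debug line prints `hostInfo->data` with `%s` before the NUL-terminated `apr_pstrndup` copy is made; log `servername` after the copy instead.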
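Review bot: `searchHashVhostNick_match` returns the first key in `apr_hash` iteration order that `ap_strcasecmp_match` accepts, and that order is unspecified, so when two wildcard ServerAlias patterns (say `*.example.com` and `*.*.example.com`, constructed here) both match a name the certificate chosen can differ between runs; either keep the wildcard patterns in an array in configuration order or document that overlapping wildcards are unsupported. `initializeHashVhostNick()` should be declared `(void)`. `addHashVhostNick` silently keeps the first nickname for a duplicate name; a warning when a second vhost maps the same name to a different nickname would surface the misconfiguration at startup rather than at handshake time.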
@@ -665,6 +665,37 @@ static apr_status_t nss_io_filter_cleanup(void *data) return APR_SUCCESS; } +static apr_status_t nss_io_filter_handshake(ap_filter_t *f) +{ + conn_rec *c = f->c; + SSLConnRec *sslconn = myConnConfig(c); + + /* + * Enable SNI for backend requests. Make sure we don't do it for + * pure SSLv3 connections + */ + if (sslconn->is_proxy) { + const char *hostname_note = apr_table_get(c->notes, "proxy-request-hostname"); + if (hostname_note) { + if (SSL_SetURL(sslconn->ssl, hostname_note) == -1) { + ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server, + "Error setting SNI extension for SSL Proxy request: %d", + PR_GetError()); + } else { + ap_log_error(APLOG_MARK, APLOG_INFO, 0, c, + "SNI extension for SSL Proxy request set to '%s'", + hostname_note); + } + } + else { + ap_log_error(APLOG_MARK, APLOG_INFO, 0, c, + "Can't set SNI extension: no hostname available"); + } + } + + return APR_SUCCESS; +} + static apr_status_t nss_io_filter_input(ap_filter_t *f, apr_bucket_brigade *bb, ap_input_mode_t mode, @@ -700,6 +731,10 @@ static apr_status_t nss_io_filter_input(ap_filter_t *f, inctx->mode = mode; inctx->block = block; + if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) { + return nss_io_filter_error(f, bb, status); + } + if (is_init) { /* protocol module needs to handshake before sending * data to client (e.g. NNTP or FTP) @@ -821,6 +856,10 @@ static apr_status_t nss_io_filter_output(ap_filter_t *f, inctx->mode = AP_MODE_READBYTES; inctx->block = APR_BLOCK_READ; + if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) { + return nss_io_filter_error(f, bb, status); + } + while (!APR_BRIGADE_EMPTY(bb)) { apr_bucket *bucket = APR_BRIGADE_FIRST(bb); -- 2.1.4 From rcritten at redhat.com Fri Oct 2 14:24:10 2015 
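Review bot: `nss_io_filter_handshake` is called from every pass of both `nss_io_filter_input` and `nss_io_filter_output`, so `SSL_SetURL` and the APLOG_INFO line run again on every read and write of a proxy connection rather than once before the handshake; guard it with a per-connection flag (or do it where the proxy SSL socket is created) and lower the success message to DEBUG. The comment "Make sure we don't do it for pure SSLv3 connections" describes a check the code does not make. The second and third `ap_log_error` calls pass `c`, a `conn_rec *`, where the function takes a `server_rec *`; the first call correctly uses `c->base_server`, and `ap_log_cerror` is the right call when logging against a connection.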
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 02 Oct 2015 10:24:10 -0400
Subject: [Mod_nss-list] [PATCH 0/3] mod_nss SNI patch
In-Reply-To: <1443791451-30432-1-git-send-email-vcizek@suse.com>
References: <1443791451-30432-1-git-send-email-vcizek@suse.com>
Message-ID: <560E938A.5060907@redhat.com>

Vitezslav Cizek wrote:
> Hi,
> As the bug tracker at https://fedorahosted.org/mod_nss/
> doesn't seem to be used at all, I'm attaching our patches here.

Yeah, the site used to be hosted elsewhere and I never did get around to utilizing all of the fedorahosted features. I'll make a note to do that soonish.

I've got these patches, along with a few others that Standa provided, under review now. I'm hoping to do a release soon.

thanks

rob

>
> Stanislav Tokos (2):
> [1/3] Prevent a crash when the cert db isn't accessible to apache
> * When the apache user can't access the nss certificate store,
> eg because of too strict permissions, it may continue without
> proper initialization but it will crash eventually
> [2/3] Add SNI support.
> * Adds SNI support to mod_nss
>
> Vitezslav Cizek (1):
> [3/3] Send TLS server name extension on proxy connections.
> * send the SNI extension when doing proxy backend requests.
>
> docs/mod_nss.html | 13 ++++-
> mod_nss.c | 3 ++
> mod_nss.h | 19 +++++++
> nss_engine_config.c | 11 ++++
> nss_engine_init.c | 145 ++++++++++++++++++++++++++++++++++++++++++++++++----
> nss_engine_io.c | 39 ++++++++++++++
> nss_engine_kernel.c | 53 +++++++++++++++++++
> nss_util.c | 44 ++++++++++++++++
> 8 files changed, 315 insertions(+), 12 deletions(-)
>

From rcritten at redhat.com Fri Oct 2 21:32:19 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 02 Oct 2015 17:32:19 -0400
Subject: [Mod_nss-list] mod_nss 1.0.12 released
Message-ID: <560EF7E3.9070007@redhat.com>

I'm happy to announce that I tagged and released mod_nss 1.0.12 today.

The changes include:

* Add support for Server Name Indication (SNI) (#1010751)
* Add support for SNI for reverse proxy connections
* Add RenegBufferSize option
* Add support for TLS Session Tickets (RFC 5077)
* Fix logical AND support in OpenSSL cipher compatibility
* Correctly handle disabled ciphers (CVE-2015-5244)
* Implement a slew more OpenSSL cipher macros including kRSA, aRSA, EDH, ECDH, kECDHe, kECDHr, kEECDH, aECDH, aNULL, AESGCM, AES128, AES256, CAMELLIA, CAMELLIA128, CAMELLIA256, ECDH, kECDH, AECDH, ECDSA and aECDSA.
* Fix a number of illegal memory accesses and memory leaks
* Support for SHA384 ciphers if they are available in the version of NSS mod_nss is built against
* Add the SECURE_RENEG environment variable
* Add some hints when NSS database cannot be initialized
* Fix compatibility with RHEL 6.x (Apache 2.2.x and NSS 3.15.1)
* Code cleanup including trailing whitespace and compiler warnings
* Modernize autotools configuration slightly, add config.h
* Add small test suite for SNI

Source can be downloaded from https://fedorahosted.org/released/mod_nss/mod_nss-1.0.12.tar.gz

rob

From lcohen at novetta.com Wed Oct 14 15:02:05 2015
From: lcohen at novetta.com (Cohen, Laurence)
Date: Wed, 14 Oct 2015 11:02:05 -0400
Subject: [Mod_nss-list] TLSSESSIONTICKETS
Message-ID:

I'm trying to find out what version of mod_nss uses TLSSESSIONTICKETS and has the ability to turn them off. I see that Fedora has a version that has this function, but I need this function for RHEL6. I want to try to avoid doing a custom build since this is for a government customer.

Thanks,
Larry Cohen

From rcritten at redhat.com Wed Oct 14 15:26:25 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 14 Oct 2015 11:26:25 -0400
Subject: [Mod_nss-list] TLSSESSIONTICKETS
In-Reply-To:
References:
Message-ID: <561E7421.2000509@redhat.com>

Cohen, Laurence wrote:
> I'm trying to find out what version of mod_nss uses TLSSESSIONTICKETS
> and has the ability to turn them off. I see that Fedora has a version
> that has this function, but I need this function for RHEL6. I want to
> try to avoid doing a custom build since this is for a government customer.

TLS Session tickets are disabled by default. mod_nss 1.0.12 adds an option to turn them on.

rob

From lcohen at novetta.com Thu Oct 15 17:17:50 2015
From: lcohen at novetta.com (Cohen, Laurence) Date: Thu, 15 Oct 2015 13:17:50 -0400 Subject: [Mod_nss-list] TLSSESSIONTICKETS In-Reply-To: <561E7421.2000509@redhat.com> References: <561E7421.2000509@redhat.com> Message-ID: Hi Rob, Thanks for your reply yesterday. Here is my problem. We are using mod_nss version 1.0.8 on RHEL6. Here is a session that our F5 admin sent to our production webserver at the command line using openssl. # openssl s_client -connect x.x.x.x:443 < /dev/null CONNECTED(00000003) depth=2 C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 2 verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/C=us/O=u.s. government/OU=DOD/OU=pki/OU=disa/CN=metadata.ces.mil i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28 1 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28 i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2 2 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2 i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2 --- Server certificate -----BEGIN CERTIFICATE----- MIIFczCCBFugAwIBAgIDAMDoMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAlVT MRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UE CxMDUEtJMRIwEAYDVQQDEwlET0QgQ0EtMjgwHhcNMTMxMTAxMjExMTM0WhcNMTYx MTAxMjExMTM0WjBtMQswCQYDVQQGEwJ1czEYMBYGA1UEChMPdS5zLiBnb3Zlcm5t ZW50MQwwCgYDVQQLEwNET0QxDDAKBgNVBAsTA3BraTENMAsGA1UECxMEZGlzYTEZ MBcGA1UEAxMQbWV0YWRhdGEuY2VzLm1pbDCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBAMuaXfCzffQnuqtQAwwTssjkbHEpQICFsjD5T0BhhLYwf/6MEZIe Dfx97j7CvqthxvVEtVe6j5d99OXW0rrXowgo/bGhnc8pR5sDke2hlUbmjb+XkqZR 03QyKv2+DFhiv8BIlO8EAygQZSYK8lyKxvvEwI19RRht1uZ9Mcn2hUKlm7OD6nnH grCk+qo8idCE2qO52gln46Q12nHIEHIrc8u6+EcgrdbC/Tpj5G+0HTuzOw4aQ0H8 EMLQk8e7EdubfOxdhscS2YQtzNBkvLVEgA8QZr2wMleYG2ZJDRB0W5m6n12/3lpv M+hZMAJO8pDrzzmM1OZ0ZZYTsd2i9pvUNAsCAwEAAaOCAjAwggIsMB8GA1UdIwQY MBaAFCa0rqotjumNim+2tVud6k6usZxpMB0GA1UdDgQWBBRKkMaGpVHBLnDcBRcL SdbKrPieKjBjBggrBgEFBQcBAQRXMFUwMQYIKwYBBQUHMAKGJWh0dHA6Ly9jcmwu 
ZGlzYS5taWwvc2lnbi9ET0RDQV8yOC5jZXIwIAYIKwYBBQUHMAGGFGh0dHA6Ly9v Y3NwLmRpc2EubWlsMA4GA1UdDwEB/wQEAwIFoDCBwwYDVR0fBIG7MIG4MCqgKKAm hiRodHRwOi8vY3JsLmRpc2EubWlsL2NybC9ET0RDQV8yOC5jcmwwgYmggYaggYOG gYBsZGFwOi8vY3JsLmdkcy5kaXNhLm1pbC9jbiUzZERPRCUyMENBLTI4JTJjb3Ul M2RQS0klMmNvdSUzZERvRCUyY28lM2RVLlMuJTIwR292ZXJubWVudCUyY2MlM2RV Uz9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0O2JpbmFyeTBbBgNVHREEVDBSghBt ZXRhZGF0YS5jZXMubWlsghBtZXRhZGF0YS5jZXMubWlsghVtZXRhZGF0YS1jb2xz LmNlcy5taWyCFW1ldGFkYXRhLXNhdHguY2VzLm1pbDAjBgNVHSAEHDAaMAsGCWCG SAFlAgELBTALBglghkgBZQIBCxIwLQYDVR0lBCYwJAYIKwYBBQUHAwEGCCsGAQUF BwMCBggrBgEFBQgCAgYEVR0lADANBgkqhkiG9w0BAQUFAAOCAQEAjVht0bS/D5+M kCoYbxyFLWnAIWzoeyZC2al5znPllgQrW+RTVBjGiYlvKB2W5eXVJF+RCjCBk1k5 qrtINH39+FQQZjivwhidLKWklEUt4MRN3tulRlTj+Hr34F0reD56EQaFSlXXvY0r +LNx5xzudvvrf45dCbHKGNmjDpyDIiezJbCojfYfN7E8ljkA0bq5Ku4eCsAm4sbd ezRoZsxSzzOUuynmP3yo20A+nU6+dDsVPXulkamlLGpVnC7nHnl5f8gspr4S7Ld8 MnC/K7qfNaUTUkpe7Qym8WfKU0dUHWNAzqvSmhYJlk7wYwpKRfRlPi2cxabOkcxL 4F2HMSAkIw== -----END CERTIFICATE----- subject=/C=us/O=u.s. government/OU=DOD/OU=pki/OU=disa/CN=metadata.ces.mil issuer=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28 --- No client certificate CA names sent --- SSL handshake has read 3989 bytes and written 647 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.1 Cipher : AES256-SHA Session-ID: 606DF4ED165AF725E18F3EBAA3BE18669E7E47921BF246EF1851C6E622C15B2A Session-ID-ctx: Master-Key: A7F149F1EFF32EC29C8C1F570A076A7F3A20C7890F58958A9539ECC52822E28BCBBC94949C638AF52D8D89854887018C Key-Arg : None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 172800 (seconds) TLS session ticket: 0000 - 4e 53 53 21 d9 f3 55 ff-e1 a9 5e a1 bb 2c 45 50 NSS!..U...^..,EP 0010 - 27 9c cc 9d 07 2a af 5f-a3 06 ad 26 9a 1d cc 7a '....*._...&...z 0020 - 00 50 e7 85 b2 eb 32 7f-dc 71 d3 ec 39 09 43 8a .P....2..q..9.C. 
0030 - 08 40 6c 6f b5 9e df 9c-4b 57 78 49 50 af d4 9b . at lo....KWxIP...
0040 - 84 83 3d 8d de c8 91 6f-2c 9c 83 a4 bc 9c 68 4a ..=....o,.....hJ
0050 - b1 4f 46 1e fb a9 80 3f-f6 ff f7 3a 4f b3 e7 5a .OF....?...:O..Z
0060 - 8f 69 a2 3e 8a 57 d5 53-18 b2 15 bf 72 86 e1 d9 .i.>.W.S....r...
0070 - 9d b5 3e 1e 45 80 d6 96-e3 b7 c5 ca b4 03 d3 21 ..>.E..........!
0080 - 70 95 a7 77 32 9e 92 7b-bf bb 4d b2 92 3f 8f 61 p..w2..{..M..?.a
0090 - 03 dd ..

Start Time: 1444922629
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
DONE

As you can see, our server is clearly presenting a TLS session ticket which supposedly should be turned off by default in this version of mod_nss. I'm confused, and I'm also a newbie to mod_nss. Could you please help me understand?

Thanks,
Larry Cohen

On Wed, Oct 14, 2015 at 11:26 AM, Rob Crittenden wrote:
> Cohen, Laurence wrote:
> > I'm trying to find out what version of mod_nss uses TLSSESSIONTICKETS
> > and has the ability to turn them off. I see that Fedora has a version
> > that has this function, but I need this function for RHEL6. I want to
> > try to avoid doing a custom build since this is for a government
> customer.
>
> TLS Session tickets are disabled by default. mod_nss 1.0.12 adds an
> option to turn them on.
>
> rob
>

--
Larry Cohen
System Administrator
12021 Sunset Hills Road, Suite 400
Reston, VA 20190
Email lcohen at novetta.com
Office 703-885-1064

From rcritten at redhat.com Fri Oct 16 00:38:29 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 15 Oct 2015 20:38:29 -0400
Subject: [Mod_nss-list] TLSSESSIONTICKETS
In-Reply-To:
References: <561E7421.2000509@redhat.com>
Message-ID: <56204705.1090403@redhat.com>

Cohen, Laurence wrote:
> Hi Rob,
>
> Thanks for your reply yesterday. Here is my problem. We are using
> mod_nss version 1.0.8 on RHEL6. Here is a session that our F5 admin
> sent to our production webserver at the command line using openssl.
>
> # openssl s_client -connect x.x.x.x:443 < /dev/null
>
> CONNECTED(00000003)
> depth=2 C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 2
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/C=us/O=u.s. government/OU=DOD/OU=pki/OU=disa/CN=metadata.ces.mil
>    i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
>  1 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
>    i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
>  2 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
>    i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
> ---
> Server certificate
> subject=/C=us/O=u.s. government/OU=DOD/OU=pki/OU=disa/CN=metadata.ces.mil
> issuer=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3989 bytes and written 647 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.1
>     Cipher    : AES256-SHA
>     Session-ID: 606DF4ED165AF725E18F3EBAA3BE18669E7E47921BF246EF1851C6E622C15B2A
>     Session-ID-ctx:
>     Master-Key: A7F149F1EFF32EC29C8C1F570A076A7F3A20C7890F58958A9539ECC52822E28BCBBC94949C638AF52D8D89854887018C
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     TLS session ticket lifetime hint: 172800 (seconds)
>     TLS session ticket:
>     0000 - 4e 53 53 21 d9 f3 55 ff-e1 a9 5e a1 bb 2c 45 50   NSS!..U...^..,EP
>     0010 - 27 9c cc 9d 07 2a af 5f-a3 06 ad 26 9a 1d cc 7a   '....*._...&...z
>     0020 - 00 50 e7 85 b2 eb 32 7f-dc 71 d3 ec 39 09 43 8a   .P....2..q..9.C.
>     0030 - 08 40 6c 6f b5 9e df 9c-4b 57 78 49 50 af d4 9b   .@lo....KWxIP...
>     0040 - 84 83 3d 8d de c8 91 6f-2c 9c 83 a4 bc 9c 68 4a   ..=....o,.....hJ
>     0050 - b1 4f 46 1e fb a9 80 3f-f6 ff f7 3a 4f b3 e7 5a   .OF....?...:O..Z
>     0060 - 8f 69 a2 3e 8a 57 d5 53-18 b2 15 bf 72 86 e1 d9   .i.>.W.S....r...
>     0070 - 9d b5 3e 1e 45 80 d6 96-e3 b7 c5 ca b4 03 d3 21   ..>.E..........!
>     0080 - 70 95 a7 77 32 9e 92 7b-bf bb 4d b2 92 3f 8f 61   p..w2..{..M..?.a
>     0090 - 03 dd                                             ..
>
>     Start Time: 1444922629
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
> DONE
>
> As you can see, our server is clearly presenting a TLS session ticket
> which supposedly should be turned off by default in this version of
> mod_nss. I'm confused, and I'm also a newbie to mod_nss. Could you
> please help me understand?

Can you provide this:

rpm -q mod_nss nss

rob

>
> Thanks,
>
> Larry Cohen
>
> On Wed, Oct 14, 2015 at 11:26 AM, Rob Crittenden wrote:
>
>     Cohen, Laurence wrote:
>     > I'm trying to find out what version of mod_nss uses TLSSESSIONTICKETS
>     > and has the ability to turn them off. I see that Fedora has a version
>     > that has this function, but I need this function for RHEL6. I want to
>     > try to avoid doing a custom build since this is for a government customer.
>
>     TLS Session tickets are disabled by default. mod_nss 1.0.12 adds an
>     option to turn them on.
>
>     rob
>
> --
> www.novetta.com
> Larry Cohen
> System Administrator
> 12021 Sunset Hills Road, Suite 400
> Reston, VA 20190
> Email lcohen at novetta.com
> Office 703-885-1064

From lcohen at novetta.com Fri Oct 16 15:59:25 2015
From: lcohen at novetta.com (Cohen, Laurence)
Date: Fri, 16 Oct 2015 11:59:25 -0400
Subject: [Mod_nss-list] TLSSESSIONTICKETS
In-Reply-To: <56204705.1090403@redhat.com>
References: <561E7421.2000509@redhat.com> <56204705.1090403@redhat.com>
Message-ID:

Here you go.

mod_nss-1.0.10-1.el6.x86_64
nss-3.19.1-3.el6_6.x86_64

On Thu, Oct 15, 2015 at 8:38 PM, Rob Crittenden wrote:
> Cohen, Laurence wrote:
> > As you can see, our server is clearly presenting a TLS session ticket
> > which supposedly should be turned off by default in this version of
> > mod_nss. I'm confused, and I'm also a newbie to mod_nss. Could you
> > please help me understand?
>
> Can you provide this:
>
> rpm -q mod_nss nss
>
> rob

From rcritten at redhat.com Mon Oct 19 14:09:29 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 19 Oct 2015 10:09:29 -0400
Subject: [Mod_nss-list] TLSSESSIONTICKETS
In-Reply-To:
References: <561E7421.2000509@redhat.com> <56204705.1090403@redhat.com>
Message-ID: <5624F999.6090206@redhat.com>

Cohen, Laurence wrote:
> Here you go.
>
> mod_nss-1.0.10-1.el6.x86_64
> nss-3.19.1-3.el6_6.x86_64

Hmm, I can't duplicate this. I get no session ticket offer in the
initial handshake. In fact, using ssltap I can see the client offering
the extension and the server ignoring it. In the openssl client request
I see:

extension type session_ticket, length [0]

The server responds only with the renegotiation extension (enabled in my
configuration).

This feature was added to NSS in 3.12 and according to the docs is
disabled by default so I don't know what could be turning it on for you.

rob
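An added example, not code from this thread, from mod_nss or from NSS: a small Python parser that does offline what Rob did with ssltap. It walks raw TLS handshake records and reports whether the ClientHello offered the session_ticket extension (RFC 5077, type 35), whether the ServerHello echoed it, and whether a NewSessionTicket message followed; the two captures at the bottom are constructed by hand (one where the server ignores the offer and answers only with renegotiation_info, as in Rob's run, and one where it issues a ticket, as in Larry's openssl output), and every function and constant name in it is mine.

```python
"""Session-ticket check over constructed TLS 1.1 handshake bytes (added example,
not mod_nss or NSS code): reports whether the ClientHello offered the
session_ticket extension (RFC 5077, type 35), whether the ServerHello echoed
it, and whether a NewSessionTicket message followed."""
import struct

CT_HANDSHAKE = 22
HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_NEW_SESSION_TICKET = 1, 2, 4
EXT_SESSION_TICKET = 35           # RFC 5077
EXT_RENEGOTIATION_INFO = 0xff01   # RFC 5746, the only extension Rob's server answered with

def iter_records(data):
    """Yield (content_type, body) for each TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        yield ctype, body
        off += 5 + length

def iter_handshakes(body):
    """Yield (handshake_type, payload) for each message in a handshake record."""
    off = 0
    while off + 4 <= len(body):
        length = int.from_bytes(body[off + 1:off + 4], "big")
        payload = body[off + 4:off + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated handshake message")
        yield body[off], payload
        off += 4 + length

def hello_extensions(payload, is_server):
    """Return {extension_type: data} from a ClientHello or ServerHello body."""
    off = 2 + 32                                   # protocol version + random
    off += 1 + payload[off]                        # session_id
    if is_server:
        off += 2 + 1                               # cipher_suite + compression_method
    else:
        off += 2 + struct.unpack("!H", payload[off:off + 2])[0]   # cipher_suites
        off += 1 + payload[off]                                   # compression_methods
    if off >= len(payload):
        return {}                                  # hello without an extensions block
    end = off + 2 + struct.unpack("!H", payload[off:off + 2])[0]
    off, exts = off + 2, {}
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[off:off + 4])
        exts[etype] = payload[off + 4:off + 4 + elen]
        off += 4 + elen
    return exts

def session_ticket_report(capture):
    """Summarise RFC 5077 ticket use in one captured handshake."""
    report = {"client_offered": False, "server_accepted": False,
              "ticket_sent": False, "lifetime_hint": None}
    for ctype, body in iter_records(capture):
        if ctype != CT_HANDSHAKE:
            continue
        for htype, payload in iter_handshakes(body):
            if htype == HS_CLIENT_HELLO:
                report["client_offered"] = EXT_SESSION_TICKET in hello_extensions(payload, False)
            elif htype == HS_SERVER_HELLO:
                report["server_accepted"] = EXT_SESSION_TICKET in hello_extensions(payload, True)
            elif htype == HS_NEW_SESSION_TICKET:   # uint32 lifetime_hint, then the ticket
                report["ticket_sent"] = True
                report["lifetime_hint"] = struct.unpack("!I", payload[:4])[0]
    return report

# Constructed sample handshakes below; they are not real captures.
def _record(body):                 # one TLS 1.1 handshake record
    return struct.pack("!BHH", CT_HANDSHAKE, 0x0302, len(body)) + body

def _handshake(htype, payload):
    return bytes([htype]) + len(payload).to_bytes(3, "big") + payload

def _extensions(types):            # each extension with an empty body, like "length [0]"
    blob = b"".join(struct.pack("!HH", t, 0) for t in types)
    return struct.pack("!H", len(blob)) + blob

def client_hello(ext_types):
    body = b"\x03\x02" + bytes(32) + b"\x00"       # version, random, empty session_id
    body += struct.pack("!H", 2) + b"\x00\x35"     # one cipher suite: AES256-SHA
    body += b"\x01\x00"                            # one compression method: null
    return _record(_handshake(HS_CLIENT_HELLO, body + _extensions(ext_types)))

def server_flight(ext_types, ticket=None):
    body = b"\x03\x02" + bytes(32) + b"\x00" + b"\x00\x35" + b"\x00"
    msgs = _handshake(HS_SERVER_HELLO, body + _extensions(ext_types))
    if ticket is not None:                         # lifetime hint 172800 s, as in Larry's output
        msgs += _handshake(HS_NEW_SESSION_TICKET, struct.pack("!IH", 172800, len(ticket)) + ticket)
    return _record(msgs)

# Server accepts the offer and issues a ticket (what Larry's openssl run showed).
CAPTURE_TICKET = (client_hello([EXT_SESSION_TICKET, EXT_RENEGOTIATION_INFO])
                  + server_flight([EXT_RENEGOTIATION_INFO, EXT_SESSION_TICKET], b"NSS!" + bytes(28)))
# Server ignores the offer and answers only with renegotiation_info (Rob's ssltap run).
CAPTURE_NO_TICKET = (client_hello([EXT_SESSION_TICKET, EXT_RENEGOTIATION_INFO])
                     + server_flight([EXT_RENEGOTIATION_INFO]))
```

Fed the bytes of a real handshake instead of the constructed ones, the same report says whether a ticket is actually being issued before anyone goes looking for what turned the option on.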
From lcohen at novetta.com Mon Oct 19 14:40:50 2015
From: lcohen at novetta.com (Cohen, Laurence)
Date: Mon, 19 Oct 2015 10:40:50 -0400
Subject: [Mod_nss-list] TLSSESSIONTICKETS
In-Reply-To: <5624F999.6090206@redhat.com>
References: <561E7421.2000509@redhat.com> <56204705.1090403@redhat.com> <5624F999.6090206@redhat.com>
Message-ID:

Well, I appreciate your assistance anyway. Is there a way to explicitly
turn it off, even though the default is supposed to be off?

Thanks,

Larry Cohen

On Mon, Oct 19, 2015 at 10:09 AM, Rob Crittenden wrote:
> This feature was added to NSS in 3.12 and according to the docs is
> disabled by default so I don't know what could be turning it on for you.
>
> rob

From rcritten at redhat.com Mon Oct 19 15:39:45 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 19 Oct 2015 11:39:45 -0400
Subject: [Mod_nss-list] TLSSESSIONTICKETS
In-Reply-To:
References: <561E7421.2000509@redhat.com> <56204705.1090403@redhat.com> <5624F999.6090206@redhat.com>
Message-ID: <56250EC1.5080409@redhat.com>

Cohen, Laurence wrote:
> Well, I appreciate your assistance anyway. Is there a way to explicitly
> turn it off, even though the default is supposed to be off?

I guess as a test you can pull the latest mod_nss upstream release and
try that since it has the ability to turn it off. If behavior changes
then we may need to file a bug against nss.

rob

From lcohen at novetta.com Mon Oct 19 16:25:27 2015
From: lcohen at novetta.com (Cohen, Laurence)
Date: Mon, 19 Oct 2015 12:25:27 -0400
Subject: [Mod_nss-list] TLSSESSIONTICKETS
In-Reply-To: <56250EC1.5080409@redhat.com>
References: <561E7421.2000509@redhat.com> <56204705.1090403@redhat.com> <5624F999.6090206@redhat.com> <56250EC1.5080409@redhat.com>
Message-ID:

Unfortunately the latest one I can find available for RHEL6 is 1.0.10,
which is the one we have on our production system.

On Mon, Oct 19, 2015 at 11:39 AM, Rob Crittenden wrote:
> Cohen, Laurence wrote:
> > Well, I appreciate your assistance anyway. Is there a way to explicitly
> > turn it off, even though the default is supposed to be off?
>
> I guess as a test you can pull the latest mod_nss upstream release and
> try that since it has the ability to turn it off. If behavior changes
> then we may need to file a bug against nss.
>
> rob

From rcritten at redhat.com Mon Oct 19 17:23:55 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 19 Oct 2015 13:23:55 -0400
Subject: [Mod_nss-list] TLSSESSIONTICKETS
In-Reply-To:
References: <561E7421.2000509@redhat.com> <56204705.1090403@redhat.com> <5624F999.6090206@redhat.com> <56250EC1.5080409@redhat.com>
Message-ID: <5625272B.10007@redhat.com>

Cohen, Laurence wrote:
> Unfortunately the latest one I can find available for RHEL6 is 1.0.10,
> which is the one we have on our production system.

Yeah, you'd need to grab the release tarball and build it yourself.

rob

From lcohen at novetta.com Tue Oct 20 15:43:04 2015
From: lcohen at novetta.com (Cohen, Laurence)
Date: Tue, 20 Oct 2015 11:43:04 -0400
Subject: [Mod_nss-list] TLSSESSIONTICKETS
In-Reply-To: <5625272B.10007@redhat.com>
References: <561E7421.2000509@redhat.com> <56204705.1090403@redhat.com> <5624F999.6090206@redhat.com> <56250EC1.5080409@redhat.com> <5625272B.10007@redhat.com>
Message-ID:

Ok Rob,

Thanks for all your help anyway. Someone else on my team is going to
create an RPM for version 1.0.12 so that I can just install it. I
appreciate your time and effort.

Larry Cohen

On Mon, Oct 19, 2015 at 1:23 PM, Rob Crittenden wrote:
> Cohen, Laurence wrote:
> > Unfortunately the latest one I can find available for RHEL6 is 1.0.10,
> > which is the one we have on our production system.
>
> Yeah, you'd need to grab the release tarball and build it yourself.
>
> rob

From lcohen at novetta.com Wed Oct 21 17:08:09 2015
From: lcohen at novetta.com (Cohen, Laurence)
Date: Wed, 21 Oct 2015 13:08:09 -0400
Subject: [Mod_nss-list] TLSSESSIONTICKETS
In-Reply-To:
References: <561E7421.2000509@redhat.com> <56204705.1090403@redhat.com> <5624F999.6090206@redhat.com> <56250EC1.5080409@redhat.com> <5625272B.10007@redhat.com>
Message-ID:

Rob,

It turned out that we were actually running 1.0.12 because someone compiled
libmodnss.so to solve a separate problem. He didn't create an rpm to install
it though. He just replaced the file directly.

Also, with Apache 2.2 which is what we are running, the default is
NSSSessionTickets on. You have to explicitly turn them off. They default
to off in Apache 2.4.

Thanks,

Larry Cohen

On Tue, Oct 20, 2015 at 11:43 AM, Cohen, Laurence wrote:
> Ok Rob,
>
> Thanks for all your help anyway. Someone else on my team is going to
> create an RPM for version 1.0.12 so that I can just install it. I
> appreciate your time and effort.
>
> Larry Cohen
> > > >> > BwMCBggrBgEFBQgCAgYEVR0lADANBgkqhkiG9w0BAQUFAAOCAQEAjVht0bS/D5+M >> > > > > >> > kCoYbxyFLWnAIWzoeyZC2al5znPllgQrW+RTVBjGiYlvKB2W5eXVJF+RCjCBk1k5 >> > > > > >> > qrtINH39+FQQZjivwhidLKWklEUt4MRN3tulRlTj+Hr34F0reD56EQaFSlXXvY0r >> > > > > >> > +LNx5xzudvvrf45dCbHKGNmjDpyDIiezJbCojfYfN7E8ljkA0bq5Ku4eCsAm4sbd >> > > > > >> > ezRoZsxSzzOUuynmP3yo20A+nU6+dDsVPXulkamlLGpVnC7nHnl5f8gspr4S7Ld8 >> > > > > >> > MnC/K7qfNaUTUkpe7Qym8WfKU0dUHWNAzqvSmhYJlk7wYwpKRfRlPi2cxabOkcxL >> > > > > 4F2HMSAkIw== >> > > > > -----END CERTIFICATE----- >> > > > > subject=/C=us/O=u.s. >> > > > > government/OU=DOD/OU=pki/OU=disa/CN=metadata.ces.mil >> > >> > > >> > > > >> > > > > >> > > > > issuer=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD >> CA-28 >> > > > > --- >> > > > > No client certificate CA names sent >> > > > > --- >> > > > > SSL handshake has read 3989 bytes and written 647 >> bytes >> > > > > --- >> > > > > New, TLSv1/SSLv3, Cipher is AES256-SHA >> > > > > Server public key is 2048 bit >> > > > > Secure Renegotiation IS supported >> > > > > Compression: NONE >> > > > > Expansion: NONE >> > > > > SSL-Session: >> > > > > Protocol : TLSv1.1 >> > > > > Cipher : AES256-SHA >> > > > > Session-ID: >> > > > > >> > 606DF4ED165AF725E18F3EBAA3BE18669E7E47921BF246EF1851C6E622C15B2A >> > > > > Session-ID-ctx: >> > > > > Master-Key: >> > > > > >> > > > >> > > >> > >> A7F149F1EFF32EC29C8C1F570A076A7F3A20C7890F58958A9539ECC52822E28BCBBC94949C638AF52D8D89854887018C >> > > > > Key-Arg : None >> > > > > PSK identity: None >> > > > > PSK identity hint: None >> > > > > TLS session ticket lifetime hint: 172800 (seconds) >> > > > > TLS session ticket: >> > > > > 0000 - 4e 53 53 21 d9 f3 55 ff-e1 a9 5e a1 bb 2c >> 45 50 >> > > > > NSS!..U...^..,EP >> > > > > 0010 - 27 9c cc 9d 07 2a af 5f-a3 06 ad 26 9a 1d >> cc 7a >> > > > > '....*._...&...z >> > > > > 0020 - 00 50 e7 85 b2 eb 32 7f-dc 71 d3 ec 39 09 >> 43 8a >> > > > > .P....2..q..9.C. 
>> > > > > 0030 - 08 40 6c 6f b5 9e df 9c-4b 57 78 49 50 af >> d4 9b >> > > > > . at lo....KWxIP... >> > > > > 0040 - 84 83 3d 8d de c8 91 6f-2c 9c 83 a4 bc 9c >> 68 4a >> > > > > ..=....o,.....hJ >> > > > > 0050 - b1 4f 46 1e fb a9 80 3f-f6 ff f7 3a 4f b3 >> e7 5a >> > > > > .OF....?...:O..Z >> > > > > 0060 - 8f 69 a2 3e 8a 57 d5 53-18 b2 15 bf 72 86 >> e1 d9 >> > > > > .i.>.W.S....r... >> > > > > 0070 - 9d b5 3e 1e 45 80 d6 96-e3 b7 c5 ca b4 03 >> d3 21 >> > > > > ..>.E..........! >> > > > > 0080 - 70 95 a7 77 32 9e 92 7b-bf bb 4d b2 92 3f >> 8f 61 >> > > > > p..w2..{..M..?.a >> > > > > 0090 - 03 dd >> > .. >> > > > > >> > > > > Start Time: 1444922629 >> > > > > Timeout : 300 (sec) >> > > > > Verify return code: 19 (self signed certificate in >> > > certificate >> > > > chain) >> > > > > --- >> > > > > DONE >> > > > > >> > > > > As you can see, our server is clearing presenting a >> TLS >> > > session ticket >> > > > > which supposedly should be turned off by default in >> this >> > > version of >> > > > > mod_nss. I'm confused, and I'm also a newbie to >> mod_nss. >> > > Could you >> > > > > please help me understand? >> > > > >> > > > Can you provide this: >> > > > >> > > > rpm -q mod_nss nss >> > > > >> > > > rob >> > > > >> > > > > >> > > > > Thanks, >> > > > > >> > > > > Larry Cohen >> > > > > >> > > > > On Wed, Oct 14, 2015 at 11:26 AM, Rob Crittenden >> > > >> > > >> > > >> > >> >> > > > > > > > > > >> > > >> > >>>> wrote: >> > > > > >> > > > > Cohen, Laurence wrote: >> > > > > > I'm trying to find out what version of mod_nss >> > uses TLSSESSIONTICKETS >> > > > > > and has the ability to turn them off. I see >> > that Fedora has a version >> > > > > > that has this function, but I need this function >> > for RHEL6. I want to >> > > > > > try to avoid doing a custom build since this is >> > for a government customer. >> > > > > >> > > > > TLS Session tickets are disabled by default. >> > mod_nss 1.0.12 adds an >> > > > > option to turn them on. 
>> > > > > >> > > > > rob >> > > > > >> > > > > >> > > > > >> > > > > >> > > > > -- >> > > > > >> > > > > www.novetta.com >> > >> > > >> > > > > >> > > > > Larry Cohen >> > > > > >> > > > > System Administrator >> > > > > >> > > > > >> > > > > 12021 Sunset Hills Road, Suite 400 >> > > > > >> > > > > Reston, VA 20190 >> > > > > >> > > > > Email lcohen at novetta.com >> > > >> > > >> > >> >> > > > >> > > > > >> > > > > Office 703-885-1064 >> > > > > >> > > > >> > > > >> > > > >> > > > >> > > > -- >> > > > >> > > > www.novetta.com >> > >> > > > >> > > > Larry Cohen >> > > > >> > > > System Administrator >> > > > >> > > > >> > > > 12021 Sunset Hills Road, Suite 400 >> > > > >> > > > Reston, VA 20190 >> > > > >> > > > Email lcohen at novetta.com >> > > >> > > >> > > > >> > > > Office 703-885-1064 >> > > > >> > > >> > > >> > > >> > > >> > > -- >> > > >> > > www.novetta.com >> > > >> > > Larry Cohen >> > > >> > > System Administrator >> > > >> > > >> > > 12021 Sunset Hills Road, Suite 400 >> > > >> > > Reston, VA 20190 >> > > >> > > Email lcohen at novetta.com >> > >> > > >> > > Office 703-885-1064 >> > > >> > >> > >> > >> > >> > -- >> > >> > www.novetta.com >> > >> > Larry Cohen >> > >> > System Administrator >> > >> > >> > 12021 Sunset Hills Road, Suite 400 >> > >> > Reston, VA 20190 >> > >> > Email lcohen at novetta.com >> > >> > Office 703-885-1064 >> > >> >> > > > -- > > [image: www.novetta.com] > > Larry Cohen > > System Administrator > > > 12021 Sunset Hills Road, Suite 400 > > Reston, VA 20190 > > Email lcohen at novetta.com > > Office 703-885-1064 > > -- [image: www.novetta.com] Larry Cohen System Administrator 12021 Sunset Hills Road, Suite 400 Reston, VA 20190 Email lcohen at novetta.com Office 703-885-1064 -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Wed Oct 21 20:27:50 2015 
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 21 Oct 2015 16:27:50 -0400
Subject: [Mod_nss-list] TLSSESSIONTICKETS
In-Reply-To:
References: <561E7421.2000509@redhat.com> <56204705.1090403@redhat.com> <5624F999.6090206@redhat.com> <56250EC1.5080409@redhat.com> <5625272B.10007@redhat.com>
Message-ID: <5627F546.1090203@redhat.com>

Cohen, Laurence wrote:
> Rob,
>
> It turned out that we were actually running 1.0.12 because someone
> compiled libmodnss.so to solve a separate problem. He didn't create an
> rpm to install it though. He just replaced the file directly. Also,
> with Apache 2.2 which is what we are running, the default is
> NSSSessionTickets on. You have to explicitly turn them off. They
> default to off in Apache 2.4.

I'm not sure I understand how the default would be different unless the
default is different in the versions of NSS on those systems, or the way
I initialize things in mod_nss is somehow different in the different
versions of Apache. Can you clarify that at all?

rob

> Thanks,
>
> Larry Cohen
From lcohen at novetta.com Wed Oct 21 20:40:09 2015
From: lcohen at novetta.com (Cohen, Laurence)
Date: Wed, 21 Oct 2015 16:40:09 -0400
Subject: [Mod_nss-list] TLSSESSIONTICKETS
In-Reply-To: <5627F546.1090203@redhat.com>
References: <561E7421.2000509@redhat.com> <56204705.1090403@redhat.com> <5624F999.6090206@redhat.com> <56250EC1.5080409@redhat.com> <5625272B.10007@redhat.com> <5627F546.1090203@redhat.com>
Message-ID:

It's actually the version of Apache that has the different default. This is coming from the guy who compiled the RPM for me.

On Wed, Oct 21, 2015 at 4:27 PM, Rob Crittenden wrote:
> Cohen, Laurence wrote:
> > Rob,
> >
> > It turned out that we were actually running 1.0.12 because someone
> > compiled libmodnss.so to solve a separate problem. He didn't create an
> > rpm to install it though. He just replaced the file directly. Also,
> > with Apache 2.2 which is what we are running, the default is
> > NSSSessionTickets on. You have to explicitly turn them off. They
> > default to off in Apache 2.4.
>
> I'm not sure I understand how the default would be different unless the
> default is different in the versions of NSS on those systems, or the way
> I initialize things in mod_nss is somehow different in the different
> versions of Apache. Can you clarify that at all?
>
> rob
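A defender-side check for the question this thread turns on (is the server handing out TLS session tickets?), added here as an example that is not code from the mailing-list discussion or from the mod_nss project. It parses the text `openssl s_client` prints in the format quoted above and can run s_client itself; the sample excerpts, the `probe`/`verdict` helper names and the host name are constructed.

```python
"""Check whether a TLS server issues session tickets, from `openssl s_client` output.

Added example (not mod_nss code). It parses the text s_client prints, in the format
quoted in this thread; the sample excerpts below are constructed.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# One row of the hex dump s_client prints under "TLS session ticket:", e.g.
# "0000 - 4e 53 53 21 d9 f3 55 ff-e1 a9 5e a1 bb 2c 45 50   NSS!..U...^..,EP"
HEX_ROW = re.compile(r"^[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])+)", re.I)


@dataclass
class TicketReport:
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    lifetime_hint: Optional[int] = None  # seconds; None when no ticket was offered
    ticket: bytes = b""                  # raw ticket bytes recovered from the dump

    @property
    def has_ticket(self) -> bool:
        # A server that does not issue tickets prints neither the hint nor the dump.
        return self.lifetime_hint is not None or len(self.ticket) > 0


def parse_s_client(output: str) -> TicketReport:
    """Extract protocol, cipher and session-ticket details from s_client output."""
    rep = TicketReport()
    in_dump = False
    for raw in output.splitlines():
        line = raw.strip()
        if in_dump:
            m = HEX_ROW.match(line)
            if m:
                rep.ticket += bytes.fromhex(re.sub(r"[ -]", "", m.group(1)))
                continue
            in_dump = False  # first non-hex line ends the dump
        if line.startswith("Protocol"):
            rep.protocol = line.split(":", 1)[1].strip()
        elif line.startswith("Cipher"):
            rep.cipher = line.split(":", 1)[1].strip()
        elif line.startswith("TLS session ticket lifetime hint"):
            m = re.search(r"(\d+)", line)
            if m:
                rep.lifetime_hint = int(m.group(1))
        elif line.startswith("TLS session ticket:"):
            in_dump = True
    return rep


def verdict(rep: TicketReport) -> str:
    """One-line summary of what the handshake showed."""
    if not rep.has_ticket:
        return f"no session ticket issued ({rep.protocol}, {rep.cipher})"
    hint = f"{rep.lifetime_hint}s" if rep.lifetime_hint is not None else "unknown"
    return (f"session ticket issued, {len(rep.ticket)} bytes, lifetime hint {hint} "
            f"({rep.protocol}, {rep.cipher}); mod_nss 1.0.12 and later control this "
            f"with the NSSSessionTickets directive")


def probe(host: str, port: int = 443, timeout: float = 15.0) -> TicketReport:
    """Run `openssl s_client` (as the F5 admin in the thread did) and parse its output."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input="", capture_output=True, text=True, timeout=timeout, check=False)
    return parse_s_client(proc.stdout)


# Constructed s_client excerpts: one from a server that issues tickets (modelled on
# the output quoted in the thread, with a shortened ticket), one from a server that
# does not.
SAMPLE_WITH_TICKET = """\
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA
    Session-ID: 606DF4ED165AF725E18F3EBAA3BE18669E7E47921BF246EF1851C6E622C15B2A
    Session-ID-ctx:
    Key-Arg   : None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 4e 53 53 21 d9 f3 55 ff-e1 a9 5e a1 bb 2c 45 50   NSS!..U...^..,EP
    0010 - 27 9c cc 9d 07 2a af 5f-a3 06 ad 26 9a 1d cc 7a   '....*._...&...z
    0020 - 03 dd                                             ..

    Start Time: 1444922629
    Timeout   : 300 (sec)
"""

SAMPLE_NO_TICKET = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0A0B0C0D
    Session-ID-ctx:
    Start Time: 1444922629
    Timeout   : 300 (sec)
"""

if __name__ == "__main__":
    for name, text in (("with ticket", SAMPLE_WITH_TICKET), ("no ticket", SAMPLE_NO_TICKET)):
        print(f"{name}: {verdict(parse_s_client(text))}")
    # Live check, e.g. probe("www.example.invalid") -- constructed host name.
```

`probe()` needs the openssl binary on PATH; the parser itself runs offline on captured output.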