[Mod_nss-list] TLSSESSIONTICKETS

Cohen, Laurence lcohen at novetta.com
Thu Oct 15 17:17:50 UTC 2015


Hi Rob,

Thanks for your reply yesterday.  Here is my problem.  We are using mod_nss
version 1.0.8 on RHEL6.  Here is a session that our F5 admin sent to our
production webserver at the command line using openssl.

# openssl s_client -connect x.x.x.x:443 < /dev/null

CONNECTED(00000003)
depth=2 C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 2
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=us/O=u.s. government/OU=DOD/OU=pki/OU=disa/CN=metadata.ces.mil
   i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
 1 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
   i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
 2 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
   i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFczCCBFugAwIBAgIDAMDoMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAlVT
MRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UE
CxMDUEtJMRIwEAYDVQQDEwlET0QgQ0EtMjgwHhcNMTMxMTAxMjExMTM0WhcNMTYx
MTAxMjExMTM0WjBtMQswCQYDVQQGEwJ1czEYMBYGA1UEChMPdS5zLiBnb3Zlcm5t
ZW50MQwwCgYDVQQLEwNET0QxDDAKBgNVBAsTA3BraTENMAsGA1UECxMEZGlzYTEZ
MBcGA1UEAxMQbWV0YWRhdGEuY2VzLm1pbDCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMuaXfCzffQnuqtQAwwTssjkbHEpQICFsjD5T0BhhLYwf/6MEZIe
Dfx97j7CvqthxvVEtVe6j5d99OXW0rrXowgo/bGhnc8pR5sDke2hlUbmjb+XkqZR
03QyKv2+DFhiv8BIlO8EAygQZSYK8lyKxvvEwI19RRht1uZ9Mcn2hUKlm7OD6nnH
grCk+qo8idCE2qO52gln46Q12nHIEHIrc8u6+EcgrdbC/Tpj5G+0HTuzOw4aQ0H8
EMLQk8e7EdubfOxdhscS2YQtzNBkvLVEgA8QZr2wMleYG2ZJDRB0W5m6n12/3lpv
M+hZMAJO8pDrzzmM1OZ0ZZYTsd2i9pvUNAsCAwEAAaOCAjAwggIsMB8GA1UdIwQY
MBaAFCa0rqotjumNim+2tVud6k6usZxpMB0GA1UdDgQWBBRKkMaGpVHBLnDcBRcL
SdbKrPieKjBjBggrBgEFBQcBAQRXMFUwMQYIKwYBBQUHMAKGJWh0dHA6Ly9jcmwu
ZGlzYS5taWwvc2lnbi9ET0RDQV8yOC5jZXIwIAYIKwYBBQUHMAGGFGh0dHA6Ly9v
Y3NwLmRpc2EubWlsMA4GA1UdDwEB/wQEAwIFoDCBwwYDVR0fBIG7MIG4MCqgKKAm
hiRodHRwOi8vY3JsLmRpc2EubWlsL2NybC9ET0RDQV8yOC5jcmwwgYmggYaggYOG
gYBsZGFwOi8vY3JsLmdkcy5kaXNhLm1pbC9jbiUzZERPRCUyMENBLTI4JTJjb3Ul
M2RQS0klMmNvdSUzZERvRCUyY28lM2RVLlMuJTIwR292ZXJubWVudCUyY2MlM2RV
Uz9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0O2JpbmFyeTBbBgNVHREEVDBSghBt
ZXRhZGF0YS5jZXMubWlsghBtZXRhZGF0YS5jZXMubWlsghVtZXRhZGF0YS1jb2xz
LmNlcy5taWyCFW1ldGFkYXRhLXNhdHguY2VzLm1pbDAjBgNVHSAEHDAaMAsGCWCG
SAFlAgELBTALBglghkgBZQIBCxIwLQYDVR0lBCYwJAYIKwYBBQUHAwEGCCsGAQUF
BwMCBggrBgEFBQgCAgYEVR0lADANBgkqhkiG9w0BAQUFAAOCAQEAjVht0bS/D5+M
kCoYbxyFLWnAIWzoeyZC2al5znPllgQrW+RTVBjGiYlvKB2W5eXVJF+RCjCBk1k5
qrtINH39+FQQZjivwhidLKWklEUt4MRN3tulRlTj+Hr34F0reD56EQaFSlXXvY0r
+LNx5xzudvvrf45dCbHKGNmjDpyDIiezJbCojfYfN7E8ljkA0bq5Ku4eCsAm4sbd
ezRoZsxSzzOUuynmP3yo20A+nU6+dDsVPXulkamlLGpVnC7nHnl5f8gspr4S7Ld8
MnC/K7qfNaUTUkpe7Qym8WfKU0dUHWNAzqvSmhYJlk7wYwpKRfRlPi2cxabOkcxL
4F2HMSAkIw==
-----END CERTIFICATE-----
subject=/C=us/O=u.s. government/OU=DOD/OU=pki/OU=disa/CN=metadata.ces.mil
issuer=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
---
No client certificate CA names sent
---
SSL handshake has read 3989 bytes and written 647 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA
    Session-ID: 606DF4ED165AF725E18F3EBAA3BE18669E7E47921BF246EF1851C6E622C15B2A
    Session-ID-ctx: 
    Master-Key: A7F149F1EFF32EC29C8C1F570A076A7F3A20C7890F58958A9539ECC52822E28BCBBC94949C638AF52D8D89854887018C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 4e 53 53 21 d9 f3 55 ff-e1 a9 5e a1 bb 2c 45 50   NSS!..U...^..,EP
    0010 - 27 9c cc 9d 07 2a af 5f-a3 06 ad 26 9a 1d cc 7a   '....*._...&...z
    0020 - 00 50 e7 85 b2 eb 32 7f-dc 71 d3 ec 39 09 43 8a   .P....2..q..9.C.
    0030 - 08 40 6c 6f b5 9e df 9c-4b 57 78 49 50 af d4 9b   .@lo....KWxIP...
    0040 - 84 83 3d 8d de c8 91 6f-2c 9c 83 a4 bc 9c 68 4a   ..=....o,.....hJ
    0050 - b1 4f 46 1e fb a9 80 3f-f6 ff f7 3a 4f b3 e7 5a   .OF....?...:O..Z
    0060 - 8f 69 a2 3e 8a 57 d5 53-18 b2 15 bf 72 86 e1 d9   .i.>.W.S....r...
    0070 - 9d b5 3e 1e 45 80 d6 96-e3 b7 c5 ca b4 03 d3 21   ..>.E..........!
    0080 - 70 95 a7 77 32 9e 92 7b-bf bb 4d b2 92 3f 8f 61   p..w2..{..M..?.a
    0090 - 03 dd                                             ..

    Start Time: 1444922629
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
DONE

As you can see, our server is clearly presenting a TLS session ticket,
which supposedly should be turned off by default in this version of
mod_nss.  I'm confused, and I'm also a newbie to mod_nss.  Could you please
help me understand?

Thanks,

Larry Cohen

On Wed, Oct 14, 2015 at 11:26 AM, Rob Crittenden <rcritten at redhat.com>
wrote:

> Cohen, Laurence wrote:
> > I'm trying to find out what version of mod_nss uses TLSSESSIONTICKETS
> > and has the ability to turn them off.  I see that Fedora has a version
> > that has this function, but I need this function for RHEL6.  I want to
> > try to avoid doing a custom build since this is for a government
> customer.
>
> TLS Session tickets are disabled by default. mod_nss 1.0.12 adds an
> option to turn them on.
>
> rob
>
>


-- 
Larry Cohen

System Administrator


12021 Sunset Hills Road, Suite 400

Reston, VA 20190

Email  lcohen at novetta.com

Office  703-885-1064
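The probe Larry ran above (openssl s_client against the server with stdin from /dev/null) can be wrapped so the check is repeatable across hosts. The following is an added example, not code from this thread or from mod_nss: it reads s_client's SSL-Session block on stdin, reports whether a "TLS session ticket:" section is present together with the lifetime hint, and distinguishes that from a handshake that never completed. The sample outputs are constructed, trimmed from the transcript above; the -servername flag is added so the probe works against name-based virtual hosts.

```shell
# Added example, not from the mod_nss thread: classify `openssl s_client`
# output by whether the server returned a TLS session ticket (RFC 5077).

# parse_ticket_status: read s_client output on stdin and print one line:
#   "ticket <seconds>"  a "TLS session ticket:" section was present, with the
#                       value of the lifetime hint (or "unknown" if absent)
#   "no-ticket"         an SSL-Session block was printed but without a ticket
# Returns 1 (printing nothing) when there is no SSL-Session block at all, i.e.
# the handshake did not complete, so nothing can be concluded about tickets.
parse_ticket_status() {
    out=$(cat)
    case "$out" in
        *"SSL-Session:"*) ;;
        *) return 1 ;;
    esac
    # "TLS session ticket:" is only printed when a NewSessionTicket arrived;
    # the "lifetime hint" line has a different suffix and does not match here.
    case "$out" in
        *"TLS session ticket:"*)
            hint=$(printf '%s\n' "$out" \
                | sed -n 's/^.*TLS session ticket lifetime hint: \([0-9][0-9]*\).*$/\1/p' \
                | head -n 1)
            printf 'ticket %s\n' "${hint:-unknown}"
            ;;
        *)
            printf 'no-ticket\n'
            ;;
    esac
}

# check_host HOST PORT: the probe from the thread, with SNI added (-servername)
# so name-based virtual hosts answer with the right certificate. stdin from
# /dev/null makes s_client exit as soon as the handshake is done.
check_host() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | parse_ticket_status
}

# Constructed samples (trimmed from the transcript above) for offline use.
sample_with_ticket() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA
    Session-ID: 606DF4ED165AF725E18F3EBAA3BE18669E7E47921BF246EF1851C6E622C15B2A
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 4e 53 53 21 d9 f3 55 ff-e1 a9 5e a1 bb 2c 45 50   NSS!..U...^..,EP
    Start Time: 1444922629
    Timeout   : 300 (sec)
EOF
}

sample_without_ticket() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA
    Session-ID: 606DF4ED165AF725E18F3EBAA3BE18669E7E47921BF246EF1851C6E622C15B2A
    Start Time: 1444922629
    Timeout   : 300 (sec)
EOF
}

# Usage against a live server:  check_host metadata.ces.mil 443
```

Two things to keep in mind when reading the result. s_client offers the session_ticket extension in its ClientHello by default, so a "TLS session ticket:" section means the server really did answer with a NewSessionTicket; running the same probe with `-no_ticket` (which suppresses the extension) should then yield "no-ticket" and confirms the classification is about the server, not the client. And a "no-ticket" verdict only holds for the protocol version and cipher that were negotiated in that one handshake.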