[Mod_nss-list] TLSSESSIONTICKETS
Cohen, Laurence
lcohen at novetta.com
Tue Oct 20 15:43:04 UTC 2015
Ok Rob,
Thanks for all your help anyway. Someone else on my team is going to
create an RPM for version 1.0.12 so that I can just install it. I
appreciate your time and effort.
Larry Cohen
On Mon, Oct 19, 2015 at 1:23 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Cohen, Laurence wrote:
> > Unfortunately the latest one I can find available for RHEL6 is 1.0.10,
> > which is the one we have on our production system.
>
> Yeah, you'd need to grab the release tarball and build it yourself.
>
> rob
>
> >
> > On Mon, Oct 19, 2015 at 11:39 AM, Rob Crittenden <rcritten at redhat.com
> > <mailto:rcritten at redhat.com>> wrote:
> >
> > Cohen, Laurence wrote:
> > > Well, I appreciate your assistance anyway. Is there a way to
> explicitly
> > > turn it off, even though the default is supposed to be off?
> >
> > I guess as a test you can pull the latest mod_nss upstream release
> and
> > try that since it has the ability to turn it off. If behavior changes
> > then we may need to file a bug against nss.
> >
> > rob
> >
> > >
> > > Thanks,
> > >
> > > Larry Cohen
> > >
> > > On Mon, Oct 19, 2015 at 10:09 AM, Rob Crittenden <
> rcritten at redhat.com <mailto:rcritten at redhat.com>
> > > <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>> wrote:
> > >
> > > Cohen, Laurence wrote:
> > > > Here you go.
> > > >
> > > > mod_nss-1.0.10-1.el6.x86_64
> > > > nss-3.19.1-3.el6_6.x86_64
> > >
> > > Hmm, I can't duplicate this. I get no session ticket offer in
> the
> > > initial handshake. In fact, using ssltap I can see the client
> offering
> > > the extension and the server ignoring it. In the openssl
> client request
> > > I see:
> > >
> > > extension type session_ticket, length [0]
> > >
> > > The server responds only with the renegotiation extension
> (enabled in my
> > > configuration).
> > >
> > > This feature was added to NSS in 3.12 and according to the
> docs is
> > > disabled by default so I don't know what could be turning it
> on for you.
> > >
> > > rob
> > >
> > > >
> > > > On Thu, Oct 15, 2015 at 8:38 PM, Rob Crittenden <
> rcritten at redhat.com <mailto:rcritten at redhat.com>
> > <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>
> > > > <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>
> > <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>>> wrote:
> > > >
> > > > Cohen, Laurence wrote:
> > > > > Hi Rob,
> > > > >
> > > > > Thanks for your reply yesterday. Here is my problem.
> We
> > > are using
> > > > > mod_nss version 1.0.8 on RHEL6. Here is a session
> > that our
> > > F5 admin
> > > > > sent to our production webserver at the command line
> using
> > > openssl.
> > > > >
> > > > > # openssl s_client -connect x.x.x.x:443 < /dev/null
> > > > >
> > > > >
> > > > >
> > > > > CONNECTED(00000003)
> > > > > depth=2 C = US, O = U.S. Government, OU = DoD, OU =
> > PKI, CN
> > > = DoD Root CA 2
> > > > > verify error:num=19:self signed certificate in
> > certificate chain
> > > > > verify return:0
> > > > > ---
> > > > > Certificate chain
> > > > > 0 s:/C=us/O=u.s.
> > > government/OU=DOD/OU=pki/OU=disa/CN=metadata.ces.mil
> > <http://metadata.ces.mil>
> > > <http://metadata.ces.mil> <http://metadata.ces.mil>
> > > > > <http://metadata.ces.mil>
> > > > > i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
> > > > > 1 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
> > > > > i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root
> > CA 2
> > > > > 2 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root
> > CA 2
> > > > > i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root
> > CA 2
> > > > > ---
> > > > > Server certificate
> > > > > -----BEGIN CERTIFICATE-----
> > > > >
> > MIIFczCCBFugAwIBAgIDAMDoMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAlVT
> > > > >
> > MRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UE
> > > > >
> > CxMDUEtJMRIwEAYDVQQDEwlET0QgQ0EtMjgwHhcNMTMxMTAxMjExMTM0WhcNMTYx
> > > > >
> > MTAxMjExMTM0WjBtMQswCQYDVQQGEwJ1czEYMBYGA1UEChMPdS5zLiBnb3Zlcm5t
> > > > >
> > ZW50MQwwCgYDVQQLEwNET0QxDDAKBgNVBAsTA3BraTENMAsGA1UECxMEZGlzYTEZ
> > > > >
> > MBcGA1UEAxMQbWV0YWRhdGEuY2VzLm1pbDCCASIwDQYJKoZIhvcNAQEBBQADggEP
> > > > >
> > ADCCAQoCggEBAMuaXfCzffQnuqtQAwwTssjkbHEpQICFsjD5T0BhhLYwf/6MEZIe
> > > > >
> > Dfx97j7CvqthxvVEtVe6j5d99OXW0rrXowgo/bGhnc8pR5sDke2hlUbmjb+XkqZR
> > > > >
> > 03QyKv2+DFhiv8BIlO8EAygQZSYK8lyKxvvEwI19RRht1uZ9Mcn2hUKlm7OD6nnH
> > > > >
> > grCk+qo8idCE2qO52gln46Q12nHIEHIrc8u6+EcgrdbC/Tpj5G+0HTuzOw4aQ0H8
> > > > >
> > EMLQk8e7EdubfOxdhscS2YQtzNBkvLVEgA8QZr2wMleYG2ZJDRB0W5m6n12/3lpv
> > > > >
> > M+hZMAJO8pDrzzmM1OZ0ZZYTsd2i9pvUNAsCAwEAAaOCAjAwggIsMB8GA1UdIwQY
> > > > >
> > MBaAFCa0rqotjumNim+2tVud6k6usZxpMB0GA1UdDgQWBBRKkMaGpVHBLnDcBRcL
> > > > >
> > SdbKrPieKjBjBggrBgEFBQcBAQRXMFUwMQYIKwYBBQUHMAKGJWh0dHA6Ly9jcmwu
> > > > >
> > ZGlzYS5taWwvc2lnbi9ET0RDQV8yOC5jZXIwIAYIKwYBBQUHMAGGFGh0dHA6Ly9v
> > > > >
> > Y3NwLmRpc2EubWlsMA4GA1UdDwEB/wQEAwIFoDCBwwYDVR0fBIG7MIG4MCqgKKAm
> > > > >
> > hiRodHRwOi8vY3JsLmRpc2EubWlsL2NybC9ET0RDQV8yOC5jcmwwgYmggYaggYOG
> > > > >
> > gYBsZGFwOi8vY3JsLmdkcy5kaXNhLm1pbC9jbiUzZERPRCUyMENBLTI4JTJjb3Ul
> > > > >
> > M2RQS0klMmNvdSUzZERvRCUyY28lM2RVLlMuJTIwR292ZXJubWVudCUyY2MlM2RV
> > > > >
> > Uz9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0O2JpbmFyeTBbBgNVHREEVDBSghBt
> > > > >
> > ZXRhZGF0YS5jZXMubWlsghBtZXRhZGF0YS5jZXMubWlsghVtZXRhZGF0YS1jb2xz
> > > > >
> > LmNlcy5taWyCFW1ldGFkYXRhLXNhdHguY2VzLm1pbDAjBgNVHSAEHDAaMAsGCWCG
> > > > >
> > SAFlAgELBTALBglghkgBZQIBCxIwLQYDVR0lBCYwJAYIKwYBBQUHAwEGCCsGAQUF
> > > > >
> > BwMCBggrBgEFBQgCAgYEVR0lADANBgkqhkiG9w0BAQUFAAOCAQEAjVht0bS/D5+M
> > > > >
> > kCoYbxyFLWnAIWzoeyZC2al5znPllgQrW+RTVBjGiYlvKB2W5eXVJF+RCjCBk1k5
> > > > >
> > qrtINH39+FQQZjivwhidLKWklEUt4MRN3tulRlTj+Hr34F0reD56EQaFSlXXvY0r
> > > > >
> > +LNx5xzudvvrf45dCbHKGNmjDpyDIiezJbCojfYfN7E8ljkA0bq5Ku4eCsAm4sbd
> > > > >
> > ezRoZsxSzzOUuynmP3yo20A+nU6+dDsVPXulkamlLGpVnC7nHnl5f8gspr4S7Ld8
> > > > >
> > MnC/K7qfNaUTUkpe7Qym8WfKU0dUHWNAzqvSmhYJlk7wYwpKRfRlPi2cxabOkcxL
> > > > > 4F2HMSAkIw==
> > > > > -----END CERTIFICATE-----
> > > > > subject=/C=us/O=u.s.
> > > > > government/OU=DOD/OU=pki/OU=disa/CN=metadata.ces.mil
> > <http://metadata.ces.mil>
> > > <http://metadata.ces.mil>
> > > > <http://metadata.ces.mil>
> > > > > <http://metadata.ces.mil>
> > > > > issuer=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD
> CA-28
> > > > > ---
> > > > > No client certificate CA names sent
> > > > > ---
> > > > > SSL handshake has read 3989 bytes and written 647 bytes
> > > > > ---
> > > > > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > > > > Server public key is 2048 bit
> > > > > Secure Renegotiation IS supported
> > > > > Compression: NONE
> > > > > Expansion: NONE
> > > > > SSL-Session:
> > > > > Protocol : TLSv1.1
> > > > > Cipher : AES256-SHA
> > > > > Session-ID:
> > > > >
> > 606DF4ED165AF725E18F3EBAA3BE18669E7E47921BF246EF1851C6E622C15B2A
> > > > > Session-ID-ctx:
> > > > > Master-Key:
> > > > >
> > > >
> > >
> >
> A7F149F1EFF32EC29C8C1F570A076A7F3A20C7890F58958A9539ECC52822E28BCBBC94949C638AF52D8D89854887018C
> > > > > Key-Arg : None
> > > > > PSK identity: None
> > > > > PSK identity hint: None
> > > > > TLS session ticket lifetime hint: 172800 (seconds)
> > > > > TLS session ticket:
> > > > > 0000 - 4e 53 53 21 d9 f3 55 ff-e1 a9 5e a1 bb 2c
> 45 50
> > > > > NSS!..U...^..,EP
> > > > > 0010 - 27 9c cc 9d 07 2a af 5f-a3 06 ad 26 9a 1d
> cc 7a
> > > > > '....*._...&...z
> > > > > 0020 - 00 50 e7 85 b2 eb 32 7f-dc 71 d3 ec 39 09
> 43 8a
> > > > > .P....2..q..9.C.
> > > > > 0030 - 08 40 6c 6f b5 9e df 9c-4b 57 78 49 50 af
> d4 9b
> > > > > . at lo....KWxIP...
> > > > > 0040 - 84 83 3d 8d de c8 91 6f-2c 9c 83 a4 bc 9c
> 68 4a
> > > > > ..=....o,.....hJ
> > > > > 0050 - b1 4f 46 1e fb a9 80 3f-f6 ff f7 3a 4f b3
> e7 5a
> > > > > .OF....?...:O..Z
> > > > > 0060 - 8f 69 a2 3e 8a 57 d5 53-18 b2 15 bf 72 86
> e1 d9
> > > > > .i.>.W.S....r...
> > > > > 0070 - 9d b5 3e 1e 45 80 d6 96-e3 b7 c5 ca b4 03
> d3 21
> > > > > ..>.E..........!
> > > > > 0080 - 70 95 a7 77 32 9e 92 7b-bf bb 4d b2 92 3f
> 8f 61
> > > > > p..w2..{..M..?.a
> > > > > 0090 - 03 dd
> > ..
> > > > >
> > > > > Start Time: 1444922629
> > > > > Timeout : 300 (sec)
> > > > > Verify return code: 19 (self signed certificate in
> > > certificate
> > > > chain)
> > > > > ---
> > > > > DONE
> > > > >
> > > > > As you can see, our server is clearing presenting a TLS
> > > session ticket
> > > > > which supposedly should be turned off by default in
> this
> > > version of
> > > > > mod_nss. I'm confused, and I'm also a newbie to
> mod_nss.
> > > Could you
> > > > > please help me understand?
> > > >
> > > > Can you provide this:
> > > >
> > > > rpm -q mod_nss nss
> > > >
> > > > rob
> > > >
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Larry Cohen
> > > > >
> > > > > On Wed, Oct 14, 2015 at 11:26 AM, Rob Crittenden
> > > <rcritten at redhat.com <mailto:rcritten at redhat.com>
> > <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>
> > > <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>
> > <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>>
> > > > > <mailto:rcritten at redhat.com
> > <mailto:rcritten at redhat.com> <mailto:rcritten at redhat.com
> > <mailto:rcritten at redhat.com>>
> > > <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>
> > <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>>>> wrote:
> > > > >
> > > > > Cohen, Laurence wrote:
> > > > > > I'm trying to find out what version of mod_nss
> > uses TLSSESSIONTICKETS
> > > > > > and has the ability to turn them off. I see
> > that Fedora has a version
> > > > > > that has this function, but I need this function
> > for RHEL6. I want to
> > > > > > try to avoid doing a custom build since this is
> > for a government customer.
> > > > >
> > > > > TLS Session tickets are disabled by default.
> > mod_nss 1.0.12 adds an
> > > > > option to turn them on.
> > > > >
> > > > > rob
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > www.novetta.com <http://www.novetta.com>
> > <http://www.novetta.com>
> > > <http://www.novetta.com>
> > > > >
> > > > > Larry Cohen
> > > > >
> > > > > System Administrator
> > > > >
> > > > >
> > > > > 12021 Sunset Hills Road, Suite 400
> > > > >
> > > > > Reston, VA 20190
> > > > >
> > > > > Email lcohen at novetta.com <mailto:lcohen at novetta.com>
> > <mailto:lcohen at novetta.com <mailto:lcohen at novetta.com>>
> > > <mailto:lcohen at novetta.com <mailto:lcohen at novetta.com>
> > <mailto:lcohen at novetta.com <mailto:lcohen at novetta.com>>>
> > > > <http://novetta.com>
> > > > >
> > > > > Office 703-885-1064
> > > > >
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > >
> > > > www.novetta.com <http://www.novetta.com>
> > <http://www.novetta.com>
> > > >
> > > > Larry Cohen
> > > >
> > > > System Administrator
> > > >
> > > >
> > > > 12021 Sunset Hills Road, Suite 400
> > > >
> > > > Reston, VA 20190
> > > >
> > > > Email lcohen at novetta.com <mailto:lcohen at novetta.com>
> > <mailto:lcohen at novetta.com <mailto:lcohen at novetta.com>>
> > > <http://novetta.com>
> > > >
> > > > Office 703-885-1064
> > > >
> > >
> > >
> > >
> > >
> > > --
> > >
> > > www.novetta.com <http://www.novetta.com>
> > >
> > > Larry Cohen
> > >
> > > System Administrator
> > >
> > >
> > > 12021 Sunset Hills Road, Suite 400
> > >
> > > Reston, VA 20190
> > >
> > > Email lcohen at novetta.com <mailto:lcohen at novetta.com>
> > <http://novetta.com>
> > >
> > > Office 703-885-1064
> > >
> >
> >
> >
> >
> > --
> >
> > www.novetta.com
> >
> > Larry Cohen
> >
> > System Administrator
> >
> >
> > 12021 Sunset Hills Road, Suite 400
> >
> > Reston, VA 20190
> >
> > Email lcohen at novetta.com <http://novetta.com>
> >
> > Office 703-885-1064
> >
>
>
--
[image: www.novetta.com]
Larry Cohen
System Administrator
12021 Sunset Hills Road, Suite 400
Reston, VA 20190
Email lcohen at novetta.com
Office 703-885-1064
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/mod_nss-list/attachments/20151020/2ff65a83/attachment.htm>
More information about the Mod_nss-list
mailing list