[Mod_nss-list] TLSSESSIONTICKETS

Cohen, Laurence lcohen at novetta.com
Wed Oct 21 17:08:09 UTC 2015


Rob,

It turned out that we were actually running 1.0.12 because someone compiled
libmodnss.so to solve a separate problem.  He didn't create an rpm to
install it though.  He just replaced the file directly.  Also, with Apache
2.2, which is what we are running, the default is NSSSessionTickets on.  You
have to explicitly turn them off.  They default to off in Apache 2.4.

Thanks,

Larry Cohen

On Tue, Oct 20, 2015 at 11:43 AM, Cohen, Laurence <lcohen at novetta.com>
wrote:

> Ok Rob,
>
> Thanks for all your help anyway.  Someone else on my team is going to
> create an RPM for version 1.0.12 so that I can just install it.  I
> appreciate your time and effort.
>
> Larry Cohen
>
> On Mon, Oct 19, 2015 at 1:23 PM, Rob Crittenden <rcritten at redhat.com>
> wrote:
>
>> Cohen, Laurence wrote:
>> > Unfortunately the latest one I can find available for RHEL6 is 1.0.10,
>> > which is the one we have on our production system.
>>
>> Yeah, you'd need to grab the release tarball and build it yourself.
>>
>> rob
>>
>> >
>> > On Mon, Oct 19, 2015 at 11:39 AM, Rob Crittenden <rcritten at redhat.com>
>> > wrote:
>> >
>> >     Cohen, Laurence wrote:
>> >     > Well, I appreciate your assistance anyway.  Is there a way to
>> >     > explicitly turn it off, even though the default is supposed to be
>> >     > off?
>> >
>> >     I guess as a test you can pull the latest mod_nss upstream release
>> >     and try that since it has the ability to turn it off. If behavior
>> >     changes then we may need to file a bug against nss.
>> >
>> >     rob
>> >
>> >     >
>> >     > Thanks,
>> >     >
>> >     > Larry Cohen
>> >     >
>> >     > On Mon, Oct 19, 2015 at 10:09 AM, Rob Crittenden <rcritten at redhat.com>
>> >     > wrote:
>> >     >
>> >     >     Cohen, Laurence wrote:
>> >     >     > Here you go.
>> >     >     >
>> >     >     > mod_nss-1.0.10-1.el6.x86_64
>> >     >     > nss-3.19.1-3.el6_6.x86_64
>> >     >
>> >     >     Hmm, I can't duplicate this. I get no session ticket offer in
>> >     >     the initial handshake. In fact, using ssltap I can see the
>> >     >     client offering the extension and the server ignoring it. In
>> >     >     the openssl client request I see:
>> >     >
>> >     >          extension type session_ticket, length [0]
>> >     >
>> >     >     The server responds only with the renegotiation extension
>> >     >     (enabled in my configuration).
>> >     >
>> >     >     This feature was added to NSS in 3.12 and according to the
>> >     >     docs is disabled by default so I don't know what could be
>> >     >     turning it on for you.
>> >     >
>> >     >     rob
>> >     >
>> >     >     >
>> >     >     > On Thu, Oct 15, 2015 at 8:38 PM, Rob Crittenden <rcritten at redhat.com>
>> >     >     > wrote:
>> >     >     >
>> >     >     >     Cohen, Laurence wrote:
>> >     >     >     > Hi Rob,
>> >     >     >     >
>> >     >     >     > Thanks for your reply yesterday.  Here is my problem.
>> >     >     >     > We are using mod_nss version 1.0.8 on RHEL6.  Here is
>> >     >     >     > a session that our F5 admin sent to our production
>> >     >     >     > webserver at the command line using openssl.
>> >     >     >     >
>> >     >     >     > # openssl s_client -connect x.x.x.x:443 < /dev/null
>> >     >     >     >
>> >     >     >     > CONNECTED(00000003)
>> >     >     >     > depth=2 C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 2
>> >     >     >     > verify error:num=19:self signed certificate in certificate chain
>> >     >     >     > verify return:0
>> >     >     >     > ---
>> >     >     >     > Certificate chain
>> >     >     >     >  0 s:/C=us/O=u.s. government/OU=DOD/OU=pki/OU=disa/CN=metadata.ces.mil
>> >     >     >     >    i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
>> >     >     >     >  1 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
>> >     >     >     >    i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
>> >     >     >     >  2 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
>> >     >     >     >    i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
>> >     >     >     > ---
>> >     >     >     > Server certificate
>> >     >     >     > -----BEGIN CERTIFICATE-----
>> >     >     >     > MIIFczCCBFugAwIBAgIDAMDoMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAlVT
>> >     >     >     > MRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UE
>> >     >     >     > CxMDUEtJMRIwEAYDVQQDEwlET0QgQ0EtMjgwHhcNMTMxMTAxMjExMTM0WhcNMTYx
>> >     >     >     > MTAxMjExMTM0WjBtMQswCQYDVQQGEwJ1czEYMBYGA1UEChMPdS5zLiBnb3Zlcm5t
>> >     >     >     > ZW50MQwwCgYDVQQLEwNET0QxDDAKBgNVBAsTA3BraTENMAsGA1UECxMEZGlzYTEZ
>> >     >     >     > MBcGA1UEAxMQbWV0YWRhdGEuY2VzLm1pbDCCASIwDQYJKoZIhvcNAQEBBQADggEP
>> >     >     >     > ADCCAQoCggEBAMuaXfCzffQnuqtQAwwTssjkbHEpQICFsjD5T0BhhLYwf/6MEZIe
>> >     >     >     > Dfx97j7CvqthxvVEtVe6j5d99OXW0rrXowgo/bGhnc8pR5sDke2hlUbmjb+XkqZR
>> >     >     >     > 03QyKv2+DFhiv8BIlO8EAygQZSYK8lyKxvvEwI19RRht1uZ9Mcn2hUKlm7OD6nnH
>> >     >     >     > grCk+qo8idCE2qO52gln46Q12nHIEHIrc8u6+EcgrdbC/Tpj5G+0HTuzOw4aQ0H8
>> >     >     >     > EMLQk8e7EdubfOxdhscS2YQtzNBkvLVEgA8QZr2wMleYG2ZJDRB0W5m6n12/3lpv
>> >     >     >     > M+hZMAJO8pDrzzmM1OZ0ZZYTsd2i9pvUNAsCAwEAAaOCAjAwggIsMB8GA1UdIwQY
>> >     >     >     > MBaAFCa0rqotjumNim+2tVud6k6usZxpMB0GA1UdDgQWBBRKkMaGpVHBLnDcBRcL
>> >     >     >     > SdbKrPieKjBjBggrBgEFBQcBAQRXMFUwMQYIKwYBBQUHMAKGJWh0dHA6Ly9jcmwu
>> >     >     >     > ZGlzYS5taWwvc2lnbi9ET0RDQV8yOC5jZXIwIAYIKwYBBQUHMAGGFGh0dHA6Ly9v
>> >     >     >     > Y3NwLmRpc2EubWlsMA4GA1UdDwEB/wQEAwIFoDCBwwYDVR0fBIG7MIG4MCqgKKAm
>> >     >     >     > hiRodHRwOi8vY3JsLmRpc2EubWlsL2NybC9ET0RDQV8yOC5jcmwwgYmggYaggYOG
>> >     >     >     > gYBsZGFwOi8vY3JsLmdkcy5kaXNhLm1pbC9jbiUzZERPRCUyMENBLTI4JTJjb3Ul
>> >     >     >     > M2RQS0klMmNvdSUzZERvRCUyY28lM2RVLlMuJTIwR292ZXJubWVudCUyY2MlM2RV
>> >     >     >     > Uz9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0O2JpbmFyeTBbBgNVHREEVDBSghBt
>> >     >     >     > ZXRhZGF0YS5jZXMubWlsghBtZXRhZGF0YS5jZXMubWlsghVtZXRhZGF0YS1jb2xz
>> >     >     >     > LmNlcy5taWyCFW1ldGFkYXRhLXNhdHguY2VzLm1pbDAjBgNVHSAEHDAaMAsGCWCG
>> >     >     >     > SAFlAgELBTALBglghkgBZQIBCxIwLQYDVR0lBCYwJAYIKwYBBQUHAwEGCCsGAQUF
>> >     >     >     > BwMCBggrBgEFBQgCAgYEVR0lADANBgkqhkiG9w0BAQUFAAOCAQEAjVht0bS/D5+M
>> >     >     >     > kCoYbxyFLWnAIWzoeyZC2al5znPllgQrW+RTVBjGiYlvKB2W5eXVJF+RCjCBk1k5
>> >     >     >     > qrtINH39+FQQZjivwhidLKWklEUt4MRN3tulRlTj+Hr34F0reD56EQaFSlXXvY0r
>> >     >     >     > +LNx5xzudvvrf45dCbHKGNmjDpyDIiezJbCojfYfN7E8ljkA0bq5Ku4eCsAm4sbd
>> >     >     >     > ezRoZsxSzzOUuynmP3yo20A+nU6+dDsVPXulkamlLGpVnC7nHnl5f8gspr4S7Ld8
>> >     >     >     > MnC/K7qfNaUTUkpe7Qym8WfKU0dUHWNAzqvSmhYJlk7wYwpKRfRlPi2cxabOkcxL
>> >     >     >     > 4F2HMSAkIw==
>> >     >     >     > -----END CERTIFICATE-----
>> >     >     >     > subject=/C=us/O=u.s. government/OU=DOD/OU=pki/OU=disa/CN=metadata.ces.mil
>> >     >     >     > issuer=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
>> >     >     >     > ---
>> >     >     >     > No client certificate CA names sent
>> >     >     >     > ---
>> >     >     >     > SSL handshake has read 3989 bytes and written 647 bytes
>> >     >     >     > ---
>> >     >     >     > New, TLSv1/SSLv3, Cipher is AES256-SHA
>> >     >     >     > Server public key is 2048 bit
>> >     >     >     > Secure Renegotiation IS supported
>> >     >     >     > Compression: NONE
>> >     >     >     > Expansion: NONE
>> >     >     >     > SSL-Session:
>> >     >     >     >     Protocol  : TLSv1.1
>> >     >     >     >     Cipher    : AES256-SHA
>> >     >     >     >     Session-ID: 606DF4ED165AF725E18F3EBAA3BE18669E7E47921BF246EF1851C6E622C15B2A
>> >     >     >     >     Session-ID-ctx:
>> >     >     >     >     Master-Key: A7F149F1EFF32EC29C8C1F570A076A7F3A20C7890F58958A9539ECC52822E28BCBBC94949C638AF52D8D89854887018C
>> >     >     >     >     Key-Arg   : None
>> >     >     >     >     PSK identity: None
>> >     >     >     >     PSK identity hint: None
>> >     >     >     >     TLS session ticket lifetime hint: 172800 (seconds)
>> >     >     >     >     TLS session ticket:
>> >     >     >     >     0000 - 4e 53 53 21 d9 f3 55 ff-e1 a9 5e a1 bb 2c 45 50   NSS!..U...^..,EP
>> >     >     >     >     0010 - 27 9c cc 9d 07 2a af 5f-a3 06 ad 26 9a 1d cc 7a   '....*._...&...z
>> >     >     >     >     0020 - 00 50 e7 85 b2 eb 32 7f-dc 71 d3 ec 39 09 43 8a   .P....2..q..9.C.
>> >     >     >     >     0030 - 08 40 6c 6f b5 9e df 9c-4b 57 78 49 50 af d4 9b   .@lo....KWxIP...
>> >     >     >     >     0040 - 84 83 3d 8d de c8 91 6f-2c 9c 83 a4 bc 9c 68 4a   ..=....o,.....hJ
>> >     >     >     >     0050 - b1 4f 46 1e fb a9 80 3f-f6 ff f7 3a 4f b3 e7 5a   .OF....?...:O..Z
>> >     >     >     >     0060 - 8f 69 a2 3e 8a 57 d5 53-18 b2 15 bf 72 86 e1 d9   .i.>.W.S....r...
>> >     >     >     >     0070 - 9d b5 3e 1e 45 80 d6 96-e3 b7 c5 ca b4 03 d3 21   ..>.E..........!
>> >     >     >     >     0080 - 70 95 a7 77 32 9e 92 7b-bf bb 4d b2 92 3f 8f 61   p..w2..{..M..?.a
>> >     >     >     >     0090 - 03 dd                                             ..
>> >     >     >     >
>> >     >     >     >     Start Time: 1444922629
>> >     >     >     >     Timeout   : 300 (sec)
>> >     >     >     >     Verify return code: 19 (self signed certificate in certificate chain)
>> >     >     >     > ---
>> >     >     >     > DONE
>> >     >     >     >
>> >     >     >     > As you can see, our server is clearly presenting a TLS
>> >     >     >     > session ticket which supposedly should be turned off by
>> >     >     >     > default in this version of mod_nss.  I'm confused, and
>> >     >     >     > I'm also a newbie to mod_nss.  Could you please help me
>> >     >     >     > understand?
>> >     >     >
>> >     >     >     Can you provide this:
>> >     >     >
>> >     >     >     rpm -q mod_nss nss
>> >     >     >
>> >     >     >     rob
>> >     >     >
>> >     >     >     >
>> >     >     >     > Thanks,
>> >     >     >     >
>> >     >     >     > Larry Cohen
>> >     >     >     >
>> >     >     >     > On Wed, Oct 14, 2015 at 11:26 AM, Rob Crittenden <rcritten at redhat.com>
>> >     >     >     > wrote:
>> >     >     >     >
>> >     >     >     >     Cohen, Laurence wrote:
>> >     >     >     >     > I'm trying to find out what version of mod_nss
>> >     >     >     >     > uses TLSSESSIONTICKETS and has the ability to
>> >     >     >     >     > turn them off.  I see that Fedora has a version
>> >     >     >     >     > that has this function, but I need this function
>> >     >     >     >     > for RHEL6.  I want to try to avoid doing a custom
>> >     >     >     >     > build since this is for a government customer.
>> >     >     >     >
>> >     >     >     >     TLS Session tickets are disabled by default.
>> >     >     >     >     mod_nss 1.0.12 adds an option to turn them on.
>> >     >     >     >
>> >     >     >     >     rob
>> >     >     >     >


-- 

[image: www.novetta.com]

Larry Cohen

System Administrator


12021 Sunset Hills Road, Suite 400

Reston, VA 20190

Email  lcohen at novetta.com

Office  703-885-1064
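A defender's way to check what the `openssl s_client` transcript in this thread shows, added here as an example that is not part of the thread or of the mod_nss project: the script parses the SSL-Session block of s_client output and reports whether the server issued a session ticket and with what lifetime hint, which is the question Larry was trying to answer by eye. It assumes the OpenSSL 1.0.x output layout seen in the transcript above (a "TLS session ticket lifetime hint" line and a "TLS session ticket:" header followed by a hex dump); the two sample transcripts embedded in it are constructed and abridged, and `ticket_info`, `s_client_argv` and `run_check` are names chosen here.

```python
"""Audit `openssl s_client` output for TLS session tickets.

Added example, not code from this thread or from the mod_nss project.  It
assumes the SSL-Session block format printed by OpenSSL 1.0.x s_client, as
seen in the thread's transcript: a "TLS session ticket lifetime hint: N
(seconds)" line and a "TLS session ticket:" header followed by a hex dump.
The sample transcripts below are constructed and abridged from that format.
"""
import re
import subprocess

LIFETIME_RE = re.compile(r"TLS session ticket lifetime hint:\s*(\d+)\s*\(seconds\)")
TICKET_HDR_RE = re.compile(r"^\s*TLS session ticket:\s*$", re.MULTILINE)
# One hex-dump row: 4-digit offset, " - ", then byte pairs separated by " " or "-".
HEXLINE_RE = re.compile(r"^\s*[0-9a-fA-F]{4} - ((?:[0-9a-fA-F]{2}[ -]?)+)")


def ticket_info(s_client_output):
    """Parse the transcript and report whether a session ticket was issued.

    Returns a dict: issued (bool), lifetime_hint (int seconds or None) and
    ticket_bytes (the ticket reassembled from the hex dump, b"" if none).
    """
    m = LIFETIME_RE.search(s_client_output)
    lifetime = int(m.group(1)) if m else None
    hdr = TICKET_HDR_RE.search(s_client_output)
    ticket = b""
    if hdr:
        # Rows follow the header until the first non-blank, non-hex line
        # (the "Start Time:" line in OpenSSL's layout).
        for line in s_client_output[hdr.end():].splitlines():
            row = HEXLINE_RE.match(line)
            if row is None:
                if line.strip():
                    break
                continue
            ticket += bytes.fromhex(re.sub(r"[ -]", "", row.group(1)))
    return {"issued": hdr is not None, "lifetime_hint": lifetime, "ticket_bytes": ticket}


def s_client_argv(host, port):
    """Command line equivalent to the one in the thread; run_check feeds it
    an empty stdin, which is what `< /dev/null` did there."""
    return ["openssl", "s_client", "-connect", "%s:%d" % (host, port)]


def run_check(host, port=443, timeout=15):
    """Connect to a live server and return ticket_info() for its handshake.
    Not exercised offline; the parser is what the samples below test."""
    proc = subprocess.run(s_client_argv(host, port), stdin=subprocess.DEVNULL,
                          capture_output=True, text=True, timeout=timeout)
    return ticket_info(proc.stdout)


# Constructed, abridged transcript modelled on the one in the thread:
# the server issued a ticket with a 48-hour lifetime hint.
SAMPLE_TICKET_ON = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA
    Session-ID: 606DF4ED165AF725E18F3EBAA3BE18669E7E47921BF246EF1851C6E622C15B2A
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 4e 53 53 21 d9 f3 55 ff-e1 a9 5e a1 bb 2c 45 50   NSS!..U...^..,EP
    0010 - 27 9c cc 9d 07 2a                                 '....*

    Start Time: 1444922629
    Timeout   : 300 (sec)
---
DONE
"""

# Constructed transcript of the handshake you want to see once session
# tickets are off: no lifetime hint line and no ticket block at all.
SAMPLE_TICKET_OFF = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA
    Session-ID: 1A2B3C4D5E6F00112233445566778899AABBCCDDEEFF00112233445566778899
    Start Time: 1444922629
    Timeout   : 300 (sec)
---
DONE
"""

if __name__ == "__main__":
    for name, sample in (("ticket on", SAMPLE_TICKET_ON), ("ticket off", SAMPLE_TICKET_OFF)):
        info = ticket_info(sample)
        print(name, "->", "issued" if info["issued"] else "not issued",
              "lifetime_hint=%s" % info["lifetime_hint"],
              "ticket_len=%d" % len(info["ticket_bytes"]))
```

The "ticket off" sample is the shape to expect after setting the NSSSessionTickets directive off in mod_nss 1.0.12 (the option Rob mentions; Larry reports it defaults to on under Apache 2.2) and restarting httpd: no lifetime hint, no ticket hex dump. The ticket bytes themselves are opaque to the client, so the parser only reassembles them for length and prefix checks.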