From gjn at gjn.priv.at Sat Aug 6 14:45:44 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Sat, 06 Aug 2016 16:45:44 +0200
Subject: [Mod_nss-list] SNI Problem
Message-ID: <3952559.xDTIjLZFmt@techz>
Hello,
Version 1.0.14
I have this message in my logs:
No hostname was provided via SNI for a name based virtual host
I searched the "world" ;-) and found it for an SSL configuration:
SSLStrictSNIVHostCheck off
I know that means the browser, but with the last Chromium and Firefox I have
this message?
But nothing for an NSS configuration.
Does anyone have an idea what this is or what I can do?
And second, please have a look at my nss.conf; is this correct?
my nss.conf
#
# This is the Apache server configuration file providing SSL support using
# the mod_nss plugin. It contains the configuration directives to instruct
# the server how to serve pages over an https connection.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"
#
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
#NSSPassPhraseDialog builtin
NSSPassPhraseDialog file:/etc/httpd/conf/password.conf
# Pass Phrase Helper:
# This helper program stores the token password pins between
# restarts of Apache.
NSSPassPhraseHelper /usr/libexec/nss_pcache
# Configure the SSL Session Cache.
# NSSSessionCacheSize is the number of entries in the cache.
# NSSSessionCacheTimeout is the SSL2 session timeout (in seconds).
# NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. Those platforms usually also provide a non-blocking
# device, /dev/urandom, which may be used instead.
#
# This does not support seeding the RNG with each connection.
#NSSRandomSeed startup builtin
#NSSRandomSeed startup file:/dev/random 512
NSSRandomSeed startup file:/dev/urandom 512
#
# TLS Negotiation configuration under RFC 5746
#
# Only renegotiate if the peer's hello bears the TLS renegotiation_info
# extension. Default off.
NSSRenegotiation off
# Peer must send Signaling Cipher Suite Value (SCSV) or
# Renegotiation Info (RI) extension in ALL handshakes. Default: off
NSSRequireSafeNegotiation off
##
## SSL Virtual Host Context
##
# General setup for the virtual host
#DocumentRoot "/etc/httpd/htdocs"
ServerName www.example.at:443
ServerAlias example.at
ServerAdmin webmaster at example.at
# mod_nss can log to separate log files, you can choose to do that if you'd like.
# LogLevel is not inherited from httpd.conf.
ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
NSSEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_nss documentation for a complete list.
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
# SSL Protocol:
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no protocol in the
# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
# SSL Certificate Nickname:
# The nickname of the RSA server certificate you are going to use.
NSSNickname Server-Cert-Example
# SSL Certificate Nickname:
# The nickname of the ECC server certificate you are going to use, if you
# have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
# Provide the directory that these files exist.
NSSCertificateDatabase /etc/httpd/alias
# Database Prefix:
# In order to be able to store multiple NSS databases in one directory
# they need unique names. This option sets the database prefix used for
# cert8.db and key3.db.
#NSSDBPrefix my-prefix-
# Client Authentication (Type):
# Client certificate verification type. Types are none, optional and
# require.
#NSSVerifyClient none
#
# Online Certificate Status Protocol (OCSP).
# Verify that certificates have not been revoked before accepting them.
#NSSOCSP off
#
# Use a default OCSP responder. If enabled this will be used regardless
# of whether one is included in a client certificate. Note that the
# server certificate is verified during startup.
#
# NSSOCSPDefaultURL defines the service URL of the OCSP responder
# NSSOCSPDefaultName is the nickname of the certificate to trust to
# sign the OCSP responses.
#NSSOCSPDefaultResponder on
#NSSOCSPDefaultURL http://example.com/ocsp/status
#NSSOCSPDefaultName ocsp-nickname
# Access Control:
# With NSSRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_nss documentation
# for more details.
#
#NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "NSSRequireSSL" or "NSSRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
NSSOptions +StdEnvVars
NSSOptions +StdEnvVars
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
#CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
## Virtual Host example1.at
# General setup for the virtual host
DocumentRoot "/var/www/www.example1.at/html"
ServerName www.example1.at:443
ServerAlias example1.at
ServerAdmin webmaster at example1.at
# mod_nss can log to separate log files, you can choose to do that if you'd like.
# LogLevel is not inherited from httpd.conf.
ErrorLog /etc/httpd/logs/example1.at-error_log
TransferLog /etc/httpd/logs/example1.at-access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
NSSEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_nss documentation for a complete list.
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
# SSL Protocol:
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no protocol in the
# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
# SSL Certificate Nickname:
# The nickname of the RSA server certificate you are going to use.
NSSNickname Server-Cert-GU-Bauconsulting
# SSL Certificate Nickname:
# The nickname of the ECC server certificate you are going to use, if you
# have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
# Provide the directory that these files exist.
NSSCertificateDatabase /etc/httpd/alias
# Database Prefix:
# In order to be able to store multiple NSS databases in one directory
# they need unique names. This option sets the database prefix used for
# cert8.db and key3.db.
#NSSDBPrefix my-prefix-
# Client Authentication (Type):
# Client certificate verification type. Types are none, optional and
# require.
#NSSVerifyClient none
#
# Online Certificate Status Protocol (OCSP).
# Verify that certificates have not been revoked before accepting them.
#NSSOCSP off
#
# Use a default OCSP responder. If enabled this will be used regardless
# of whether one is included in a client certificate. Note that the
# server certificate is verified during startup.
#
# NSSOCSPDefaultURL defines the service URL of the OCSP responder
# NSSOCSPDefaultName is the nickname of the certificate to trust to
# sign the OCSP responses.
#NSSOCSPDefaultResponder on
#NSSOCSPDefaultURL http://example.com/ocsp/status
#NSSOCSPDefaultName ocsp-nickname
# Access Control:
# With NSSRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_nss documentation
# for more details.
#
#NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "NSSRequireSSL" or "NSSRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
NSSOptions +StdEnvVars
NSSOptions +StdEnvVars
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
#CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
## Virtual Host example3.com
# General setup for the virtual host
DocumentRoot "/var/www/www.example3.com/html"
ServerName www.example3.com:443
ServerAlias example3.com
ServerAdmin webmaster at example3.com
# mod_nss can log to separate log files, you can choose to do that if you'd like.
# LogLevel is not inherited from httpd.conf.
ErrorLog /etc/httpd/logs/example3.com-error_log
TransferLog /etc/httpd/logs/example3.com-access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
NSSEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_nss documentation for a complete list.
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
# SSL Protocol:
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no protocol in the
# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
# SSL Certificate Nickname:
# The nickname of the RSA server certificate you are going to use.
NSSNickname Server-Cert-Example3
# SSL Certificate Nickname:
# The nickname of the ECC server certificate you are going to use, if you
# have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
# Provide the directory that these files exist.
NSSCertificateDatabase /etc/httpd/alias
# Database Prefix:
# In order to be able to store multiple NSS databases in one directory
# they need unique names. This option sets the database prefix used for
# cert8.db and key3.db.
#NSSDBPrefix my-prefix-
# Client Authentication (Type):
# Client certificate verification type. Types are none, optional and
# require.
#NSSVerifyClient none
#
# Online Certificate Status Protocol (OCSP).
# Verify that certificates have not been revoked before accepting them.
#NSSOCSP off
#
# Use a default OCSP responder. If enabled this will be used regardless
# of whether one is included in a client certificate. Note that the
# server certificate is verified during startup.
#
# NSSOCSPDefaultURL defines the service URL of the OCSP responder
# NSSOCSPDefaultName is the nickname of the certificate to trust to
# sign the OCSP responses.
#NSSOCSPDefaultResponder on
#NSSOCSPDefaultURL http://example.com/ocsp/status
#NSSOCSPDefaultName ocsp-nickname
# Access Control:
# With NSSRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_nss documentation
# for more details.
#
#NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "NSSRequireSSL" or "NSSRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
NSSOptions +StdEnvVars
NSSOptions +StdEnvVars
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
#CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
--
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer
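The warning in the post is raised at the point where the server has finished reading the ClientHello and finds no server_name extension to map onto a name-based virtual host. The following is an added example, not code from the post or from mod_nss: it builds a minimal TLS 1.2 ClientHello with or without the RFC 6066 server_name extension, extracts the SNI host name the way a server must before it can choose a vhost, and then applies the vhost selection rule to the three ServerNames in the posted nss.conf. The strict/non-strict rule follows the documented semantics of mod_ssl's SSLStrictSNIVHostCheck; that the mod_nss directive behaves identically is an assumption taken from the reply.

```python
import struct

def _u8(n):  return struct.pack("!B", n)
def _u16(n): return struct.pack("!H", n)
def _u24(n): return struct.pack("!I", n)[1:]

def build_client_hello(server_name=None, cipher_suites=(0xC02F, 0x009C, 0x002F)):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record.
    With server_name=None no extensions block is emitted at all, which is
    what a legacy, SNI-unaware client sends."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = _u8(0) + _u16(len(host)) + host             # NameType host_name(0)
        server_name_list = _u16(len(entry)) + entry
        extensions += _u16(0) + _u16(len(server_name_list)) + server_name_list
    body = (b"\x03\x03"                                     # client_version TLS 1.2
            + bytes(32)                                     # random (zeros: parser test only)
            + _u8(0)                                        # empty session_id
            + _u16(2 * len(cipher_suites)) + b"".join(_u16(c) for c in cipher_suites)
            + _u8(1) + _u8(0))                              # compression_methods: null
    if extensions:
        body += _u16(len(extensions)) + extensions
    handshake = _u8(1) + _u24(len(body)) + body             # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # record: handshake, legacy v3.1

def extract_sni(record):
    """Return the host_name carried in the server_name extension, or None when
    the client sent no SNI.  Raises ValueError for anything that is not a
    complete, well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 1:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) != int.from_bytes(hs[1:4], "big"):
        raise ValueError("truncated ClientHello body")
    try:
        pos = 2 + 32                                        # skip version + random
        pos += 1 + body[pos]                                # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
        if pos == len(body):
            return None                                     # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if ext_end != len(body):
            raise ValueError("extensions length mismatch")
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:
                continue
            # ServerNameList: u16 length, then (u8 NameType, u16 length, name) entries
            lpos = 2
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                name = data[lpos + 3:lpos + 3 + name_len]
                lpos += 3 + name_len
                if name_type == 0:
                    return name.decode("ascii")
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return None

# Name-based vhosts from the posted nss.conf; the first one is the default
# vhost, which is what a non-SNI client is handed when the strict check is off.
VHOSTS = ["www.example.at", "www.example1.at", "www.example3.com"]

def select_vhost(record, vhosts=VHOSTS, strict_sni_check=False):
    """Server-side decision: SNI present -> matching vhost (default for an
    unknown name); SNI absent -> default vhost, or a refusal (mod_ssl answers
    403 here and logs the warning from the post) when the strict check is on."""
    sni = extract_sni(record)
    if sni is None:
        return None if strict_sni_check else vhosts[0]
    return sni if sni in vhosts else vhosts[0]
```

With the strict check off, a client that omits SNI silently lands on the first vhost and is shown that vhost's certificate, which is why the default vhost on a shared IP:port should carry a certificate you are comfortable presenting to every caller.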
From rcritten at redhat.com Tue Aug 9 19:19:40 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 9 Aug 2016 15:19:40 -0400
Subject: [Mod_nss-list] SNI Problem
In-Reply-To: <3952559.xDTIjLZFmt@techz>
References: <3952559.xDTIjLZFmt@techz>
Message-ID: <57AA2CCC.5010706@redhat.com>
Günther J. Niederwimmer wrote:
> Hello,
>
> Version 1.0.14
>
> I have this message in my logs:
>
> No hostname was provided via SNI for a name based virtual host
>
> I searched the "world" ;-) and found it for an SSL configuration:
>
> SSLStrictSNIVHostCheck off
>
> I know that means the browser, but with the last Chromium and Firefox I have
> this message?
>
> But nothing for an NSS configuration.
The equivalent is NSSStrictSNIVHostCheck off
I don't know why the browser isn't setting SNI in the request; I can't
reproduce it here.
What does "last" version mean? Specifics are needed.
rob
>
> Does anyone have an idea what this is or what I can do?
>
> And second, please have a look at my nss.conf; is this correct?
> # o StrictRequire:
> # This denies access when "NSSRequireSSL" or "NSSRequire" applied even
> # under a "Satisfy any" situation, i.e. when it applies access is denied
> # and no other module can change it.
> # o OptRenegotiate:
> # This enables optimized SSL connection renegotiation handling when SSL
> # directives are used in per-directory context.
> #NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
>
> NSSOptions +StdEnvVars
>
>
> NSSOptions +StdEnvVars
>
>
> # Per-Server Logging:
> # The home of a custom SSL log file. Use this when you want a
> # compact non-error SSL logfile on a virtual host basis.
> #CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \
> # "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>
>
> ## Virtual Host example3.com
>
>
>
> # General setup for the virtual host
> DocumentRoot "/var/www/www.example3.com/html"
> ServerName www.example3.com:443
> ServerAlias example3.com
> ServerAdmin webmaster@example3.com
>
> # mod_nss can log to separate log files, you can choose to do that if you'd like
> # LogLevel is not inherited from httpd.conf.
> ErrorLog /etc/httpd/logs/example3.com-error_log
> TransferLog /etc/httpd/logs/example3.com-access_log
> LogLevel warn
>
> # SSL Engine Switch:
> # Enable/Disable SSL for this virtual host.
> NSSEngine on
>
> # SSL Cipher Suite:
> # List the ciphers that the client is permitted to negotiate.
> # See the mod_nss documentation for a complete list.
>
> NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> # SSL Protocol:
> # Cryptographic protocols that provide communication security.
> # NSS handles the specified protocols as "ranges", and automatically
> # negotiates the use of the strongest protocol for a connection starting
> # with the maximum specified protocol and downgrading as necessary to the
> # minimum specified protocol that can be used between two processes.
> # Since all protocol ranges are completely inclusive, and no protocol in the
> # middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
> # is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
> # SSL Certificate Nickname:
> # The nickname of the RSA server certificate you are going to use.
> NSSNickname Server-Cert-Example3
>
> # SSL Certificate Nickname:
> # The nickname of the ECC server certificate you are going to use, if you
> # have an ECC-enabled version of NSS and mod_nss
> #NSSECCNickname Server-Cert-ecc
>
> # Server Certificate Database:
> # The NSS security database directory that holds the certificates and
> # keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
> # Provide the directory that these files exist.
> NSSCertificateDatabase /etc/httpd/alias
>
> # Database Prefix:
> # In order to be able to store multiple NSS databases in one directory
> # they need unique names. This option sets the database prefix used for
> # cert8.db and key3.db.
> #NSSDBPrefix my-prefix-
>
> # Client Authentication (Type):
> # Client certificate verification type. Types are none, optional and
> # require.
> #NSSVerifyClient none
>
> #
> # Online Certificate Status Protocol (OCSP).
> # Verify that certificates have not been revoked before accepting them.
> #NSSOCSP off
>
> #
> # Use a default OCSP responder. If enabled this will be used regardless
> # of whether one is included in a client certificate. Note that the
> # server certificate is verified during startup.
> #
> # NSSOCSPDefaultURL defines the service URL of the OCSP responder
> # NSSOCSPDefaultName is the nickname of the certificate to trust to
> # sign the OCSP responses.
> #NSSOCSPDefaultResponder on
> #NSSOCSPDefaultURL http://example.com/ocsp/status
> #NSSOCSPDefaultName ocsp-nickname
>
> # Access Control:
> # With SSLRequire you can do per-directory access control based
> # on arbitrary complex boolean expressions containing server
> # variable checks and other lookup directives. The syntax is a
> # mixture between C and Perl. See the mod_nss documentation
> # for more details.
> #
> #NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
> # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> #
>
> # SSL Engine Options:
> # Set various options for the SSL engine.
> # o FakeBasicAuth:
> # Translate the client X.509 into a Basic Authorisation. This means that
> # the standard Auth/DBMAuth methods can be used for access control. The
> # user name is the `one line' version of the client's X.509 certificate.
> # Note that no password is obtained from the user. Every entry in the user
> # file needs this password: `xxj31ZMTZzkVA'.
> # o ExportCertData:
> # This exports two additional environment variables: SSL_CLIENT_CERT and
> # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
> # server (always existing) and the client (only existing when client
> # authentication is used). This can be used to import the certificates
> # into CGI scripts.
> # o StdEnvVars:
> # This exports the standard SSL/TLS related `SSL_*' environment variables.
> # Per default this exportation is switched off for performance reasons,
> # because the extraction step is an expensive operation and is usually
> # useless for serving static content. So one usually enables the
> # exportation for CGI and SSI requests only.
> # o StrictRequire:
> # This denies access when "NSSRequireSSL" or "NSSRequire" applied even
> # under a "Satisfy any" situation, i.e. when it applies access is denied
> # and no other module can change it.
> # o OptRenegotiate:
> # This enables optimized SSL connection renegotiation handling when SSL
> # directives are used in per-directory context.
> #NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
>
> NSSOptions +StdEnvVars
>
>
> NSSOptions +StdEnvVars
>
>
> # Per-Server Logging:
> # The home of a custom SSL log file. Use this when you want a
> # compact non-error SSL logfile on a virtual host basis.
> #CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \
> # "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>
>
>
From gjn at gjn.priv.at Wed Aug 10 11:56:16 2016
From: gjn at gjn.priv.at (=?ISO-8859-1?Q?G=FCnther_J=2E?= Niederwimmer)
Date: Wed, 10 Aug 2016 13:56:16 +0200
Subject: [Mod_nss-list] SNI Problem
In-Reply-To: <57AA2CCC.5010706@redhat.com>
References: <3952559.xDTIjLZFmt@techz> <57AA2CCC.5010706@redhat.com>
Message-ID: <5140289.hnNvZ2dQ4e@techz>
Hello Rob,
thanks for the answer.
On Tuesday, 9 August 2016, 15:19:40, Rob Crittenden wrote:
> Günther J. Niederwimmer wrote:
> > Hello,
> >
> > Version 1.0.14
> >
> > I have this message in my logs
> >
> > No hostname was provided via SNI for a name based virtual host
> >
> > I searched the "world" ;-) and found it for an SSL configuration
> >
> > SSLStrictSNIVHostCheck off
> >
> > I know that means the browser, but with the last Chromium and Firefox I have
> > this message?
> >
> > but nothing for an NSS configuration
>
> The equivalent is NSSStrictSNIVHostCheck off
>
> I don't know why the browser isn't setting SNI in the request, I can't
> reproduce it here.
>
> What does "last" version mean, specifics are needed.
I mean version 48 for Firefox and 52 for Chromium,
and the Linux version is Leap 42.1.
> > Does anyone have an idea what this is or what I can do?
--
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer
From rcritten at redhat.com Wed Aug 10 17:33:51 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 10 Aug 2016 13:33:51 -0400
Subject: [Mod_nss-list] SNI Problem
In-Reply-To: <5140289.hnNvZ2dQ4e@techz>
References: <3952559.xDTIjLZFmt@techz> <57AA2CCC.5010706@redhat.com>
<5140289.hnNvZ2dQ4e@techz>
Message-ID: <57AB657F.3060200@redhat.com>
Günther J. Niederwimmer wrote:
> Hello Rob,
>
> thanks for the answer.
>
> On Tuesday, 9 August 2016, 15:19:40, Rob Crittenden wrote:
>> Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> Version 1.0.14
>>>
>>> I have this message in my logs
>>>
>>> No hostname was provided via SNI for a name based virtual host
>>>
>>> I searched the "world" ;-) and found it for an SSL configuration
>>>
>>> SSLStrictSNIVHostCheck off
>>>
>>> I know that means the browser, but with the last Chromium and Firefox I have
>>> this message?
>>>
>>> but nothing for an NSS configuration
>>
>> The equivalent is NSSStrictSNIVHostCheck off
>>
>> I don't know why the browser isn't setting SNI in the request, I can't
>> reproduce it here.
>>
>> What does "last" version mean, specifics are needed.
>
> I mean version 48 for Firefox and 52 for Chromium,
> and the Linux version is Leap 42.1.
Ok, I'll take a look.
rob
From rcritten at redhat.com Wed Aug 10 18:00:55 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 10 Aug 2016 14:00:55 -0400
Subject: [Mod_nss-list] SNI Problem
In-Reply-To: <57AB657F.3060200@redhat.com>
References: <3952559.xDTIjLZFmt@techz> <57AA2CCC.5010706@redhat.com>
<5140289.hnNvZ2dQ4e@techz> <57AB657F.3060200@redhat.com>
Message-ID: <57AB6BD7.5050104@redhat.com>
Rob Crittenden wrote:
> Günther J. Niederwimmer wrote:
>> Hello Rob,
>>
>> thanks for the answer.
>>
>> On Tuesday, 9 August 2016, 15:19:40, Rob Crittenden wrote:
>>> Günther J. Niederwimmer wrote:
>>>> Hello,
>>>>
>>>> Version 1.0.14
>>>>
>>>> I have this message in my logs
>>>>
>>>> No hostname was provided via SNI for a name based virtual host
>>>>
>>>> I searched the "world" ;-) and found it for an SSL configuration
>>>>
>>>> SSLStrictSNIVHostCheck off
>>>>
>>>> I know that means the browser, but with the last Chromium and Firefox I have
>>>> this message?
>>>>
>>>> but nothing for an NSS configuration
>>>
>>> The equivalent is NSSStrictSNIVHostCheck off
>>>
>>> I don't know why the browser isn't setting SNI in the request, I can't
>>> reproduce it here.
>>>
>>> What does "last" version mean, specifics are needed.
>>
>> I mean version 48 for Firefox and 52 for Chromium,
>> and the Linux version is Leap 42.1.
>
> Ok, I'll take a look.
Looks like a bug in NSS. I filed
https://bugzilla.redhat.com/show_bug.cgi?id=1366011
rob
From gjn at gjn.priv.at Mon Aug 15 13:49:37 2016
From: gjn at gjn.priv.at (=?ISO-8859-1?Q?G=FCnther_J=2E?= Niederwimmer)
Date: Mon, 15 Aug 2016 15:49:37 +0200
Subject: [Mod_nss-list] mod_nss 1.0.14
Message-ID: <1760518.2r19MRsu8W@techz>
Hello Rob,
What is wrong with this spec file?
Is this the build service or ....
I would like to create my mod_nss rpm like
mod_nss-1.0.14.el7_xx.x86_64.rpm
but I get
mod_nss-1.0.14-6.1.x86_64.rpm
The spec file is attached.
--
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_nss.spec
Type: text/x-rpm-spec
Size: 26278 bytes
Desc: not available
URL:
From rcritten at redhat.com Mon Aug 15 15:17:59 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Aug 2016 11:17:59 -0400
Subject: [Mod_nss-list] mod_nss 1.0.14
In-Reply-To: <1760518.2r19MRsu8W@techz>
References: <1760518.2r19MRsu8W@techz>
Message-ID: <57B1DD27.8070303@redhat.com>
Günther J. Niederwimmer wrote:
> Hello Rob,
>
> What is wrong with this spec file?
> Is this the build service or ....
>
> I would like to create my mod_nss rpm like
> mod_nss-1.0.14.el7_xx.x86_64.rpm
>
> but I get
> mod_nss-1.0.14-6.1.x86_64.rpm
>
> The spec file is attached.
I don't know where 6.1 is coming from but the lack of ?dist shouldn't
concern you. If you really want it you can install the redhat-rpm-config
package, or --define dist when you do the build.
rob
From georgewash87 at gmail.com Fri Aug 26 16:42:45 2016
From: georgewash87 at gmail.com (George Wash)
Date: Fri, 26 Aug 2016 12:42:45 -0400
Subject: [Mod_nss-list] ordering of ciphersuites
Message-ID:
Using mod_nss version 1.0.12-1.fc23 on Fedora
Is there a way to specify the ordering of suites in the NSSCipherSuites
directive?
I have done some testing with curl,
For example:
Client asserts: rsa_aes_256_sha, rsa_aes_128_sha
Server Accepts: +rsa_aes_256_sha,+rsa_aes_128_sha
Negotiated: rsa_aes_128_sha

Client asserts: rsa_aes_128_sha, rsa_aes_256_sha
Server Accepts: +rsa_aes_256_sha,+rsa_aes_128_sha
Negotiated: rsa_aes_128_sha

Client asserts: rsa_aes_256_sha, rsa_aes_128_sha
Server Accepts: +rsa_aes_128_sha, +rsa_aes_256_sha,
Negotiated: rsa_aes_128_sha

Client asserts: rsa_aes_128_sha, rsa_aes_256_sha
Server Accepts: +rsa_aes_128_sha, +rsa_aes_256_sha,
Negotiated: rsa_aes_128_sha

Control test:
Client asserts: rsa_aes_256_sha
Server Accepts: +rsa_aes_128_sha, +rsa_aes_256_sha,
Negotiated: rsa_aes_256_sha
Thanks
From rcritten at redhat.com Fri Aug 26 17:26:54 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 26 Aug 2016 13:26:54 -0400
Subject: [Mod_nss-list] ordering of ciphersuites
In-Reply-To:
References:
Message-ID: <57C07BDE.70201@redhat.com>
George Wash wrote:
> Using mod_nss version 1.0.12-1.fc23 on fedora
>
> Is there a way to specify the ordering of suites in the
> NSSCipherSuites directive?
No, NSS doesn't allow custom ordering of suites. It orders them on its
own strength calculations.
rob
>
> I have done some testing with curl,
>
> For example:
>
> Client asserts: rsa_aes_256_sha, rsa_aes_128_sha
> Server Accepts: +rsa_aes_256_sha,+rsa_aes_128_sha
> Negotiated: rsa_aes_128_sha
>
> Client asserts: rsa_aes_128_sha, rsa_aes_256_sha
> Server Accepts: +rsa_aes_256_sha,+rsa_aes_128_sha
> Negotiated: rsa_aes_128_sha
>
> Client asserts: rsa_aes_256_sha, rsa_aes_128_sha
> Server Accepts: +rsa_aes_128_sha, +rsa_aes_256_sha,
> Negotiated: rsa_aes_128_sha
>
> Client asserts: rsa_aes_128_sha, rsa_aes_256_sha
> Server Accepts: +rsa_aes_128_sha, +rsa_aes_256_sha,
> Negotiated: rsa_aes_128_sha
>
> Control test:
> Client asserts: rsa_aes_256_sha
> Server Accepts: +rsa_aes_128_sha, +rsa_aes_256_sha,
> Negotiated: rsa_aes_256_sha
>
> Thanks
>
> _______________________________________________
> Mod_nss-list mailing list
> Mod_nss-list at redhat.com
> https://www.redhat.com/mailman/listinfo/mod_nss-list
>
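Editor's added example, not code from the thread or from mod_nss. Both discussions above turn on what the server reads out of the TLS ClientHello: the SNI thread on the server_name extension that the "No hostname was provided via SNI for a name based virtual host" check looks for, and the cipher thread on the client's ordered cipher list, which NSS does not honour. The script below builds a constructed TLS 1.2 ClientHello with and without SNI, parses those two fields back out, and then models name-based vhost selection under the strict and non-strict NSSStrictSNIVHostCheck semantics (as documented for its mod_ssl counterpart: strict refuses non-SNI clients, off hands them the default vhost) and cipher selection by server preference against George's test cases. The certificate nicknames are the ones in the posted nss.conf; the vhost table and the two-entry server preference order are assumptions, the latter derived only from the negotiated results George reported and not from NSS's real internal ordering.

```python
"""TLS 1.2 ClientHello as a name-based TLS virtual host sees it (RFC 5246 s7.4.1.2,
RFC 6066 s3): the server_name (SNI) extension and the client's ordered cipher list."""
import struct

# IANA code points for the mod_nss cipher names used in the thread.
CIPHERS = {
    "rsa_aes_128_sha": 0x002F,                # TLS_RSA_WITH_AES_128_CBC_SHA
    "rsa_aes_256_sha": 0x0035,                # TLS_RSA_WITH_AES_256_CBC_SHA
    "rsa_aes_128_gcm_sha_256": 0x009C,        # TLS_RSA_WITH_AES_128_GCM_SHA256
    "ecdhe_rsa_aes_128_gcm_sha_256": 0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
CODE_TO_NAME = {v: k for k, v in CIPHERS.items()}

# Nicknames from the posted nss.conf; the vhost table itself is an assumption
# standing in for httpd's name-based virtual host lookup.
DEFAULT_VHOST_CERT = "Server-Cert-GU-Bauconsulting"
VHOST_CERTS = {"www.example3.com": "Server-Cert-Example3"}

# Server-side preference. Per Rob's reply NSS orders suites itself; this list is
# an assumption derived only from George's results (AES-128-CBC beats AES-256-CBC).
SERVER_ORDER = ["rsa_aes_128_sha", "rsa_aes_256_sha"]


def build_client_hello(cipher_names, sni=None):
    """Constructed TLS 1.2 ClientHello record; random is zeroed (test data, not secure)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"           # version, random, empty session_id
    suites = b"".join(struct.pack("!H", CIPHERS[n]) for n in cipher_names)
    body += struct.pack("!H", len(suites)) + suites     # cipher_suites in client order
    body += b"\x01\x00"                                 # compression_methods: null only
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # server_name extension
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (sni_hostname or None, [cipher code points in client order])."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 34 + 1 + body[34]                              # skip version, random, session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                 # skip compression_methods
    sni = None
    if pos < len(body):                                  # extensions block present
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000:                          # server_name: 2-byte list length first
                q = 2
                while q + 3 <= len(data):
                    ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                    if ntype == 0:
                        sni = data[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
    return sni, ciphers


def choose_vhost(sni, strict=True):
    """Name-based vhost selection. strict=True models NSSStrictSNIVHostCheck on:
    a client that sent no SNI is refused and the thread's log line is produced;
    off serves it the default vhost. Returns (cert nickname or None, log message)."""
    if sni is None:
        if strict:
            return None, "No hostname was provided via SNI for a name based virtual host"
        return DEFAULT_VHOST_CERT, None
    return VHOST_CERTS.get(sni, DEFAULT_VHOST_CERT), None


def select_cipher(offered_codes, enabled, server_order=SERVER_ORDER):
    """Server-preference selection, as observed: first suite in the server's own
    order that is both enabled (NSSCipherSuite) and offered; client order is ignored."""
    offered = {CODE_TO_NAME[c] for c in offered_codes if c in CODE_TO_NAME}
    return next((n for n in server_order if n in enabled and n in offered), None)


def select_cipher_client_preferred(offered_codes, enabled):
    """Contrast: honour the client's order (mod_ssl without SSLHonorCipherOrder)."""
    return next((CODE_TO_NAME[c] for c in offered_codes
                 if CODE_TO_NAME.get(c) in enabled), None)


if __name__ == "__main__":
    enabled = {"rsa_aes_128_sha", "rsa_aes_256_sha"}   # +rsa_aes_128_sha,+rsa_aes_256_sha
    for names, host in [(["rsa_aes_256_sha", "rsa_aes_128_sha"], "www.example3.com"),
                        (["rsa_aes_128_sha", "rsa_aes_256_sha"], None),
                        (["rsa_aes_256_sha"], "www.example3.com")]:
        sni, codes = parse_client_hello(build_client_hello(names, host))
        print(sni, choose_vhost(sni, strict=True),
              "server-pref:", select_cipher(codes, enabled),
              "client-pref:", select_cipher_client_preferred(codes, enabled))
```

The `__main__` cases reproduce the thread: with both AES-CBC suites enabled, server preference yields rsa_aes_128_sha whatever the client lists first, and only the control case (client offers rsa_aes_256_sha alone) negotiates AES-256; the client-preferred column shows what a server honouring client order would have picked. For the SNI side, `openssl s_client -connect host:443 -servername www.example3.com` sends the extension, and OpenSSL releases before 1.1.1 omit it unless -servername is given, which is a quick way to see how a strict server treats a non-SNI client.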