From relst at relst.nl Sat Jul 16 06:57:04 2016
From: relst at relst.nl (Remy van Elst)
Date: Sat, 16 Jul 2016 08:57:04 +0200
Subject: [Mod_nss-list] Apache, mod_nss SSL Library Error: -8023 Unknown

Hi there,

I'm using mod_nss on Ubuntu 16.04 with Apache, the Nitrokey HSM and the OpenSC PKCS#11 module. I do experience frequent crashes of Apache. The browser gives SSL_ERROR_HANDSHAKE_FAILURE_ALERT.

This is in the error log, with LogLevel debug:

[Sat Jul 16 08:51:21.798715 2016] [:info] [pid 15788] Connection to child 2 established (server rsa1024.tst.raymii.org, client 172.16.20.55)
[Sat Jul 16 08:51:21.799585 2016] [:info] [pid 15788] SSL input filter read failed.
[Sat Jul 16 08:51:21.799889 2016] [:error] [pid 15788] SSL Library Error: -8152 The key does not support the requested operation
[Sat Jul 16 08:51:21.800184 2016] [:info] [pid 15788] Connection to child 2 closed (server rsa1024.tst.raymii.org:443, client 172.16.20.55)
[Sat Jul 16 08:51:21.840763 2016] [:info] [pid 15791] SSL input filter read failed.
[Sat Jul 16 08:51:21.841044 2016] [:error] [pid 15791] SSL Library Error: -8023 Unknown
[Sat Jul 16 08:51:21.841245 2016] [:info] [pid 15791] Connection to child 3 closed (server rsa1024.tst.raymii.org:443, client 172.16.20.55)
[Sat Jul 16 08:51:21.932461 2016] [:info] [pid 15791] Connection to child 3 established (server rsa1024.tst.raymii.org, client 172.16.20.55)
[Sat Jul 16 08:51:21.933291 2016] [:info] [pid 15791] SSL input filter read failed.
[Sat Jul 16 08:51:21.933480 2016] [:error] [pid 15791] SSL Library Error: -8152 The key does not support the requested operation

This problem occurs when loading a WordPress site. A simple single HTML page also gives this error, but it takes many more refreshes. The WordPress site triggers it after a few (5, 6) pages.

A restart of the Apache server is required to make the error go away.

Best regards,
Remy
https://raymii.org

From rcritten at redhat.com Mon Jul 18 15:43:51 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Jul 2016 11:43:51 -0400
Subject: [Mod_nss-list] Apache, mod_nss SSL Library Error: -8023 Unknown
Message-ID: <578CF937.1080105@redhat.com>

Remy van Elst wrote:
>
> Hi there,
>
> I'm using mod_nss on Ubuntu 16.04 with Apache, the Nitrokey HSM and the OpenSC PKCS#11 module. I do experience frequent crashes of Apache. The browser gives SSL_ERROR_HANDSHAKE_FAILURE_ALERT.
>
> This is in the error log, with LogLevel debug:
>
> [Sat Jul 16 08:51:21.798715 2016] [:info] [pid 15788] Connection to child 2 established (server rsa1024.tst.raymii.org, client 172.16.20.55)
> [Sat Jul 16 08:51:21.799585 2016] [:info] [pid 15788] SSL input filter read failed.
> [Sat Jul 16 08:51:21.799889 2016] [:error] [pid 15788] SSL Library Error: -8152 The key does not support the requested operation
> [Sat Jul 16 08:51:21.800184 2016] [:info] [pid 15788] Connection to child 2 closed (server rsa1024.tst.raymii.org:443, client 172.16.20.55)
> [Sat Jul 16 08:51:21.840763 2016] [:info] [pid 15791] SSL input filter read failed.
> [Sat Jul 16 08:51:21.841044 2016] [:error] [pid 15791] SSL Library Error: -8023 Unknown
> [Sat Jul 16 08:51:21.841245 2016] [:info] [pid 15791] Connection to child 3 closed (server rsa1024.tst.raymii.org:443, client 172.16.20.55)
> [Sat Jul 16 08:51:21.932461 2016] [:info] [pid 15791] Connection to child 3 established (server rsa1024.tst.raymii.org, client 172.16.20.55)
> [Sat Jul 16 08:51:21.933291 2016] [:info] [pid 15791] SSL input filter read failed.
> [Sat Jul 16 08:51:21.933480 2016] [:error] [pid 15791] SSL Library Error: -8152 The key does not support the requested operation
>
> This problem occurs when loading a WordPress site. A simple single HTML page also gives this error, but it takes many more refreshes. The WordPress site triggers it after a few (5, 6) pages.
>
> A restart of the Apache server is required to make the error go away.

What version of NSS and mod_nss do you have installed? I'm not sure if this is a PKCS#11 issue or something else.

rob

From fkiefer at mozilla.com Tue Jul 19 05:56:39 2016
From: fkiefer at mozilla.com (Franziskus Kiefer)
Date: Tue, 19 Jul 2016 07:56:39 +0200
Subject: [Mod_nss-list] mod_nss ALPN

Hi Rob, all,

I was wondering if you or anyone else has more info on [1], i.e. the comment that this requires changes to mod_http2 in order to get H2 running.
I have a patch that adds ALPN support to mod_nss but I don't get Apache to actually do H2 (it negotiates H2 but then doesn't send necessary messages such as settings).

Cheers,
Franziskus

[1] https://fedorahosted.org/mod_nss/ticket/14

From rcritten at redhat.com Tue Jul 19 13:32:40 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Jul 2016 09:32:40 -0400
Subject: [Mod_nss-list] mod_nss ALPN
Message-ID: <578E2BF8.40304@redhat.com>

Franziskus Kiefer wrote:
> Hi Rob, all,
>
> I was wondering if you or anyone else has more info on [1], i.e. the comment that this requires changes to mod_http2 in order to get H2 running.
> I have a patch that adds ALPN support to mod_nss but I don't get Apache to actually do H2 (it negotiates H2 but then doesn't send necessary messages such as settings).

In Apache modules/http2/mod_http2.c in h2_hooks() you need to include mod_nss in the SSL modules ordering list:

static const char *const mod_ssl[] = { "mod_ssl.c", "mod_nss.c", NULL};

rob

From fkiefer at mozilla.com Wed Jul 20 15:09:28 2016
From: fkiefer at mozilla.com (Franziskus Kiefer)
Date: Wed, 20 Jul 2016 17:09:28 +0200
Subject: [Mod_nss-list] mod_nss ALPN
In-Reply-To: <578E2BF8.40304@redhat.com>
References: <578E2BF8.40304@redhat.com>

Thanks for your reply.
But that doesn't seem to change anything :/

Cheers

On Tue, Jul 19, 2016 at 3:32 PM, Rob Crittenden wrote:
> Franziskus Kiefer wrote:
>> Hi Rob, all,
>>
>> I was wondering if you or anyone else has more info on [1], i.e. the comment that this requires changes to mod_http2 in order to get H2 running.
>> I have a patch that adds ALPN support to mod_nss but I don't get Apache to actually do H2 (it negotiates H2 but then doesn't send necessary messages such as settings).
>
> In Apache modules/http2/mod_http2.c in h2_hooks() you need to include mod_nss in the SSL modules ordering list:
>
> static const char *const mod_ssl[] = { "mod_ssl.c", "mod_nss.c", NULL};
>
> rob

From rcritten at redhat.com Wed Jul 20 15:33:36 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Jul 2016 11:33:36 -0400
Subject: [Mod_nss-list] mod_nss ALPN
References: <578E2BF8.40304@redhat.com>
Message-ID: <578F99D0.2080507@redhat.com>

Franziskus Kiefer wrote:
> Thanks for your reply.
> But that doesn't seem to change anything :/

I'm not sure. I worked on this in the spring and made a little bit of progress when using curl as a client but failed with Firefox. I'll attach the patch I was working on. Be aware that it is pretty much a mess with lots of hardcoded values and such.

rob

>
> Cheers
>
> On Tue, Jul 19, 2016 at 3:32 PM, Rob Crittenden wrote:
>> Franziskus Kiefer wrote:
>>> Hi Rob, all,
>>>
>>> I was wondering if you or anyone else has more info on [1], i.e. the comment that this requires changes to mod_http2 in order to get H2 running.
>>> I have a patch that adds ALPN support to mod_nss but I don't get Apache to actually do H2 (it negotiates H2 but then doesn't send necessary messages such as settings).
>>
>> In Apache modules/http2/mod_http2.c in h2_hooks() you need to include mod_nss in the SSL modules ordering list:
>>
>> static const char *const mod_ssl[] = { "mod_ssl.c", "mod_nss.c", NULL};
>>
>> rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ALPN-WIP-basically-works-no-client-proxy.patch
Type: text/x-diff
Size: 15964 bytes

From fkiefer at mozilla.com Wed Jul 20 15:38:37 2016
From: fkiefer at mozilla.com (Franziskus Kiefer)
Date: Wed, 20 Jul 2016 17:38:37 +0200
Subject: [Mod_nss-list] mod_nss ALPN
In-Reply-To: <578F99D0.2080507@redhat.com>
References: <578E2BF8.40304@redhat.com> <578F99D0.2080507@redhat.com>

Thanks! I'll check your patch.
Also note that there are currently bugs in the NSS ALPN implementation that have to be fixed before this can work properly.

Cheers

On Wed, Jul 20, 2016 at 5:33 PM, Rob Crittenden wrote:
> Franziskus Kiefer wrote:
>> Thanks for your reply.
>> But that doesn't seem to change anything :/
>
> I'm not sure. I worked on this in the spring and made a little bit of progress when using curl as a client but failed with Firefox. I'll attach the patch I was working on. Be aware that it is pretty much a mess with lots of hardcoded values and such.
>
> rob
>
>> Cheers
>>
>> On Tue, Jul 19, 2016 at 3:32 PM, Rob Crittenden wrote:
>>> Franziskus Kiefer wrote:
>>>> Hi Rob, all,
>>>>
>>>> I was wondering if you or anyone else has more info on [1], i.e. the comment that this requires changes to mod_http2 in order to get H2 running.
>>>> I have a patch that adds ALPN support to mod_nss but I don't get Apache to actually do H2 (it negotiates H2 but then doesn't send necessary messages such as settings).
>>>
>>> In Apache modules/http2/mod_http2.c in h2_hooks() you need to include mod_nss in the SSL modules ordering list:
>>>
>>> static const char *const mod_ssl[] = { "mod_ssl.c", "mod_nss.c", NULL};
>>>
>>> rob

From gjn at gjn.priv.at Wed Jul 27 12:58:12 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Wed, 27 Jul 2016 14:58:12 +0200
Subject: [Mod_nss-list] nss config
Message-ID: <19340377.xkb573VVcF@techz>

Hello,

this is my first installation with CentOS 7 apache and mod_nss ;-)

my questions are

is it possible to install more VHosts in nss.conf

nss.conf
.....
...
ServerName www.example.com
.....
...
DocumentRoot /var/www/cloud.example.com/html/
ServerName cloud.example.com
.....
...
DocumentRoot /var/www/www.example1.com/html/
ServerName www.example1.com
.....
...
DocumentRoot /var/www/www.example2.com/html/
ServerName www.example2.com
.....

and what is the best way to rewrite / forward to nss

Thanks for an answer,

--
mit freundlichen Grüßen / best regards,

Günther J. Niederwimmer

From rcritten at redhat.com Wed Jul 27 13:42:47 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Jul 2016 09:42:47 -0400
Subject: [Mod_nss-list] nss config
In-Reply-To: <19340377.xkb573VVcF@techz>
References: <19340377.xkb573VVcF@techz>
Message-ID: <5798BA57.50300@redhat.com>

Günther J. Niederwimmer wrote:
> Hello,
>
> this is my first installation with CentOS 7 apache and mod_nss ;-)
>
> my questions are
>
> is it possible to install more VHosts in nss.conf

mod_nss added SNI support in 1.0.12 and RHEL 7.2 has 1.0.11 so if you're having problems, that's why.

> and what is the best way to rewrite / forward to nss

The same way as with mod_ssl. You can use mod_rewrite or the Redirect directive.

rob

From gjn at gjn.priv.at Wed Jul 27 14:16:26 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Wed, 27 Jul 2016 16:16:26 +0200
Subject: [Mod_nss-list] nss config
In-Reply-To: <5798BA57.50300@redhat.com>
References: <19340377.xkb573VVcF@techz> <5798BA57.50300@redhat.com>
Message-ID: <2978173.N2lmOTXqXR@techz>

Hello Rob,

thanks for the answer.

yes, I mean I must have SNI support when I like NSS.

I have a wildcard certificate installed

Is it possible to download from any repositories the 1.0.12 for CentOS 7.2 ?

On Wednesday, 27 July 2016, 09:42:47 Rob Crittenden wrote:
> Günther J. Niederwimmer wrote:
>> Hello,
>>
>> this is my first installation with CentOS 7 apache and mod_nss ;-)
>>
>> my questions are
>>
>> is it possible to install more VHosts in nss.conf
>
> mod_nss added SNI support in 1.0.12 and RHEL 7.2 has 1.0.11 so if you're having problems, that's why.
>
>> and what is the best way to rewrite / forward to nss
>
> The same way as with mod_ssl. You can use mod_rewrite or the Redirect directive.

These are my first experiments with an Apache server, I have not installed an HTTP server before ;-).

Thanks,

--
mit freundlichen Grüßen / best regards,

Günther J. Niederwimmer

From rcritten at redhat.com Wed Jul 27 14:24:11 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Jul 2016 10:24:11 -0400
Subject: [Mod_nss-list] nss config
In-Reply-To: <2978173.N2lmOTXqXR@techz>
References: <19340377.xkb573VVcF@techz> <5798BA57.50300@redhat.com> <2978173.N2lmOTXqXR@techz>
Message-ID: <5798C40B.6010802@redhat.com>

Günther J. Niederwimmer wrote:
> Hello Rob,
>
> thanks for the answer.
>
> yes, I mean I must have SNI support when I like NSS.
>
> I have a wildcard certificate installed
>
> Is it possible to download from any repositories the 1.0.12 for CentOS 7.2 ?

There may be one but I don't know of any. If you do end up building it yourself I'd use 1.0.14, the latest.

> On Wednesday, 27 July 2016, 09:42:47 Rob Crittenden wrote:
>> Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> this is my first installation with CentOS 7 apache and mod_nss ;-)
>>>
>>> my questions are
>>>
>>> is it possible to install more VHosts in nss.conf
>>
>> mod_nss added SNI support in 1.0.12 and RHEL 7.2 has 1.0.11 so if you're having problems, that's why.
>>
>>> and what is the best way to rewrite / forward to nss
>>
>> The same way as with mod_ssl. You can use mod_rewrite or the Redirect directive.
>
> These are my first experiments with an Apache server, I have not installed an HTTP server before ;-).

The Apache docs (and google) will serve you well. Pretty much anything generic to Apache will work with mod_nss.

rob

From gjn at gjn.priv.at Wed Jul 27 22:18:21 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Thu, 28 Jul 2016 00:18:21 +0200
Subject: [Mod_nss-list] nss config
In-Reply-To: <5798C40B.6010802@redhat.com>
References: <19340377.xkb573VVcF@techz> <2978173.N2lmOTXqXR@techz> <5798C40B.6010802@redhat.com>
Message-ID: <4853572.LlMqL6v2qZ@techz>

Hello Rob,

On Wednesday, 27 July 2016, 10:24:11 Rob Crittenden wrote:
> Günther J. Niederwimmer wrote:
>> Hello Rob,
>>
>> thanks for the answer.
>>
>> yes, I mean I must have SNI support when I like NSS.
>>
>> I have a wildcard certificate installed
>>
>> Is it possible to download from any repositories the 1.0.12 for CentOS 7.2 ?
>
> There may be one but I don't know of any. If you do end up building it yourself I'd use 1.0.14, the latest.

I am not a programmer :-( but I tested the build service from openSUSE and it is not working :-(.

Can you help a little bit ;-)

I have started with your spec file inside the package source. I include the log file from the test?

>> On Wednesday, 27 July 2016, 09:42:47 Rob Crittenden wrote:
>>> Günther J. Niederwimmer wrote:
>>>> Hello,
>>>>
>>>> this is my first installation with CentOS 7 apache and mod_nss ;-)
>>>>
>>>> my questions are
>>>>
>>>> is it possible to install more VHosts in nss.conf
>>>
>>> mod_nss added SNI support in 1.0.12 and RHEL 7.2 has 1.0.11 so if you're having problems, that's why.
>>>
>>>> and what is the best way to rewrite / forward to nss
>>>
>>> The same way as with mod_ssl. You can use mod_rewrite or the Redirect directive.
>>
>> These are my first experiments with an Apache server, I have not installed an HTTP server before ;-).
>
> The Apache docs (and google) will serve you well. Pretty much anything generic to Apache will work with mod_nss.
>
> rob

--
mit freundlichen Grüßen / best regards,

Günther J. Niederwimmer

-------------- next part --------------
A non-text attachment was scrubbed...
Name: nss_build-x86_64.log
Type: text/x-log
Size: 10495 bytes

From gjn at gjn.priv.at Thu Jul 28 12:57:16 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Thu, 28 Jul 2016 14:57:16 +0200
Subject: [Mod_nss-list] nss config
In-Reply-To: <19340377.xkb573VVcF@techz>
References: <19340377.xkb573VVcF@techz>
Message-ID: <2067416.lQ4FRuHoiT@techz>

Hello Rob,

On Wednesday, 27 July 2016, 14:58:12 Günther J. Niederwimmer wrote:
> Hello,
>
> this is my first installation with CentOS 7 apache and mod_nss ;-)
>
> my questions are
>
I mean I have a package 1.0.14, now the question is, is it working correctly?

I made it with help from the spec file 1.0.11

Please Rob, can you make a short test ?

Thanks

Thanks for an answer,

--
mit freundlichen Grüßen / best regards,

Günther J. Niederwimmer

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_nss-1.0.14-6.1.x86_64.rpm
Type: application/x-rpm
Size: 111736 bytes

From rcritten at redhat.com Thu Jul 28 13:19:19 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2016 09:19:19 -0400
Subject: [Mod_nss-list] nss config
In-Reply-To: <4853572.LlMqL6v2qZ@techz>
References: <19340377.xkb573VVcF@techz> <2978173.N2lmOTXqXR@techz> <5798C40B.6010802@redhat.com> <4853572.LlMqL6v2qZ@techz>
Message-ID: <579A0657.5080102@redhat.com>

Günther J. Niederwimmer wrote:
> Hello Rob,
>
> On Wednesday, 27 July 2016, 10:24:11 Rob Crittenden wrote:
>> Günther J. Niederwimmer wrote:
>>> Hello Rob,
>>>
>>> thanks for the answer.
>>>
>>> yes, I mean I must have SNI support when I like NSS.
>>>
>>> I have a wildcard certificate installed
>>>
>>> Is it possible to download from any repositories the 1.0.12 for CentOS 7.2 ?
>> There may be one but I don't know of any. If you do end up building it yourself I'd use 1.0.14, the latest.
>
> I am not a programmer :-( but I tested the build service from openSUSE and it is not working :-(.
>
> Can you help a little bit ;-)
>
> I have started with your spec file inside the package source. I include the log file from the test?

This isn't the log file, it's a link to the place you built it (SUSE?).

rob

>
>>> On Wednesday, 27 July 2016, 09:42:47 Rob Crittenden wrote:
>>>> Günther J. Niederwimmer wrote:
>>>>> Hello,
>>>>>
>>>>> this is my first installation with CentOS 7 apache and mod_nss ;-)
>>>>>
>>>>> my questions are
>>>>>
>>>>> is it possible to install more VHosts in nss.conf
>>>>
>>>> mod_nss added SNI support in 1.0.12 and RHEL 7.2 has 1.0.11 so if you're having problems, that's why.
>>>>
>>>>> and what is the best way to rewrite / forward to nss
>>>>
>>>> The same way as with mod_ssl. You can use mod_rewrite or the Redirect directive.
>>>
>>> These are my first experiments with an Apache server, I have not installed an HTTP server before ;-).
>>
>> The Apache docs (and google) will serve you well. Pretty much anything generic to Apache will work with mod_nss.
>>
>> rob

From rcritten at redhat.com Thu Jul 28 13:36:16 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2016 09:36:16 -0400
Subject: [Mod_nss-list] nss config
In-Reply-To: <2067416.lQ4FRuHoiT@techz>
References: <19340377.xkb573VVcF@techz> <2067416.lQ4FRuHoiT@techz>
Message-ID: <579A0A50.7030808@redhat.com>

Günther J. Niederwimmer wrote:
> Hello Rob,
>
> On Wednesday, 27 July 2016, 14:58:12 Günther J. Niederwimmer wrote:
>> Hello,
>>
>> this is my first installation with CentOS 7 apache and mod_nss ;-)
>>
>> my questions are
>>
> I mean I have a package 1.0.14, now the question is, is it working correctly?
>
> I made it with help from the spec file 1.0.11
>
> Please Rob, can you make a short test ?
>

Sorry, I can't/won't install random binaries.

The source has some self tests. If you add this section to your spec file it will execute them as part of the build:

%check
make check

Expect a few failures as there are some SNI tests that require specific configuration and the available ciphers can vary by platform. As long as the majority of tests succeed you are probably safe.

rob

From albert.l.smith12.ctr at mail.mil Thu Jul 28 13:51:45 2016
From: albert.l.smith12.ctr at mail.mil (Smith, Albert L CTR OSD OUSD ATL (US))
Date: Thu, 28 Jul 2016 13:51:45 +0000
Subject: [Mod_nss-list] Revoc check via CRL and OCSP

Hello,

I'm running RHEL6 with "httpd-2.2.15-53" and "mod_nss-1.0.10-6".

My webserver is currently configured to do revocation checking via OCSP and is working fine, except when we encounter failures with the OCSP service provider.

I would like to configure my webserver to check OCSP first, and in the case of a failure, use CRL files (either local files on disk or CRL files loaded into the NSS database) as a secondary. (If OCSP then CRL isn't possible, is CRL then OCSP possible?)

Is this possible, and if it is what are the relevant NSS directives to set?

Thank you for your attention,

-Albert Smith
Infrastructure Team
OUSD(AT&L) eBusiness Center
703 571-3015

From rcritten at redhat.com Thu Jul 28 14:00:08 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2016 10:00:08 -0400
Subject: [Mod_nss-list] Revoc check via CRL and OCSP
Message-ID: <579A0FE8.1090006@redhat.com>

Smith, Albert L CTR OSD OUSD ATL (US) wrote:
> Hello,
>
> I'm running RHEL6 with "httpd-2.2.15-53" and "mod_nss-1.0.10-6".
>
> My webserver is currently configured to do revocation checking via OCSP and is working fine, except when we encounter failures with the OCSP service provider.
>
> I would like to configure my webserver to check OCSP first, and in the case of a failure, use CRL files (either local files on disk or CRL files loaded into the NSS database) as a secondary. (If OCSP then CRL isn't possible, is CRL then OCSP possible?)
>
> Is this possible, and if it is what are the relevant NSS directives to set?

NSS will check a CRL automatically if one has been loaded (see crlutil). It does this before doing an OCSP check.

The behavior you're seeing won't really change though. If the OCSP check cannot be made then the request will fail. There is no configuration setting to tune that.

For automated CRL handling you might want to look at mod_revocator, another Apache module. This will retrieve and load updated CRLs without requiring a restart of Apache.

rob

From albert.l.smith12.ctr at mail.mil Thu Jul 28 14:24:16 2016
From: albert.l.smith12.ctr at mail.mil (Smith, Albert L CTR OSD OUSD ATL (US))
Date: Thu, 28 Jul 2016 14:24:16 +0000
Subject: [Mod_nss-list] [Non-DoD Source] Re: Revoc check via CRL and OCSP
In-Reply-To: <579A0FE8.1090006@redhat.com>
References: <579A0FE8.1090006@redhat.com>

Thanks for the quick answer Rob.

Also - My website is servicing users spread among 60-ish CAs.

Do I understand this correctly to mean that if I load the CRLs into the NSS db nightly, my website will always do a revocation check against the CRL in the NSS DB, and only go to OCSP if the CRL is missing? What is the expected behavior if the CRL exists in the NSS DB but is stale?

mod_revocator - I looked at that but decided to write a Perl program to gather all of the CRLs nightly and load them into the NSS DB. This is because I had to do that anyway because of our disconnected dev/test networks.

Thank you for your attention,

-Albert Smith
Infrastructure Team
OUSD(AT&L) eBusiness Center
703 571-3015

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Thursday, July 28, 2016 10:00 AM
To: Smith, Albert L CTR OSD OUSD ATL (US); mod_nss-list at redhat.com
Subject: [Non-DoD Source] Re: [Mod_nss-list] Revoc check via CRL and OCSP

Smith, Albert L CTR OSD OUSD ATL (US) wrote:
> Hello,
>
> I'm running RHEL6 with "httpd-2.2.15-53" and "mod_nss-1.0.10-6".
>
> My webserver is currently configured to do revocation checking via OCSP and is working fine, except when we encounter failures with the OCSP service provider.
>
> I would like to configure my webserver to check OCSP first, and in the case of a failure, use CRL files (either local files on disk or CRL files loaded into the NSS database) as a secondary. (If OCSP then CRL isn't possible, is CRL then OCSP possible?)
>
> Is this possible, and if it is what are the relevant NSS directives to set?
NSS will check a CRL automatically if one has been loaded (see crlutil). It does this before doing an OCSP check.

The behavior you're seeing won't really change though. If the OCSP check cannot be made then the request will fail. There is no configuration setting to tune that.

For automated CRL handling you might want to look at mod_revocator, another Apache module. This will retrieve and load updated CRLs without requiring a restart of Apache.

rob

From rcritten at redhat.com Thu Jul 28 15:16:41 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2016 11:16:41 -0400
Subject: [Mod_nss-list] [Non-DoD Source] Re: Revoc check via CRL and OCSP
References: <579A0FE8.1090006@redhat.com>
Message-ID: <579A21D9.7080903@redhat.com>

Smith, Albert L CTR OSD OUSD ATL (US) wrote:
> Thanks for the quick answer Rob.
>
> Also - My website is servicing users spread among 60-ish CAs.
>
> Do I understand this correctly to mean that if I load the CRLs into the NSS db nightly, my website will always do a revocation check against the CRL in the NSS DB, and only go to OCSP if the CRL is missing? What is the expected behavior if the CRL exists in the NSS DB but is stale?

Not exactly. NSS will check the CRL for the certificate. If it is not there it will check OCSP. If that is successful then mod_nss will process the request.

I'm not 100% sure of this but I believe that NSS will use the CRL it has regardless of the Next Update value.

> mod_revocator - I looked at that but decided to write a Perl program to gather all of the CRLs nightly and load them into the NSS DB. This is because I had to do that anyway because of our disconnected dev/test networks.

Ok, cool.

rob

>
> Thank you for your attention,
>
> -Albert Smith
> Infrastructure Team
> OUSD(AT&L) eBusiness Center
> 703 571-3015
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Thursday, July 28, 2016 10:00 AM
> To: Smith, Albert L CTR OSD OUSD ATL (US); mod_nss-list at redhat.com
> Subject: [Non-DoD Source] Re: [Mod_nss-list] Revoc check via CRL and OCSP
>
> Smith, Albert L CTR OSD OUSD ATL (US) wrote:
>> Hello,
>>
>> I'm running RHEL6 with "httpd-2.2.15-53" and "mod_nss-1.0.10-6".
>>
>> My webserver is currently configured to do revocation checking via OCSP and is working fine, except when we encounter failures with the OCSP service provider.
>>
>> I would like to configure my webserver to check OCSP first, and in the case of a failure, use CRL files (either local files on disk or CRL files loaded into the NSS database) as a secondary. (If OCSP then CRL isn't possible, is CRL then OCSP possible?)
>>
>> Is this possible, and if it is what are the relevant NSS directives to set?
>
> NSS will check a CRL automatically if one has been loaded (see crlutil).
> It does this before doing an OCSP check.
>
> The behavior you're seeing won't really change though. If the OCSP check cannot be made then the request will fail. There is no configuration setting to tune that.
>
> For automated CRL handling you might want to look at mod_revocator, another Apache module. This will retrieve and load updated CRLs without requiring a restart of Apache.
>
> rob
>

From albert.l.smith12.ctr at mail.mil Thu Jul 28 15:36:40 2016
From: albert.l.smith12.ctr at mail.mil (Smith, Albert L CTR OSD OUSD ATL (US))
Date: Thu, 28 Jul 2016 15:36:40 +0000
Subject: [Mod_nss-list] [Non-DoD Source] Re: Revoc check via CRL and OCSP
In-Reply-To: <579A21D9.7080903@redhat.com>
References: <579A0FE8.1090006@redhat.com> <579A21D9.7080903@redhat.com>

So on all valid certificates mod_nss will check the CRL and also OCSP, even when the relevant CRL exists in the database?

I assumed that if the client cert serial number isn't found in the CRL then mod_nss would accept the cert as "good" and process the request - and only move on to OCSP if the relevant CRL doesn't exist in the nss db?

Thank you for your attention,

-Albert Smith
Infrastructure Team
OUSD(AT&L) eBusiness Center
703 571-3015

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Thursday, July 28, 2016 11:17 AM
To: Smith, Albert L CTR OSD OUSD ATL (US); mod_nss-list at redhat.com
Subject: Re: [Non-DoD Source] Re: [Mod_nss-list] Revoc check via CRL and OCSP

Smith, Albert L CTR OSD OUSD ATL (US) wrote:
> Thanks for the quick answer Rob.
>
> Also - My website is servicing users spread among 60-ish CAs.
>
> Do I understand this correctly to mean that if I load the CRLs into the NSS db nightly, my website will always do a revocation check against the CRL in the NSS DB, and only go to OCSP if the CRL is missing? What is the expected behavior if the CRL exists in the NSS DB but is stale?

Not exactly. NSS will check the CRL for the certificate. If it is not there it will check OCSP. If that is successful then mod_nss will process the request.

I'm not 100% sure of this but I believe that NSS will use the CRL it has regardless of the Next Update value.

> mod_revocator - I looked at that but decided to write a Perl program to gather all of the CRLs nightly and load them into the NSS DB. This is because I had to do that anyway because of our disconnected dev/test networks.

Ok, cool.

rob

>
> Thank you for your attention,
>
> -Albert Smith
> Infrastructure Team
> OUSD(AT&L) eBusiness Center
> 703 571-3015
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Thursday, July 28, 2016 10:00 AM
> To: Smith, Albert L CTR OSD OUSD ATL (US); mod_nss-list at redhat.com
> Subject: [Non-DoD Source] Re: [Mod_nss-list] Revoc check via CRL and OCSP
>
> Smith, Albert L CTR OSD OUSD ATL (US) wrote:
>> Hello,
>>
>> I'm running RHEL6 with "httpd-2.2.15-53" and "mod_nss-1.0.10-6".
>>
>> My webserver is currently configured to do revocation checking via OCSP and is working fine, except when we encounter failures with the OCSP service provider.
>>
>> I would like to configure my webserver to check OCSP first, and in the case of a failure, use CRL files (either local files on disk or CRL files loaded into the NSS database) as a secondary. (If OCSP then CRL isn't possible, is CRL then OCSP possible?)
>>
>> Is this possible, and if it is what are the relevant NSS directives to set?
>
> NSS will check a CRL automatically if one has been loaded (see crlutil).
> It does this before doing an OCSP check.
>
> The behavior you're seeing won't really change though. If the OCSP check cannot be made then the request will fail. There is no configuration setting to tune that.
>
> For automated CRL handling you might want to look at mod_revocator, another Apache module. This will retrieve and load updated CRLs without requiring a restart of Apache.
>
> rob
>
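The ordering Rob describes in this thread (a loaded CRL for the certificate's issuer is consulted first, OCSP only when no CRL is loaded, and the request fails when the OCSP check cannot be made) is easier to reason about when written out against sample data. The Python below is an added model for this thread, not NSS or mod_nss code: every CA name, serial number and CRL date in it is constructed, and the `use_stale_crl` switch only encodes Rob's stated belief that NSS uses a loaded CRL regardless of its Next Update value. Whether NSS additionally consults OCSP when a CRL is present is Albert's still-open question; the model follows Rob's description literally and does not settle it. The `stale_crls` helper is the check a nightly CRL loader like Albert's would want to run before importing.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Decision(Enum):
    GOOD = "good"        # revocation status established, request is processed
    REVOKED = "revoked"  # certificate listed as revoked, handshake rejected
    ERROR = "error"      # status could not be established, request fails


@dataclass
class ClientCert:
    issuer: str  # issuer DN: the key that selects which loaded CRL applies
    serial: int


@dataclass
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: Set[int] = field(default_factory=set)

    def is_stale(self, now: datetime) -> bool:
        return now > self.next_update


class OcspUnavailable(Exception):
    """Raised by an OCSP query when no usable response could be obtained."""


# An OCSP query returns True when the responder says "revoked" and raises
# OcspUnavailable when the responder cannot be reached (the outage case).
OcspQuery = Callable[[ClientCert], bool]


def check_revocation(cert: ClientCert, crl_store: Dict[str, Crl], ocsp: OcspQuery,
                     now: datetime, use_stale_crl: bool = True) -> Tuple[Decision, str]:
    """Model (not NSS code) of the order described in the thread: CRL first, OCSP only if no CRL.

    use_stale_crl=True mirrors the belief stated in the thread that a loaded CRL is
    used regardless of its Next Update; False is shown only for contrast.
    """
    crl = crl_store.get(cert.issuer)
    if crl is not None and (use_stale_crl or not crl.is_stale(now)):
        if cert.serial in crl.revoked_serials:
            return Decision.REVOKED, "serial listed on the loaded CRL"
        return Decision.GOOD, "serial not on the loaded CRL"
    try:
        revoked = ocsp(cert)
    except OcspUnavailable as exc:
        # No CRL to fall back on and no OCSP answer: fail closed.
        return Decision.ERROR, f"OCSP check could not be made: {exc}"
    return (Decision.REVOKED, "OCSP reports revoked") if revoked else (Decision.GOOD, "OCSP reports good")


def stale_crls(crl_store: Dict[str, Crl], now: datetime) -> List[str]:
    """Issuers whose loaded CRL is past Next Update: what a nightly loader should flag."""
    return sorted(issuer for issuer, crl in crl_store.items() if crl.is_stale(now))


# Constructed sample data (no real CAs, serial numbers or CRLs).
NOW = datetime(2016, 7, 28, 14, 0, tzinfo=timezone.utc)
CRL_STORE = {
    "CN=Example CA 1": Crl("CN=Example CA 1", NOW - timedelta(hours=12),
                           NOW + timedelta(hours=12), {0x1001, 0x1002}),
    "CN=Example CA 2": Crl("CN=Example CA 2", NOW - timedelta(days=10),
                           NOW - timedelta(days=3), {0x2001}),  # past Next Update
}


def ocsp_down(cert: ClientCert) -> bool:
    raise OcspUnavailable("responder timed out")


def ocsp_up(cert: ClientCert) -> bool:
    return cert.serial == 0x3001  # only this constructed serial is revoked


def run_examples() -> dict:
    """Exercise each path of the model; returns the Decision per scenario."""
    return {
        "on_crl": check_revocation(ClientCert("CN=Example CA 1", 0x1001), CRL_STORE, ocsp_down, NOW)[0],
        "not_on_crl": check_revocation(ClientCert("CN=Example CA 1", 0x1003), CRL_STORE, ocsp_down, NOW)[0],
        "no_crl_ocsp_down": check_revocation(ClientCert("CN=Example CA 3", 0x3002), CRL_STORE, ocsp_down, NOW)[0],
        "no_crl_ocsp_revoked": check_revocation(ClientCert("CN=Example CA 3", 0x3001), CRL_STORE, ocsp_up, NOW)[0],
        "stale_crl_used": check_revocation(ClientCert("CN=Example CA 2", 0x2001), CRL_STORE, ocsp_down, NOW)[0],
        "stale_crl_skipped": check_revocation(ClientCert("CN=Example CA 2", 0x2001), CRL_STORE, ocsp_down, NOW,
                                              use_stale_crl=False)[0],
        "stale_issuers": stale_crls(CRL_STORE, NOW),
    }


if __name__ == "__main__":
    for scenario, outcome in run_examples().items():
        print(f"{scenario:22s} -> {outcome}")
```

The two scenarios worth comparing are `not_on_crl` and `no_crl_ocsp_down`: with a CRL loaded for the issuer the OCSP responder is never contacted, so an OCSP outage cannot fail the request, while an issuer with no loaded CRL fails closed the moment OCSP is unreachable. That is the practical reason a nightly loader covering all sixty-odd CAs matters, and why its stale-CRL report should be watched.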