From oliver.graute at gmail.com Wed Sep 7 14:37:37 2016
From: oliver.graute at gmail.com (Oliver Graute)
Date: Wed, 7 Sep 2016 16:37:37 +0200
Subject: [Mod_nss-list] NSS Initialisation and virtual hosts
Message-ID: <20160907143737.GA27958@graute-opti>

Hello,

in our project we tried to use two Virtual Hosts with two different
Certificate Chains in two NSS databases. One for local and one for
remote connections.

After a bit of debugging it seems that this setup is not possible, because
NSS_Init is only called once and not called twice for every vhost entry.

There is already a Bug 1256527 concerning this issue:

https://bugzilla.redhat.com/show_bug.cgi?id=1256527

What needs to be done to fix this limitation? So how hard can it be to
fix this?

What alternatives do we have to get two certificate chains working with NSS?

We thought that an alternative could be to start two separate Apache instances.
Is this an approach to go? Or do we get in trouble with the NSS lib too?

Best Regards,

Oliver

From rcritten at redhat.com Wed Sep 7 16:24:35 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 7 Sep 2016 12:24:35 -0400
Subject: [Mod_nss-list] NSS Initialisation and virtual hosts
In-Reply-To: <20160907143737.GA27958@graute-opti>
References: <20160907143737.GA27958@graute-opti>
Message-ID: <57D03F43.1020901@redhat.com>

Oliver Graute wrote:
> Hello,
>
> in our project we tried to use two Virtual Hosts with two different
> Certificate Chains in two NSS databases. One for local and one for
> remote connections.
>
> After a bit of debugging it seems that this setup is not possible, because
> NSS_Init is only called once and not called twice for every vhost entry.
>
> There is already a Bug 1256527 concerning this issue:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1256527
>
> What needs to be done to fix this limitation? So how hard can it be to
> fix this?

I haven't scoped it yet so I can't really say how difficult it will be.

> What alternatives do we have to get two certificate chains working with NSS?
>
> We thought that an alternative could be to start two separate Apache instances.
> Is this an approach to go? Or do we get in trouble with the NSS lib too?

I don't see why you can't have two server certificates and chains in the
same NSS database as long as the subjects are unique. Is that not working
for you?

rob

From oliver.graute at gmail.com Thu Sep 8 10:10:13 2016
From: oliver.graute at gmail.com (Oliver Graute)
Date: Thu, 8 Sep 2016 12:10:13 +0200
Subject: [Mod_nss-list] Fwd: NSS Initialisation and virtual hosts
In-Reply-To:
References: <20160907143737.GA27958@graute-opti> <57D03F43.1020901@redhat.com>
Message-ID:

On Wed, Sep 7, 2016 at 6:24 PM, Rob Crittenden wrote:
> Oliver Graute wrote:
>>
>> Hello,
>>
>> in our project we tried to use two Virtual Hosts with two different
>> Certificate Chains in two NSS databases. One for local and one for
>> remote connections.
>>
>> After a bit of debugging it seems that this setup is not possible, because
>> NSS_Init is only called once and not called twice for every vhost entry.
>>
>> There is already a Bug 1256527 concerning this issue:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1256527
>>
>> What needs to be done to fix this limitation? So how hard can it be to
>> fix this?
>
>
> I haven't scoped it yet so I can't really say how difficult it will be.
>
>> What alternatives do we have to get two certificate chains working with NSS?
>>
>> We thought that an alternative could be to start two separate Apache
>> instances. Is this an approach to go? Or do we get in trouble with the
>> NSS lib too?
>
>
> I don't see why you can't have two server certificates and chains in the
> same NSS database as long as the subjects are unique. Is that not working
> for you?
>

The problem is that we have a requirement for a PKI with a Root CA
with a separate Sub CA for LAN (local) and a Sub CA for WAN (remote) which
will build up two separate chains. A certificate that is verified by
one chain shall not be verified by the other chain.

Best regards,

Oliver

From rcritten at redhat.com Thu Sep 8 13:28:05 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 8 Sep 2016 09:28:05 -0400
Subject: [Mod_nss-list] Fwd: NSS Initialisation and virtual hosts
In-Reply-To:
References: <20160907143737.GA27958@graute-opti> <57D03F43.1020901@redhat.com>
Message-ID: <57D16765.7050106@redhat.com>

Oliver Graute wrote:
> On Wed, Sep 7, 2016 at 6:24 PM, Rob Crittenden wrote:
>> Oliver Graute wrote:
>>>
>>> Hello,
>>>
>>> in our project we tried to use two Virtual Hosts with two different
>>> Certificate Chains in two NSS databases. One for local and one for
>>> remote connections.
>>>
>>> After a bit of debugging it seems that this setup is not possible, because
>>> NSS_Init is only called once and not called twice for every vhost entry.
>>>
>>> There is already a Bug 1256527 concerning this issue:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1256527
>>>
>>> What needs to be done to fix this limitation? So how hard can it be to
>>> fix this?
>>
>>
>> I haven't scoped it yet so I can't really say how difficult it will be.
>>
>>> What alternatives do we have to get two certificate chains working with NSS?
>>>
>>> We thought that an alternative could be to start two separate Apache
>>> instances. Is this an approach to go? Or do we get in trouble with the
>>> NSS lib too?
>>
>>
>> I don't see why you can't have two server certificates and chains in the
>> same NSS database as long as the subjects are unique. Is that not working
>> for you?
>>
>
> The problem is that we have a requirement for a PKI with a Root CA
> with a separate Sub CA for LAN (local) and a Sub CA for WAN (remote) which
> will build up two separate chains. A certificate that is verified by
> one chain shall not be verified by the other chain.

I don't see one validating the other but I understand that your goal is
separation. I don't believe there is a way to do this today.

rob

From vcizek at suse.com Wed Sep 14 16:04:02 2016
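The requirement in Oliver's message (a common root with separate LAN and WAN sub-CAs, where a certificate verified by one chain must not verify under the other) comes down to where trust is anchored, and that can be checked directly with Go's crypto/x509 path validation. The following is an added example, not code from the thread or from mod_nss; it constructs a three-level PKI and shows that anchoring at a sub-CA gives disjoint chains, while a single trust set anchored at the shared root (the situation with one NSS database that is initialised once) accepts certificates from both branches.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn signed by parent (self-signed when parent == nil).
func mkCert(cn string, serial int64, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Date(2016, 9, 7, 0, 0, 0, 0, time.UTC), // constructed validity window
		NotAfter:  time.Date(2017, 9, 7, 0, 0, 0, 0, time.UTC), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } // CAs may sign certificates
	if parent == nil { parent, pkey = tmpl, key }       // root: sign the template with its own key
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accepted reports whether leaf builds a valid client-auth chain to one of the anchors via inters.
func accepted(leaf *x509.Certificate, inters, anchors []*x509.Certificate) bool {
	roots, mids := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors { roots.AddCert(c) }
	for _, c := range inters { mids.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mids,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		CurrentTime: time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)}) // inside the constructed validity window
	return err == nil
}

// separation builds the thread's PKI (root, LAN and WAN sub-CAs, one LAN client cert) and checks it.
func separation() (viaRoot, viaLAN, viaWAN bool) {
	root, rootKey := mkCert("Root CA", 1, true, nil, nil)
	lan, lanKey := mkCert("LAN Sub CA", 2, true, root, rootKey)
	wan, _ := mkCert("WAN Sub CA", 3, true, root, rootKey)
	leaf, _ := mkCert("lan-client", 4, false, lan, lanKey)
	return accepted(leaf, []*x509.Certificate{lan, wan}, []*x509.Certificate{root}), // one shared trust set: both branches pass
		accepted(leaf, nil, []*x509.Certificate{lan}), // LAN anchor only: accepted
		accepted(leaf, nil, []*x509.Certificate{wan}) // WAN anchor only: rejected, unknown authority
}
func main() { viaRoot, viaLAN, viaWAN := separation(); fmt.Println(viaRoot, viaLAN, viaWAN) } // prints: true true false
```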
From: vcizek at suse.com (Vitezslav Cizek) Date: Wed, 14 Sep 2016 18:04:02 +0200 Subject: [Mod_nss-list] [PATCH 1/3] nss.conf.in: remove deprecated NSSSessionCacheTimeout Message-ID: <20160914160400.GA27452@kolac.suse.cz> Signed-off-by: Vitezslav Cizek --- nss.conf.in | 2 -- 1 file changed, 2 deletions(-) diff --git a/nss.conf.in b/nss.conf.in index 9b9ffc8..09402a8 100644 --- a/nss.conf.in +++ b/nss.conf.in @@ -44,10 +44,8 @@ NSSPassPhraseHelper /usr/libexec/nss_pcache # Configure the SSL Session Cache. # NSSSessionCacheSize is the number of entries in the cache. -# NSSSessionCacheTimeout is the SSL2 session timeout (in seconds). # NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds). NSSSessionCacheSize 10000 -NSSSessionCacheTimeout 100 NSSSession3CacheTimeout 86400 # -- 2.6.6 -- Vita Cizek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: From rcritten at redhat.com Wed Sep 14 18:53:25 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 14 Sep 2016 14:53:25 -0400 Subject: [Mod_nss-list] [PATCH 1/3] nss.conf.in: remove deprecated NSSSessionCacheTimeout In-Reply-To: <20160914160400.GA27452@kolac.suse.cz> References: <20160914160400.GA27452@kolac.suse.cz> Message-ID: <57D99CA5.9060009@redhat.com> Vitezslav Cizek wrote: > Signed-off-by: Vitezslav Cizek > --- > nss.conf.in | 2 -- > 1 file changed, 2 deletions(-) > > diff --git a/nss.conf.in b/nss.conf.in > index 9b9ffc8..09402a8 100644 > --- a/nss.conf.in > +++ b/nss.conf.in 
> @@ -44,10 +44,8 @@ NSSPassPhraseHelper /usr/libexec/nss_pcache > > # Configure the SSL Session Cache. > # NSSSessionCacheSize is the number of entries in the cache. > -# NSSSessionCacheTimeout is the SSL2 session timeout (in seconds). > # NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds). > NSSSessionCacheSize 10000 > -NSSSessionCacheTimeout 100 > NSSSession3CacheTimeout 86400 ACK, great idea. Pushed to master. rob From vcizek at suse.com Wed Sep 14 20:03:17 2016 From: vcizek at suse.com (Vitezslav Cizek) Date: Wed, 14 Sep 2016 22:03:17 +0200 Subject: [Mod_nss-list] [PATCH 2/3] mod_nss.c: mention the new exec dialog Message-ID: <20160914200316.GA2760@kolac.suse.cz> Signed-off-by: Vitezslav Cizek --- mod_nss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mod_nss.c b/mod_nss.c index 38098c8..58e1026 100644 --- a/mod_nss.c +++ b/mod_nss.c @@ -59,7 +59,7 @@ static const command_rec nss_config_cmds[] = { "(`on', `off')") SSL_CMD_SRV(PassPhraseDialog, TAKE1, "SSL dialog mechanism for the pass phrase query " - "(`builtin', `file:/path/to/file`") + "(`builtin', `file:/path/to/file`, `exec:/path/to/script`") SSL_CMD_SRV(PassPhraseHelper, TAKE1, "Process to securely store SSL tokens to handle restarts " "(`/path/to/file`") -- 2.6.6 -- Vita Cizek From vcizek at suse.com Wed Sep 14 20:03:46 2016 From: vcizek at suse.com (Vitezslav Cizek) Date: Wed, 14 Sep 2016 22:03:46 +0200 Subject: [Mod_nss-list] [PATCH 3/3] Balance parenthesis in nss_config_cmds descriptions Message-ID: <20160914200344.GA10822@kolac.suse.cz> Signed-off-by: Vitezslav Cizek --- mod_nss.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/mod_nss.c b/mod_nss.c index 58e1026..d12f785 100644 --- a/mod_nss.c +++ b/mod_nss.c 
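Review bot: on PATCH 2/3, the new PassPhraseDialog description still closes each example with a backtick and omits the closing parenthesis: "(`builtin', `file:/path/to/file`, `exec:/path/to/script`")". The other nss_config_cmds entries use the `...' quoting style and end with ')', so the string should read "(`builtin', `file:/path/to/file', `exec:/path/to/script')")"; PATCH 3/3 of this series makes that correction. Since exec: hands the pass phrase query to an external program, the manual entry for this option is also the place to state that the script path must be owned by root and not writable by other users.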
@@ -41,10 +41,10 @@ static const command_rec nss_config_cmds[] = { */ SSL_CMD_SRV(CertificateDatabase, TAKE1, "SSL Server Certificate database " - "(`/path/to/file'") + "(`/path/to/file')") SSL_CMD_SRV(DBPrefix, TAKE1, "NSS Database prefix (optional) " - "(`my-prefix-'") + "(`my-prefix-')") SSL_CMD_SRV(SessionCacheTimeout, TAKE1, "SSL 2 Session Cache object lifetime " "(`N' - number of seconds)") @@ -59,10 +59,10 @@ static const command_rec nss_config_cmds[] = { "(`on', `off')") SSL_CMD_SRV(PassPhraseDialog, TAKE1, "SSL dialog mechanism for the pass phrase query " - "(`builtin', `file:/path/to/file`, `exec:/path/to/script`") + "(`builtin', `file:/path/to/file', `exec:/path/to/script')") SSL_CMD_SRV(PassPhraseHelper, TAKE1, "Process to securely store SSL tokens to handle restarts " - "(`/path/to/file`") + "(`/path/to/file')") SSL_CMD_SRV(OCSP, FLAG, "OCSP (Online Certificate Status Protocol)" "(`on', `off')") @@ -71,10 +71,10 @@ static const command_rec nss_config_cmds[] = { "(`on', `off')") SSL_CMD_SRV(OCSPDefaultURL, TAKE1, "The URL of the OCSP default responder" - "(`http://example.com:80/ocsp") + "(`http://example.com:80/ocsp')") SSL_CMD_SRV(OCSPDefaultName, TAKE1, "The nickname of the certificate to trust to sign the OCSP responses." - "(`OCSP_Cert`") + "(`OCSP_Cert')") SSL_CMD_SRV(RandomSeed, TAKE23, "SSL Pseudo Random Number Generator (PRNG) seeding source " "(`startup builtin|file:/path|exec:/path [bytes]')") @@ -101,10 +101,10 @@ static const command_rec nss_config_cmds[] = { "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2|all] ...' - see manual)") SSL_CMD_ALL(VerifyClient, TAKE1, "SSL Client Authentication " - "(`none', `optional', `require'") + "(`none', `optional', `require')") SSL_CMD_SRV(Nickname, TAKE1, "SSL RSA Server Certificate nickname " - "(`Server-Cert'") + "(`Server-Cert')") #ifdef SSL_ENABLE_RENEGOTIATION SSL_CMD_SRV(Renegotiation, FLAG, "Enable SSL Renegotiation (default off) " 
@@ -116,11 +116,11 @@ static const command_rec nss_config_cmds[] = { #ifdef NSS_ENABLE_ECC SSL_CMD_SRV(ECCNickname, TAKE1, "SSL ECC Server Certificate nickname " - "(`Server-Cert'") + "(`Server-Cert')") #endif SSL_CMD_SRV(EnforceValidCerts, FLAG, "Require a valid, trust, non-expired server certificate (default on)" - "(`on', `off'") + "(`on', `off')") SSL_CMD_SRV(SessionTickets, FLAG, "Enable or disable TLS session tickets" "(`on', `off')") -- 2.6.6 -- Vita Cizek From rcritten at redhat.com Wed Sep 14 21:25:44 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 14 Sep 2016 17:25:44 -0400 Subject: [Mod_nss-list] [PATCH 2/3] mod_nss.c: mention the new exec dialog In-Reply-To: <20160914200316.GA2760@kolac.suse.cz> References: <20160914200316.GA2760@kolac.suse.cz> Message-ID: <57D9C058.70401@redhat.com> Vitezslav Cizek wrote: > Signed-off-by: Vitezslav Cizek > --- > mod_nss.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/mod_nss.c b/mod_nss.c > index 38098c8..58e1026 100644 > --- a/mod_nss.c > +++ b/mod_nss.c > @@ -59,7 +59,7 @@ static const command_rec nss_config_cmds[] = { > "(`on', `off')") > SSL_CMD_SRV(PassPhraseDialog, TAKE1, > "SSL dialog mechanism for the pass phrase query " > - "(`builtin', `file:/path/to/file`") > + "(`builtin', `file:/path/to/file`, `exec:/path/to/script`") > SSL_CMD_SRV(PassPhraseHelper, TAKE1, > "Process to securely store SSL tokens to handle restarts " > "(`/path/to/file`") > ACK, pushed to master rob From rcritten at redhat.com Wed Sep 14 21:26:20 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 14 Sep 2016 17:26:20 -0400 Subject: [Mod_nss-list] [PATCH 3/3] Balance parenthesis in nss_config_cmds descriptions In-Reply-To: <20160914200344.GA10822@kolac.suse.cz> References: <20160914200344.GA10822@kolac.suse.cz> Message-ID: <57D9C07C.9090903@redhat.com> Vitezslav Cizek wrote: 
> Signed-off-by: Vitezslav Cizek > --- > mod_nss.c | 20 ++++++++++---------- > 1 file changed, 10 insertions(+), 10 deletions(-) > > diff --git a/mod_nss.c b/mod_nss.c > index 58e1026..d12f785 100644 > --- a/mod_nss.c > +++ b/mod_nss.c > @@ -41,10 +41,10 @@ static const command_rec nss_config_cmds[] = { > */ > SSL_CMD_SRV(CertificateDatabase, TAKE1, > "SSL Server Certificate database " > - "(`/path/to/file'") > + "(`/path/to/file')") > SSL_CMD_SRV(DBPrefix, TAKE1, > "NSS Database prefix (optional) " > - "(`my-prefix-'") > + "(`my-prefix-')") > SSL_CMD_SRV(SessionCacheTimeout, TAKE1, > "SSL 2 Session Cache object lifetime " > "(`N' - number of seconds)") > @@ -59,10 +59,10 @@ static const command_rec nss_config_cmds[] = { > "(`on', `off')") > SSL_CMD_SRV(PassPhraseDialog, TAKE1, > "SSL dialog mechanism for the pass phrase query " > - "(`builtin', `file:/path/to/file`, `exec:/path/to/script`") > + "(`builtin', `file:/path/to/file', `exec:/path/to/script')") > SSL_CMD_SRV(PassPhraseHelper, TAKE1, > "Process to securely store SSL tokens to handle restarts " > - "(`/path/to/file`") > + "(`/path/to/file')") > SSL_CMD_SRV(OCSP, FLAG, > "OCSP (Online Certificate Status Protocol)" > "(`on', `off')") > @@ -71,10 +71,10 @@ static const command_rec nss_config_cmds[] = { > "(`on', `off')") > SSL_CMD_SRV(OCSPDefaultURL, TAKE1, > "The URL of the OCSP default responder" > - "(`http://example.com:80/ocsp") > + "(`http://example.com:80/ocsp')") > SSL_CMD_SRV(OCSPDefaultName, TAKE1, > "The nickname of the certificate to trust to sign the OCSP responses." > - "(`OCSP_Cert`") > + "(`OCSP_Cert')") > SSL_CMD_SRV(RandomSeed, TAKE23, > "SSL Pseudo Random Number Generator (PRNG) seeding source " > "(`startup builtin|file:/path|exec:/path [bytes]')") 
> @@ -101,10 +101,10 @@ static const command_rec nss_config_cmds[] = { > "(`[SSLv2|SSLv3|TLSv1.0|TLSv1.1|TLSv1.2|all] ...' - see manual)") > SSL_CMD_ALL(VerifyClient, TAKE1, > "SSL Client Authentication " > - "(`none', `optional', `require'") > + "(`none', `optional', `require')") > SSL_CMD_SRV(Nickname, TAKE1, > "SSL RSA Server Certificate nickname " > - "(`Server-Cert'") > + "(`Server-Cert')") > #ifdef SSL_ENABLE_RENEGOTIATION > SSL_CMD_SRV(Renegotiation, FLAG, > "Enable SSL Renegotiation (default off) " > @@ -116,11 +116,11 @@ static const command_rec nss_config_cmds[] = { > #ifdef NSS_ENABLE_ECC > SSL_CMD_SRV(ECCNickname, TAKE1, > "SSL ECC Server Certificate nickname " > - "(`Server-Cert'") > + "(`Server-Cert')") > #endif > SSL_CMD_SRV(EnforceValidCerts, FLAG, > "Require a valid, trust, non-expired server certificate (default on)" > - "(`on', `off'") > + "(`on', `off')") > SSL_CMD_SRV(SessionTickets, FLAG, > "Enable or disable TLS session tickets" > "(`on', `off')") > ACK, pushed to master. Thanks for the patch set. rob
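Review bot: in the @@ -41 hunk, SessionCacheTimeout is still registered with the description "SSL 2 Session Cache object lifetime", while PATCH 1/3 of this series drops NSSSessionCacheTimeout from nss.conf.in as deprecated; since this patch already edits the neighbouring descriptions, consider marking the directive deprecated in its help text (or removing the entry) so the shipped config and the directive list agree.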
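Review bot: in the @@ -59 hunk, the OCSP context line concatenates "OCSP (Online Certificate Status Protocol)" directly with "(`on', `off')" with no separating space, so the rendered help reads "Protocol)(`on', `off')"; the entries being fixed end their first fragment with a trailing space, so add one here too.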
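Review bot: in the @@ -71 hunk, both OCSPDefaultURL ("The URL of the OCSP default responder") and OCSPDefaultName ("The nickname of the certificate to trust to sign the OCSP responses.") lack the trailing space before the parenthesised example that the other descriptions carry; since this hunk already touches both entries, add the space so the sentence does not run into the example.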
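Review bot: in the @@ -116 hunk, the EnforceValidCerts description has a typo and the same spacing problem: "Require a valid, trust, non-expired server certificate (default on)" should read "valid, trusted, non-expired" and end with a space before "(`on', `off')"; the SessionTickets context line ("Enable or disable TLS session tickets") also lacks the space.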