From georgewash87 at gmail.com Wed Jun 21 01:22:48 2017 From: georgewash87 at gmail.com (George Wash) Date: Tue, 20 Jun 2017 21:22:48 -0400 Subject: [Mod_nss-list] Some clients can't complete TLS handshake when OS is in FIPS mode Message-ID: The Server: OS: RHEL 7.3 Kernel FIPS module is enabled HTTPD: httpd-2.4.6-45.el7.x86_64 httpd-tools-2.4.6-45.el7.x86_64 MOD_NSS: mod_nss-1.0.14-7.el7.x86_64 FIPS mode enabled on the NSS Keystore via modutil NSS: nss-softokn-3.16.2.3-14.4.el7.x86_64 nss-softokn-freebl-3.16.2.3-14.4.el7.x86_64 nss-3.21.3-2.el7_3.x86_64 libsss_nss_idmap-1.14.0-43.el7.x86_64 nss-util-3.21.3-1.1.el7_3.x86_64 nss-sysinit-3.21.3-2.el7_3.x86_64 nss-tools-3.21.3-2.el7_3.x86_64 Hardware Token: Server Cert private key is in an nCipher netHSM 6000 Clients using some versions OpenSSL and Windows based java clients using java.security socket libraries cannot complete the TLS handshake. However, Firefox, Internet Explorer, and Microsoft edge can all successfully complete the handshake. error logs from failure case: [Mon Jun 19 14:09:02.954556 2017] [:error] [pid 2737] SSL Library Error: -8152 The key does not support the requested operation Then I tried turning off all the ecdhe_rsa_* ciphers in nss.conf and we just switched to this error: [Mon Jun 19 17:05:00.776737 2017] [:error] [pid 30517] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code If FIPS mode is disabled in the OS and on the NSS Keystore, the OpenSSL and Windows based java clients using java.security libraries can complete the handshake. Any thoughts on what's going on? Thanks GW -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Wed Jun 21 13:49:12 2017 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 21 Jun 2017 09:49:12 -0400 Subject: [Mod_nss-list] Some clients can't complete TLS handshake when OS is in FIPS mode In-Reply-To: References: Message-ID: <83bfa210-9d33-ac64-f74c-197ac183b933@redhat.com> George Wash wrote: > The Server: > > OS: > RHEL 7.3 > Kernel FIPS module is enabled > > HTTPD: > httpd-2.4.6-45.el7.x86_64 > httpd-tools-2.4.6-45.el7.x86_64 > > MOD_NSS: > mod_nss-1.0.14-7.el7.x86_64 > FIPS mode enabled on the NSS Keystore via modutil > > NSS: > nss-softokn-3.16.2.3-14.4.el7.x86_64 > nss-softokn-freebl-3.16.2.3-14.4.el7.x86_64 > nss-3.21.3-2.el7_3.x86_64 > libsss_nss_idmap-1.14.0-43.el7.x86_64 > nss-util-3.21.3-1.1.el7_3.x86_64 > nss-sysinit-3.21.3-2.el7_3.x86_64 > nss-tools-3.21.3-2.el7_3.x86_64 Not saying this is the problem but that's a relatively old version of nss. > > Hardware Token: > Server Cert private key is in an nCipher netHSM 6000 > > Clients using some versions OpenSSL and Windows based java clients using > java.security socket libraries cannot complete the TLS handshake. > However, Firefox, Internet Explorer, and Microsoft edge can all > successfully complete the handshake. What versions of OpenSSL fail? > error logs from failure case: > [Mon Jun 19 14:09:02.954556 2017] [:error] [pid 2737] SSL Library Error: > -8152 The key does not support the requested operation > > __ __ > > Then I tried turning off all the ecdhe_rsa_* ciphers in nss.conf and we > just switched to this error:____ > > __ > > [Mon Jun 19 17:05:00.776737 2017] [:error] [pid 30517] SSL Library > Error: -12273 SSL has received a record with an incorrect Message > Authentication Code One thing you can try is the ssltap utility. It is a proxy that will display the SSL handshake. You run it something like: # ssltap -slx `hostname`:443 Then point your client at port 1924 (or use -p to specify your own). It would be interesting to see a working and a non-working connection for comparison. You may want to re-enable the ciphers too. I'm curious what operation the key won't do. If the nCipher has any logging you may want to enable that as well to see what PKCS#11 commands are being executed. rob > If FIPS mode is disabled in the OS and on the NSS Keystore, the OpenSSL > and Windows based java clients using java.security libraries can > complete the handshake. > > > Any thoughts on what's going on?