From pemanek at gmail.com  Wed Sep 12 12:47:38 2018
From: pemanek at gmail.com (Petr Heřmánek)
Date: Wed, 12 Sep 2018 14:47:38 +0200
Subject: [Mod_nss-list] TLSv1.3 request header read timeout
Message-ID:

Hello list,

unfortunately I have encountered some issues while trying to implement
TLSv1.3 using mod_nss on my machine. Every attempt to reach the
listening port is shut down with "Request header read timeout" and gives
back an empty reply from the server. I have described the issue in more
detail below. Any advice that would eventually lead to a functioning
TLSv1.3 Apache web server is greatly appreciated.

My web server is running Fedora 28, Apache/2.4.34, NSS 3.38.0 and NSPR
4.19.0. I have built the latest version of mod_nss using the README
stored in the cloned repository. Configuration of mod_nss is based
mostly on Apache logs and the mod_nss.html file (config pasted below).
Different Linux distributions report the same results.

As far as certificates are concerned, the gencert utility did not help.
The gencert server certificate caused warnings of unexpected virtual names
and kept timing out. For that reason, I decided to generate my own
self-signed certificate to silence the warnings and hopefully get a
response. At this point, I have tried various ways to generate and
install a server certificate with no success. The current certificate
does not raise any warnings but at the same time does not work with
NSSEnforceValidCerts on. I can provide logs for both Apache and mod_nss
with debug error level enabled but they only show useless information
except for enabled/disabled ciphers and the previously mentioned
"Request header read timeout".


Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
NSSPassPhraseDialog  file:/usr/local/mod_nss/password.conf
NSSPassPhraseHelper /usr/sbin/nss_pcache
NSSSessionCacheSize 10000
NSSSession3CacheTimeout 86400
NSSRandomSeed startup builtin
NSSRenegotiation off
NSSRequireSafeNegotiation off


DocumentRoot "/var/www/html"
ServerName www.example.com:443
ErrorLog /etc/httpd/logs/nss_error_log
TransferLog /etc/httpd/logs/access_log
LogLevel debug
NSSEngine on
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha,+aes_128_gcm_sha_256,+aes_256_gcm_sha_384,+chacha20_poly1305_sha_256
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2,TLSv1.3
NSSNickname example
NSSEnforceValidCerts off
NSSCertificateDatabase /etc/httpd/alias
NSSVerifyClient none
NSSOCSP off

    NSSOptions +StdEnvVars


    NSSOptions +StdEnvVars



What am I missing?
Thank you kindly for your time.


From rcritten at redhat.com  Wed Sep 12 14:40:45 2018
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Sep 2018 10:40:45 -0400
Subject: [Mod_nss-list] TLSv1.3 request header read timeout
In-Reply-To:
References:
Message-ID: <0adbe284-ff99-d0bc-0e77-1d3556a3a7f2@redhat.com>

Petr Heřmánek wrote:
> Hello list,
>
> unfortunately I have encountered some issues while trying to implement
> TLSv1.3 using mod_nss on my machine. Every attempt to reach the
> listening port is shut down with "Request header read timeout" and gives
> back an empty reply from server. I have described the issue in more
> detail below. Any advice that would eventually lead to a functioning
> TLSv1.3 Apache web server is greatly appreciated.
>
> My web server is running Fedora 28, Apache/2.4.34, NSS 3.38.0 and NSPR
> 4.19.0. I have built the latest version of mod_nss using the README
> stored in the cloned repository. Configuration of mod_nss is based
> mostly on Apache logs and the mod_nss.html file (config pasted below).
> Different Linux distributions report the same results.
>
> As far as certificates are concerned, the gencert utility did not help.
> Gencert server certificate caused warnings of unexpected virtual names
> and kept timing out. For that reason, I decided to generate my own
> self-signed certificate to silence the warnings and hopefully get a
> response. At this point, I have tried various ways to generate and
> install a server certificate with no success. The current certificate
> does not raise any warnings but at the same time does not work with
> NSSEnforceValidCerts on. I can provide logs for both Apache and mod_nss
> with debug error level enabled but they only show useless information
> except for enabled/disabled ciphers and the previously mentioned
> "Request header read timeout".
>
>
>
> Listen 443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
> NSSPassPhraseDialog  file:/usr/local/mod_nss/password.conf
> NSSPassPhraseHelper /usr/sbin/nss_pcache
> NSSSessionCacheSize 10000
> NSSSession3CacheTimeout 86400
> NSSRandomSeed startup builtin
> NSSRenegotiation off
> NSSRequireSafeNegotiation off
>
>
> DocumentRoot "/var/www/html"
> ServerName www.example.com:443
> ErrorLog /etc/httpd/logs/nss_error_log
> TransferLog /etc/httpd/logs/access_log
> LogLevel debug
> NSSEngine on
> NSSCipherSuite
> +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha,+aes_128_gcm_sha_256,+aes_256_gcm_sha_384,+chacha20_poly1305_sha_256
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2,TLSv1.3
> NSSNickname example
> NSSEnforceValidCerts off
> NSSCertificateDatabase /etc/httpd/alias
> NSSVerifyClient none
> NSSOCSP off
>
>     NSSOptions +StdEnvVars
>
>
>     NSSOptions +StdEnvVars
>
>
>
> What am I missing?
> Thank you kindly for your time.

Need more information on exactly what it is you tried including:

- the options you passed to the mod_nss configure
- how you executed /usr/bin/gencert and what the output was
- how you told apache to load the updated module. If you also have the
  mod_nss package installed you need to override the module location in
  /etc/httpd/conf.modules.d/10-nss.conf
- what client you are using
- does the server work if you disable 1.3?
- does a client work if you force say tls 1.2?
- the nss_error_log and the corresponding output from the client

rob
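One way to run the "force TLS 1.2 / try TLS 1.3" checks Rob asks for, as an added example that is not part of this thread: it pins the client to a single protocol version and reports whether the TCP connect, the TLS handshake, or only the HTTP exchange fails, which separates a handshake problem from the "handshake fine, empty reply" symptom in the original post. TARGET_HOST and TARGET_PORT are constructed placeholders; certificate validation is disabled because the poster is testing with a self-signed certificate.

```python
import socket
import ssl

# Constructed example values: replace with the host under test.
TARGET_HOST = "www.example.com"
TARGET_PORT = 443
VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def parse_status_line(raw: bytes):
    """Return the HTTP status code from a raw response, or None for an empty
    or non-HTTP reply (the 'empty reply from server' case)."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def probe(host, port, version_name, timeout=5.0):
    """Force a single TLS version and report how far the exchange gets:
    'connect' (TCP failed), 'handshake' (TLS failed) or 'http' (TLS fine,
    then either a status line or an empty reply). Certificate validation
    is disabled deliberately: the question is whether the server answers,
    not whether its self-signed certificate validates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = VERSIONS[version_name]
    result = {"version": version_name, "stage": "connect", "ok": False, "detail": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["stage"] = "handshake"
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["negotiated"] = tls.version()
                result["stage"] = "http"
                tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
                result["status"] = parse_status_line(tls.recv(4096))
                result["ok"] = result["status"] is not None
                if not result["ok"]:
                    result["detail"] = "handshake completed but no HTTP status line came back"
    except OSError as exc:  # ssl.SSLError and socket.timeout are both OSError subclasses
        result["detail"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    for name in VERSIONS:
        print(probe(TARGET_HOST, TARGET_PORT, name))
```

A result with stage "http" and ok False for TLSv1.3 but ok True for TLSv1.2 would point at the TLS 1.3 path inside the server rather than at the certificate or the listener.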