From reichert at numachi.com Thu Mar 19 16:13:58 2020
From: reichert at numachi.com (Brian Reichert)
Date: Thu, 19 Mar 2020 12:13:58 -0400
Subject: [Mod_nss-list] configuring SSL_ENABLE_EXTENDED_MASTER_SECRET in apache2-mod_nss-1.0.14
Message-ID: <20200319161358.GA60872@numachi.com>

Hello, folks; hopefully this is the correct form for this question.

I'm running an Apache server under SLES21 SP3, and I'm trying to
get mod_nss to utilize the 'extended_master_secret' extension
described by RFC 7627.

Misc versions of packages on this platform:

foo:~ # rpm -qa | grep nss
libopenssl1_0_0-1.0.2j-60.55.1.x86_64
mozilla-nss-certs-3.45-58.31.1.x86_64
mozilla-nss-3.45-58.31.1.x86_64
mozilla-nss-tools-3.45-58.31.1.x86_64
libopenssl1_0_0-32bit-1.0.2j-60.55.1.x86_64
apache2-mod_nss-1.0.14-19.6.3.x86_64
insserv-compat-0.1-13.1.noarch
openssh-7.2p2-74.54.1.x86_64
openssh-helpers-7.2p2-74.54.1.x86_64
openssl-1.0.2j-60.55.1.x86_64
openssh-askpass-1.2.4.1-7.5.x86_64

I've confirmed the underlying mozilla-nss version does support this
extension.

But, I can't seem to get a mod_nss config file to do so.

My understanding is the underlying NSS SSL_OptionSet macro is
SSL_ENABLE_EXTENDED_MASTER_SECRET, but I can't find a config file
directive to engage this.

Does apache2-mod_nss-1.0.14 allow for some means of supporting this
extension?

--
Brian Reichert
BSD admin/developer at large

From rcritten at redhat.com Thu Mar 19 17:09:14 2020
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 Mar 2020 13:09:14 -0400
Subject: [Mod_nss-list] configuring SSL_ENABLE_EXTENDED_MASTER_SECRET in apache2-mod_nss-1.0.14
In-Reply-To: <20200319161358.GA60872@numachi.com>
References: <20200319161358.GA60872@numachi.com>
Message-ID: <4dc85d32-7666-e40f-0c51-b05108f5be63@redhat.com>

Brian Reichert wrote:
> Hello, folks; hopefully this is the correct form for this question.
>
> I'm running an Apache server under SLES21 SP3, and I'm trying to
> get mod_nss to utilize the 'extended_master_secret' extension
> described by RFC 7627.
>
> Misc versions of packages on this platform:
>
> foo:~ # rpm -qa | grep nss
> libopenssl1_0_0-1.0.2j-60.55.1.x86_64
> mozilla-nss-certs-3.45-58.31.1.x86_64
> mozilla-nss-3.45-58.31.1.x86_64
> mozilla-nss-tools-3.45-58.31.1.x86_64
> libopenssl1_0_0-32bit-1.0.2j-60.55.1.x86_64
> apache2-mod_nss-1.0.14-19.6.3.x86_64
> insserv-compat-0.1-13.1.noarch
> openssh-7.2p2-74.54.1.x86_64
> openssh-helpers-7.2p2-74.54.1.x86_64
> openssl-1.0.2j-60.55.1.x86_64
> openssh-askpass-1.2.4.1-7.5.x86_64
>
> I've confirmed the underlying mozilla-nss version does support this
> extension.
>
> But, I can't seem to get a mod_nss config file to do so.
>
> My understanding is the underlying NSS SSL_OptionSet macro is
> SSL_ENABLE_EXTENDED_MASTER_SECRET, but I can't find a config file
> directive to engage this.
>
> Does apache2-mod_nss-1.0.14 allow for some means of supporting this
> extension?
>

There is no config setting for this option. The only way to enable it if
the underlying nss does not enable it by default would be to modify and
rebuild the package.

rob

From reichert at numachi.com Thu Mar 19 19:28:49 2020
From: reichert at numachi.com (Brian Reichert)
Date: Thu, 19 Mar 2020 15:28:49 -0400
Subject: [Mod_nss-list] configuring SSL_ENABLE_EXTENDED_MASTER_SECRET in apache2-mod_nss-1.0.14
In-Reply-To: <4dc85d32-7666-e40f-0c51-b05108f5be63@redhat.com>
References: <20200319161358.GA60872@numachi.com> <4dc85d32-7666-e40f-0c51-b05108f5be63@redhat.com>
Message-ID: <20200319192849.GB43966@numachi.com>

On Thu, Mar 19, 2020 at 01:09:14PM -0400, Rob Crittenden wrote:
> There is no config setting for this option. The only way to enable it if
> the underlying nss does not enable it by default would be to modify and
> rebuild the package.

Ok, clears up that mystery. Thanks for the feedback!

>
> rob
>

--
Brian Reichert
BSD admin/developer at large