<html> <head> <style></style> </head> <body class='hmmessage'> In the link provided by Rob <h6 id="Clientinitiated_renegotiations_disabled_in_mod_ssl">Client-initiated renegotiations disabled in mod_ssl</h6>Updated httpd packages were released that change mod_ssl to reject all client-initiated renegotiations, which mitigates this flaw for the majority of configurations using mod_ssl to provide HTTPS service. However, an attack is still possible in configurations where server-initiated renegotiations are required. Configurations still affected by the issue are typically where: <ul><li>Client certificates authentication is used for some part of the site, but is not required by default. This happens when "SSLVerifyClient require" is configured in a <Location> or <Directory> context section, but not in the corresponding <VirtualHost> for the SSL server.</li><li>Different cipher suites are required for different parts of the web site. Cipher suite requirements can be configured per-server or per-directory context using the <code>SSLCipherSuite directive.</code></li></ul> Server-initiated renegotiations can be avoided by: <ul><li>Changing the site layout so that a client certificate authentication is required for the whole site, rather than only a part. In other words, so that "SSLVerifyClient" is used only when directly inside a <VirtualHost> section.</li><li>Using the same cipher suite for the whole site. The highest cipher strength requirement of all directories and locations should be set in the <VirtualHost> section.</li></ul> <hr id="stopSpelling">From: luisneves@hotmail.com To: ttormo@indenova.com; mod_nss-list@redhat.com Date: Thu, 2 Sep 2010 08:15:45 +0000 Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication <meta http-equiv="Content-Type" content="text/html; charset=unicode"> <meta name="Generator" content="Microsoft SafeHTML"> <style> .ExternalClass .ecxhmmessage P {padding:0px;} .ExternalClass body.ecxhmmessage {font-size:10pt;font-family:Tahoma;} </style> Tomas, Here is the same, and the problem is this: (It happens also in SSL) SSLVerifyClient fails when inside <Location> http://www.linode.com/forums/viewtopic.php?t=5115 Will try to post in ssl list as well to see if someone helps on this Luis <hr id="ecxstopSpelling">Date: Tue, 31 Aug 2010 11:35:42 +0200 From: ttormo@indenova.com To: mod_nss-list@redhat.com Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication Thank you very much for your help Luis I changed the directive to <Location> again. I realized I did really bad copy-paste, cause <Location> directive needs a url (in this case /files) instead of a directory. So, if I let the configuration just like before, Apache let me go to the webpage without asking for the certificate. This was because i didn't request a location "/var/www/testmodnss/files" (what's more, it doesn't exist). So I changed location to "/files" and I get the error again... I also tried all you told me but I still get the error... :( This is how my configuration looks like now (I didn't put the NSSRenegotiation off and NSSRequireSafeNegotiation off directives cause Apache is giving me an error at startup saying that are not recognized :S) <VirtualHost *:443> ServerName amsterdam LogLevel debug ErrorLog /var/log/apache2/testmodnss/error.log CustomLog /var/log/apache2/testmodnss/access.log combined DocumentRoot /var/www/testmodnss # ssl NSSEngine on RewriteEngine on NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha #NSSProtocol All NSSProtocol SSLv3,TLSv1 ## Certificate database. It contains both public and private key of the ssl server. It also contains the CA certificate of the allowed client certificates NSSCertificateDatabase /etc/apache2/certs/nss/ NSSNickName Server-Cert # ssl client <Location "/files"> NSSVerifyClient require NSSOptions +ExportCertData NSSOptions +StdEnvVars </Location> </VirtualHost> NSSPassPhraseHelper /usr/sbin/nss_pcache On 31/08/10 11:26, Luis Neves wrote: <blockquote cite="mid:COL110-W17DA3CBBC7E34D4F2CE2B0A78A0@phx.gbl"> <style> .ExternalClass .ecxhmmessage P {padding:0px;} .ExternalClass body.ecxhmmessage {font-size:10pt;font-family:Tahoma;} </style>or NSSProtocol SSLv3,TLSv1 Iam unable to test location today as I forgot my card at home...... But I think location has to work, your error seems something related to a "protocol re-negotiation error"..... Luis <hr id="ecxstopSpelling">From: <a class="ecxmoz-txt-link-abbreviated" href="mailto:luisneves@hotmail.com">luisneves@hotmail.com</a> To: <a class="ecxmoz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a> Date: Tue, 31 Aug 2010 09:16:46 +0000 CC: <a class="ecxmoz-txt-link-abbreviated" href="mailto:mod_nss-list@redhat.com">mod_nss-list@redhat.com</a> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication <style> .ExternalClass .ecxhmmessage P {padding:0px;} .ExternalClass body.ecxhmmessage {font-size:10pt;font-family:Tahoma;} </style> try this! # Only renegotiate if the peer's hello bears the TLS renegotiation_info # extension. Default off. NSSRenegotiation off # Peer must send Signaling Cipher Suite Value (SCSV) or # Renegotiation Info (RI) extension in ALL handshakes. Default: off NSSRequireSafeNegotiation off <hr id="ecxstopSpelling">Date: Tue, 31 Aug 2010 10:41:13 +0200 From: <a class="ecxmoz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a> CC: <a class="ecxmoz-txt-link-abbreviated" href="mailto:mod_nss-list@redhat.com">mod_nss-list@redhat.com</a> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication No... It didn't work with location neither.. But maybe if I follow your aproach It could work for me as well... On 31/08/10 10:36, Luis Neves wrote: <blockquote cite="mid:COL110-W420B4FF0D9A51651E93BEDA78A0@phx.gbl"> <style> .ExternalClass .ecxhmmessage P {padding:0px;} .ExternalClass body.ecxhmmessage {font-size:10pt;font-family:Tahoma;} </style>But after fixing "location" it worked?? no, for now I really didnt need that, I am trying to make a reverse proxy to protect internal pages and give them access via some smartcards, But boy had so many problem so far that I was almost quitting on this.....! Luis <hr id="ecxstopSpelling">Date: Tue, 31 Aug 2010 10:17:02 +0200 From: <a class="ecxmoz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a> CC: <a class="ecxmoz-txt-link-abbreviated" href="mailto:mod_nss-list@redhat.com">mod_nss-list@redhat.com</a> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication Wow!! Actually I had directory directive instead of location at that moment (I was just trying that). I made a copy-paste and changed it on-the-fly but I guess I didn't realize about the first <Location>... hehehe sorry So... do you do something similar in your virtualhost? I mean, do you need users to use a client certificate only in some parts of the website? Thank you very much On 31/08/10 10:11, Luis Neves wrote: <blockquote cite="mid:COL110-W43BC3ECD13EF8D0DDF798DA78A0@phx.gbl"> <style> .ExternalClass .ecxhmmessage P {padding:0px;} .ExternalClass body.ecxhmmessage {font-size:10pt;font-family:Tahoma;} </style>Hi Tomas, Its missing something on your post, like the first location, etc, but anyway, is when using the "location" tag that is giving the problem? I dont use it but will make a test to see what happens here Luis <hr id="ecxstopSpelling">Date: Mon, 30 Aug 2010 14:24:00 +0200 From: <a class="ecxmoz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a> To: <a class="ecxmoz-txt-link-abbreviated" href="mailto:mod_nss-list@redhat.com">mod_nss-list@redhat.com</a> Subject: [Mod_nss-list] Problem configuring Client certificate Authentication Greetings I'm trying to configure mod_nss in Apache in order to use it as my client certificate authentication mechanism, but I'm having problems with it.. I'd like to use client authentication in some parts of a website... so I tried to do it as with mod_ssl, using the Location directive with the NSSVerifyClient require directive inside, but I never works... I always get this error... Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing full renegotiation: complete handshake protocol [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting re-negotiation handshake [Mon Aug 30 14:17:34 2010] [info] Read error -12176 [Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not accepted by client!? [Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer: <a class="ecxmoz-txt-link-freetext" href="https://amsterdam/" target="_blank">https://amsterdam/</a> [Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input filter read failed. [Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server amsterdam:443, client 192.168.125.53) After this, I checked the documentation and it says I can work per-server or per-directory context... So I tried to do it per-server and It works perfectly.. but, as I told you, this is not the solution I'm looking for.. so I tried to configure it per-directory... but it doesn't work neither... Here I attach my per-directory configuration... Is just a test but this is more or less how it should look at the end: <VirtualHost *:443> ServerName amsterdam LogLevel debug ErrorLog /var/log/apache2/testmodnss/error.log CustomLog /var/log/apache2/testmodnss/access.log combined DocumentRoot /var/www/testmodnss # ssl NSSEngine on RewriteEngine on NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha NSSProtocol All ## Certificate database. It contains both public and private key of the ssl server. It also contains the CA certificate of the allowed client certificates NSSCertificateDatabase /etc/apache2/certs/nss/ NSSNickName Server-Cert # ssl client <Directive "/var/www/testmodnss/files/"> AllowOverride all NSSVerifyClient require NSSOptions +ExportCertData NSSOptions +StdEnvVars </Location> </VirtualHost> NSSPassPhraseHelper /usr/sbin/nss_pcache Could you please help me? Thank you very much <pre class="ecxmoz-signature">-- Un saludo, Tom�s Tormo Franco Area de sistemas INDENOVA S.L. C/ Dels Traginers 14, 2� B Pol�gono Vara de Quart 46014 Valencia Tel. (34) 96 381 99 47 Fax. (34) 96 381 99 48 <a class="ecxmoz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a> <a class="ecxmoz-txt-link-freetext" href="http://www.indenova.com" target="_blank">http://www.indenova.com</a> Desc�rguese gratuitamente el software eSigna Viewer para visualizar documentos firmados electr�nicamente: <a class="ecxmoz-txt-link-freetext" href="http://www.indenova.com/eSignaViewer.php" target="_blank">http://www.indenova.com/eSignaViewer.php</a> </pre> _______________________________________________ Mod_nss-list mailing list <a class="ecxmoz-txt-link-abbreviated" href="mailto:Mod_nss-list@redhat.com">Mod_nss-list@redhat.com</a> <a class="ecxmoz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/mod_nss-list" target="_blank">https://www.redhat.com/mailman/listinfo/mod_nss-list</a> </blockquote> <pre class="ecxmoz-signature">-- Un saludo, Tom�s Tormo Franco Area de sistemas INDENOVA S.L. C/ Dels Traginers 14, 2� B Pol�gono Vara de Quart 46014 Valencia Tel. (34) 96 381 99 47 Fax. (34) 96 381 99 48 <a class="ecxmoz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a> <a class="ecxmoz-txt-link-freetext" href="http://www.indenova.com" target="_blank">http://www.indenova.com</a> Desc�rguese gratuitamente el software eSigna Viewer para visualizar documentos firmados electr�nicamente: <a class="ecxmoz-txt-link-freetext" href="http://www.indenova.com/eSignaViewer.php" target="_blank">http://www.indenova.com/eSignaViewer.php</a> </pre> _______________________________________________ Mod_nss-list mailing list <a class="ecxmoz-txt-link-abbreviated" href="mailto:Mod_nss-list@redhat.com">Mod_nss-list@redhat.com</a> <a class="ecxmoz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/mod_nss-list" target="_blank">https://www.redhat.com/mailman/listinfo/mod_nss-list</a> </blockquote> <pre class="ecxmoz-signature">-- Un saludo, Tom�s Tormo Franco Area de sistemas INDENOVA S.L. C/ Dels Traginers 14, 2� B Pol�gono Vara de Quart 46014 Valencia Tel. (34) 96 381 99 47 Fax. (34) 96 381 99 48 <a class="ecxmoz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a> <a class="ecxmoz-txt-link-freetext" href="http://www.indenova.com" target="_blank">http://www.indenova.com</a> Desc�rguese gratuitamente el software eSigna Viewer para visualizar documentos firmados electr�nicamente: <a class="ecxmoz-txt-link-freetext" href="http://www.indenova.com/eSignaViewer.php" target="_blank">http://www.indenova.com/eSignaViewer.php</a> </pre> _______________________________________________ Mod_nss-list mailing list <a class="ecxmoz-txt-link-abbreviated" href="mailto:Mod_nss-list@redhat.com">Mod_nss-list@redhat.com</a> <a class="ecxmoz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/mod_nss-list" target="_blank">https://www.redhat.com/mailman/listinfo/mod_nss-list</a> _______________________________________________ Mod_nss-list mailing list <a class="ecxmoz-txt-link-abbreviated" href="mailto:Mod_nss-list@redhat.com">Mod_nss-list@redhat.com</a> <a class="ecxmoz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/mod_nss-list" target="_blank">https://www.redhat.com/mailman/listinfo/mod_nss-list</a> </blockquote> <pre class="ecxmoz-signature">-- Un saludo, Tom�s Tormo Franco Area de sistemas INDENOVA S.L. C/ Dels Traginers 14, 2� B Pol�gono Vara de Quart 46014 Valencia Tel. (34) 96 381 99 47 Fax. (34) 96 381 99 48 <a class="ecxmoz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a> <a class="ecxmoz-txt-link-freetext" href="http://www.indenova.com" target="_blank">http://www.indenova.com</a> Desc�rguese gratuitamente el software eSigna Viewer para visualizar documentos firmados electr�nicamente: <a class="ecxmoz-txt-link-freetext" href="http://www.indenova.com/eSignaViewer.php" target="_blank">http://www.indenova.com/eSignaViewer.php</a> </pre> _______________________________________________ Mod_nss-list mailing list Mod_nss-list@redhat.com https://www.redhat.com/mailman/listinfo/mod_nss-list _______________________________________________ Mod_nss-list mailing list Mod_nss-list@redhat.com https://www.redhat.com/mailman/listinfo/mod_nss-list </body> </html>