<html> <head> <style></style> </head> <body class='hmmessage'> Nice! But tell me, what fixed the problem, the mod_nss compilation or the apache variables in the init script?? Luis <hr id="stopSpelling">Date: Fri, 3 Sep 2010 09:33:57 +0200 From: ttormo@indenova.com To: ttormo@indenova.com CC: luisneves@hotmail.com; rcritten@redhat.com; mod_nss-list@redhat.com Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication <meta http-equiv="Content-Type" content="text/html; charset=unicode"> <meta name="Generator" content="Microsoft SafeHTML"> Well... I made it work!!! I didn't try Robe solution yet... but when I tried it it worked like a charm. The problem is that in Ubuntu you don't have /etc/sysconfig/httpd directory (it is supposed to be /etc/default/apache, but it doesn't work there...), so I had to set the environmental variable in the init script (/etc/init.d/apache2). So now, my test virtualhost looks like this <VirtualHost *:443> ServerName amsterdam LogLevel debug ErrorLog /var/log/apache2/testmodnss/error.log CustomLog /var/log/apache2/testmodnss/access.log combined DocumentRoot /var/www/testmodnss # ssl NSSEngine on RewriteEngine on NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha NSSProtocol SSLv3,TLSv1 ## Certificate database. It contains both public and private key of the ssl server. It also contains the CA certificate of the allowed client certificates NSSCertificateDatabase /etc/apache2/certs/nss/ NSSNickName Server-Cert # ssl client <Location "/files"> NSSRequireSSL NSSVerifyClient require </Location> </VirtualHost> NSSPassPhraseHelper /usr/sbin/nss_pcache quite simple now.. isn't it? And, what's more, the certificates that weren't working with mod_ssl (Luis knows what I'm talking about ;) ) now work. Thank you very much once more!!! On 03/09/10 08:33, Tomás Tormo wrote: <blockquote cite="mid:4C8096CC.6060203@indenova.com"> <title>Message body</title> First of all, thank you very much to both of you for your help. Yesterday I had a meeting the whole day, that's why I couldn't answer the emails... Currently, I'm doind all my tests with a Ubuntu Linux 10.04, using Apache 2.2.14 with mod_nss 1.0.8. I downloaded the source from <a class="ecxmoz-txt-link-freetext" href="http://directory.fedoraproject.org/wiki/Mod_nss" target="_blank">http://directory.fedoraproject.org/wiki/Mod_nss</a> and compiled it. The SSL connection is working... but I have the problem I told you with SSL client. After all the emails, I'm trying the last solution, the one whi Luis told me. I tried to use the directive NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ and %{SSL_CLIENT_VERIFY} eq "SUCCESS" ) and it works... but it also asks for the certificate the first time you connect... I would like it to ask for the certificate just when the user clicks some link (I got it working with mod_ssl). Do you know any solution for this? By the way.. wich language is the one _NSSRequire is using for the conditions? Thank you very much. I'll continue with the research On 02/09/10 12:07, Luis Neves wrote: <blockquote cite="mid:COL110-W54B56E3787CCEA97F6E89EA78C0@phx.gbl"> <style> .ExternalClass .ecxhmmessage P {padding:0px;} .ExternalClass body.ecxhmmessage {font-size:10pt;font-family:Tahoma;} </style>Hi again! Sorry everybody for so much posts Hola Tomas, What seems the best practices on this case is Putting the NSSverifyclient optional outside location and then playing with the SSLRequire (or NSSRequire in mod_nss case) like for ex: <Location /> NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ and %{SSL_CLIENT_S_DN_O} eq "mycompany" \ and %{SSL_CLIENT_S_DN_OU} in {"myrole"}) </Location> or: NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ and %{SSL_CLIENT_VERIFY} eq "SUCCESS" ) or using a virtualhost just for the authenticated part of the site Um abraço Luis <hr id="ecxstopSpelling">From: <a class="ecxmoz-txt-link-abbreviated" href="mailto:luisneves@hotmail.com">luisneves@hotmail.com</a> To: <a class="ecxmoz-txt-link-abbreviated" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>; <a class="ecxmoz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a> Date: Thu, 2 Sep 2010 08:36:20 +0000 CC: <a class="ecxmoz-txt-link-abbreviated" href="mailto:mod_nss-list@redhat.com">mod_nss-list@redhat.com</a> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication <style> .ExternalClass .ecxhmmessage P {padding:0px;} .ExternalClass body.ecxhmmessage {font-size:10pt;font-family:Tahoma;} </style>Hi Robe, indeed Ive tested by myself and have the same renegotiation error as well Played with the settings Ive told to Tomas but still got the problem Played with the Apache env variables you mentioned but to no avail, same problem. Will read carefully your link but it looks the only solution is avoiding at all costs using verifyclient inside location tags... :( Luis > Date: Wed, 1 Sep 2010 08:59:01 -0400 > From: <a class="ecxmoz-txt-link-abbreviated" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> > To: <a class="ecxmoz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a> > CC: <a class="ecxmoz-txt-link-abbreviated" href="mailto:mod_nss-list@redhat.com">mod_nss-list@redhat.com</a> > Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication > > Tomás Tormo wrote: > > Greetings > > > > I'm trying to configure mod_nss in Apache in order to use it as my > > client certificate authentication mechanism, but I'm having problems > > with it.. > > > > I'd like to use client authentication in some parts of a website... so I > > tried to do it as with mod_ssl, using the Location directive with the > > NSSVerifyClient require directive inside, but I never works... I always > > get this error... > > > > Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation > > [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing > > full renegotiation: complete handshake protocol > > [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting > > re-negotiation handshake > > *[Mon Aug 30 14:17:34 2010] [info] Read error -12176 > > [Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not > > accepted by client!?* > > [Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client > > 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer: > > <a class="ecxmoz-txt-link-freetext" href="https://amsterdam/" target="_blank">https://amsterdam/</a> > > [Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input > > filter read failed. > > [Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server > > amsterdam:443, client 192.168.125.53) > > > > After this, I checked the documentation and it says I can work > > per-server or per-directory context... So I tried to do it per-server > > and It works perfectly.. but, as I told you, this is not the solution > > I'm looking for.. so I tried to configure it per-directory... but it > > doesn't work neither... > > > > Here I attach my per-directory configuration... Is just a test but this > > is more or less how it should look at the end: > > > > > > > > /<VirtualHost *:443> > > > > ServerName amsterdam > > > > LogLevel debug > > ErrorLog /var/log/apache2/testmodnss/error.log > > CustomLog /var/log/apache2/testmodnss/access.log combined > > DocumentRoot /var/www/testmodnss > > > > # ssl > > NSSEngine on > > RewriteEngine on > > NSSCipherSuite > > -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha > > > > NSSProtocol All > > > > ## Certificate database. It contains both public and private key of the > > ssl server. It also contains the CA certificate of the allowed client > > certificates > > NSSCertificateDatabase /etc/apache2/certs/nss/ > > > > NSSNickName Server-Cert > > > > > > # ssl client > > > > <Directive "/var/www/testmodnss/files/"> > > > > AllowOverride all > > NSSVerifyClient require > > NSSOptions +ExportCertData > > NSSOptions +StdEnvVars > > > > </Location> > > > > </VirtualHost> > > > > NSSPassPhraseHelper /usr/sbin/nss_pcache > > > > / > > > > Could you please help me? > > > > Thank you very much > > Sorry for the delayed response. > > What version of mod_nss and which browser (and version) are you using? I > wonder if you have a newer browser and an older mod_nss and are bumping > into the SSL renegotiation changes that went into the NSS crypto system > to handle <a class="ecxmoz-txt-link-freetext" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555</a>. > This KB article includes some tuning information for NSS in general: > <a class="ecxmoz-txt-link-freetext" href="https://access.redhat.com/kb/docs/DOC-20491" target="_blank">https://access.redhat.com/kb/docs/DOC-20491</a> > > The latest mod_nss provides some tuning knobs for this as mentioned by > Luid (NSSRenegotiation and NSSRequireSafeNegotiation) that are > equivalent to the environment variables in the KB article, just more > convenient. mod_nss defaults to SSL_RENEGOTIATE_NEVER and setting > NSSRenegotiation is the equivalent of SSL_RENEGOTIATE_REQUIRES_XTN. > > So this is a long way of saying, try adding export > NSS_SSL_ENABLE_RENEGOTIATION=u or NSS_SSL_ENABLE_RENEGOTIATION=r to your > Apache environment (/etc/sysconfig/httpd on Red Hat and Fedora systems). > > I'll be away again until next week in case you have any follow-up questions. > > rob > > _______________________________________________ > Mod_nss-list mailing list > <a class="ecxmoz-txt-link-abbreviated" href="mailto:Mod_nss-list@redhat.com">Mod_nss-list@redhat.com</a> > <a class="ecxmoz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/mod_nss-list" target="_blank">https://www.redhat.com/mailman/listinfo/mod_nss-list</a> _______________________________________________ Mod_nss-list mailing list <a class="ecxmoz-txt-link-abbreviated" href="mailto:Mod_nss-list@redhat.com">Mod_nss-list@redhat.com</a> <a class="ecxmoz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/mod_nss-list" target="_blank">https://www.redhat.com/mailman/listinfo/mod_nss-list</a> </blockquote> <pre class="ecxmoz-signature">-- Un saludo, Tomás Tormo Franco Area de sistemas INDENOVA S.L. C/ Dels Traginers 14, 2ş B Polígono Vara de Quart 46014 Valencia Tel. (34) 96 381 99 47 Fax. (34) 96 381 99 48 <a class="ecxmoz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a> <a class="ecxmoz-txt-link-freetext" href="http://www.indenova.com" target="_blank">http://www.indenova.com</a> Descárguese gratuitamente el software eSigna Viewer para visualizar documentos firmados electrónicamente: <a class="ecxmoz-txt-link-freetext" href="http://www.indenova.com/eSignaViewer.php" target="_blank">http://www.indenova.com/eSignaViewer.php</a> </pre> </blockquote> <pre class="ecxmoz-signature">-- Un saludo, Tomás Tormo Franco Area de sistemas INDENOVA S.L. C/ Dels Traginers 14, 2ş B Polígono Vara de Quart 46014 Valencia Tel. (34) 96 381 99 47 Fax. (34) 96 381 99 48 <a class="ecxmoz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a> <a class="ecxmoz-txt-link-freetext" href="http://www.indenova.com" target="_blank">http://www.indenova.com</a> Descárguese gratuitamente el software eSigna Viewer para visualizar documentos firmados electrónicamente: <a class="ecxmoz-txt-link-freetext" href="http://www.indenova.com/eSignaViewer.php" target="_blank">http://www.indenova.com/eSignaViewer.php</a> </pre> </body> </html>