<div dir="ltr"><div><div><div>Thank you Standa, </div>Option number 2 isn't possible at our site. Would you be able to explain number 1 to me? I'm very green with mod_nss so I don't know how to set this up. </div>Thanks, </div>Larry C. </div><div class="gmail_extra"> <div class="gmail_quote">On Mon, Aug 31, 2015 at 3:14 AM, <a href="mailto:stokos@suse.de">stokos@suse.de</a> <<a href="mailto:stokos@suse.de" target="_blank">stokos@suse.de</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, 27 Aug 2015 14:36:06 -0400 "Cohen, Laurence" <<a href="mailto:lcohen@novetta.com">lcohen@novetta.com</a>> wrote: Hi Laurence, <div><div class="h5"> > Hi, > > I'm trying to set up an nss.conf to use while we are doing maintenance > which will point all ssl traffic to a file called maintenance.html > which simply states that we are doing maintenance on the server. The > rewrite.conf we have set up is working fine for port 80 traffic, but > the nss.conf is not working. > > Here are the errors I'm getting. BTW, we are using a self signed cert > because this is our test system. I figured this would cause an info > or at most a warning message, but not an error message. > > [Thu Aug 27 13:38:00 2015] [info] Connection to child 0 established > (server jamie-web1:443, client "Server IP") > [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 established > (server jamie-web1:443, client "Server IP") > [Thu Aug 27 13:38:00 2015] [info] SSL input filter read failed. > [Thu Aug 27 13:38:00 2015] [error] SSL Library Error: -12195 Peer > does not recognize and trust the CA that issued your certificate > [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 closed (server > <a href="http://jamie-web1.novetta.com:443" rel="noreferrer" target="_blank">jamie-web1.novetta.com:443</a>, client Server IP) > [Thu Aug 27 13:38:00 2015] [info] SSL library error -8172 writing data > [Thu Aug 27 13:38:00 2015] [info] SSL Library Error: -8172 > Certificate is signed by an untrusted issuer > [Thu Aug 27 13:38:00 2015] [error] (20014)Internal error: proxy: pass > request body failed to <a href="http://10.3.238.21:443" rel="noreferrer" target="_blank">10.3.238.21:443</a> (jamie-web1) > [Thu Aug 27 13:38:00 2015] [error] proxy: pass request body failed to > Server IP:443 (jamie-web1) from Server IP () > [Thu Aug 27 13:38:00 2015] [info] Connection to child 1 closed (server > jamie-web1:443, client "Workstation IP") > </div></div>I suppose that this problem is with CA certificate on remote server: You have two possible solution: 1. add CA from remote server to your certificate database at PROXY server 2. build mod_nss with a patch from this email PS: I have already worked on a similar problem for our customer. Have nice day Standa <div class="HOEnZb"><div class="h5"> > This is the nss.conf I'm using. > > Listen 443 > > AddType application/x-x509-ca-cert .crt > AddType application/x-pkcs7-crl .crl > > NSSPassPhraseDialog file:/etc/httpd/.password.conf > #NSSPassPhraseDialog builtin > > NSSPassPhraseHelper /usr/sbin/nss_pcache > > NSSSessionCacheSize 10000 > NSSSessionCacheTimeout 100 > NSSSession3CacheTimeout 86400 > > > NSSRandomSeed startup builtin > > > <VirtualHost _default_:443> > > DocumentRoot "/var/www/docroot" > NSSProxyCheckPeerCN Off > NSSEngine on > NSSProxyEngine on > NSSEnforceValidCerts off > NSSRenegotiation on > NSSRequireSafeNegotiation on > > NSSCipherSuite > +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha > > NSSProxyCipherSuite > +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha > > NSSProtocol TLSv1 > NSSNickname Server-Cert > NSSCertificateDatabase /etc/httpd/alias > NSSFIPS on > NSSOCSP off > > ProxyPreserveHost On > > > <Location /> > #SSLRenegBufferSize 52430000 > NSSVerifyClient optional > NSSOptions +ExportCertData +StdEnvVars > ProxyPass <a href="https://jamie-web1/maintenance.html" rel="noreferrer" target="_blank">https://jamie-web1/maintenance.html</a> > ProxyPassReverse <a href="https://jamie-web1/maintenance.html" rel="noreferrer" target="_blank">https://jamie-web1/maintenance.html</a> > </Location> > > <Files ~ "\.(cgi|shtml|phtml|php3?)$"> > NSSOptions +StdEnvVars > </Files> > <Directory "/var/www/cgi-bin"> > NSSOptions +StdEnvVars > </Directory> > > > # initialize the SSL headers to a blank value to avoid http header > forgeries RequestHeader set SSL_CLIENT_CERT "" > RequestHeader set SSL_CIPHER "" > RequestHeader set SSL_SESSION_ID "" > RequestHeader set SSL_CIPHER_USEKEYSIZE "" > > RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" > RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s" > RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s" > RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s" > > CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_CLIENT_CERT}x > %{SSL_CLIENT_S_DN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" > > > ErrorLog /etc/httpd/logs/error_log > TransferLog /etc/httpd/logs/access_log > LogLevel info > > </VirtualHost> > > If anyone can help I'd appreciate it. > > Thanks, > > Larry Cohen </div></div> _______________________________________________ Mod_nss-list mailing list <a href="mailto:Mod_nss-list@redhat.com">Mod_nss-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/mod_nss-list" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/mod_nss-list</a> </blockquote></div> -- <div class="gmail_signature"><div dir="ltr"><img alt="www.novetta.com" src="https://p2.zdassets.com/hc/theme_assets/236109/200035260/novetta-email.png" style="border:currentcolor" height="56" width="211">Larry CohenSystem Administrator 12021 Sunset Hills Road, Suite 400Reston, VA 20190Email lcohen@<a href="http://novetta.com" target="_blank">novetta.com</a> Office 703-885-1064<table style="color:rgb(147,149,152);font-family:sans-serif;font-size:medium"><tbody><tr></tr><tr></tr><tr></tr></tbody></table> </div></div> </div>