[Fedora-directory-users] mod_nss and FIPS mode

Rob Crittenden rcritten at redhat.com
Fri May 16 14:06:41 UTC 2008


Rob Crittenden wrote:
> Mark Price wrote:
>> Hello,
>>
>> I am having trouble getting mod_nss to work in FIPS mode.  Summary of
>> the problem:  mod_nss works fine before FIPS mode is enabled, then
>> cannot find the certificate after enabling it.
> 
> Your configuration looks ok.
> 
>>
>> This is using the /etc/httpd/alias cert database, that the mod_nss RPM
>> created with a default certificate named Server-Cert.
>>
>> Using that default configuration, the Apache server starts fine and
>> loads mod_nss.
>>
>> However, when I enable FIPS mode in mod_nss (By adding "NSSFIPS on" to
>> Apache config), I can't get it to find the same server certificate:
>>
>>
>> [Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
>> [Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of
>> size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
>> [Thu May 15 13:41:21 2008] [error] The server key database has not
>> been initialized.
>> [Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers 
>> for SSL
>> [Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert'
> 
> I think part of the problem is "The server key database has not been 
> initialized." I'm not sure what would cause this.
> 
>> I also tried using modutil to enable FIPS mode on the cert database,
>> but that did not help:
>>
>> # modutil -fips true -dbdir /etc/httpd/alias
>> <snipped warning>
>> Using database directory /etc/httpd/alias...
>> FIPS mode enabled.
>>
>>
>> # modutil -chkfips true -dbdir /etc/httpd/alias
>> Using database directory /etc/httpd/alias...
>> FIPS mode enabled.
> 
> You need to let mod_nss set FIPS mode for it to work properly.
> 
>> Could someone please clue me in here?  Is there some more extensive
>> process I need to go through in converting the certificate database to
>> FIPS mode?  I have searched for more relevant info with certutil and
>> modutil but haven't been able to find anything.
> 
> It should be as simple as setting NSSFIPS on.
> 
> I'm not sure what the problem is. Let me try to duplicate this locally 
> and see what I can find out.

Mark and I did a fair bit of follow-up off-list and I created bug 
https://bugzilla.redhat.com/show_bug.cgi?id=446851 as a result.

This appears to be a bug in NSS 3.11 (I'm not sure if it affects 
3.11.99/3.12 yet). In the bug I filed is a patch to mod_nss that will 
work around the problem.

rob