[Fedora-directory-users] mod_nss and FIPS mode
Rob Crittenden
rcritten at redhat.com
Fri May 16 14:06:41 UTC 2008
Rob Crittenden wrote:
> Mark Price wrote:
>> Hello,
>>
>> I am having trouble getting mod_nss to work in FIPS mode. Summary of
>> the problem: mod_nss works fine before FIPS mode is enabled, then
>> cannot find the certificate after enabling it.
>
> Your configuration looks ok.
>
>>
>> This is using the /etc/httpd/alias cert database, that the mod_nss RPM
>> created with a default certificate named Server-Cert.
>>
>> Using that default configuration, the Apache server starts fine and
>> loads mod_nss.
>>
>> However, when I enable FIPS mode in mod_nss (by adding "NSSFIPS on" to
>> the Apache config), I can't get it to find the same server certificate.
>>
>>
>> [Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
>> [Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of
>> size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
>> [Thu May 15 13:41:21 2008] [error] The server key database has not
>> been initialized.
>> [Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers
>> for SSL
>> [Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert'
>
> I think part of the problem is "The server key database has not been
> initialized." I'm not sure what would cause this.
>
>> I also tried using modutil to enable FIPS mode on the cert database,
>> but that did not help:
>>
>> # modutil -fips true -dbdir /etc/httpd/alias
>> <snipped warning>
>> Using database directory /etc/httpd/alias...
>> FIPS mode enabled.
>>
>>
>> # modutil -chkfips true -dbdir /etc/httpd/alias
>> Using database directory /etc/httpd/alias...
>> FIPS mode enabled.
>
> You need to let mod_nss set FIPS mode for it to work properly.
>
>> Could someone please clue me in here? Is there some more extensive
>> process I need to go through in converting the certificate database to
>> FIPS mode? I have searched for more relevant info with certutil and
>> modutil but haven't been able to find anything.
>
> It should be as simple as setting NSSFIPS on.
>
> I'm not sure what the problem is. Let me try to duplicate this locally
> and see what I can find out.
Mark and I did a fair bit of follow-up off-list and I created bug
https://bugzilla.redhat.com/show_bug.cgi?id=446851 as a result.
This appears to be a bug in NSS 3.11 (I'm not sure if it affects
3.11.99/3.12 yet). In the bug I filed is a patch to mod_nss that will
work around the problem.
rob
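For readers landing on this thread later, here is the mod_nss side of what Rob describes (letting mod_nss itself turn FIPS mode on via NSSFIPS, rather than flipping the database with modutil -fips true), as an added configuration example that is not part of the original thread. It reuses the database directory and certificate nickname from Mark's report; the listen port, the password file path and the cipher list are assumptions. NSS in FIPS mode only permits FIPS-approved cipher suites, so the list sticks to AES/SHA suites and avoids RC4 and MD5-based ones.

```apache
# /etc/httpd/conf.d/nss.conf (excerpt) -- added example, not the RPM's shipped file.
LoadModule nss_module modules/libmodnss.so

Listen 8443                                 # assumed port
<VirtualHost _default_:8443>
    NSSEngine on

    # The RPM default is "NSSFIPS off". Turn it on here and let mod_nss
    # put the NSS token into FIPS mode at startup; do not pre-enable it
    # with "modutil -fips true" (see Rob's reply above).
    NSSFIPS on

    # Database and nickname created by the mod_nss RPM, as in the thread.
    NSSCertificateDatabase /etc/httpd/alias
    NSSNickname Server-Cert

    # Token password source; path is an assumption. The file holds one
    # "token:password" line per token, e.g. "internal:secret".
    NSSPassPhraseDialog file:/etc/httpd/conf/password.conf

    # FIPS-approved suites only: no RC4, no MD5.
    NSSProtocol TLSv1
    NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha,+rsa_3des_sha
</VirtualHost>
```

After restarting httpd, `modutil -chkfips true -dbdir /etc/httpd/alias` should report FIPS mode enabled and the error_log should show the Server-Cert initialization without the "Certificate not found" message; if it still fails on NSS 3.11, the workaround patch in the bug Rob filed applies.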