[Freeipa-users] mod_nss issue.

Alexander Bokovoy abokovoy at redhat.com
Mon Oct 8 12:30:01 UTC 2012


On Mon, 08 Oct 2012, Simon Williams wrote:
>I have found a problem with mod_nss that appears to have been reported in
>2010, but I cannot find any further reference to it.  The 2010 reference
>contains a comment saying that it is an issue and needs to be fixed.  I
>have not been able to find any issue tracking system for mod_nss and so
>haven't been able to check on the status.
>
>The problem is that mod_nss does not appear to respond with the correct
>certificate when multiple name virtual servers are configured on an
>instance of Apache.  It always responds with the certificate of the first
>name virtual server defined.  It does process the other sites'
>configurations because it complains if certificates with the aliases used
>are not in the database.  This would not be an issue (for me) if mod_ssl
>could be used for virtual servers other than the IPA server, but they
>cannot co-exist.  If you try to mix them, mod_ssl complains that port 443
>is being used for the IPA server, but it is not SSL aware.  I suppose it
>would be possible to reconfigure the IPA name virtual server to use mod_ssl
>by exporting the certificate, but I really don't like to muck around with
>the directory server configuration more than is necessary as it is vital
>that it remains stable and secure.
>
>Could anyone enlighten me as to whether this issue is being looked at or
>even if it is fixed and the CentOS people (CentOS 6.3 standard repositories
>all packages up to date as of yesterday) just aren't supplying a new enough
>version of mod_nss.  At the moment, I can use my SSL secured sites as the
>encryption works okay, but I cannot open them up as they report the wrong
>host name in the certificate.
I assume all this comes because you run these virtual servers on the
same instance as FreeIPA master itself, thus conflicting mod_ssl and
mod_nss.

Here is a description of how to make name-based SSL virtual hosts work in a
FreeIPA environment using mod_ssl. This howto assumes you are using a
separate server from the FreeIPA master to provide the actual hosting for
the virtual hosts, which also makes sense because one would need to apply
greater security protection to the KDC which runs on the same FreeIPA
host.

http://freeipa.org/page/Apache_SNI_With_Kerberos


-- 
/ Alexander Bokovoy
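The symptom Simon describes (encryption works, but the certificate names the wrong host) is easy to confirm or rule out from the client side: send each virtual host's name in the TLS ClientHello (SNI) and compare the names in the served certificate with the name requested. The following is an added example, not code from the thread, from mod_nss or from the FreeIPA howto linked above. It assumes a CA bundle path that you supply (`ca_file`), and the certificate dicts at the top are constructed to mimic the reported behaviour (every name-based vhost gets the first vhost's certificate) so the matching logic can run offline; `probe_sni` performs the live check against a real server.

```python
import socket
import ssl

# Constructed certificate dicts in the shape returned by ssl.SSLSocket.getpeercert();
# only the fields the check needs are present.
CONSTRUCTED_CERT_SITE_A = {
    "subject": ((("commonName", "ipa.example.test"),),),
    "subjectAltName": (("DNS", "ipa.example.test"),),
}
CONSTRUCTED_CERT_SITE_B = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.sites.example.test")),
}


def dns_names(cert):
    """Return the dNSName SAN entries of a getpeercert() dict.

    Falls back to the subject CN only when the certificate carries no dNSName
    entries at all, which is the RFC 6125 rule most clients follow."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    A single '*' is accepted only as the whole left-most label and covers exactly
    one label: *.sites.example.test matches a.sites.example.test but neither
    sites.example.test nor a.b.sites.example.test."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    rest = pattern[2:]
    labels = hostname.split(".")
    return len(labels) >= 2 and "*" not in rest and ".".join(labels[1:]) == rest


def cert_matches_hostname(cert, hostname):
    """True when any usable name in the certificate covers hostname."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


def audit_vhosts(served):
    """served: list of (requested SNI name, certificate dict actually served).

    Returns the requested names whose served certificate does not cover them,
    i.e. the virtual hosts that would show the wrong host name to visitors."""
    return [name for name, cert in served if not cert_matches_hostname(cert, name)]


def probe_sni(host, port, sni_name, ca_file):
    """Connect to host:port, send sni_name in the ClientHello, and report the match.

    The chain is verified against ca_file (assumed path to your deployment's CA
    bundle); hostname checking is done by cert_matches_hostname so a mismatch is
    reported instead of aborting the handshake. Not exercised offline."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED, so getpeercert() is populated
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            cert = tls.getpeercert()
            return {
                "requested": sni_name,
                "served_names": dns_names(cert),
                "match": cert_matches_hostname(cert, sni_name),
            }


if __name__ == "__main__":
    # Constructed scenario: the server answers every SNI name with the first vhost's certificate.
    served = [
        ("ipa.example.test", CONSTRUCTED_CERT_SITE_A),
        ("www.example.test", CONSTRUCTED_CERT_SITE_A),
    ]
    print("vhosts served with a non-matching certificate:", audit_vhosts(served))
```

Run `probe_sni` once per virtual host name against the same address and port; if every call returns the same `served_names` while `match` is true for only the first vhost, the server is ignoring SNI, which is the behaviour reported for mod_nss above and would not be seen on the separate mod_ssl host the howto recommends.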
