[Freeipa-users] mod_nss issue.

Rob Crittenden rcritten at redhat.com
Mon Oct 8 12:45:20 UTC 2012


Alexander Bokovoy wrote:
> On Mon, 08 Oct 2012, Simon Williams wrote:
>> I have found a problem with mod_nss that appears to have been reported in
>> 2010, but I cannot find any further reference to it.  The 2010 reference
>> contains a comment saying that it is an issue and needs to be fixed.  I
>> have not been able to find any issue tracking system for mod_nss and so
>> haven't been able to check on the status.
>>
>> The problem is that mod_nss does not appear to respond with the correct
>> certificate when multiple name virtual servers are configured on an
>> instance of Apache.  It always responds with the certificate of the first
>> name virtual server defined.  It does process the other sites'
>> configurations because it complains if certificates with the aliases used
>> are not in the database.  This would not be an issue (for me) if mod_ssl
>> could be used for virtual servers other than the IPA server, but they
>> cannot co-exist.  If you try to mix them, mod_ssl complains that port 443
>> is being used for the IPA server, but it is not SSL aware.  I suppose it
>> would be possible to reconfigure the IPA name virtual server to use mod_ssl
>> by exporting the certificate, but I really don't like to muck around with
>> the directory server configuration more than is necessary as it is vital
>> that it remains stable and secure.
>>
>> Could anyone enlighten me as to whether this issue is being looked at or
>> even if it is fixed and the CentOS people (CentOS 6.3 standard repositories,
>> all packages up to date as of yesterday) just aren't supplying a new enough
>> version of mod_nss.  At the moment, I can use my SSL secured sites as the
>> encryption works okay, but I cannot open them up as they report the wrong
>> host name in the certificate.
> I assume all this comes because you run these virtual servers on the
> same instance as FreeIPA master itself, thus conflicting mod_ssl and
> mod_nss.
>
> Here is a description of how to make name-based SSL virtual hosts work in
> a FreeIPA environment using mod_ssl. This howto assumes you are using a
> separate server from the FreeIPA master to provide the actual hosting for
> the virtual hosts, which also makes sense because one would need to apply
> greater security protection to the KDC which runs on the same FreeIPA
> host.
>
> http://freeipa.org/page/Apache_SNI_With_Kerberos
>
>

mod_nss doesn't support SNI because NSS doesn't support SNI server-side 
yet (https://bugzilla.mozilla.org/show_bug.cgi?id=360421).

The mod_nss bug tracker is bugzilla.redhat.com.

mod_ssl and mod_nss can co-exist but not on the same port (which is true 
of any two servers). mod_ssl and mod_nss cannot co-exist on an IPA 
server though, because mod_proxy only provides a single SSL interface 
and mod_ssl always registers it, locking mod_nss out. This is being 
worked on in mod_proxy.

Switching to mod_ssl wouldn't require any changes to the directory server.

rob
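The symptom Simon describes (the first vhost's certificate coming back whatever name the client asked for) can be checked from the client side. The following Go program is an added example, not code from the thread, mod_nss or FreeIPA: it models both server behaviours on loopback with constructed self-signed certificates (hostnames like ipa.example.test are made up) and reports which name each server presents; presentedName can equally be pointed at one's own host:443.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSigned makes a throwaway certificate whose SAN is host (constructed fixture, not a real CA).
func selfSigned(host string) *tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// presentedName sends sni to addr and returns the first SAN of the certificate the server chose; it
// works against a real host:443 too. Verification is off only because the fixtures are self-signed.
func presentedName(addr, sni string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].DNSNames[0], nil
}

// probe serves one certificate per hostname on loopback and reports which SAN comes back for each name.
func probe(hosts []string, sniAware bool) map[string]string {
	certs := map[string]*tls.Certificate{}
	for _, h := range hosts {
		certs[h] = selfSigned(h)
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{*certs[hosts[0]]}} // mod_nss: no server-side SNI, first vhost's cert always
	if sniAware { // mod_ssl: select by SNI; a nil result falls back to Certificates (the default vhost)
		cfg.GetCertificate = func(h *tls.ClientHelloInfo) (*tls.Certificate, error) { return certs[h.ServerName], nil }
	}
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", cfg) // loopback fixture; errors deliberately not handled
	defer ln.Close()
	out := map[string]string{}
	for _, h := range hosts {
		go func() { c, _ := ln.Accept(); c.(*tls.Conn).Handshake(); c.Close() }() // one handshake per probe
		out[h], _ = presentedName(ln.Addr().String(), h)
	}
	return out
}
```

With sniAware=false every name maps to the first host's SAN, which is exactly the "wrong host name in the certificate" seen on the second and later vhosts.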
