[Mod_nss-list] Problem configuring Client certificate Authentication

Luis Neves luisneves at hotmail.com
Tue Aug 31 09:26:12 UTC 2010

NSSProtocol SSLv3,TLSv1

I am unable to test location today as I forgot my card at home...
But I think location has to work; your error seems to be something related to a "protocol re-negotiation error"...


From: luisneves at hotmail.com
To: ttormo at indenova.com
Date: Tue, 31 Aug 2010 09:16:46 +0000
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication

try this!

# Only renegotiate if the peer's hello bears the TLS renegotiation_info
# extension. Default off.
NSSRenegotiation off

# Peer must send Signaling Cipher Suite Value (SCSV) or
# Renegotiation Info (RI) extension in ALL handshakes.  Default: off
NSSRequireSafeNegotiation off

Date: Tue, 31 Aug 2010 10:41:13 +0200
From: ttormo at indenova.com
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication


No... It didn't work with location either...

But maybe if I follow your approach it could work for me as well...

On 31/08/10 10:36, Luis Neves wrote:

after fixing "location" it worked??


no, for now I really didn't need that,

I am trying to make a reverse proxy to protect internal pages and give
them access via some smartcards, but boy, I have had so many problems so far
that I was almost quitting on this.....!




Date: Tue, 31 Aug 2010 10:17:02 +0200
From: ttormo at indenova.com
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate


Wow!! Actually I had the Directory directive instead of Location at that
moment (I was just trying that). I made a copy-paste and changed it
on the fly but I guess I didn't notice the first
<Location>... hehehe, sorry


So... do you do something similar in your virtualhost? I mean, do you
need users to use a client certificate only in some parts of the


Thank you very much




On 31/08/10 10:11, Luis Neves wrote:


It's missing something in your post, like the first location, etc., but
anyway, is it when using the "location" tag that the problem appears? I
don't use it but will make a test to see what happens here






Date: Mon, 30 Aug 2010 14:24:00 +0200
From: ttormo at indenova.com
To: mod_nss-list at redhat.com
Subject: [Mod_nss-list] Problem configuring Client certificate




I'm trying to configure mod_nss in Apache in order to use it as my
client certificate authentication mechanism, but I'm having problems
with it..


I'd like to use client authentication in some parts of a website... so
I tried to do it as with mod_ssl, using the Location directive with the
NSSVerifyClient require directive inside, but it never works... I always
get this error...


[Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation
[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing full renegotiation: complete handshake protocol
[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting re-negotiation handshake
[Mon Aug 30 14:17:34 2010] [info] Read error -12176
[Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not accepted by client!?
[Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client] Zlib: Compressed 283 to 216 : URL /files, referer: https://amsterdam/
[Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input filter read failed.
[Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server amsterdam:443, client


After this, I checked the documentation and it says I can work in
per-server or per-directory context... So I tried to do it per-server
and it works perfectly.. but, as I told you, this is not the solution
I'm looking for.. so I tried to configure it per-directory... but it
doesn't work either...


Here I attach my per-directory configuration... It's just a test but this
is more or less how it should look at the end:




<VirtualHost *:443>
    ServerName amsterdam

    LogLevel debug
    ErrorLog /var/log/apache2/testmodnss/error.log
    CustomLog /var/log/apache2/testmodnss/access.log combined
    DocumentRoot /var/www/testmodnss

    # ssl
    NSSEngine on
    RewriteEngine on

    NSSProtocol All

    ## Certificate database. It contains both public and private key of the
    ## ssl server. It also contains the CA certificate of the allowed client
    NSSCertificateDatabase /etc/apache2/certs/nss/
    NSSNickName Server-Cert

    # ssl client: only this subtree requires a client certificate
    <Directory "/var/www/testmodnss/files/">
        AllowOverride all
        NSSVerifyClient require
        NSSOptions +ExportCertData
        NSSOptions +StdEnvVars
    </Directory>
</VirtualHost>

# server-wide directive, outside the VirtualHost
NSSPassPhraseHelper /usr/sbin/nss_pcache




Could you please help me?


Thank you very much



Regards,

Tomás Tormo Franco
Systems department

C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48

ttormo at indenova.com

Download the free eSigna Viewer software to view electronically signed documents: http://www.indenova.com/eSignaViewer.php

Mod_nss-list mailing list
Mod_nss-list at redhat.com
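As an added example, not code from the thread or from mod_nss: a small Python scanner that pairs each "Requesting connection re-negotiation" entry in the Apache error log quoted above with the "Read error" and "Re-negotiation handshake failed" lines that follow it, so failed client-certificate renegotiations can be counted and the NSS error code pulled out. The sample log lines are constructed from the thread with the e-mail line wraps undone.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache 2.2 error_log format as quoted in the thread: "[timestamp] [level] message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
READ_ERR_RE = re.compile(r"Read error (-?\d+)")
# Constructed sample: the failure sequence quoted in the thread, line wraps undone.
SAMPLE_LOG = [
    "[Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation",
    "[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing full renegotiation: complete handshake protocol",
    "[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting re-negotiation handshake",
    "[Mon Aug 30 14:17:34 2010] [info] Read error -12176",
    "[Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not accepted by client!?",
    "[Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input filter read failed.",
]

@dataclass
class RenegAttempt:
    started: str                     # timestamp of the renegotiation request
    nss_error: Optional[int] = None  # code from the "Read error" line, if one follows
    failed: bool = False             # set once "Re-negotiation handshake failed" is seen

def parse_line(line: str) -> Optional[dict]:
    """Split one error_log line into ts/level/msg; None for non-log text."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_failed_renegotiations(lines: List[str]) -> List[RenegAttempt]:
    """Pair each 'Requesting connection re-negotiation' entry with the lines that
    follow it and return the attempts that ended in a handshake failure."""
    attempts: List[RenegAttempt] = []
    current: Optional[RenegAttempt] = None
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # wrapped continuation text or other non-log lines
        msg = rec["msg"]
        if "Requesting connection re-negotiation" in msg:
            current = RenegAttempt(started=rec["ts"])
            attempts.append(current)
        elif current is not None:
            err = READ_ERR_RE.search(msg)
            if err:
                current.nss_error = int(err.group(1))
            elif "Re-negotiation handshake failed" in msg:
                current.failed = True
                current = None  # attempt closed; wait for the next request
    return [a for a in attempts if a.failed]
```

A burst of such failures from one client after a request under a per-directory NSSVerifyClient require block points at the second handshake being refused by the peer, not at the certificate itself.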

