[Mod_nss-list] hello, and problem 1

Rob Crittenden rcritten at redhat.com
Fri May 6 13:31:18 UTC 2011


Jennings, Jared L CTR USAF AFMC 46 SK/CCI wrote:
> Hello, mod_nss-list! I'm having interesting adventures in authenticating
> clients using certificates, but I don't understand everything I'm
> seeing.
>
> I've got httpd 2.2.15 and mod_nss 1.0.8, as on RHEL6. I have a website
> where I want to authorize people for some areas by groups I define, so
> I'm using FakeBasicAuth. Well and good, but when I reload my page
> several times in Firefox, it's fairly easy to get to a username and
> password prompt, which I should never get: who the user is is strictly a
> function of the certificate he presents.
>
> After adding a few debug logging statements, I see that when the browser
> shows the username and password box, the FakeBasicAuth has declined to
> fake, because sslconn->client_cert is false in nss_hook_UserCheck
> (nss_engine_kernel.c, line 641 +/- 40, "We decline operation in various
> situations").
>
> My question is this: As you'll see below, I set NSSVerifyClient require
> at the top level. How is it possible that there is no client certificate
> associated with a connection?

Right, I'll have to take a look to see whether we aren't configuring the 
SSL socket to require a client cert or we are somehow not storing a copy 
of it in the request. I believe NSS should reject the connection if a 
client cert is required and one is not presented.

In this case did you provide a valid client cert?

thanks

rob

>
> All NSS-related configuration follows; about 60 lines.
>
> LoadModule nss_module modules/libmodnss.so
> Listen 192.168.122.187:443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
> NSSPassPhraseDialog  file:/etc/pki/mod_nss/pwfile
> NSSPassPhraseHelper /usr/sbin/nss_pcache
> NSSSessionCacheSize 10000
> NSSSessionCacheTimeout 100
> NSSSession3CacheTimeout 86400
>
> NSSRandomSeed startup builtin
> #NSSRandomSeed startup file:/dev/random  512
> #NSSRandomSeed startup file:/dev/urandom 512
>
> NSSRenegotiation off
> NSSRequireSafeNegotiation off
>
> NSSVerifyClient require
> #NSSUserName SSL_CLIENT_S_DN_CN
> NSSUserName SSL_CLIENT_S_DN
> <VirtualHost _default_:443>
> DocumentRoot "/var/www/html"
> ServerName mumble.mumble
> ServerAdmin mumble at mumble
> ErrorLog logs/ssl_error_log
> CustomLog logs/ssl_access_log common
> LogLevel debug
>
> NSSEngine on
> NSSProtocol TLSv1
> NSSCipherSuite +rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> NSSFIPS on
> NSSCertificateDatabase /etc/pki/mod_nss
> NSSNickname mumble
> NSSOCSP off
>
> <Location />
>          NSSOptions +FakeBasicAuth
>          AuthName "mumble website"
>          AuthType Basic
>          AuthUserFile "userfile"
>          AuthGroupFile "groupfile"
> </Location>
>
> <Directory /var/www/html>
>          AuthName "mumble Website root"
>          Require group admins
> </Directory>
>
> ScriptAlias /cgi-bin/ /var/www/cgi-bin/
> <Directory "/var/www/cgi-bin">
>      NSSOptions +StdEnvVars
>      Require group admins
> </Directory>
>
> </VirtualHost>
>
> _______________________________________________
> Mod_nss-list mailing list
> Mod_nss-list at redhat.com
> https://www.redhat.com/mailman/listinfo/mod_nss-list
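The reply above leaves open whether the server is really refusing handshakes that carry no client certificate. The script below is an added example, not code from this thread or from mod_nss, for checking that from the outside with openssl s_client: once without a certificate (the client answers the CertificateRequest with an empty list, which a "require" server must reject) and once with one, then reporting whether the handshake was rejected, whether a certificate was asked for at all, and what HTTP status came back through the FakeBasicAuth-protected location. The host, port, certificate and key are placeholders supplied on the command line; the sample s_client transcripts are constructed, not captured from a real server; and the alert strings matched are the ones openssl prints for common rejections (the exact alert NSS sends is not stated on this page, so treat it as an assumption and extend the pattern if your server reports something else).

```shell
#!/bin/sh
# Added example, not code from the thread or from mod_nss: probe whether a
# vhost with "NSSVerifyClient require" really refuses a TLS handshake that
# carries no client certificate, and whether it completes (and reaches the
# FakeBasicAuth-protected resource) when a certificate is supplied.
# Assumes openssl(1) is installed; host, port, cert and key are placeholders
# supplied by the reader on the command line.

# Sort the text openssl s_client prints for one attempt into one of:
#   handshake-rejected  server sent a fatal alert (what "require" should do)
#   cert-requested      server asked for a cert but let the handshake finish
#   no-cert-requested   server never asked for a cert at all
# A rejection is checked first because the CertificateRequest is printed
# before the alert that follows an empty certificate reply.
classify_sclient_output() {
    case $1 in
        *"alert handshake failure"*|*"alert bad certificate"*|*"alert certificate required"*)
            echo handshake-rejected ;;
        *"Acceptable client certificate CA names"*)
            echo cert-requested ;;
        *"No client certificate CA names sent"*)
            echo no-cert-requested ;;
        *)
            echo unknown ;;
    esac
}

# Extract the HTTP status code from the response, if the handshake got
# that far; prints "none" otherwise.
http_status() {
    code=$(printf '%s\n' "$1" | sed -n 's/^HTTP\/1\.[01] \([0-9][0-9][0-9]\).*/\1/p' | head -n 1)
    [ -n "$code" ] && echo "$code" || echo none
}

# One connection attempt. With a cert and key, presents them; without,
# answers the CertificateRequest with an empty certificate list, which is
# exactly what the server must refuse. -tls1 matches "NSSProtocol TLSv1"
# from the posted config; drop it if the server has since moved on.
probe() {
    host=$1; port=$2; cert=$3; key=$4
    if [ -n "$cert" ]; then
        out=$(printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" \
              | openssl s_client -connect "$host:$port" -tls1 \
                -cert "$cert" -key "$key" 2>&1 || true)
    else
        out=$(printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" \
              | openssl s_client -connect "$host:$port" -tls1 2>&1 || true)
    fi
    echo "$(classify_sclient_output "$out") $(http_status "$out")"
}

# Constructed samples of s_client output (abbreviated, not captured from a
# real server) so the classifier can be exercised without a network.
SAMPLE_REJECTED='CONNECTED(00000003)
Acceptable client certificate CA names
/C=US/O=mumble/CN=mumble CA
SSL routines:ssl3_read_bytes:sslv3 alert handshake failure'
SAMPLE_OPTIONAL='CONNECTED(00000003)
Acceptable client certificate CA names
/C=US/O=mumble/CN=mumble CA
---
HTTP/1.1 401 Authorization Required'
SAMPLE_NOT_ASKED='CONNECTED(00000003)
No client certificate CA names sent
---
HTTP/1.1 200 OK'

# Usage: sh probe.sh HOST PORT [CLIENT_CERT.pem CLIENT_KEY.pem]
# Expected on a correctly configured "require" vhost:
#   without client cert: handshake-rejected none
#   with client cert:    cert-requested 200   (or 403 if not in the group)
if [ $# -ge 2 ]; then
    echo "without client cert: $(probe "$1" "$2")"
    if [ $# -ge 4 ]; then
        echo "with client cert:    $(probe "$1" "$2" "$3" "$4")"
    fi
fi
```

If the no-certificate probe comes back as cert-requested with a 401, the socket is only requesting a certificate, not requiring one, and the 401 is the FakeBasicAuth fallback the original poster saw; if it comes back handshake-rejected but the browser still occasionally gets the password prompt, the problem is on the request side (the certificate not being carried into the request), which is the other possibility the reply raises. Run it several times in a row against the same server to exercise the session-cache path that reloading in the browser exercises.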
