[Mod_nss-list] Alternative for optional_no_ca in mod nss
Mohanavelu Subramanian
mhnvelu at gmail.com
Tue Aug 11 19:44:50 UTC 2015
Hi All,
Good Morning.
I am to new mod nss mailing list. I have described the issue I am facing to
support TLSv1.2
Currently, our product use Apache 2.2.12 provided by SLES 11sp3.
We are doing a securing hardening now by enabling only TLSv1.2 protocol and
disabling other protocols. I tried to configure "SSLProtocol TLSv1.2". But
after apache restart, it throws an error "invalid protocol". I came to know
that mod_ssl refers openssl 0.9.8 version, though we have latest openssl
1.0.1(which supports TLSv1.2). The mod_ssl loads openssl0.9.8 always.
It seems the latest Apache version 2.4.x supports TLSv1.2. But this apache
version is available in SLES 12 only which wont be available for us for
another 6 months.So, we dropped this option.
So, the procurement team advised us to use mod_nss which can support
TLSv1.2 with Apache 2.2.12. We started the migration from mod_ssl to
mod_nss and everything went well, but the directive "SSLVerifyClient
optional_no_ca" is not available with mod_nss. It provides only
none,optional,require.So, we are blocked on this and could not migrate to
mod_nss.
If I configure optional, the handshake fails.
But in case of none option , I understood from the doc's available from
Internet that server won't request or require client certificate. But we
have clients who send their certificate and we verify those certificate for
authenticity at application level instead of in apache server(no ca at
apache server ). So this scenario also fails when the application looks for
certificate but not sent by client because of none option .
Can you please suggest how to overcome this issue, any other alternatives.
Thanks in advance.
Regards,
Mohan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/mod_nss-list/attachments/20150812/bc7236dc/attachment.htm>
More information about the Mod_nss-list
mailing list