[Mod_nss-list] Alternative for optional_no_ca in mod nss

Rob Crittenden rcritten at redhat.com
Tue Aug 11 19:58:33 UTC 2015


Mohanavelu Subramanian wrote:
> Hi All,
>
> Good Morning.
>
> I am new to the mod_nss mailing list. I have described the issue I am facing
> in supporting TLSv1.2.
>
> Currently, our product uses Apache 2.2.12 provided by SLES 11 SP3.
> We are doing security hardening now by enabling only the TLSv1.2 protocol
> and disabling other protocols. I tried to configure "SSLProtocol
> TLSv1.2". But after an Apache restart, it throws an error "invalid
> protocol". I came to know that mod_ssl refers to OpenSSL 0.9.8,
> though we have the latest OpenSSL 1.0.1 (which supports TLSv1.2). mod_ssl
> always loads OpenSSL 0.9.8.
>
> It seems the latest Apache version 2.4.x supports TLSv1.2. But this
> Apache version is available in SLES 12 only, which won't be available for
> us for another 6 months. So, we dropped this option.
>
> So, the procurement team advised us to use mod_nss, which can support
> TLSv1.2 with Apache 2.2.12. We started the migration from mod_ssl to
> mod_nss and everything went well, but the directive "SSLVerifyClient
> optional_no_ca" is not available with mod_nss. It provides only
> none, optional and require. So, we are blocked on this and could not migrate
> to mod_nss.
> If I configure optional, the handshake fails.
> But in the case of the none option, I understood from the docs available on the
> Internet that the server won't request or require a client certificate. But we
> have clients who send their certificate and we verify those certificates
> for authenticity at the application level instead of in the Apache server (no CA
> at the Apache server). So this scenario also fails when the application
> looks for a certificate that was not sent by the client because of the none option.
> Can you please suggest how to overcome this issue, or any other alternatives.

Why can't you add the issuing CAs on the mod_nss side so optional works?

optional_no_ca might be possible but it would be an ugly hack due to the 
way NSS callbacks work. Accepting unknown client certificates seems like 
a bad idea.

rob
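Rob's suggestion in concrete form, as an added example that is not part of this thread and not the mod_nss project's own documentation: import the CA that issues the client certificates into the NSS database with the trust bits NSS needs to verify client certificates, check those bits before restarting Apache, and replace the mod_ssl directives with their mod_nss counterparts. The database path /etc/httpd/alias, the nicknames "Server-Cert" and "ClientCA", the CA file path, the cipher names and the certutil -L listing used for the check are assumptions or constructed for the example; NSSProtocol TLSv1.2 assumes a mod_nss build new enough to accept it.

```shell
#!/bin/sh
# Added example (not from the thread or the mod_nss project). Assumptions:
# NSS database at /etc/httpd/alias, server cert nickname "Server-Cert",
# client-issuing CA stored as "ClientCA", CA PEM at /etc/pki/client-ca.pem.
NSS_DB=${NSS_DB:-/etc/httpd/alias}
CA_NICK=${CA_NICK:-ClientCA}
CA_PEM=${CA_PEM:-/etc/pki/client-ca.pem}

# Import the CA that issues the client certificates. The SSL trust field
# needs "T" (trusted CA for client authentication); "C" alone only covers
# server certificates, and NSSVerifyClient optional would still reject the
# handshake for certificates chained to this CA.
import_client_ca() {
    certutil -A -d "$NSS_DB" -n "$CA_NICK" -t "CT,," -i "$CA_PEM"
}

# Read a "certutil -L" listing on stdin and print the SSL trust flags of the
# named certificate (first field of the "SSL,S/MIME,JAR/XPI" column).
# Exits 1 when the nickname is not in the listing.
ssl_trust_flags() {
    awk -v nick="$1" '
        $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
            attrs = $NF
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)   # drop the trust column
            if (line == nick) { split(attrs, f, ","); print f[1]; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Succeed only if the CA carries the "T" bit, i.e. NSS will accept client
# certificates chained to it.
trusted_for_client_auth() {
    flags=$(ssl_trust_flags "$1") || return 1
    case "$flags" in *T*) return 0 ;; *) return 1 ;; esac
}

# mod_nss vhost replacing "SSLVerifyClient optional_no_ca": the CA is now
# trusted in the database, so "optional" verifies the chain, and
# ExportCertData still hands SSL_CLIENT_CERT to the application for its own
# checks. The cipher names are an assumption; use ones your mod_nss build lists.
render_vhost_config() {
    cat <<EOF
Listen 443
<VirtualHost _default_:443>
    NSSEngine on
    NSSProtocol TLSv1.2
    NSSCipherSuite +rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
    NSSCertificateDatabase $NSS_DB
    NSSNickname Server-Cert
    NSSVerifyClient optional
    NSSOptions +StdEnvVars +ExportCertData
</VirtualHost>
EOF
}

# Only touch the real database and config when asked to.
if [ "${1:-}" = "--apply" ]; then
    import_client_ca
    certutil -L -d "$NSS_DB" | trusted_for_client_auth "$CA_NICK" \
        || { echo "$CA_NICK lacks the T trust bit in $NSS_DB" >&2; exit 1; }
    render_vhost_config > /etc/apache2/conf.d/nss-vhost.conf
fi
```

Run it with `--apply` as root on the web server; without the flag it only defines the functions, so the trust-flag check can be tried against a saved `certutil -L` listing first. A client whose certificate chains to a CA that is not in the database will still fail the handshake under "optional", which is exactly the behaviour Rob describes as preferable to accepting unknown certificates.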
