[Mod_nss-list] Alternative for optional_no_ca in mod nss

Mohanavelu Subramanian mhnvelu at gmail.com
Wed Aug 12 14:50:43 UTC 2015


Hi Rob,

Thanks a lot for your mail.

I added my root certificate into the mod_nss db and configured NSSVerifyClient
optional.

Server-Cert                                                  u,u,u
server-ca                                                     C,,

When I sent a request to the server with a client certificate, I got an
exception:

javax.net.ssl.SSLException: Connection has been shutdown:
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca.


Do I need to make any configuration changes in the mod_nss.conf file after
adding the CA's certificate into the mod_nss db?

Please provide your inputs.


Thanks & Regards,

Mohan



On Wed, Aug 12, 2015 at 1:28 AM, Rob Crittenden <rcritten at redhat.com> wrote:

> Mohanavelu Subramanian wrote:
>
>> Hi All,
>>
>> Good Morning.
>>
>> I am new to the mod_nss mailing list. I have described below the issue I am
>> facing in supporting TLSv1.2.
>>
>> Currently, our product uses Apache 2.2.12 provided by SLES 11 SP3.
>> We are doing security hardening now by enabling only the TLSv1.2 protocol
>> and disabling the other protocols. I tried to configure "SSLProtocol
>> TLSv1.2". But after the Apache restart, it throws an error "invalid
>> protocol". I came to know that mod_ssl refers to openssl 0.9.8,
>> though we have the latest openssl 1.0.1 (which supports TLSv1.2). mod_ssl
>> always loads openssl 0.9.8.
>>
>> It seems the latest Apache version 2.4.x supports TLSv1.2. But this
>> Apache version is available in SLES 12 only, which won't be available for
>> us for another 6 months. So, we dropped this option.
>>
>> So, the procurement team advised us to use mod_nss, which can support
>> TLSv1.2 with Apache 2.2.12. We started the migration from mod_ssl to
>> mod_nss and everything went well, but the directive "SSLVerifyClient
>> optional_no_ca" is not available with mod_nss. It provides only
>> none, optional, require. So, we are blocked on this and could not migrate
>> to mod_nss.
>> If I configure optional, the handshake fails.
>> But in the case of the none option, I understood from the docs available on
>> the Internet that the server won't request or require a client certificate.
>> But we have clients who send their certificate, and we verify those
>> certificates for authenticity at the application level instead of in the
>> Apache server (no CA at the Apache server). So this scenario also fails when
>> the application looks for the certificate but it is not sent by the client
>> because of the none option.
>> Can you please suggest how to overcome this issue, or any other alternatives.
>>
>
> Why can't you add the issuing CAs on the mod_nss side so optional works?
>
> optional_no_ca might be possible but it would be an ugly hack due to the
> way NSS callbacks work. Accepting unknown client certificates seems like a
> bad idea.
>
> rob
>
>
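As an added example, not part of this thread or of mod_nss itself: a small POSIX shell script that reads a `certutil -L`-style listing (a constructed sample below, modelled on the two-line listing in the message) and reports, for each CA nickname, whether the SSL trust column carries the `T` flag, which certutil documents as "trusted CA to issue client certs". The `server-ca` entry in the message is marked `C,,` only, i.e. trusted to issue server certs; a server that must validate client certificates against that CA needs `T` as well. The db path and PEM file name in the suggested import command are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): audit NSS trust flags of
# CA certificates that an Apache/mod_nss server uses to verify client certs.
# Assumes the listing format of `certutil -L -d <dbdir>`:
#   "<nickname>   <SSL>,<S/MIME>,<JAR/XPI>"  (trust attributes, comma separated)

# Constructed sample listing, modelled on the one quoted in the thread.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
server-ca                                                    C,,
client-ca                                                    CT,,
'

# ssl_trust_flags LISTING NICKNAME
# Prints the SSL trust flags (first comma-separated field) of a nickname.
# Nicknames are assumed to contain no whitespace.
ssl_trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        $1 == nick { split($NF, f, ","); print f[1]; exit }'
}

# trusts_client_certs LISTING NICKNAME
# Returns 0 if the CA is trusted to issue client certificates (T flag), else 1.
trusts_client_certs() {
    flags=$(ssl_trust_flags "$1" "$2")
    case "$flags" in
        *T*) return 0 ;;
        *)   return 1 ;;
    esac
}

# ca_import_command DBDIR NICKNAME PEMFILE
# Prints the certutil command that adds (or re-marks) a CA with trust "CT,,":
#   C = trusted CA to issue server certs, T = trusted CA to issue client certs.
# Re-running -A on an existing nickname updates its trust flags in place.
ca_import_command() {
    printf 'certutil -d %s -A -n %s -t "CT,," -a -i %s\n' "$1" "$2" "$3"
}

# Demo on the constructed listing. Paths and file names are placeholders.
for nick in server-ca client-ca; do
    if trusts_client_certs "$SAMPLE_LISTING" "$nick"; then
        echo "$nick: trusted for client auth ($(ssl_trust_flags "$SAMPLE_LISTING" "$nick"))"
    else
        echo "$nick: NOT trusted for client auth ($(ssl_trust_flags "$SAMPLE_LISTING" "$nick")); fix with:"
        echo "  $(ca_import_command /path/to/nssdb "$nick" "$nick.pem")"
    fi
done
```

To run it against a real database, replace `SAMPLE_LISTING` with the output of `certutil -L -d <dbdir>` (the directory named by `NSSCertificateDatabase` in mod_nss.conf) and restart Apache after changing trust flags, since mod_nss reads the database at startup.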