[Mod_nss-list] Alternative for optional_no_ca in mod nss

Rob Crittenden rcritten at redhat.com
Wed Aug 12 17:54:06 UTC 2015


Mohanavelu Subramanian wrote:
> Hi Rob,
>
> Thanks a lot for your mail.
>
>   I added my root certificate into mod_nss db and configured
> NSSVerifyClient optional.
>
> Server-Cert                                                  u,u,u
> server-ca                                                     C,,
>
> When I send a request to the server with a client certificate, I got an
> exception:
>
> javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca.
>
>
> Do I need to do any configuration changes in mod_nss.conf file after adding CA's certificate into mod_nss db?
>
> Please provide your inputs.

Try setting the CA trust to CT,,. The T is "trusted CA to issue client 
certs".

This should do it:
# certutil -M -d /etc/httpd/alias -n server-ca -t CT,,

rob

>
>
> Thanks & Regards,
>
> Mohan
>
>
>
> On Wed, Aug 12, 2015 at 1:28 AM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
>
>     Mohanavelu Subramanian wrote:
>
>         Hi All,
>
>         Good Morning.
>
>         I am new to the mod_nss mailing list. I have described the issue I
>         am facing in supporting TLSv1.2.
>
>         Currently, our product uses Apache 2.2.12 provided by SLES 11sp3.
>         We are doing security hardening now by enabling only the TLSv1.2
>         protocol and disabling other protocols. I tried to configure
>         "SSLProtocol TLSv1.2". But after an Apache restart, it throws an
>         error "invalid protocol". I came to know that mod_ssl refers to
>         OpenSSL 0.9.8, though we have the latest OpenSSL 1.0.1 (which
>         supports TLSv1.2). mod_ssl always loads OpenSSL 0.9.8.
>
>         It seems the latest Apache version 2.4.x supports TLSv1.2. But this
>         Apache version is available in SLES 12 only, which won't be
>         available for us for another 6 months. So we dropped this option.
>
>         So, the procurement team advised us to use mod_nss, which can support
>         TLSv1.2 with Apache 2.2.12. We started the migration from mod_ssl to
>         mod_nss and everything went well, but the directive "SSLVerifyClient
>         optional_no_ca" is not available with mod_nss. It provides only
>         none, optional and require. So we are blocked on this and could not
>         migrate to mod_nss.
>         If I configure optional, the handshake fails.
>         But in the case of the none option, I understood from the docs
>         available on the Internet that the server won't request or require a
>         client certificate. But we have clients who send their certificate
>         and we verify those certificates for authenticity at the application
>         level instead of in the Apache server (no CA at the Apache server).
>         So this scenario also fails when the application looks for a
>         certificate that is not sent by the client because of the none
>         option.
>         Can you please suggest how to overcome this issue, or any other
>         alternatives.
>
>
>     Why can't you add the issuing CAs on the mod_nss side so optional
>     works?
>
>     optional_no_ca might be possible but it would be an ugly hack due to
>     the way NSS callbacks work. Accepting unknown client certificates
>     seems like a bad idea.
>
>     rob
>
>

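The script below is an added example, not code from the thread, from mod_nss or from NSS. It parses a `certutil -L` listing, reports whether the SSL trust column of a CA carries the `T` flag that Rob's reply refers to (trusted CA to issue client certificates), and, when explicitly pointed at a real database, applies the same `certutil -M ... -t CT,,` fix while keeping the flags already present. The listing it runs against is constructed from the two lines quoted in the thread, not real output; the database path `/etc/httpd/alias`, the nickname `server-ca` and the `NSS_DBDIR`/`NSS_CA_NICK` variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, mod_nss or NSS): check and fix the
# NSS trust flags a CA needs before mod_nss will accept client certificates
# it issued. The sample listing is constructed from the thread, not real
# certutil output; /etc/httpd/alias and server-ca are assumed names.

# Print the SSL (first) trust attribute of the cert named $1, reading a
# "certutil -L" listing on stdin. Returns 1 if no such nickname is listed.
# certutil pads its columns with spaces (assumed: no tabs), so the trust
# triple is the last space-separated token and the nickname precedes it.
nss_ssl_trust() {
    while IFS= read -r line; do
        trust=${line##* }
        case "$trust" in
            *,*,*) case "$trust" in *[!CTPpcuw,]*) continue ;; esac ;;
            *) continue ;;   # header lines, blank lines
        esac
        name=$(printf '%s\n' "${line%"$trust"}" | sed 's/^ *//; s/ *$//')
        if [ "$name" = "$1" ]; then
            printf '%s\n' "${trust%%,*}"
            return 0
        fi
    done
    return 1
}

# 0 if the SSL trust attribute contains T. Without T, NSS does not treat
# the CA as an issuer of client certificates, so a client cert chaining
# to it is rejected during the handshake; the Java client in the thread
# reports that rejection as a fatal unknown_ca alert.
ca_trusts_client_certs() {
    case "$1" in *T*) return 0 ;; *) return 1 ;; esac
}

# On a real database ($1 = directory such as /etc/httpd/alias, $2 = CA
# nickname), add T to the existing SSL flags. The S/MIME and code-signing
# columns stay empty as in Rob's command. Assumes a unique nickname.
ensure_client_ca_trust() {
    dbdir=$1; nick=$2
    cur=$(certutil -L -d "$dbdir" | nss_ssl_trust "$nick") || {
        echo "no certificate named '$nick' in $dbdir" >&2
        return 1
    }
    if ca_trusts_client_certs "$cur"; then
        echo "$nick already trusted for client certs (SSL flags: $cur)"
        return 0
    fi
    certutil -M -d "$dbdir" -n "$nick" -t "${cur}T,,"
}

# Constructed listing mirroring the poster's database (not real output).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
server-ca                                                    C,,'

trust_from_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | nss_ssl_trust "$1"
}

# Stand-alone run: diagnose the sample; touch a real database only when
# NSS_DBDIR is set explicitly (assumed variable names).
if t=$(trust_from_sample server-ca) && ca_trusts_client_certs "$t"; then
    echo "sample server-ca: SSL flags '$t', client certs from it are accepted"
else
    echo "sample server-ca: SSL flags '${t:-none}', missing T; expect unknown_ca"
fi
if [ -n "$NSS_DBDIR" ]; then
    ensure_client_ca_trust "$NSS_DBDIR" "${NSS_CA_NICK:-server-ca}"
fi
```

Run it without arguments to see the diagnosis of the sample listing; run it as `NSS_DBDIR=/etc/httpd/alias sh check-ca-trust.sh` (root, since the database is root-owned) to apply the flag change to the real database, then restart httpd so mod_nss reloads the database. The script only ever adds `T` to the SSL column; it never grants trust a CA did not already have for server certificates, and it leaves the S/MIME and code-signing columns alone.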