[Mod_nss-list] Alternative for optional_no_ca in mod nss
Rob Crittenden
rcritten at redhat.com
Wed Aug 12 17:54:06 UTC 2015
Mohanavelu Subramanian wrote:
> Hi Rob,
>
> Thanks a lot for your mail.
>
> I added my root certificate into mod_nss db and configured
> NSSVerifyClient optional.
>
> Server-Cert u,u,u
> server-ca C,,
>
> When I send a request to the server with client certificate, I got an
> exception:
>
> javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca.
>
>
> Do I need to do any configuration changes in mod_nss.conf file after adding CA's certificate into mod_nss db?
>
> Please provide your inputs.
Try setting the CA trust to CT,,. The T is "trusted CA to issue client
certs".
This should do it:
# certutil -M -d /etc/httpd/alias -n server-ca -t CT,,
rob
>
>
> Thanks & Regards,
>
> Mohan
>
>
>
> On Wed, Aug 12, 2015 at 1:28 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Mohanavelu Subramanian wrote:
>
> Hi All,
>
> Good Morning.
>
> I am new to the mod_nss mailing list. I have described the issue I
> am facing to support TLSv1.2.
>
> Currently, our product uses Apache 2.2.12 provided by SLES 11sp3.
> We are doing security hardening now by enabling only the TLSv1.2
> protocol and disabling other protocols. I tried to configure "SSLProtocol
> TLSv1.2". But after Apache restart, it throws an error "invalid
> protocol". I came to know that mod_ssl refers to openssl 0.9.8,
> though we have the latest openssl 1.0.1 (which supports TLSv1.2). The
> mod_ssl loads openssl 0.9.8 always.
>
> It seems the latest Apache version 2.4.x supports TLSv1.2. But this
> Apache version is available in SLES 12 only, which won't be
> available for us for another 6 months. So, we dropped this option.
>
> So, the procurement team advised us to use mod_nss, which can support
> TLSv1.2 with Apache 2.2.12. We started the migration from mod_ssl to
> mod_nss and everything went well, but the directive "SSLVerifyClient
> optional_no_ca" is not available with mod_nss. It provides only
> none, optional, require. So, we are blocked on this and could not
> migrate to mod_nss.
> If I configure optional, the handshake fails.
> But in case of the none option, I understood from the docs available
> on the Internet that the server won't request or require a client
> certificate. But we have clients who send their certificate and we
> verify those certificates for authenticity at application level instead
> of in the Apache server (no CA at the Apache server). So this scenario
> also fails when the application looks for a certificate but it is not
> sent by the client because of the none option.
> Can you please suggest how to overcome this issue, or any other
> alternatives.
>
>
> Why can't you add the issuing CAs on the mod_nss side so optional
> works?
>
> optional_no_ca might be possible but it would be an ugly hack due to
> the way NSS callbacks work. Accepting unknown client certificates
> seems like a bad idea.
>
> rob
>
>
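An added example, not from the thread, for checking the trust flags Rob describes: a shell function that reads a `certutil -L` listing and reports CA certificates whose SSL trust column has C (trusted CA for server certs) but not T (trusted CA to issue client certs), which is the state that produces the unknown_ca alert above. The listing embedded below is constructed for illustration, not taken from a real /etc/httpd/alias database.

```shell
#!/bin/sh
# Added example: check NSS trust flags for client-cert CA trust.
# The first comma-separated field of a certutil trust string is the SSL
# trust: C = trusted CA for server certs, T = trusted CA to issue client
# certs. A CA stored as "C,," will not satisfy NSSVerifyClient optional.

# Constructed sample of `certutil -L -d /etc/httpd/alias` output
# (illustrative only, not a real database listing).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
server-ca                                                    C,,
client-ca                                                    CT,,'

# Return 0 if the SSL trust field of a trust string (e.g. "CT,,") contains T.
has_client_ca_trust() {
  case "${1%%,*}" in
    *T*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Read a certutil -L listing on stdin and print the nickname of every
# CA (SSL trust contains C) that lacks T, i.e. cannot vouch for client certs.
# Only lines whose last field looks like a trust string are considered, so
# the two header lines are skipped. Nicknames may contain spaces, so the
# trust string is taken from the last field and the nickname is the rest.
find_cas_without_client_trust() {
  awk '$NF ~ /^[CTPcpuw]*,[CTPcpuw]*,[CTPcpuw]*$/ {
      trust = $NF
      split(trust, f, ",")
      if (f[1] ~ /C/ && f[1] !~ /T/) {
          nick = substr($0, 1, length($0) - length(trust))
          sub(/[ \t]+$/, "", nick)
          print nick
      }
  }'
}

# Report CAs that would still yield unknown_ca for client certificates.
printf '%s\n' "$SAMPLE_LISTING" | find_cas_without_client_trust
```

Each nickname it prints is a candidate for the `certutil -M -t CT,,` change from the reply above.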