[Mod_nss-list] nss.conf for doing maintenance

Cohen, Laurence lcohen at novetta.com
Thu Aug 27 18:36:06 UTC 2015


Hi,

I'm trying to set up an nss.conf to use while we are doing maintenance, one
that will point all SSL traffic to a file called maintenance.html which
simply states that we are doing maintenance on the server.  The
rewrite.conf we have set up is working fine for port 80 traffic, but the
nss.conf is not working.

Here are the errors I'm getting.  BTW, we are using a self-signed cert
because this is our test system.  I figured this would cause an info message or at
most a warning, but not an error.

[Thu Aug 27 13:38:00 2015] [info] Connection to child 0 established (server
jamie-web1:443, client "Server IP")
[Thu Aug 27 13:38:00 2015] [info] Connection to child 7 established (server
jamie-web1:443, client "Server IP")
[Thu Aug 27 13:38:00 2015] [info] SSL input filter read failed.
[Thu Aug 27 13:38:00 2015] [error] SSL Library Error: -12195 Peer does not
recognize and trust the CA that issued your certificate
[Thu Aug 27 13:38:00 2015] [info] Connection to child 7 closed (server
jamie-web1.novetta.com:443, client Server IP)
[Thu Aug 27 13:38:00 2015] [info] SSL library error -8172 writing data
[Thu Aug 27 13:38:00 2015] [info] SSL Library Error: -8172 Certificate is
signed by an untrusted issuer
[Thu Aug 27 13:38:00 2015] [error] (20014)Internal error: proxy: pass
request body failed to 10.3.238.21:443 (jamie-web1)
[Thu Aug 27 13:38:00 2015] [error] proxy: pass request body failed to
Server IP:443 (jamie-web1) from Server IP ()
[Thu Aug 27 13:38:00 2015] [info] Connection to child 1 closed (server
jamie-web1:443, client "Workstation IP")

This is the nss.conf I'm using.

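# nss.conf - mod_nss (NSS-backed TLS) configuration used for a maintenance page.
# As pasted in the mail, three directives were line-wrapped (NSSCipherSuite,
# NSSProxyCipherSuite and the CustomLog format string). They are rejoined here,
# since a directive and its argument must share one line; everything else is
# kept exactly as given.
Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

# Key-database passphrase is read from a file at startup; the interactive
# builtin prompt is left commented out.
NSSPassPhraseDialog file:/etc/httpd/.password.conf
#NSSPassPhraseDialog  builtin

NSSPassPhraseHelper /usr/sbin/nss_pcache

NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400


NSSRandomSeed startup builtin


<VirtualHost _default_:443>

DocumentRoot "/var/www/docroot"
# NOTE(review): Off only skips matching the backend certificate's CN against the
# proxied hostname; it does not make an untrusted issuer acceptable. The
# "-8172 Certificate is signed by an untrusted issuer" entries in the log are
# this proxy side rejecting the self-signed backend cert, so that certificate's
# issuer must be trusted in the NSSCertificateDatabase configured below (or the
# maintenance page served locally without proxying at all).
NSSProxyCheckPeerCN Off
NSSEngine on
NSSProxyEngine on
# NOTE(review): presumably relaxes validation of this server's own certificate
# at startup rather than of proxy peers - confirm against the mod_nss docs
# before relying on it to accept the self-signed backend.
NSSEnforceValidCerts off
NSSRenegotiation on
NSSRequireSafeNegotiation on

# Same cipher list for the server side and the proxy-client side (kept as given;
# it still enables 3DES suites).
NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

NSSProxyCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

# NOTE(review): as written this may limit the server to TLS 1.0 only; check
# which protocol names this mod_nss version accepts.
NSSProtocol TLSv1
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
NSSFIPS on
# OCSP disabled: no revocation checking is performed on peer certificates.
NSSOCSP off

ProxyPreserveHost On


<Location />
#SSLRenegBufferSize 52430000
      NSSVerifyClient optional
      NSSOptions +ExportCertData +StdEnvVars
      # NOTE(review): the log shows jamie-web1:443 as both this server and the
      # proxy target, so every request - including the proxied /maintenance.html
      # - appears to re-enter this <Location /> and be proxied again. Serving
      # the page locally (Alias/Redirect) would avoid both the loop and the
      # backend-trust failure; verify that jamie-web1 really resolves to this host.
      ProxyPass https://jamie-web1/maintenance.html
      ProxyPassReverse https://jamie-web1/maintenance.html
</Location>

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    NSSOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    NSSOptions +StdEnvVars
</Directory>


# initialize the SSL headers to a blank value to avoid http header forgeries
# (each "set" replaces any client-supplied header of the same name; the second
# group below then overwrites the blank with the value from the TLS layer)
RequestHeader set SSL_CLIENT_CERT ""
RequestHeader set SSL_CIPHER ""
RequestHeader set SSL_SESSION_ID ""
RequestHeader set SSL_CIPHER_USEKEYSIZE ""

RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"

# Per-request TLS log (client cert, subject DN, protocol, cipher); the format
# string must be a single quoted argument on one line.
CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_CLIENT_CERT}x %{SSL_CLIENT_S_DN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log
# info level is what produced the "Connection to child ..." lines in the mail.
LogLevel info

</VirtualHost>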

If anyone can help I'd appreciate it.

Thanks,

Larry Cohen

