[Mod_nss-list] nss.conf for doing maintenance
stokos at suse.de
stokos at suse.de
Mon Aug 31 07:14:28 UTC 2015
On Thu, 27 Aug 2015 14:36:06 -0400
"Cohen, Laurence" <lcohen at novetta.com> wrote:
Hi Laurence,
> Hi,
>
> I'm trying to set up an nss.conf to use while we are doing maintenance
> which will point all ssl traffic to a file called maintenance.html
> which simply states that we are doing maintenance on the server. The
> rewrite.conf we have set up is working fine for port 80 traffic, but
> the nss.conf is not working.
>
> Here are the errors I'm getting. BTW, we are using a self signed cert
> because this is our test system. I figured this would cause an info
> or at most a warning message, but not an error message.
>
> [Thu Aug 27 13:38:00 2015] [info] Connection to child 0 established
> (server jamie-web1:443, client "Server IP")
> [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 established
> (server jamie-web1:443, client "Server IP")
> [Thu Aug 27 13:38:00 2015] [info] SSL input filter read failed.
> [Thu Aug 27 13:38:00 2015] [error] SSL Library Error: -12195 Peer
> does not recognize and trust the CA that issued your certificate
> [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 closed (server
> jamie-web1.novetta.com:443, client Server IP)
> [Thu Aug 27 13:38:00 2015] [info] SSL library error -8172 writing data
> [Thu Aug 27 13:38:00 2015] [info] SSL Library Error: -8172
> Certificate is signed by an untrusted issuer
> [Thu Aug 27 13:38:00 2015] [error] (20014)Internal error: proxy: pass
> request body failed to 10.3.238.21:443 (jamie-web1)
> [Thu Aug 27 13:38:00 2015] [error] proxy: pass request body failed to
> Server IP:443 (jamie-web1) from Server IP ()
> [Thu Aug 27 13:38:00 2015] [info] Connection to child 1 closed (server
> jamie-web1:443, client "Workstation IP")
>
I suppose that this problem is with CA certificate on remote server:
You have two possible solution:
1. add CA from remote server to your certificate database at PROXY
server
2. build mod_nss with a patch from this email
PS: I have already worked on a similar problem for our customer.
Have nice day
Standa
> This is the nss.conf I'm using.
>
> Listen 443
>
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
>
> NSSPassPhraseDialog file:/etc/httpd/.password.conf
> #NSSPassPhraseDialog builtin
>
> NSSPassPhraseHelper /usr/sbin/nss_pcache
>
> NSSSessionCacheSize 10000
> NSSSessionCacheTimeout 100
> NSSSession3CacheTimeout 86400
>
>
> NSSRandomSeed startup builtin
>
>
> <VirtualHost _default_:443>
>
> DocumentRoot "/var/www/docroot"
> NSSProxyCheckPeerCN Off
> NSSEngine on
> NSSProxyEngine on
> NSSEnforceValidCerts off
> NSSRenegotiation on
> NSSRequireSafeNegotiation on
>
> NSSCipherSuite
> +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> NSSProxyCipherSuite
> +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> NSSProtocol TLSv1
> NSSNickname Server-Cert
> NSSCertificateDatabase /etc/httpd/alias
> NSSFIPS on
> NSSOCSP off
>
> ProxyPreserveHost On
>
>
> <Location />
> #SSLRenegBufferSize 52430000
> NSSVerifyClient optional
> NSSOptions +ExportCertData +StdEnvVars
> ProxyPass https://jamie-web1/maintenance.html
> ProxyPassReverse https://jamie-web1/maintenance.html
> </Location>
>
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> NSSOptions +StdEnvVars
> </Files>
> <Directory "/var/www/cgi-bin">
> NSSOptions +StdEnvVars
> </Directory>
>
>
> # initialize the SSL headers to a blank value to avoid http header
> forgeries RequestHeader set SSL_CLIENT_CERT ""
> RequestHeader set SSL_CIPHER ""
> RequestHeader set SSL_SESSION_ID ""
> RequestHeader set SSL_CIPHER_USEKEYSIZE ""
>
> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
> RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
> RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
> RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
>
> CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_CLIENT_CERT}x
> %{SSL_CLIENT_S_DN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>
> ErrorLog /etc/httpd/logs/error_log
> TransferLog /etc/httpd/logs/access_log
> LogLevel info
>
> </VirtualHost>
>
> If anyone can help I'd appreciate it.
>
> Thanks,
>
> Larry Cohen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: proxy-NSSProxyCheckPeerCA-off.patch
Type: text/x-patch
Size: 10324 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/mod_nss-list/attachments/20150831/d1c8ec32/attachment.bin>
More information about the Mod_nss-list
mailing list