[Mod_nss-list] nss.conf for doing maintenance

Cohen, Laurence lcohen at novetta.com
Mon Aug 31 14:47:52 UTC 2015


Thank you Standa,

Option number 2 isn't possible at our site.  Would you be able to explain
number 1 to me?  I'm very green with mod_nss so I don't know how to set
this up.

Thanks,

Larry C.

On Mon, Aug 31, 2015 at 3:14 AM, stokos at suse.de <stokos at suse.de> wrote:

> On Thu, 27 Aug 2015 14:36:06 -0400
> "Cohen, Laurence" <lcohen at novetta.com> wrote:
>
> Hi Laurence,
>
> > Hi,
> >
> > I'm trying to set up an nss.conf to use while we are doing maintenance
> > which will point all ssl traffic to a file called maintenance.html
> > which simply states that we are doing maintenance on the server.  The
> > rewrite.conf we have set up is working fine for port 80 traffic, but
> > the nss.conf is not working.
> >
> > Here are the errors I'm getting.  BTW, we are using a self signed cert
> > because this is our test system.  I figured this would cause an info
> > or at most a warning message, but not an error message.
> >
> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 0 established
> > (server jamie-web1:443, client "Server IP")
> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 established
> > (server jamie-web1:443, client "Server IP")
> > [Thu Aug 27 13:38:00 2015] [info] SSL input filter read failed.
> > [Thu Aug 27 13:38:00 2015] [error] SSL Library Error: -12195 Peer
> > does not recognize and trust the CA that issued your certificate
> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 closed (server
> > jamie-web1.novetta.com:443, client Server IP)
> > [Thu Aug 27 13:38:00 2015] [info] SSL library error -8172 writing data
> > [Thu Aug 27 13:38:00 2015] [info] SSL Library Error: -8172
> > Certificate is signed by an untrusted issuer
> > [Thu Aug 27 13:38:00 2015] [error] (20014)Internal error: proxy: pass
> > request body failed to 10.3.238.21:443 (jamie-web1)
> > [Thu Aug 27 13:38:00 2015] [error] proxy: pass request body failed to
> > Server IP:443 (jamie-web1) from Server IP ()
> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 1 closed (server
> > jamie-web1:443, client "Workstation IP")
> >
>
> I suppose that this problem is with the CA certificate on the remote server:
>
> You have two possible solutions:
>
> 1. add CA from remote server to your certificate database at PROXY
> server
> 2. build mod_nss with a patch from this email
>
>
> PS: I have already worked on a similar problem for our customer.
>
> Have a nice day
>
> Standa
>
> > This is the nss.conf I'm using.
> >
> > Listen 443
> >
> > AddType application/x-x509-ca-cert .crt
> > AddType application/x-pkcs7-crl    .crl
> >
> > NSSPassPhraseDialog file:/etc/httpd/.password.conf
> > #NSSPassPhraseDialog  builtin
> >
> > NSSPassPhraseHelper /usr/sbin/nss_pcache
> >
> > NSSSessionCacheSize 10000
> > NSSSessionCacheTimeout 100
> > NSSSession3CacheTimeout 86400
> >
> >
> > NSSRandomSeed startup builtin
> >
> >
> > <VirtualHost _default_:443>
> >
> > DocumentRoot "/var/www/docroot"
> > NSSProxyCheckPeerCN Off
> > NSSEngine on
> > NSSProxyEngine on
> > NSSEnforceValidCerts off
> > NSSRenegotiation on
> > NSSRequireSafeNegotiation on
> >
> > NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> >
> > NSSProxyCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> >
> > NSSProtocol TLSv1
> > NSSNickname Server-Cert
> > NSSCertificateDatabase /etc/httpd/alias
> > NSSFIPS on
> > NSSOCSP off
> >
> > ProxyPreserveHost On
> >
> >
> > <Location />
> > #SSLRenegBufferSize 52430000
> >       NSSVerifyClient optional
> >       NSSOptions +ExportCertData +StdEnvVars
> >       ProxyPass https://jamie-web1/maintenance.html
> >       ProxyPassReverse https://jamie-web1/maintenance.html
> > </Location>
> >
> > <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> >     NSSOptions +StdEnvVars
> > </Files>
> > <Directory "/var/www/cgi-bin">
> >     NSSOptions +StdEnvVars
> > </Directory>
> >
> >
> > # initialize the SSL headers to a blank value to avoid http header forgeries
> > RequestHeader set SSL_CLIENT_CERT ""
> > RequestHeader set SSL_CIPHER ""
> > RequestHeader set SSL_SESSION_ID ""
> > RequestHeader set SSL_CIPHER_USEKEYSIZE ""
> >
> > RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
> > RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
> > RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
> > RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
> >
> > CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_CLIENT_CERT}x
> > %{SSL_CLIENT_S_DN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >
> >
> > ErrorLog /etc/httpd/logs/error_log
> > TransferLog /etc/httpd/logs/access_log
> > LogLevel info
> >
> > </VirtualHost>
> >
> > If anyone can help I'd appreciate it.
> >
> > Thanks,
> >
> > Larry Cohen
>
>
> _______________________________________________
> Mod_nss-list mailing list
> Mod_nss-list at redhat.com
> https://www.redhat.com/mailman/listinfo/mod_nss-list
>



-- 


Larry Cohen

System Administrator


12021 Sunset Hills Road, Suite 400

Reston, VA 20190

Email  lcohen at novetta.com

Office  703-885-1064
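What Standa's option 1 amounts to in practice, as an added example that is not part of the thread or of mod_nss itself: the -12195/-8172 errors in the posted log are raised on the proxy, which is the TLS client to jamie-web1, because the NSS database named by NSSCertificateDatabase (/etc/httpd/alias in the posted nss.conf) contains no trusted issuer for the backend's certificate. The script below pulls the chain the backend presents with openssl s_client, keeps the top-most certificate (for a self-signed backend that is the leaf itself, which is also its own issuer), and imports it into that database with certutil as a trusted server CA. The nickname jamie-web1-CA, the DO_IMPORT switch, the script name and the availability of openssl and certutil on the proxy are assumptions; the database path and backend host come from the posted config.

```shell
#!/bin/sh
# Added example (not from the thread): import the backend's issuing certificate
# into the mod_nss certificate database on the proxy so NSS can build and trust
# the chain for jamie-web1. Nickname and script switches are assumptions.
set -eu

NSSDB="${NSSDB:-/etc/httpd/alias}"      # NSSCertificateDatabase from the posted nss.conf
NICK="${NICK:-jamie-web1-CA}"           # assumed nickname for the imported CA
BACKEND="${BACKEND:-jamie-web1:443}"    # proxy target taken from the posted ProxyPass

# Count PEM certificate blocks in a file (pure shell, no NSS needed).
# grep -c exits 1 when the count is 0, so mask that for set -e.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Copy the last certificate block in a PEM bundle to $2. With
# `openssl s_client -showcerts` the last block is the highest certificate
# the backend sent; for a self-signed backend it is the leaf itself.
last_pem_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inblock = 1 }
        inblock { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ { inblock = 0; last = buf }
        END { printf "%s", last }
    ' "$1" > "$2"
}

# Fetch the chain the backend presents (needs network and openssl).
fetch_chain() {
    openssl s_client -connect "$BACKEND" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$1"
}

# Import a PEM certificate as a CA trusted for SSL server authentication
# (trust flag "C" in the first, SSL, position) and print it back for review.
# certutil ships in nss-tools on RHEL/Fedora.
import_ca() {
    certutil -A -d "$NSSDB" -n "$NICK" -t "C,," -i "$1"
    certutil -L -d "$NSSDB" -n "$NICK" | head -n 20
}

main() {
    tmp="$(mktemp -d)"
    fetch_chain "$tmp/chain.pem"
    n="$(count_pem_certs "$tmp/chain.pem")"
    if [ "$n" -eq 0 ]; then
        echo "no certificate received from $BACKEND" >&2
        rm -rf "$tmp"
        exit 1
    fi
    echo "backend sent $n certificate(s); importing the top-most one as $NICK"
    last_pem_cert "$tmp/chain.pem" "$tmp/ca.pem"
    import_ca "$tmp/ca.pem"
    rm -rf "$tmp"
    echo "imported into $NSSDB; restart httpd and retry the proxied request"
}

# The network and NSS steps only run when explicitly requested.
if [ "${DO_IMPORT:-0}" = "1" ]; then
    main
fi
```

Run it on the proxy as `DO_IMPORT=1 sh import-backend-ca.sh`, then restart httpd and check the error_log for the two library errors again. Importing a self-signed leaf as a trusted CA is fine for a test system, but it pins trust to that one key: whenever the backend's certificate is regenerated the import has to be repeated, and for production the cleaner fix is a backend certificate issued by a CA the proxy's database already trusts. If the backend sends a full chain, `certutil -L -d /etc/httpd/alias` afterwards should list the imported issuer with the `C` trust flag next to the existing Server-Cert entry.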

