[Mod_nss-list] nss.conf for doing maintenance

Cohen, Laurence lcohen at novetta.com
Mon Aug 31 14:59:17 UTC 2015


Ok, I'll give this a shot.  Thank you for your help.

On Mon, Aug 31, 2015 at 10:56 AM, Rob Crittenden <rcritten at redhat.com> wrote:

> Cohen, Laurence wrote:
>
>> Thank you Standa,
>>
>> Option number 2 isn't possible at our site.  Would you be able to
>> explain number 1 to me?  I'm very green with mod_nss so I don't know how
>> to set this up.
>>
>
> The problem you're seeing is that in proxy mode, mod_nss is acting as a
> client and it doesn't trust or know the issuer of the server certificate it
> is contacting. So you need to get that CA cert (or chain) and add it to the
> mod_nss NSS database.
>
> You can add it ala:
>
> # certutil -A -d /etc/httpd/alias -n <some useful unique nickname> -t CT,, -a -i /path/to/ca.pem
>
> rob
>
>
>> Thanks,
>>
>> Larry C.
>>
>> On Mon, Aug 31, 2015 at 3:14 AM, stokos at suse.de <stokos at suse.de> wrote:
>>
>>     On Thu, 27 Aug 2015 14:36:06 -0400
>>     "Cohen, Laurence" <lcohen at novetta.com> wrote:
>>
>>     Hi Laurence,
>>
>>      > Hi,
>>      >
>>      > I'm trying to set up an nss.conf to use while we are doing maintenance
>>      > which will point all ssl traffic to a file called maintenance.html
>>      > which simply states that we are doing maintenance on the server. The
>>      > rewrite.conf we have set up is working fine for port 80 traffic, but
>>      > the nss.conf is not working.
>>      >
>>      > Here are the errors I'm getting.  BTW, we are using a self-signed cert
>>      > because this is our test system.  I figured this would cause an info
>>      > or at most a warning message, but not an error message.
>>      >
>>      > [Thu Aug 27 13:38:00 2015] [info] Connection to child 0 established (server jamie-web1:443, client "Server IP")
>>      > [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 established (server jamie-web1:443, client "Server IP")
>>      > [Thu Aug 27 13:38:00 2015] [info] SSL input filter read failed.
>>      > [Thu Aug 27 13:38:00 2015] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
>>      > [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 closed (server jamie-web1.novetta.com:443, client Server IP)
>>      > [Thu Aug 27 13:38:00 2015] [info] SSL library error -8172 writing data
>>      > [Thu Aug 27 13:38:00 2015] [info] SSL Library Error: -8172 Certificate is signed by an untrusted issuer
>>      > [Thu Aug 27 13:38:00 2015] [error] (20014)Internal error: proxy: pass request body failed to 10.3.238.21:443 (jamie-web1)
>>      > [Thu Aug 27 13:38:00 2015] [error] proxy: pass request body failed to Server IP:443 (jamie-web1) from Server IP ()
>>      > [Thu Aug 27 13:38:00 2015] [info] Connection to child 1 closed (server jamie-web1:443, client "Workstation IP")
>>      >
>>
>>     I suppose that this problem is with the CA certificate on the remote server:
>>
>>     You have two possible solutions:
>>
>>     1. add CA from remote server to your certificate database at PROXY
>>     server
>>     2. build mod_nss with a patch from this email
>>
>>
>>     PS: I have already worked on a similar problem for our customer.
>>
>>     Have a nice day
>>
>>     Standa
>>
>>      > This is the nss.conf I'm using.
>>      >
>>      > Listen 443
>>      >
>>      > AddType application/x-x509-ca-cert .crt
>>      > AddType application/x-pkcs7-crl    .crl
>>      >
>>      > NSSPassPhraseDialog file:/etc/httpd/.password.conf
>>      > #NSSPassPhraseDialog  builtin
>>      >
>>      > NSSPassPhraseHelper /usr/sbin/nss_pcache
>>      >
>>      > NSSSessionCacheSize 10000
>>      > NSSSessionCacheTimeout 100
>>      > NSSSession3CacheTimeout 86400
>>      >
>>      >
>>      > NSSRandomSeed startup builtin
>>      >
>>      >
>>      > <VirtualHost _default_:443>
>>      >
>>      > DocumentRoot "/var/www/docroot"
>>      > NSSProxyCheckPeerCN Off
>>      > NSSEngine on
>>      > NSSProxyEngine on
>>      > NSSEnforceValidCerts off
>>      > NSSRenegotiation on
>>      > NSSRequireSafeNegotiation on
>>      >
>>      > NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>>      >
>>      > NSSProxyCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>>      >
>>      > NSSProtocol TLSv1
>>      > NSSNickname Server-Cert
>>      > NSSCertificateDatabase /etc/httpd/alias
>>      > NSSFIPS on
>>      > NSSOCSP off
>>      >
>>      > ProxyPreserveHost On
>>      >
>>      >
>>      > <Location />
>>      > #SSLRenegBufferSize 52430000
>>      >       NSSVerifyClient optional
>>      >       NSSOptions +ExportCertData +StdEnvVars
>>      >       ProxyPass https://jamie-web1/maintenance.html
>>      >       ProxyPassReverse https://jamie-web1/maintenance.html
>>      > </Location>
>>      >
>>      > <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>>      >     NSSOptions +StdEnvVars
>>      > </Files>
>>      > <Directory "/var/www/cgi-bin">
>>      >     NSSOptions +StdEnvVars
>>      > </Directory>
>>      >
>>      >
>>      > # initialize the SSL headers to a blank value to avoid http header forgeries
>>      > RequestHeader set SSL_CLIENT_CERT ""
>>      > RequestHeader set SSL_CIPHER ""
>>      > RequestHeader set SSL_SESSION_ID ""
>>      > RequestHeader set SSL_CIPHER_USEKEYSIZE ""
>>      >
>>      > RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
>>      > RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
>>      > RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
>>      > RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
>>      >
>>      > CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_CLIENT_CERT}x %{SSL_CLIENT_S_DN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>      >
>>      >
>>      > ErrorLog /etc/httpd/logs/error_log
>>      > TransferLog /etc/httpd/logs/access_log
>>      > LogLevel info
>>      >
>>      > </VirtualHost>
>>      >
>>      > If anyone can help I'd appreciate it.
>>      >
>>      > Thanks,
>>      >
>>      > Larry Cohen
>>
>>
>>     _______________________________________________
>>     Mod_nss-list mailing list
>>     Mod_nss-list at redhat.com
>>     https://www.redhat.com/mailman/listinfo/mod_nss-list
>>
>>
>>
>>
>> --
>>
>> www.novetta.com
>>
>> Larry Cohen
>>
>> System Administrator
>>
>>
>> 12021 Sunset Hills Road, Suite 400
>>
>> Reston, VA 20190
>>
>> Email lcohen at novetta.com
>>
>> Office 703-885-1064
>>
>>
>>
>>
>>
>


-- 


Larry Cohen

System Administrator


12021 Sunset Hills Road, Suite 400

Reston, VA 20190

Email  lcohen at novetta.com

Office  703-885-1064
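Rob's certutil command above imports one certificate under one nickname and marks it with the CT,, trust flags (the first comma-separated group is the SSL trust; "C" means "trusted CA for issuing server certificates", "T" adds client-certificate issuance). What the thread does not show is how to handle a backend that sends a chain with an intermediate, and how to confirm afterwards that the proxy's database actually trusts the issuer before restarting httpd. The script below is an added example, not code from the thread or from the mod_nss project: it splits a PEM chain so each issuer gets its own nickname, runs the same certutil -A invocation per certificate, and checks the "certutil -L" listing for the "C" flag. The nickname prefix "backend-ca", the chain path and both sample outputs are assumptions or constructed data, not values from the list archive; the database path is the NSSCertificateDatabase from the posted nss.conf.

```shell
#!/bin/sh
# Added example, not part of the thread. Imports a backend CA chain into the
# mod_nss database the way Rob's certutil -A command does, one nickname per
# certificate, then confirms the nickname carries the "C" (trusted CA for SSL)
# flag. Paths, the nickname prefix "backend-ca" and the sample outputs below are
# assumptions or constructed data, not values from the list archive.

NSSDB=/etc/httpd/alias   # NSSCertificateDatabase in the posted nss.conf

# Constructed two-certificate PEM bundle (placeholder bodies, not real certs).
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
root-ca-body-placeholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate-body-placeholder
-----END CERTIFICATE-----'

# Constructed "certutil -L -d $NSSDB" listing. Trust column is SSL,S/MIME,JAR.
SAMPLE_CERTUTIL_L='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

Server-Cert                                 u,u,u
backend-ca-1                                CT,,
stale-backend-ca                            ,,'

# Split a PEM bundle into $2/cert-N.pem (N counting from 1) and print how many
# certificates were written. Text outside BEGIN/END markers is dropped, so
# "subject=" lines from openssl output do not end up in the files.
split_pem_chain() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }
        END { print n + 0 }
    ' "$bundle"
}

# Read certutil -L output on stdin; exit 0 only if nickname $1 is present and
# its SSL trust flags (first comma-separated group) include "C".
has_ssl_ca_trust() {
    awk -v nick="$1" '
        NF >= 2 {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trust column
            sub(/^[ \t]+/, "", name)
            if (name == nick) {
                split(flags, f, ",")
                done = 1
                status = (f[1] ~ /C/) ? 0 : 1
                exit status
            }
        }
        END { if (!done) exit 1; exit status }
    '
}

# Import every certificate in the bundle under $2-N, then verify the first one
# is listed as a trusted SSL CA. Requires certutil (nss-tools) and write access
# to the database, so it only runs when called explicitly from the usage line.
import_ca_chain() {
    bundle=$1; nickbase=$2
    tmp=$(mktemp -d)
    n=$(split_pem_chain "$bundle" "$tmp") || return 1
    i=1
    while [ "$i" -le "$n" ]; do
        # Same invocation Rob gave, one certificate per nickname.
        certutil -A -d "$NSSDB" -n "$nickbase-$i" -t CT,, -a -i "$tmp/cert-$i.pem" || return 1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    certutil -L -d "$NSSDB" | has_ssl_ca_trust "$nickbase-1"
}

# Usage (assumed paths): sh import-backend-ca.sh /path/to/ca-chain.pem backend-ca
if [ "$#" -eq 2 ]; then
    import_ca_chain "$1" "$2"
fi
```

A nickname that shows up with ",," in the listing was imported without trust and will keep producing the -8172 error; re-running the import with -t CT,, fixes that without deleting the entry. Note also that NSSProxyCheckPeerCN Off in the posted nss.conf only skips the hostname match against the backend certificate; issuer trust is still enforced by NSS, which is why the import is required in the first place.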