<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
Thank you very much for your help Luis<br>
<br>
I changed the directive to <Location> again. I realized I did
really bad copy-paste, cause <Location> directive needs a url (in
this case /files) instead of a directory. So, if I let the
configuration just like before, Apache let me go to the webpage without
asking for the certificate. This was because i didn't request a
location "/var/www/testmodnss/files" (what's more, it doesn't exist).
So I changed location to "/files" and I get the error again...<br>
<br>
I also tried all you told me but I still get the error... :(<br>
<br>
This is how my configuration looks like now (I didn't put the <b>NSSRenegotiation
off</b> and <b>NSSRequireSafeNegotiation off</b> directives cause
Apache is giving me an error at startup saying that are not recognized
:S)<br>
<br>
<br>
<br>
<i><VirtualHost *:443><br>
<br>
ServerName amsterdam<br>
<br>
LogLevel debug<br>
ErrorLog /var/log/apache2/testmodnss/error.log<br>
CustomLog /var/log/apache2/testmodnss/access.log combined<br>
DocumentRoot /var/www/testmodnss<br>
<br>
# ssl<br>
NSSEngine on<br>
RewriteEngine on<br>
NSSCipherSuite
-des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha<br>
<br>
#NSSProtocol All<br>
NSSProtocol SSLv3,TLSv1<br>
<br>
## Certificate database. It contains both public and private key of the
ssl server. It also contains the CA certificate of the allowed client
certificates<br>
NSSCertificateDatabase /etc/apache2/certs/nss/<br>
<br>
NSSNickName Server-Cert<br>
<br>
<br>
# ssl client<br>
<br>
<Location "/files"><br>
<br>
NSSVerifyClient require<br>
NSSOptions +ExportCertData<br>
NSSOptions +StdEnvVars<br>
<br>
</Location><br>
<br>
</VirtualHost><br>
<br>
NSSPassPhraseHelper /usr/sbin/nss_pcache</i><br>
<br>
<br>
<br>
<br>
On 31/08/10 11:26, Luis Neves wrote:
<blockquote cite="mid:COL110-W17DA3CBBC7E34D4F2CE2B0A78A0@phx.gbl"
type="cite">
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>or
<br>
NSSProtocol SSLv3,TLSv1<br>
<br>
Iam unable to test location today as I forgot my card at home......<br>
But I think location has to work, your error seems something related to
a "protocol re-negotiation error".....<br>
<br>
Luis<br>
<br>
<hr id="stopSpelling">From: <a class="moz-txt-link-abbreviated" href="mailto:luisneves@hotmail.com">luisneves@hotmail.com</a><br>
To: <a class="moz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a><br>
Date: Tue, 31 Aug 2010 09:16:46 +0000<br>
CC: <a class="moz-txt-link-abbreviated" href="mailto:mod_nss-list@redhat.com">mod_nss-list@redhat.com</a><br>
Subject: Re: [Mod_nss-list] Problem configuring Client certificate
Authentication<br>
<br>
<meta http-equiv="Content-Type"
content="text/html; charset=ISO-8859-1">
<meta name="Generator" content="Microsoft SafeHTML">
<style>
.ExternalClass .ecxhmmessage P
{padding:0px;}
.ExternalClass body.ecxhmmessage
{font-size:10pt;font-family:Tahoma;}
</style>
try this!<br>
<br>
# Only renegotiate if the peer's hello bears the TLS renegotiation_info<br>
# extension. Default off.<br>
NSSRenegotiation off<br>
<br>
# Peer must send Signaling Cipher Suite Value (SCSV) or<br>
# Renegotiation Info (RI) extension in ALL handshakes. Default: off<br>
NSSRequireSafeNegotiation off<br>
<br>
<br>
<hr id="ecxstopSpelling">Date: Tue, 31 Aug 2010 10:41:13 +0200<br>
From: <a class="moz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a><br>
CC: <a class="moz-txt-link-abbreviated" href="mailto:mod_nss-list@redhat.com">mod_nss-list@redhat.com</a><br>
Subject: Re: [Mod_nss-list] Problem configuring Client certificate
Authentication<br>
<br>
No... It didn't work with location neither..<br>
<br>
But maybe if I follow your aproach It could work for me as well...<br>
<br>
<br>
<br>
On 31/08/10 10:36, Luis Neves wrote:
<blockquote cite="mid:COL110-W420B4FF0D9A51651E93BEDA78A0@phx.gbl">
<style>
.ExternalClass .ecxhmmessage P
{padding:0px;}
.ExternalClass body.ecxhmmessage
{font-size:10pt;font-family:Tahoma;}
</style>But
after fixing "location" it worked??<br>
<br>
no, for now I really didnt need that, <br>
I am trying to make a reverse proxy to protect internal pages and give
them access via some smartcards, But boy had so many problem so far
that I was almost quitting on this.....!<br>
<br>
Luis<br>
<br>
<hr id="ecxstopSpelling">Date: Tue, 31 Aug 2010 10:17:02 +0200<br>
From: <a moz-do-not-send="true" class="ecxmoz-txt-link-abbreviated"
href="mailto:ttormo@indenova.com">ttormo@indenova.com</a><br>
CC: <a moz-do-not-send="true" class="ecxmoz-txt-link-abbreviated"
href="mailto:mod_nss-list@redhat.com">mod_nss-list@redhat.com</a><br>
Subject: Re: [Mod_nss-list] Problem configuring Client certificate
Authentication<br>
<br>
Wow!! Actually I had directory directive instead of location at that
moment (I was just trying that). I made a copy-paste and changed it
on-the-fly but I guess I didn't realize about the first
<Location>... hehehe sorry<br>
<br>
So... do you do something similar in your virtualhost? I mean, do you
need users to use a client certificate only in some parts of the
website?<br>
<br>
Thank you very much<br>
<br>
<br>
<br>
On 31/08/10 10:11, Luis Neves wrote:
<blockquote cite="mid:COL110-W43BC3ECD13EF8D0DDF798DA78A0@phx.gbl">
<style>
.ExternalClass .ecxhmmessage P
{padding:0px;}
.ExternalClass body.ecxhmmessage
{font-size:10pt;font-family:Tahoma;}
</style>Hi
Tomas,<br>
<br>
Its missing something on your post, like the first location, etc, but
anyway, is when using the "location" tag that is giving the problem? I
dont use it but will make a test to see what happens here<br>
<br>
Luis<br>
<br>
<br>
<br>
<hr id="ecxstopSpelling">Date: Mon, 30 Aug 2010 14:24:00 +0200<br>
From: <a moz-do-not-send="true" class="ecxmoz-txt-link-abbreviated"
href="mailto:ttormo@indenova.com">ttormo@indenova.com</a><br>
To: <a moz-do-not-send="true" class="ecxmoz-txt-link-abbreviated"
href="mailto:mod_nss-list@redhat.com">mod_nss-list@redhat.com</a><br>
Subject: [Mod_nss-list] Problem configuring Client certificate
Authentication<br>
<br>
Greetings<br>
<br>
I'm trying to configure mod_nss in Apache in order to use it as my
client certificate authentication mechanism, but I'm having problems
with it..<br>
<br>
I'd like to use client authentication in some parts of a website... so
I tried to do it as with mod_ssl, using the Location directive with the
NSSVerifyClient require directive inside, but I never works... I always
get this error...<br>
<br>
Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation<br>
[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing
full renegotiation: complete handshake protocol<br>
[Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting
re-negotiation handshake<br>
<b>[Mon Aug 30 14:17:34 2010] [info] Read error -12176<br>
[Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not
accepted by client!?</b><br>
[Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client
192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer: <a
moz-do-not-send="true" class="ecxmoz-txt-link-freetext"
href="https://amsterdam/" target="_blank">https://amsterdam/</a><br>
[Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input
filter read failed.<br>
[Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server
amsterdam:443, client 192.168.125.53)<br>
<br>
After this, I checked the documentation and it says I can work
per-server or per-directory context... So I tried to do it per-server
and It works perfectly.. but, as I told you, this is not the solution
I'm looking for.. so I tried to configure it per-directory... but it
doesn't work neither...<br>
<br>
Here I attach my per-directory configuration... Is just a test but this
is more or less how it should look at the end:<br>
<br>
<br>
<br>
<i><VirtualHost *:443><br>
<br>
ServerName amsterdam<br>
<br>
LogLevel debug<br>
ErrorLog /var/log/apache2/testmodnss/error.log<br>
CustomLog /var/log/apache2/testmodnss/access.log combined<br>
DocumentRoot /var/www/testmodnss<br>
<br>
# ssl<br>
NSSEngine on<br>
RewriteEngine on<br>
NSSCipherSuite
-des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha<br>
<br>
NSSProtocol All<br>
<br>
## Certificate database. It contains both public and private key of the
ssl server. It also contains the CA certificate of the allowed client
certificates<br>
NSSCertificateDatabase /etc/apache2/certs/nss/<br>
<br>
NSSNickName Server-Cert<br>
<br>
<br>
# ssl client<br>
<br>
<Directive "/var/www/testmodnss/files/"><br>
<br>
AllowOverride all<br>
NSSVerifyClient require<br>
NSSOptions +ExportCertData<br>
NSSOptions +StdEnvVars<br>
<br>
</Location><br>
<br>
</VirtualHost><br>
<br>
NSSPassPhraseHelper /usr/sbin/nss_pcache<br>
<br>
</i><br>
<br>
Could you please help me?<br>
<br>
Thank you very much<br>
<br>
<br>
<pre class="ecxmoz-signature">--
Un saludo,
Tomás Tormo Franco
Area de sistemas
INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48
<a moz-do-not-send="true" class="ecxmoz-txt-link-abbreviated"
href="mailto:ttormo@indenova.com">ttormo@indenova.com</a>
<a moz-do-not-send="true" class="ecxmoz-txt-link-freetext"
href="http://www.indenova.com" target="_blank">http://www.indenova.com</a>
Descárguese gratuitamente el software eSigna Viewer para visualizar documentos firmados electrónicamente: <a
moz-do-not-send="true" class="ecxmoz-txt-link-freetext"
href="http://www.indenova.com/eSignaViewer.php" target="_blank">http://www.indenova.com/eSignaViewer.php</a>
</pre>
<br>
_______________________________________________
Mod_nss-list mailing list <a moz-do-not-send="true"
class="ecxmoz-txt-link-abbreviated"
href="mailto:Mod_nss-list@redhat.com">Mod_nss-list@redhat.com</a> <a
moz-do-not-send="true" class="ecxmoz-txt-link-freetext"
href="https://www.redhat.com/mailman/listinfo/mod_nss-list"
target="_blank">https://www.redhat.com/mailman/listinfo/mod_nss-list</a>
</blockquote>
<br>
<br>
<pre class="ecxmoz-signature">--
Un saludo,
Tomás Tormo Franco
Area de sistemas
INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48
<a moz-do-not-send="true" class="ecxmoz-txt-link-abbreviated"
href="mailto:ttormo@indenova.com">ttormo@indenova.com</a>
<a moz-do-not-send="true" class="ecxmoz-txt-link-freetext"
href="http://www.indenova.com" target="_blank">http://www.indenova.com</a>
Descárguese gratuitamente el software eSigna Viewer para visualizar documentos firmados electrónicamente: <a
moz-do-not-send="true" class="ecxmoz-txt-link-freetext"
href="http://www.indenova.com/eSignaViewer.php" target="_blank">http://www.indenova.com/eSignaViewer.php</a>
</pre>
<br>
_______________________________________________
Mod_nss-list mailing list
<a moz-do-not-send="true" class="ecxmoz-txt-link-abbreviated"
href="mailto:Mod_nss-list@redhat.com">Mod_nss-list@redhat.com</a>
<a moz-do-not-send="true" class="ecxmoz-txt-link-freetext"
href="https://www.redhat.com/mailman/listinfo/mod_nss-list"
target="_blank">https://www.redhat.com/mailman/listinfo/mod_nss-list</a>
</blockquote>
<br>
<br>
<pre class="ecxmoz-signature">--
Un saludo,
Tomás Tormo Franco
Area de sistemas
INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48
<a moz-do-not-send="true" class="ecxmoz-txt-link-abbreviated"
href="mailto:ttormo@indenova.com">ttormo@indenova.com</a>
<a moz-do-not-send="true" class="ecxmoz-txt-link-freetext"
href="http://www.indenova.com" target="_blank">http://www.indenova.com</a>
Descárguese gratuitamente el software eSigna Viewer para visualizar documentos firmados electrónicamente: <a
moz-do-not-send="true" class="ecxmoz-txt-link-freetext"
href="http://www.indenova.com/eSignaViewer.php" target="_blank">http://www.indenova.com/eSignaViewer.php</a>
</pre>
<br>
_______________________________________________
Mod_nss-list mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Mod_nss-list@redhat.com">Mod_nss-list@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/mod_nss-list">https://www.redhat.com/mailman/listinfo/mod_nss-list</a> <br>
_______________________________________________
Mod_nss-list mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Mod_nss-list@redhat.com">Mod_nss-list@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/mod_nss-list">https://www.redhat.com/mailman/listinfo/mod_nss-list</a> </blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Un saludo,
Tomás Tormo Franco
Area de sistemas
INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48
<a class="moz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a>
<a class="moz-txt-link-freetext" href="http://www.indenova.com">http://www.indenova.com</a>
Descárguese gratuitamente el software eSigna Viewer para visualizar documentos firmados electrónicamente: <a class="moz-txt-link-freetext" href="http://www.indenova.com/eSignaViewer.php">http://www.indenova.com/eSignaViewer.php</a>
</pre>
</body>
</html>