<html> <head> <style></style> </head> <body class='hmmessage'> Hi again! Sorry everybody for so much posts Hola Tomas, What seems the best practices on this case is Putting the NSSverifyclient optional outside location and then playing with the SSLRequire (or NSSRequire in mod_nss case) like for ex: <Location /> NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ and %{SSL_CLIENT_S_DN_O} eq "mycompany" \ and %{SSL_CLIENT_S_DN_OU} in {"myrole"}) </Location> or: NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ and %{SSL_CLIENT_VERIFY} eq "SUCCESS" ) or using a virtualhost just for the authenticated part of the site Um abraço Luis <hr id="stopSpelling">From: luisneves@hotmail.com To: rcritten@redhat.com; ttormo@indenova.com Date: Thu, 2 Sep 2010 08:36:20 +0000 CC: mod_nss-list@redhat.com Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication <meta http-equiv="Content-Type" content="text/html; charset=unicode"> <meta name="Generator" content="Microsoft SafeHTML"> <style> .ExternalClass .ecxhmmessage P {padding:0px;} .ExternalClass body.ecxhmmessage {font-size:10pt;font-family:Tahoma;} </style> Hi Robe, indeed Ive tested by myself and have the same renegotiation error as well Played with the settings Ive told to Tomas but still got the problem Played with the Apache env variables you mentioned but to no avail, same problem. Will read carefully your link but it looks the only solution is avoiding at all costs using verifyclient inside location tags... :( Luis > Date: Wed, 1 Sep 2010 08:59:01 -0400 > From: rcritten@redhat.com > To: ttormo@indenova.com > CC: mod_nss-list@redhat.com > Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication > > Tomás Tormo wrote: > > Greetings > > > > I'm trying to configure mod_nss in Apache in order to use it as my > > client certificate authentication mechanism, but I'm having problems > > with it.. > > > > I'd like to use client authentication in some parts of a website... so I > > tried to do it as with mod_ssl, using the Location directive with the > > NSSVerifyClient require directive inside, but I never works... I always > > get this error... > > > > Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation > > [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing > > full renegotiation: complete handshake protocol > > [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting > > re-negotiation handshake > > *[Mon Aug 30 14:17:34 2010] [info] Read error -12176 > > [Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not > > accepted by client!?* > > [Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client > > 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer: > > https://amsterdam/ > > [Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input > > filter read failed. > > [Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server > > amsterdam:443, client 192.168.125.53) > > > > After this, I checked the documentation and it says I can work > > per-server or per-directory context... So I tried to do it per-server > > and It works perfectly.. but, as I told you, this is not the solution > > I'm looking for.. so I tried to configure it per-directory... but it > > doesn't work neither... > > > > Here I attach my per-directory configuration... Is just a test but this > > is more or less how it should look at the end: > > > > > > > > /<VirtualHost *:443> > > > > ServerName amsterdam > > > > LogLevel debug > > ErrorLog /var/log/apache2/testmodnss/error.log > > CustomLog /var/log/apache2/testmodnss/access.log combined > > DocumentRoot /var/www/testmodnss > > > > # ssl > > NSSEngine on > > RewriteEngine on > > NSSCipherSuite > > -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha > > > > NSSProtocol All > > > > ## Certificate database. It contains both public and private key of the > > ssl server. It also contains the CA certificate of the allowed client > > certificates > > NSSCertificateDatabase /etc/apache2/certs/nss/ > > > > NSSNickName Server-Cert > > > > > > # ssl client > > > > <Directive "/var/www/testmodnss/files/"> > > > > AllowOverride all > > NSSVerifyClient require > > NSSOptions +ExportCertData > > NSSOptions +StdEnvVars > > > > </Location> > > > > </VirtualHost> > > > > NSSPassPhraseHelper /usr/sbin/nss_pcache > > > > / > > > > Could you please help me? > > > > Thank you very much > > Sorry for the delayed response. > > What version of mod_nss and which browser (and version) are you using? I > wonder if you have a newer browser and an older mod_nss and are bumping > into the SSL renegotiation changes that went into the NSS crypto system > to handle http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555. > This KB article includes some tuning information for NSS in general: > https://access.redhat.com/kb/docs/DOC-20491 > > The latest mod_nss provides some tuning knobs for this as mentioned by > Luid (NSSRenegotiation and NSSRequireSafeNegotiation) that are > equivalent to the environment variables in the KB article, just more > convenient. mod_nss defaults to SSL_RENEGOTIATE_NEVER and setting > NSSRenegotiation is the equivalent of SSL_RENEGOTIATE_REQUIRES_XTN. > > So this is a long way of saying, try adding export > NSS_SSL_ENABLE_RENEGOTIATION=u or NSS_SSL_ENABLE_RENEGOTIATION=r to your > Apache environment (/etc/sysconfig/httpd on Red Hat and Fedora systems). > > I'll be away again until next week in case you have any follow-up questions. > > rob > > _______________________________________________ > Mod_nss-list mailing list > Mod_nss-list@redhat.com > https://www.redhat.com/mailman/listinfo/mod_nss-list _______________________________________________ Mod_nss-list mailing list Mod_nss-list@redhat.com https://www.redhat.com/mailman/listinfo/mod_nss-list </body> </html>