I built mod_nss 1.0.8 from source (<a href="http://directory.fedoraproject.org/sources/mod_nss-1.0.8.tar.gz">http://directory.fedoraproject.org/sources/mod_nss-1.0.8.tar.gz</a> as mentioned on <a href="http://www.directory.fedora.redhat.com/wiki/Mod_nss#What_can_I_get_the_source.3F">http://www.directory.fedora.redhat.com/wiki/Mod_nss#What_can_I_get_the_source.3F</a>) but I have the same behavior. This archive is dated July 2008 - any ideas where I can get something newer to test with? What I built also complains about nss.conf entries NSSRenegotiation and NSSRequireSafeNegotiation, which I am guessing a new recent entries to handle recent SSL exploits. Given that the Fedora-provided 1.0.8 and source-built 1.0.8 give me the same basic behavior - perhaps I am actually chasing a config or permission issue, not a software one? I did a "chmod 777" to my Certificate Database files and the same behavior remained. Any ideas for next steps? Chris <div class="gmail_quote">On Tue, Nov 9, 2010 at 8:52 AM, Christopher Glidden <<a href="mailto:cglidden@gmail.com">cglidden@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Hi All, Just looking for a little more help getting mod_nss to work. After moving to Fedora 14 and getting recent updates, I am still having issues on the SSL Server side - my clients are giving me "bad mac alert" errors and terminating the SSL connection. I am running everything I can in FIPS mode - NSS, mod_nss, and my PKCS#11 hardware.<div class="im"> I am currently re-re-testing with Fedora 14 and the built-in mod_nss: </div><div style="margin-left: 40px;"><div class="im"> Name : httpd Arch : i686 Version : 2.2.16 Release : 1.fc14 </div>Size : 2.7 M -- Name : mod_nss<div><div></div><div class="h5"> Arch : i686 Version : 1.0.8 Release : 7.fc14 Size : 215 k -- Name : nspr Arch : i686 Version : 4.8.6 Release : 1.fc14 Size : 258 k -- Name : nss Arch : i686 Version : 3.12.8 Release : 2.fc14 Size : 2.3 M </div></div></div> <div><div></div><div class="h5"> I am still getting an "bad record mac" error from my client, which is currently just openssl: <div style="margin-left: 40px; font-family: courier new,monospace;"># openssl s_client -state -showcerts -connect <a href="http://10.1.1.220:345/" target="_blank">10.1.1.220:345</a> CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=1 /C=local/O=cglidden/CN=optiplex745 verify error:num=19:self signed certificate in certificate chain verify return:0 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL3 alert read:fatal:bad record mac SSL_connect:failed in SSLv3 read finished A 6000:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1102:SSL alert number 20 6000:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: </div> The ssltap server side looks like: <div style="margin-left: 40px;">[cglidden@f14-apache-nssmod ~]$ sudo ssltap -sl -p 345 <a href="http://10.1.1.220:8443/" target="_blank">10.1.1.220:8443</a> Looking up "10.1.1.220"... Proxy socket ready and listening Connection #1 [Mon Nov 8 17:49:27 2010] Connected to <a href="http://10.1.1.220:8443/" target="_blank">10.1.1.220:8443</a> --> [ recordLen = 121 bytes (121 bytes of 121) [Mon Nov 8 17:49:27 2010] [ssl2] ClientHelloV2 { version = {0x03, 0x01} cipher-specs-length = 78 (0x4e) sid-length = 0 (0x00) challenge-length = 32 (0x20) cipher-suites = { (0x000039) TLS/DHE-RSA/AES256-CBC/SHA (0x000038) TLS/DHE-DSS/AES256-CBC/SHA (0x000035) TLS/RSA/AES256-CBC/SHA (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5 (0x000033) TLS/DHE-RSA/AES128-CBC/SHA (0x000032) TLS/DHE-DSS/AES128-CBC/SHA (0x00002f) TLS/RSA/AES128-CBC/SHA (0x030080) SSL2/RSA/RC2CBC128/MD5 (0x000005) SSL3/RSA/RC4-128/SHA (0x000004) SSL3/RSA/RC4-128/MD5 (0x010080) SSL2/RSA/RC4-128/MD5 (0x000015) SSL3/DHE-RSA/DES56-CBC/SHA (0x000012) SSL3/DHE-DSS/DES56-CBC/SHA (0x000009) SSL3/RSA/DES56-CBC/SHA (0x060040) SSL2/RSA/DES56-CBC/MD5 (0x000014) SSL3/DHE-RSA/DES40-CBC/SHA (0x000011) SSL3/DHE-DSS/DES40-CBC/SHA (0x000008) SSL3/RSA/DES40-CBC/SHA (0x000006) SSL3/RSA/RC2CBC40/MD5 (0x040080) SSL2/RSA/RC2CBC40/MD5 (0x000003) SSL3/RSA/RC4-40/MD5 (0x020080) SSL2/RSA/RC4-40/MD5 (0x0000ff) TLS_EMPTY_RENEGOTIATION_INFO_SCSV } session-id = { } challenge = { 0xce62 0x904b 0x15d4 0x2915 0x0028 0x54e5 0xec2f 0x6eeb 0x9da4 0x3458 0xa686 0x6178 0xebd5 0x3924 0x7c6d 0x2435 } } ] <-- [ (2481 bytes of 2476) SSLRecord { [Mon Nov 8 17:49:27 2010] type = 22 (handshake) version = { 3,1 } length = 2476 (0x9ac) handshake { type = 2 (server_hello) length = 77 (0x00004d) ServerHello { server_version = {3, 1} random = {...} session ID = { length = 32 contents = {...} } cipher_suite = (0x0035) TLS/RSA/AES256-CBC/SHA compression method = (00) NULL extensions[5] = { extension type renegotiation_info, length [1] = { 0: 00 | . } } } type = 11 (certificate) length = 2387 (0x000953) CertificateChain { chainlength = 2384 (0x0950) Certificate { size = 1354 (0x054a) data = { saved in file 'cert.001' } } Certificate { size = 1024 (0x0400) data = { saved in file 'cert.002' } } } type = 14 (server_hello_done) length = 0 (0x000000) } } ] --> [ (326 bytes of 262, with 59 left over) SSLRecord { [Mon Nov 8 17:49:27 2010] type = 22 (handshake) version = { 3,1 } length = 262 (0x106) handshake { type = 16 (client_key_exchange) length = 258 (0x000102) ClientKeyExchange { message = {...} } } } (326 bytes of 1, with 53 left over) SSLRecord { [Mon Nov 8 17:49:27 2010] type = 20 (change_cipher_spec) version = { 3,1 } length = 1 (0x1) } (326 bytes of 48) SSLRecord { [Mon Nov 8 17:49:27 2010] type = 22 (handshake) version = { 3,1 } length = 48 (0x30) < encrypted > } ] <-- [ (7 bytes of 2) SSLRecord { [Mon Nov 8 17:49:27 2010] type = 21 (alert) version = { 3,1 } length = 2 (0x2) fatal: bad_record_mac } ] Read EOF on Client socket. [Mon Nov 8 17:49:27 2010] Read EOF on Server socket. [Mon Nov 8 17:49:27 2010] Connection 1 Complete [Mon Nov 8 17:49:27 2010] </div> And my debug output contains (with nss and httpd set to debug to same file): </div></div><div style="margin-left: 40px;"><div><div></div><div class="h5">[Mon Nov 08 17:47:02 2010] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0 [Mon Nov 08 17:47:02 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Mon Nov 08 17:47:02 2010] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400. [Mon Nov 08 17:47:13 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:13 2010] [info] Init: Initializing (virtual) servers for SSL [Mon Nov 08 17:47:13 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:13 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:13 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:13 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:13 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:13 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:13 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:13 2010] [info] Server: Apache/2.2.15, Interface: mod_nss/2.2.15, Library: NSS/<a href="http://3.12.6.2/" target="_blank">3.12.6.2</a> [Mon Nov 08 17:47:13 2010] [info] Shutting down SSL Session ID Cache [Mon Nov 08 17:47:13 2010] [notice] Digest: generating secret for digest authentication ... [Mon Nov 08 17:47:13 2010] [notice] Digest: done [Mon Nov 08 17:47:13 2010] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0xb75a9b08 rmm=0xb75a9b38 for VHOST: f14-apache-nssmod.cglidden.local [Mon Nov 08 17:47:13 2010] [info] APR LDAP: Built with OpenLDAP LDAP SDK [Mon Nov 08 17:47:13 2010] [info] LDAP: SSL support available [Mon Nov 08 17:47:13 2010] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400. [Mon Nov 08 17:47:14 2010] [info] Server: Apache/2.2.15, Interface: mod_nss/2.2.15, Library: NSS/<a href="http://3.12.6.2/" target="_blank">3.12.6.2</a> [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2863 for worker proxy:reverse [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2863 for (*) [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2866 for worker proxy:reverse [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2867 for worker proxy:reverse [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2868 for worker proxy:reverse [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2865 for worker proxy:reverse [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2865 for (*) [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2864 for worker proxy:reverse [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized </div></div><div class="im"> [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2864 for (*) [Mon Nov 08 17:47:14 2010] [notice] Apache/2.2.16 (Unix) DAV/2 mod_nss/2.2.15 NSS/<a href="http://3.12.6.2/" target="_blank">3.12.6.2</a> configured -- resuming normal operations [Mon Nov 08 17:47:14 2010] [info] Server built: Jul 26 2010 09:13:08 [Mon Nov 08 17:47:14 2010] [debug] prefork.c(1013): AcceptMutex: sysvsem (default: sysvsem) </div><div class="im">[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized </div><div class="im">[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2866 for (*) </div><div class="im">[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized </div><div class="im">[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2867 for (*) </div><div class="im">[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized </div><div class="im">[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2868 for (*) [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2870 for worker proxy:reverse [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2869 for worker proxy:reverse </div><div class="im">[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized </div><div class="im">[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2869 for (*) </div><div class="im">[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized </div><div><div></div><div class="h5">[Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2870 for (*) [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:16 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:16 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:16 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:16 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:16 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:16 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:16 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:16 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:46 2010] [error] Unable to read from pin store for slot: NSSOCS APR err: 70007 [Mon Nov 08 17:48:18 2010] [info] Connection to child 2 established (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) [Mon Nov 08 17:48:18 2010] [info] SSL input filter read failed. [Mon Nov 08 17:48:18 2010] [error] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code [Mon Nov 08 17:48:18 2010] [info] Connection to child 2 closed (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) [Mon Nov 08 17:49:22 2010] [info] Connection to child 0 established (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) [Mon Nov 08 17:49:22 2010] [info] SSL input filter read failed. [Mon Nov 08 17:49:22 2010] [error] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code [Mon Nov 08 17:49:22 2010] [info] Connection to child 0 closed (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) [Mon Nov 08 17:49:27 2010] [info] Connection to child 3 established (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220) [Mon Nov 08 17:49:27 2010] [info] SSL input filter read failed. [Mon Nov 08 17:49:27 2010] [error] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code [Mon Nov 08 17:49:27 2010] [info] Connection to child 3 closed (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220) </div></div></div><div><div></div><div class="h5"> A reference to Unable to read from pin store for slot: NSSOCS APR err: 70007 jumps out at me. Maybe nss_pcache is having problems? I am not sure - any time or help that you can offer would be appreciated. Any additional debug that would help you should be easy for me to collect. Thank you, Chris </div></div><div><div></div><div class="h5"><div class="gmail_quote">On Thu, Nov 4, 2010 at 5:29 PM, Christopher Glidden <<a href="mailto:cglidden@gmail.com" target="_blank">cglidden@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Hi All, I am having some trouble getting mod_nss in fips mode to work with my hardware pkcs#11 token. I actually think I am having more of a nss.conf issue than anything between nss and my token. Private key and certificate fulfillment/import from my CA seem to be just fine. What is the best way to go about getting a little help? What information (config, logs, ssltap output, etc.) should I provide? Also, I am currently using the NSS components that shipped with Red Hat 5 (although I must admit I using CentOS right now - I hope that doesn't affect the likelihood of receiving a response). [cglidden@el55-apache-nssmod ~]$ sudo yum info nss nss-tools mod_nss nspr httpd | grep -C2 Version Name : httpd Arch : i386 Version : 2.2.3 Release : 43.el5.centos Size : 3.1 M -- Name : mod_nss Arch : i386 Version : 1.0.3 Release : 8.el5 Size : 197 k -- Name : nspr Arch : i386 Version : 4.7.6 Release : 1.el5_4 Size : 245 k -- Name : nss Arch : i386 Version : 3.12.3.99.3 Release : 1.el5.centos.2 Size : 2.6 M -- Name : nss-tools Arch : i386 Version : 3.12.3.99.3 Release : 1.el5.centos.2 Size : 2.9 M Are there any known issues with these version that I should avoid right away? I am using these versions because my customer has indicated a preference. If I have a good argument for it, we'll upgrade to better versions. Thanks, Chris -- ~~~~~~~~~~~~~~~~~~ Christopher Glidden <a href="mailto:cglidden@gmail.com" target="_blank">cglidden@gmail.com</a> ~~~~~~~~~~~~~~~~~~ </blockquote></div> </div></div>-- <div class="im">~~~~~~~~~~~~~~~~~~ Christopher Glidden <a href="mailto:cglidden@gmail.com" target="_blank">cglidden@gmail.com</a> </div> P: 857-222-4269 ~~~~~~~~~~~~~~~~~~ </blockquote></div> -- ~~~~~~~~~~~~~~~~~~ Christopher Glidden <a href="mailto:cglidden@gmail.com">cglidden@gmail.com</a> P: 857-222-4269 ~~~~~~~~~~~~~~~~~~