Yes, I have had this working (with mod_nss 1.0.8 on CentOS) with non-FIPS components. However, I need this to run in all FIPS mode: <ul><li>tokens initialized with "modutil -fips true"</li><li>"NSSFIPS on" in nss.conf</li> <li>and the hardware token running in FIPS mode</li></ul>I may be able to get away with running the hardware token in FIPS mode and adjusting the ciphersuites to be FIPS-compliant and leave the other components non-FIPS, which should be OK because all the crypto/key stuff have FIPS enforced by the hardware token. And I think that is what is important. I did download the latest source via CVS, built mod_nss, and I am seeing the same behavior. I think it may actually be the hardware token and am focusing there. I think that the session key might be created on the token, which is something I can account for - I have seen other SSL apps want to create ephemeral keys in the token. I am still curious about "Unable to read from pin store for slot:" error that I am seeing. Chris <div class="gmail_quote">On Tue, Nov 9, 2010 at 10:47 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div class="im">Christopher Glidden wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> I built mod_nss 1.0.8 from source (<a href="http://directory.fedoraproject.org/sources/mod_nss-1.0.8.tar.gz" target="_blank">http://directory.fedoraproject.org/sources/mod_nss-1.0.8.tar.gz</a> as mentioned on <a href="http://www.directory.fedora.redhat.com/wiki/Mod_nss#What_can_I_get_the_source.3F" target="_blank">http://www.directory.fedora.redhat.com/wiki/Mod_nss#What_can_I_get_the_source.3F</a>) but I have the same behavior. This archive is dated July 2008 - any ideas where I can get something newer to test with? </blockquote> </div> Those are only in the source tip. I haven't done a release recently (been trying to find time to add a couple new features first). You'd need to pull the source from CVS.<div class="im"> <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> What I built also complains about nss.conf entries NSSRenegotiation and NSSRequireSafeNegotiation, which I am guessing a new recent entries to handle recent SSL exploits. Given that the Fedora-provided 1.0.8 and source-built 1.0.8 give me the same basic behavior - perhaps I am actually chasing a config or permission issue, not a software one? I did a "chmod 777" to my Certificate Database files and the same behavior remained. </blockquote> </div> The bad mac are SSL errors. I haven't had a chance to look at your ssltap output in detail yet but nothing jumped out at me. Does it work in non-FIPS mode and only fail in FIPS? Does the software token work an only the hardware token fail? rob <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div class="im"> Any ideas for next steps? Chris On Tue, Nov 9, 2010 at 8:52 AM, Christopher Glidden <<a href="mailto:cglidden@gmail.com" target="_blank">cglidden@gmail.com</a> </div><div><div></div><div class="h5"> <mailto:<a href="mailto:cglidden@gmail.com" target="_blank">cglidden@gmail.com</a>>> wrote: Hi All, Just looking for a little more help getting mod_nss to work. After moving to Fedora 14 and getting recent updates, I am still having issues on the SSL Server side - my clients are giving me "bad mac alert" errors and terminating the SSL connection. I am running everything I can in FIPS mode - NSS, mod_nss, and my PKCS#11 hardware. I am currently re-re-testing with Fedora 14 and the built-in mod_nss: Name : httpd Arch : i686 Version : 2.2.16 Release : 1.fc14 Size : 2.7 M -- Name : mod_nss Arch : i686 Version : 1.0.8 Release : 7.fc14 Size : 215 k -- Name : nspr Arch : i686 Version : 4.8.6 Release : 1.fc14 Size : 258 k -- Name : nss Arch : i686 Version : 3.12.8 Release : 2.fc14 Size : 2.3 M I am still getting an "bad record mac" error from my client, which is currently just openssl: # openssl s_client -state -showcerts -connect <a href="http://10.1.1.220:345" target="_blank">10.1.1.220:345</a> </div></div> <<a href="http://10.1.1.220:345/" target="_blank">http://10.1.1.220:345/</a>><div class="im"> CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=1 /C=local/O=cglidden/CN=optiplex745 verify error:num=19:self signed certificate in certificate chain verify return:0 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL3 alert read:fatal:bad record mac SSL_connect:failed in SSLv3 read finished A 6000:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1102:SSL alert number 20 6000:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: The ssltap server side looks like: [cglidden@f14-apache-nssmod ~]$ sudo ssltap -sl -p 345 </div> <a href="http://10.1.1.220:8443" target="_blank">10.1.1.220:8443</a> <<a href="http://10.1.1.220:8443/" target="_blank">http://10.1.1.220:8443/</a>><div class="im"> Looking up "10.1.1.220"... Proxy socket ready and listening Connection #1 [Mon Nov 8 17:49:27 2010] </div> Connected to <a href="http://10.1.1.220:8443" target="_blank">10.1.1.220:8443</a> <<a href="http://10.1.1.220:8443/" target="_blank">http://10.1.1.220:8443/</a>><div><div></div><div class="h5"> --> [ recordLen = 121 bytes (121 bytes of 121) [Mon Nov 8 17:49:27 2010] [ssl2] ClientHelloV2 { version = {0x03, 0x01} cipher-specs-length = 78 (0x4e) sid-length = 0 (0x00) challenge-length = 32 (0x20) cipher-suites = { (0x000039) TLS/DHE-RSA/AES256-CBC/SHA (0x000038) TLS/DHE-DSS/AES256-CBC/SHA (0x000035) TLS/RSA/AES256-CBC/SHA (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5 (0x000033) TLS/DHE-RSA/AES128-CBC/SHA (0x000032) TLS/DHE-DSS/AES128-CBC/SHA (0x00002f) TLS/RSA/AES128-CBC/SHA (0x030080) SSL2/RSA/RC2CBC128/MD5 (0x000005) SSL3/RSA/RC4-128/SHA (0x000004) SSL3/RSA/RC4-128/MD5 (0x010080) SSL2/RSA/RC4-128/MD5 (0x000015) SSL3/DHE-RSA/DES56-CBC/SHA (0x000012) SSL3/DHE-DSS/DES56-CBC/SHA (0x000009) SSL3/RSA/DES56-CBC/SHA (0x060040) SSL2/RSA/DES56-CBC/MD5 (0x000014) SSL3/DHE-RSA/DES40-CBC/SHA (0x000011) SSL3/DHE-DSS/DES40-CBC/SHA (0x000008) SSL3/RSA/DES40-CBC/SHA (0x000006) SSL3/RSA/RC2CBC40/MD5 (0x040080) SSL2/RSA/RC2CBC40/MD5 (0x000003) SSL3/RSA/RC4-40/MD5 (0x020080) SSL2/RSA/RC4-40/MD5 (0x0000ff) TLS_EMPTY_RENEGOTIATION_INFO_SCSV } session-id = { } challenge = { 0xce62 0x904b 0x15d4 0x2915 0x0028 0x54e5 0xec2f 0x6eeb 0x9da4 0x3458 0xa686 0x6178 0xebd5 0x3924 0x7c6d 0x2435 } } ] <-- [ (2481 bytes of 2476) SSLRecord { [Mon Nov 8 17:49:27 2010] type = 22 (handshake) version = { 3,1 } length = 2476 (0x9ac) handshake { type = 2 (server_hello) length = 77 (0x00004d) ServerHello { server_version = {3, 1} random = {...} session ID = { length = 32 contents = {...} } cipher_suite = (0x0035) TLS/RSA/AES256-CBC/SHA compression method = (00) NULL extensions[5] = { extension type renegotiation_info, length [1] = { 0: 00 | . } } } type = 11 (certificate) length = 2387 (0x000953) CertificateChain { chainlength = 2384 (0x0950) Certificate { size = 1354 (0x054a) data = { saved in file 'cert.001' } } Certificate { size = 1024 (0x0400) data = { saved in file 'cert.002' } } } type = 14 (server_hello_done) length = 0 (0x000000) } } ] --> [ (326 bytes of 262, with 59 left over) SSLRecord { [Mon Nov 8 17:49:27 2010] type = 22 (handshake) version = { 3,1 } length = 262 (0x106) handshake { type = 16 (client_key_exchange) length = 258 (0x000102) ClientKeyExchange { message = {...} } } } (326 bytes of 1, with 53 left over) SSLRecord { [Mon Nov 8 17:49:27 2010] type = 20 (change_cipher_spec) version = { 3,1 } length = 1 (0x1) } (326 bytes of 48) SSLRecord { [Mon Nov 8 17:49:27 2010] type = 22 (handshake) version = { 3,1 } length = 48 (0x30) < encrypted > } ] <-- [ (7 bytes of 2) SSLRecord { [Mon Nov 8 17:49:27 2010] type = 21 (alert) version = { 3,1 } length = 2 (0x2) fatal: bad_record_mac } ] Read EOF on Client socket. [Mon Nov 8 17:49:27 2010] Read EOF on Server socket. [Mon Nov 8 17:49:27 2010] Connection 1 Complete [Mon Nov 8 17:49:27 2010] And my debug output contains (with nss and httpd set to debug to same file): [Mon Nov 08 17:47:02 2010] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0 [Mon Nov 08 17:47:02 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Mon Nov 08 17:47:02 2010] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400. [Mon Nov 08 17:47:13 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:13 2010] [info] Init: Initializing (virtual) servers for SSL [Mon Nov 08 17:47:13 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:13 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:13 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:13 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:13 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:13 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:13 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:13 2010] [info] Server: Apache/2.2.15, Interface: </div></div> mod_nss/2.2.15, Library: NSS/<a href="http://3.12.6.2" target="_blank">3.12.6.2</a> <<a href="http://3.12.6.2/" target="_blank">http://3.12.6.2/</a>><div class="im"> [Mon Nov 08 17:47:13 2010] [info] Shutting down SSL Session ID Cache [Mon Nov 08 17:47:13 2010] [notice] Digest: generating secret for digest authentication ... [Mon Nov 08 17:47:13 2010] [notice] Digest: done [Mon Nov 08 17:47:13 2010] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0xb75a9b08 rmm=0xb75a9b38 for VHOST: f14-apache-nssmod.cglidden.local [Mon Nov 08 17:47:13 2010] [info] APR LDAP: Built with OpenLDAP LDAP SDK [Mon Nov 08 17:47:13 2010] [info] LDAP: SSL support available [Mon Nov 08 17:47:13 2010] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400. [Mon Nov 08 17:47:14 2010] [info] Server: Apache/2.2.15, Interface: </div> mod_nss/2.2.15, Library: NSS/<a href="http://3.12.6.2" target="_blank">3.12.6.2</a> <<a href="http://3.12.6.2/" target="_blank">http://3.12.6.2/</a>><div class="im"> [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2863 for worker proxy:reverse [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2863 for (*) [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2866 for worker proxy:reverse [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2867 for worker proxy:reverse [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2868 for worker proxy:reverse [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2865 for worker proxy:reverse [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2865 for (*) [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2864 for worker proxy:reverse [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2864 for (*) [Mon Nov 08 17:47:14 2010] [notice] Apache/2.2.16 (Unix) DAV/2 </div> mod_nss/2.2.15 NSS/<a href="http://3.12.6.2" target="_blank">3.12.6.2</a> <<a href="http://3.12.6.2/" target="_blank">http://3.12.6.2/</a>> configured --<div><div></div><div class="h5"> resuming normal operations [Mon Nov 08 17:47:14 2010] [info] Server built: Jul 26 2010 09:13:08 [Mon Nov 08 17:47:14 2010] [debug] prefork.c(1013): AcceptMutex: sysvsem (default: sysvsem) [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2866 for (*) [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2867 for (*) [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2868 for (*) [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2870 for worker proxy:reverse [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 2869 for worker proxy:reverse [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2869 for (*) [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized [Mon Nov 08 17:47:14 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 2870 for (*) [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:15 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:15 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:15 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:15 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:16 2010] [info] Init: Seeding PRNG with 136 bytes of entropy [Mon Nov 08 17:47:16 2010] [info] Configuring server for SSL protocol [Mon Nov 08 17:47:16 2010] [info] In FIPS mode, enabling TLSv1 [Mon Nov 08 17:47:16 2010] [debug] nss_engine_init.c(783): FIPS mode enabled, permitted SSL ciphers are: [+rsa_3des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:16 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha] [Mon Nov 08 17:47:16 2010] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:16 2010] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Mon Nov 08 17:47:16 2010] [info] Using nickname NSSOCS:f14-apache-nssmod. [Mon Nov 08 17:47:46 2010] [error] Unable to read from pin store for slot: NSSOCS APR err: 70007 [Mon Nov 08 17:48:18 2010] [info] Connection to child 2 established (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) [Mon Nov 08 17:48:18 2010] [info] SSL input filter read failed. [Mon Nov 08 17:48:18 2010] [error] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code [Mon Nov 08 17:48:18 2010] [info] Connection to child 2 closed (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) [Mon Nov 08 17:49:22 2010] [info] Connection to child 0 established (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) [Mon Nov 08 17:49:22 2010] [info] SSL input filter read failed. [Mon Nov 08 17:49:22 2010] [error] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code [Mon Nov 08 17:49:22 2010] [info] Connection to child 0 closed (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.199) [Mon Nov 08 17:49:27 2010] [info] Connection to child 3 established (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220) [Mon Nov 08 17:49:27 2010] [info] SSL input filter read failed. [Mon Nov 08 17:49:27 2010] [error] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code [Mon Nov 08 17:49:27 2010] [info] Connection to child 3 closed (server f14-apache-nssmod.cglidden.local:8443, client 10.1.1.220) A reference to Unable to read from pin store for slot: NSSOCS APR err: 70007 jumps out at me. Maybe nss_pcache is having problems? I am not sure - any time or help that you can offer would be appreciated. Any additional debug that would help you should be easy for me to collect. Thank you, Chris On Thu, Nov 4, 2010 at 5:29 PM, Christopher Glidden </div></div><div><div></div><div class="h5"> <<a href="mailto:cglidden@gmail.com" target="_blank">cglidden@gmail.com</a> <mailto:<a href="mailto:cglidden@gmail.com" target="_blank">cglidden@gmail.com</a>>> wrote: Hi All, I am having some trouble getting mod_nss in fips mode to work with my hardware pkcs#11 token. I actually think I am having more of a nss.conf issue than anything between nss and my token. Private key and certificate fulfillment/import from my CA seem to be just fine. What is the best way to go about getting a little help? What information (config, logs, ssltap output, etc.) should I provide? Also, I am currently using the NSS components that shipped with Red Hat 5 (although I must admit I using CentOS right now - I hope that doesn't affect the likelihood of receiving a response). [cglidden@el55-apache-nssmod ~]$ sudo yum info nss nss-tools mod_nss nspr httpd | grep -C2 Version Name : httpd Arch : i386 Version : 2.2.3 Release : 43.el5.centos Size : 3.1 M -- Name : mod_nss Arch : i386 Version : 1.0.3 Release : 8.el5 Size : 197 k -- Name : nspr Arch : i386 Version : 4.7.6 Release : 1.el5_4 Size : 245 k -- Name : nss Arch : i386 Version : 3.12.3.99.3 Release : 1.el5.centos.2 Size : 2.6 M -- Name : nss-tools Arch : i386 Version : 3.12.3.99.3 Release : 1.el5.centos.2 Size : 2.9 M Are there any known issues with these version that I should avoid right away? I am using these versions because my customer has indicated a preference. If I have a good argument for it, we'll upgrade to better versions. Thanks, Chris -- ~~~~~~~~~~~~~~~~~~ Christopher Glidden </div></div> <a href="mailto:cglidden@gmail.com" target="_blank">cglidden@gmail.com</a> <mailto:<a href="mailto:cglidden@gmail.com" target="_blank">cglidden@gmail.com</a>> ~~~~~~~~~~~~~~~~~~ -- ~~~~~~~~~~~~~~~~~~ Christopher Glidden <a href="mailto:cglidden@gmail.com" target="_blank">cglidden@gmail.com</a> <mailto:<a href="mailto:cglidden@gmail.com" target="_blank">cglidden@gmail.com</a>><div class="im"> P: 857-222-4269 ~~~~~~~~~~~~~~~~~~ -- ~~~~~~~~~~~~~~~~~~ Christopher Glidden </div><a href="mailto:cglidden@gmail.com" target="_blank">cglidden@gmail.com</a> <mailto:<a href="mailto:cglidden@gmail.com" target="_blank">cglidden@gmail.com</a>> P: 857-222-4269 ~~~~~~~~~~~~~~~~~~ _______________________________________________ Mod_nss-list mailing list <a href="mailto:Mod_nss-list@redhat.com" target="_blank">Mod_nss-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/mod_nss-list" target="_blank">https://www.redhat.com/mailman/listinfo/mod_nss-list</a> </blockquote> </blockquote></div> -- ~~~~~~~~~~~~~~~~~~ Christopher Glidden <a href="mailto:cglidden@gmail.com">cglidden@gmail.com</a> P: 857-222-4269 ~~~~~~~~~~~~~~~~~~