We have made some progress but are still having problems.
This is what we have tried ... on SLES 10 SP1, SUSE Linux, IBM zSeries hardware.
On the NSS side we created a certificate DB with certutil, then added openCryptoki to the DB with NSS modutil:
modutil -dbdir /etc/apache2/SampleCertDBs/ -add opencryptoki -libfile /usr/lib64/libopencryptoki.so -mechanisms RSA:RC2:RC4:RC5:DES:SHA1:MD5:MD2:SSL:TLS

webserver1:/etc/apache2 # modutil -dbdir /etc/apache2/SampleCertDBs/ -add opencryptoki -libfile /usr/lib64/libopencryptoki.so -mechanisms RSA:RC2:RC4:RC5:DES:SHA1:MD5:MD2:SSL:TLS
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
Using database directory /etc/apache2/SampleCertDBs...
RC=80400009 Status=0 errno=9 ThreadID=375c30
===> This gets an error that appears to be coming from z90crypt (the IBM driver that interfaces with the crypto hardware); we think that it is caused by not having the openCryptoki CA in the NSS DB.
Module "opencryptoki" added to database.
webserver1:/etc/apache2 #
However, it claims to have added the module to the NSS module DB.
webserver1:/etc/apache2 # modutil -dbdir /etc/apache2/SampleCertDBs/ -list
Using database directory /etc/apache2/SampleCertDBs...
RC=80400009 Status=0 errno=9 ThreadID=375c30
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. opencryptoki
library name: /usr/lib64/libopencryptoki.so
slots: 1 slot attached
status: loaded
slot: Linux 2.6.16.46-0.12-default Linux (ICA)
token: openCryptoki
-----------------------------------------------------------
webserver1:/etc/apache2 #
When we try starting apache2 we get this in the log:
[Mon Jul 28 16:13:49 2008] [info] Configuring server for SSL protocol
[Mon Jul 28 16:13:49 2008] [debug] nss_engine_init.c(556): Enabling SSL3
[Mon Jul 28 16:13:49 2008] [debug] nss_engine_init.c(561): Enabling TLS
[Mon Jul 28 16:13:49 2008] [debug] nss_engine_init.c(732): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Mon Jul 28 16:13:49 2008] [info] Using nickname openCryptoki:webserver1.
[Mon Jul 28 16:13:49 2008] [error] Certificate not verified: 'openCryptoki:webserver1'
[Mon Jul 28 16:13:49 2008] [error] SSL Library Error: -8156 Issuer certificate is invalid
[Mon Jul 28 16:13:49 2008] [error] Unable to verify certificate 'openCryptoki:webserver1'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
These are the certs in the DB:
webserver1:/etc/apache2 # certutil -L -h all -d /etc/apache2/SampleCertDBs
RC=80400009 Status=0 errno=9 ThreadID=375c00
Enter Password or Pin for "openCryptoki":
SampleSSLServerCert u,u,u
SampleSSLClientCert u,u,u
SampleRootCA CTu,Cu,Cu
openCryptoki:webserver1 u,u,u
webserver1:/etc/apache2 #
I do not know how the openCryptoki:webserver1 got in the DB; we did not add it, maybe modutil added it.
If we use "NSSEnforceValidCerts off" then Apache starts but we cannot use https.
We see this in the log:
[Mon Jul 28 16:17:48 2008] [info] Connection to child 0 established (server webserver1.pdl.pok.ibm.com:443, client 10.10.80.147)
[Mon Jul 28 16:17:48 2008] [info] SSL input filter read failed.
[Mon Jul 28 16:17:48 2008] [error] SSL Library Error: -12215 MD5 digest function failed
[Mon Jul 28 16:17:48 2008] [info] Connection to child 0 closed (server webserver1.pdl.pok.ibm.com:443, client 10.10.80.147)
Any suggestions on how to determine what is wrong?
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
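The checks a practitioner would run against the NSS database before falling back to "NSSEnforceValidCerts off", written as an added POSIX shell example that is not part of the message above and not code from NSS or mod_nss. It parses the certutil -L trust-flag listing quoted in the message (embedded here as a sample) to find which entries are trusted CAs for SSL, pulls the Issuer DN out of certutil -L -n detail output (the sample detail and its DNs are constructed placeholders, since the message does not show the real issuer), and, when run with a DB directory and a nickname, validates the certificate for the SSL-server usage with certutil -V -u V. The function names and the sample DNs are assumptions. The point of the trust column is that only entries with a C in the SSL flags are trusted to issue server certificates; a u,u,u entry is a user cert, not a trust anchor, so an issuer that shows up that way (or not at all) is the first thing to look for behind an -8156 error.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Parses certutil
# output to show whether the issuer of a server certificate is present in
# the NSS DB and trusted for SSL, then validates the cert with certutil -V.

# Sample listing: the "certutil -L" output quoted in the message.
SAMPLE_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

SampleSSLServerCert                           u,u,u
SampleSSLClientCert                           u,u,u
SampleRootCA                                  CTu,Cu,Cu
openCryptoki:webserver1                       u,u,u'

# Constructed sample of "certutil -L -n NICK" detail output; the DNs are
# placeholders, the real issuer is not shown in the message.
SAMPLE_DETAIL='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Issuer: "CN=Sample Root CA,O=Example Org"
        Subject: "CN=webserver1,O=Example Org"'

# Print the SSL trust flags (first comma-separated column) of nickname $1
# from a "certutil -L" listing read on stdin; prints nothing if absent.
ssl_trust_flags() {
    awk -v nick="$1" 'NF >= 2 {
        flags = $NF; $NF = ""; sub(/[ \t]+$/, "")
        if ($0 == nick) { split(flags, f, ","); print f[1] }
    }'
}

# Exit 0 when a flag string carries "C" (trusted CA for server certs).
is_trusted_ca() {
    case "$1" in *C*) return 0 ;; *) return 1 ;; esac
}

# Print every nickname whose SSL flags include "C", one per line. Only
# lines whose last field is made of trust-flag characters are considered,
# which skips the two header lines of the listing.
trusted_ca_nicknames() {
    awk 'NF >= 2 && $NF ~ /^[pPcCTuw,]+$/ {
        flags = $NF; $NF = ""; sub(/[ \t]+$/, "")
        split(flags, f, ","); if (f[1] ~ /C/) print
    }'
}

# Extract the issuer DN from "certutil -L -n NICK" detail output on stdin.
issuer_dn() {
    sed -n 's/^[[:space:]]*Issuer: "\(.*\)"$/\1/p'
}

# Run the checks against a real database: $1 = DB directory, $2 = nickname
# (use the "token:nick" form for a cert that lives on a PKCS #11 token;
# -h all lists token certs too and will prompt for the token PIN).
audit_server_cert() {
    db=$1; nick=$2
    listing=$(certutil -L -d "$db" -h all)
    printf 'SSL trust flags of %s: %s\n' "$nick" \
        "$(printf '%s\n' "$listing" | ssl_trust_flags "$nick")"
    printf 'issuer: %s\n' "$(certutil -L -d "$db" -n "$nick" | issuer_dn)"
    printf 'CAs trusted for SSL in this DB:\n'
    printf '%s\n' "$listing" | trusted_ca_nicknames | sed 's/^/  /'
    # -u V validates the chain for the SSL-server usage and reports the
    # first failing step, which is the check mod_nss runs at startup.
    certutil -V -d "$db" -n "$nick" -u V
}

# Only touch a real database when a directory and nickname are supplied.
if [ "$#" -ge 2 ]; then
    audit_server_cert "$1" "$2"
fi
```

Run as `sh audit.sh /etc/apache2/SampleCertDBs openCryptoki:webserver1`; the issuer DN it prints should match the Subject of one of the nicknames listed under "CAs trusted for SSL", otherwise the CA certificate has to be imported (or re-trusted with certutil -M) before mod_nss will accept the server cert. The -12215 MD5 failure is a separate thing to check: the -mechanisms list given to modutil makes the module the default provider for those mechanisms, so with MD5 and SHA1 in that list NSS sends its digest calls to the opencryptoki token; `modutil -list opencryptoki -dbdir DIR` shows the current list, and re-adding the module without the digest mechanisms is worth trying.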