Hi,

I seem to be having the same issue as below...

In addition, after such a failure, if I do "cryptoadm list -v", the hardware
provider fails to list my hardware accelerator card (mca0 - Sun Crypto
Accelerator).

Further, this is what /var/adm/messages indicates:

Aug 25 15:21:09 crypto genunix: [ID 936769 kern.info] pool0 is
/pseudo/p...@0
Aug 25 15:21:09 crypto ipf: [ID 774698 kern.info] IP Filter: v4.1.9,
running.
Aug 25 16:05:16 crypto genunix: [ID 246487 kern.notice] mca0: Halting
processor => Fatal error reported
Aug 25 16:05:16 crypto genunix: [ID 246487 kern.warning] WARNING: mca0: Data
Abort / TUE AUG 25 10:35:14 2009
Aug 25 16:05:16 crypto  exception raised in mcaOMCmd task     
----------------------------> OM h/w slot is for key management
Aug 25 16:05:17 crypto genunix: [ID 246487 kern.warning] WARNING: mca0:
Fault interrupt received, halting device

@Stefan: Are you still facing the problem? And do you find the above
symptoms on your machine too?


Stefan Kirchner wrote:
>
> Hi,
> 
> I am trying to get Apache to run as an SSL server with crypto hardware
> accelerator support. I am using NSS 3.12 and mod_nss 1.0.8.
> First of all, I configured the crypto hardware into NSS:
> 
> # ./modutil -dbdir /usr/local/apache2/nssdb2/ -list
> 
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>          slots: 2 slots attached
>         status: loaded
> 
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
> 
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
> 
>   2. crypto
>         library name: /usr/lib64/opencryptoki/libopencryptoki.so
>          slots: 1 slot attached
>         status: loaded
> 
>          slot: Linux 2.6.18-92.el5 Linux (ICA)
>         token: SKCRYPTO
> -----------------------------------------------------------
> 
> 
> I generated a CA cert and a server cert on the token as well as on the
> internal software token:
> 
> # ./certutil -d /usr/local/apache2/nssdb2/ -L -h all
> 
> Certificate Nickname                                         Trust
> Attributes
> 
> SSL,S/MIME,JAR/XPI
> 
> Enter Password or Pin for "SKCRYPTO":
> Server-Cert                                                  u,u,u
> cacert                                                       CTu,Cu,Cu
> SKCRYPTO:Server-Cert                                         u,u,u
> 
> 
> I set up mod_nss, and when I am using the Server-Cert certificate with the
> software token the SSL connection works fine (without using the crypto
> hardware).
> But when I set NSSNickname SKCRYPTO:Server-Cert the connection does not
> work and I am getting the following entries in the error log:
> 
> [Wed Jan 07 13:30:38 2009] [info] Initializing SSL Session Cache of size
> 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
> [Wed Jan 07 13:30:38 2009] [info] Init: Seeding PRNG with 144 bytes of
> entropy.
> [Wed Jan 07 13:30:38 2009] [info] Init: Initializing (virtual) servers for
> SSL.
> [Wed Jan 07 13:30:38 2009] [info] Configuring server for SSL protocol
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(594): Enabling SSL3
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(599): Enabling TLS
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(770): Configuring
> permitted SSL ciphers
> [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
> [Wed Jan 07 13:30:38 2009] [info] Using nickname SKCRYPTO:Server-Cert.
> [Wed Jan 07 13:30:38 2009] [info] Server: Apache/2.2.10, Interface:
> mod_nss/2.2.10, Library: NSS/3.12.0.3
> [Wed Jan 07 13:30:38 2009] [info] Shutting down SSL Session ID Cache
> [Wed Jan 07 13:30:38 2009] [info] Initializing SSL Session Cache of size
> 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
> [Wed Jan 07 13:30:38 2009] [info] Server: Apache/2.2.10, Interface:
> mod_nss/2.2.10, Library: NSS/3.12.0.3
> [Wed Jan 07 13:30:38 2009] [info] Init: Seeding PRNG with 144 bytes of
> entropy
> [Wed Jan 07 13:30:38 2009] [info] Configuring server for SSL protocol
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(594): Enabling SSL3
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(599): Enabling TLS
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(770): Configuring
> permitted SSL ciphers
> [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
> [Wed Jan 07 13:30:38 2009] [info] Using nickname SKCRYPTO:Server-Cert.
> [Wed Jan 07 13:30:38 2009] [error] Certificate not found:
> 'SKCRYPTO:Server-Cert'
> [Wed Jan 07 13:30:38 2009] [info] Init: Seeding PRNG with 144 bytes of
> entropy
> [Wed Jan 07 13:30:38 2009] [info] Configuring server for SSL protocol
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(594): Enabling SSL3
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(599): Enabling TLS
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(770): Configuring
> permitted SSL ciphers
> [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
> [Wed Jan 07 13:30:38 2009] [info] Using nickname SKCRYPTO:Server-Cert.
> [Wed Jan 07 13:30:38 2009] [info] Init: Seeding PRNG with 144 bytes of
> entropy
> [Wed Jan 07 13:30:38 2009] [info] Configuring server for SSL protocol
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(594): Enabling SSL3
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(599): Enabling TLS
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(770): Configuring
> permitted SSL ciphers
> [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
> [Wed Jan 07 13:30:38 2009] [info] Using nickname SKCRYPTO:Server-Cert.
> [Wed Jan 07 13:30:38 2009] [error] Certificate not found:
> 'SKCRYPTO:Server-Cert'
> [Wed Jan 07 13:30:38 2009] [info] Init: Seeding PRNG with 144 bytes of
> entropy
> [Wed Jan 07 13:30:38 2009] [info] Configuring server for SSL protocol
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(594): Enabling SSL3
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(599): Enabling TLS
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(770): Configuring
> permitted SSL ciphers
> [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
> [Wed Jan 07 13:30:38 2009] [info] Using nickname SKCRYPTO:Server-Cert.
> [Wed Jan 07 13:30:38 2009] [error] Certificate not found:
> 'SKCRYPTO:Server-Cert'
> [Wed Jan 07 13:30:38 2009] [notice] Apache/2.2.10 (Unix) mod_nss/2.2.10
> NSS/3.12.0.3 configured -- resuming normal operations
> [Wed Jan 07 13:30:38 2009] [info] Server built: Dec 18 2008 16:35:28.
> [Wed Jan 07 13:30:38 2009] [debug] prefork.c(1001): AcceptMutex: sysvsem
> (default: sysvsem)
> [Wed Jan 07 13:30:38 2009] [error] Certificate not found:
> 'SKCRYPTO:Server-Cert'
> [Wed Jan 07 13:30:38 2009] [info] Init: Seeding PRNG with 144 bytes of
> entropy
> [Wed Jan 07 13:30:38 2009] [info] Configuring server for SSL protocol
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(594): Enabling SSL3
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(599): Enabling TLS
> [Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(770): Configuring
> permitted SSL ciphers
> [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
> [Wed Jan 07 13:30:38 2009] [info] Using nickname SKCRYPTO:Server-Cert.
> [Wed Jan 07 13:30:38 2009] [error] Certificate not found:
> 'SKCRYPTO:Server-Cert'
> [Wed Jan 07 13:30:39 2009] [info] Init: Seeding PRNG with 144 bytes of
> entropy
> [Wed Jan 07 13:30:39 2009] [info] Configuring server for SSL protocol
> [Wed Jan 07 13:30:39 2009] [debug] nss_engine_init.c(594): Enabling SSL3
> [Wed Jan 07 13:30:39 2009] [debug] nss_engine_init.c(599): Enabling TLS
> [Wed Jan 07 13:30:39 2009] [debug] nss_engine_init.c(770): Configuring
> permitted SSL ciphers
> [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
> [Wed Jan 07 13:30:39 2009] [info] Using nickname SKCRYPTO:Server-Cert.
> [Wed Jan 07 13:30:39 2009] [error] Certificate not found:
> 'SKCRYPTO:Server-Cert'
> [Wed Jan 07 13:30:40 2009] [info] Init: Seeding PRNG with 144 bytes of
> entropy
> [Wed Jan 07 13:30:40 2009] [info] Configuring server for SSL protocol
> [Wed Jan 07 13:30:40 2009] [debug] nss_engine_init.c(594): Enabling SSL3
> [Wed Jan 07 13:30:40 2009] [debug] nss_engine_init.c(599): Enabling TLS
> [Wed Jan 07 13:30:40 2009] [debug] nss_engine_init.c(770): Configuring
> permitted SSL ciphers
> [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
> 
> Do you have any ideas why the certificate is only found the first time?
> 
> 
> Kind regards,
> Stefan Kirchner
> 
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
> 
> 

-- 
View this message in context: 
http://www.nabble.com/SSL-Certificate-not-found-while-starting-apache-with-mod_nss-tp21330548p25133761.html
Sent from the Mozilla - Cryptography mailing list archive at Nabble.com.
