Alexander Bokovoy wrote:
On Mon, 08 Oct 2012, Simon Williams wrote:
I have found a problem with mod_nss that appears to have been reported in
2010, but I cannot find any further reference to it.  The 2010 reference
contains a comment saying that it is an issue and needs to be fixed.  I
have not been able to find any issue tracking system for mod_nss and so
haven't been able to check on the status.

The problem is that mod_nss does not appear to respond with the correct
certificate when multiple name virtual servers are configured on an
instance of Apache.  It always responds with the certificate of the first
name virtual server defined.  It does process the other sites'
configurations because it complains if certificates with the aliases used
are not in the database.  This would not be an issue (for me) if mod_ssl
could be used for virtual servers other than the IPA server, but they
cannot co-exist.  If you try to mix them, mod_ssl complains that port 443
is being used for the IPA server, but it is not SSL aware.  I suppose it
would be possible to reconfigure the IPA name virtual server to use mod_ssl
by exporting the certificate, but I really don't like to muck around with
the directory server configuration more than is necessary as it is vital
that it remains stable and secure.

Could anyone enlighten me as to whether this issue is being looked at or
even if it is fixed and the CentOS people (CentOS 6.3 standard repositories,
all packages up to date as of yesterday) just aren't supplying a new enough
version of mod_nss.  At the moment, I can use my SSL secured sites as the
encryption works okay, but I cannot open them up as they report the wrong
host name in the certificate.

I assume all this comes about because you run these virtual servers on the
same instance as the FreeIPA master itself, thus conflicting mod_ssl and
mod_nss.

Here is a description of how to make name-based SSL virtual hosts work in a
FreeIPA environment using mod_ssl. This howto assumes you are using a
separate server from the FreeIPA master to provide the actual hosting for
the virtual hosts, which also makes sense because one would need to apply
greater security protection to the KDC which runs on the same FreeIPA
host.

http://freeipa.org/page/Apache_SNI_With_Kerberos
mod_nss doesn't support SNI because NSS doesn't support SNI server-side yet (https://bugzilla.mozilla.org/show_bug.cgi?id=360421).

The mod_nss bug tracker is bugzilla.redhat.com.

mod_ssl and mod_nss can co-exist but not on the same port (which is true of any two servers). mod_ssl and mod_nss cannot co-exist on an IPA server though, because mod_proxy only provides a single SSL interface and mod_ssl always registers it, locking mod_nss out. This is being worked on in mod_proxy.

Switching to mod_ssl wouldn't require any changes to the directory server.

rob
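As an added example (not part of the original thread and not the content of the FreeIPA howto linked above, whose Kerberos/GSSAPI part is not shown here), this is the shape of the mod_ssl setup both replies point at: two name-based TLS virtual hosts on a separate web host, each with its own certificate, selected by the SNI name the client sends. mod_ssl has done this since Apache 2.2.12 (CentOS 6 ships 2.2.15). Hostnames, IPs and certificate paths are placeholders.

```apache
# Added example: two name-based TLS vhosts served by mod_ssl on a web host
# that is NOT the FreeIPA master (mod_nss stays on the IPA server, untouched).
# Hostnames and certificate paths are placeholders.
Listen 443
NameVirtualHost *:443          # needed on Apache 2.2; a no-op warning on 2.4

# A client that sends no SNI (very old browsers, "openssl s_client" without
# -servername) lands in the FIRST vhost listed for the port. Setting this to
# "on" refuses such clients (HTTP 403) instead of silently serving the wrong
# site and its certificate.
SSLStrictSNIVHostCheck off

<VirtualHost *:443>
    ServerName   www.example.com
    DocumentRoot /var/www/www
    SSLEngine    on
    SSLProtocol  all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName   wiki.example.com
    DocumentRoot /var/www/wiki
    SSLEngine    on
    SSLProtocol  all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/pki/tls/certs/wiki.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wiki.example.com.key
</VirtualHost>

# Check which certificate each name actually gets (from any host with openssl):
#   openssl s_client -connect web.example.com:443 -servername wiki.example.com \
#       </dev/null 2>/dev/null | openssl x509 -noout -subject
# Repeat with -servername www.example.com; the subjects must differ. Run it
# without -servername and the first vhost's certificate comes back for every
# name, which is the same symptom a non-SNI server such as mod_nss shows.
```

The `openssl s_client -servername` check is also the quickest way to confirm the original problem on the IPA host itself: if every name returns the same subject, the server is not honouring SNI.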

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users