Re: [Mod_nss-list] TLSSESSIONTICKETS

Mon, 19 Oct 2015 07:11:46 -0700 

Cohen, Laurence wrote:
> Here you go.
> 
> mod_nss-1.0.10-1.el6.x86_64
> nss-3.19.1-3.el6_6.x86_64

Hmm, I can't duplicate this. I get no session ticket offer in the
initial handshake. In fact, using ssltap I can see the client offering
the extension and the server ignoring it. In the openssl client request
I see:

     extension type session_ticket, length [0]

The server responds only with the renegotiation extension (enabled in my
configuration).

This feature was added to NSS in 3.12 and according to the docs is
disabled by default so I don't know what could be turning it on for you.

rob

> 
> On Thu, Oct 15, 2015 at 8:38 PM, Rob Crittenden <[email protected]
> <mailto:[email protected]>> wrote:
> 
>     Cohen, Laurence wrote:
>     > Hi Rob,
>     >
>     > Thanks for your reply yesterday.  Here is my problem.  We are using
>     > mod_nss version 1.0.8 on RHEL6.  Here is a session that our F5 admin
>     > sent to our production webserver at the command line using openssl.
>     >
>     > # openssl s_client -connect x.x.x.x:443 < /dev/null
>     >
>     >
>     >
>     > CONNECTED(00000003)
>     > depth=2 C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root 
> CA 2
>     > verify error:num=19:self signed certificate in certificate chain
>     > verify return:0
>     > ---
>     > Certificate chain
>     >  0 s:/C=us/O=u.s. government/OU=DOD/OU=pki/OU=disa/CN=metadata.ces.mil 
> <http://metadata.ces.mil>
>     > <http://metadata.ces.mil>
>     >    i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
>     >  1 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
>     >    i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
>     >  2 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
>     >    i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
>     > ---
>     > Server certificate
>     > -----BEGIN CERTIFICATE-----
>     > MIIFczCCBFugAwIBAgIDAMDoMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAlVT
>     > MRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UE
>     > CxMDUEtJMRIwEAYDVQQDEwlET0QgQ0EtMjgwHhcNMTMxMTAxMjExMTM0WhcNMTYx
>     > MTAxMjExMTM0WjBtMQswCQYDVQQGEwJ1czEYMBYGA1UEChMPdS5zLiBnb3Zlcm5t
>     > ZW50MQwwCgYDVQQLEwNET0QxDDAKBgNVBAsTA3BraTENMAsGA1UECxMEZGlzYTEZ
>     > MBcGA1UEAxMQbWV0YWRhdGEuY2VzLm1pbDCCASIwDQYJKoZIhvcNAQEBBQADggEP
>     > ADCCAQoCggEBAMuaXfCzffQnuqtQAwwTssjkbHEpQICFsjD5T0BhhLYwf/6MEZIe
>     > Dfx97j7CvqthxvVEtVe6j5d99OXW0rrXowgo/bGhnc8pR5sDke2hlUbmjb+XkqZR
>     > 03QyKv2+DFhiv8BIlO8EAygQZSYK8lyKxvvEwI19RRht1uZ9Mcn2hUKlm7OD6nnH
>     > grCk+qo8idCE2qO52gln46Q12nHIEHIrc8u6+EcgrdbC/Tpj5G+0HTuzOw4aQ0H8
>     > EMLQk8e7EdubfOxdhscS2YQtzNBkvLVEgA8QZr2wMleYG2ZJDRB0W5m6n12/3lpv
>     > M+hZMAJO8pDrzzmM1OZ0ZZYTsd2i9pvUNAsCAwEAAaOCAjAwggIsMB8GA1UdIwQY
>     > MBaAFCa0rqotjumNim+2tVud6k6usZxpMB0GA1UdDgQWBBRKkMaGpVHBLnDcBRcL
>     > SdbKrPieKjBjBggrBgEFBQcBAQRXMFUwMQYIKwYBBQUHMAKGJWh0dHA6Ly9jcmwu
>     > ZGlzYS5taWwvc2lnbi9ET0RDQV8yOC5jZXIwIAYIKwYBBQUHMAGGFGh0dHA6Ly9v
>     > Y3NwLmRpc2EubWlsMA4GA1UdDwEB/wQEAwIFoDCBwwYDVR0fBIG7MIG4MCqgKKAm
>     > hiRodHRwOi8vY3JsLmRpc2EubWlsL2NybC9ET0RDQV8yOC5jcmwwgYmggYaggYOG
>     > gYBsZGFwOi8vY3JsLmdkcy5kaXNhLm1pbC9jbiUzZERPRCUyMENBLTI4JTJjb3Ul
>     > M2RQS0klMmNvdSUzZERvRCUyY28lM2RVLlMuJTIwR292ZXJubWVudCUyY2MlM2RV
>     > Uz9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0O2JpbmFyeTBbBgNVHREEVDBSghBt
>     > ZXRhZGF0YS5jZXMubWlsghBtZXRhZGF0YS5jZXMubWlsghVtZXRhZGF0YS1jb2xz
>     > LmNlcy5taWyCFW1ldGFkYXRhLXNhdHguY2VzLm1pbDAjBgNVHSAEHDAaMAsGCWCG
>     > SAFlAgELBTALBglghkgBZQIBCxIwLQYDVR0lBCYwJAYIKwYBBQUHAwEGCCsGAQUF
>     > BwMCBggrBgEFBQgCAgYEVR0lADANBgkqhkiG9w0BAQUFAAOCAQEAjVht0bS/D5+M
>     > kCoYbxyFLWnAIWzoeyZC2al5znPllgQrW+RTVBjGiYlvKB2W5eXVJF+RCjCBk1k5
>     > qrtINH39+FQQZjivwhidLKWklEUt4MRN3tulRlTj+Hr34F0reD56EQaFSlXXvY0r
>     > +LNx5xzudvvrf45dCbHKGNmjDpyDIiezJbCojfYfN7E8ljkA0bq5Ku4eCsAm4sbd
>     > ezRoZsxSzzOUuynmP3yo20A+nU6+dDsVPXulkamlLGpVnC7nHnl5f8gspr4S7Ld8
>     > MnC/K7qfNaUTUkpe7Qym8WfKU0dUHWNAzqvSmhYJlk7wYwpKRfRlPi2cxabOkcxL
>     > 4F2HMSAkIw==
>     > -----END CERTIFICATE-----
>     > subject=/C=us/O=u.s.
>     > government/OU=DOD/OU=pki/OU=disa/CN=metadata.ces.mil
>     <http://metadata.ces.mil>
>     > <http://metadata.ces.mil>
>     > issuer=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-28
>     > ---
>     > No client certificate CA names sent
>     > ---
>     > SSL handshake has read 3989 bytes and written 647 bytes
>     > ---
>     > New, TLSv1/SSLv3, Cipher is AES256-SHA
>     > Server public key is 2048 bit
>     > Secure Renegotiation IS supported
>     > Compression: NONE
>     > Expansion: NONE
>     > SSL-Session:
>     >     Protocol  : TLSv1.1
>     >     Cipher    : AES256-SHA
>     >     Session-ID:
>     > 606DF4ED165AF725E18F3EBAA3BE18669E7E47921BF246EF1851C6E622C15B2A
>     >     Session-ID-ctx:
>     >     Master-Key:
>     >
>     
> A7F149F1EFF32EC29C8C1F570A076A7F3A20C7890F58958A9539ECC52822E28BCBBC94949C638AF52D8D89854887018C
>     >     Key-Arg   : None
>     >     PSK identity: None
>     >     PSK identity hint: None
>     >     TLS session ticket lifetime hint: 172800 (seconds)
>     >     TLS session ticket:
>     >     0000 - 4e 53 53 21 d9 f3 55 ff-e1 a9 5e a1 bb 2c 45 50
>     > NSS!..U...^..,EP
>     >     0010 - 27 9c cc 9d 07 2a af 5f-a3 06 ad 26 9a 1d cc 7a
>     > '....*._...&...z
>     >     0020 - 00 50 e7 85 b2 eb 32 7f-dc 71 d3 ec 39 09 43 8a
>     > .P....2..q..9.C.
>     >     0030 - 08 40 6c 6f b5 9e df 9c-4b 57 78 49 50 af d4 9b
>     > [email protected]...
>     >     0040 - 84 83 3d 8d de c8 91 6f-2c 9c 83 a4 bc 9c 68 4a
>     > ..=....o,.....hJ
>     >     0050 - b1 4f 46 1e fb a9 80 3f-f6 ff f7 3a 4f b3 e7 5a
>     > .OF....?...:O..Z
>     >     0060 - 8f 69 a2 3e 8a 57 d5 53-18 b2 15 bf 72 86 e1 d9
>     > .i.>.W.S....r...
>     >     0070 - 9d b5 3e 1e 45 80 d6 96-e3 b7 c5 ca b4 03 d3 21
>     > ..>.E..........!
>     >     0080 - 70 95 a7 77 32 9e 92 7b-bf bb 4d b2 92 3f 8f 61
>     > p..w2..{..M..?.a
>     >     0090 - 03 dd                                             ..
>     >
>     >     Start Time: 1444922629
>     >     Timeout   : 300 (sec)
>     >     Verify return code: 19 (self signed certificate in certificate
>     chain)
>     > ---
>     > DONE
>     >
>     > As you can see, our server is clearing presenting a TLS session ticket
>     > which supposedly should be turned off by default in this version of
>     > mod_nss.  I'm confused, and I'm also a newbie to mod_nss.  Could you
>     > please help me understand?
> 
>     Can you provide this:
> 
>     rpm -q mod_nss nss
> 
>     rob
> 
>     >
>     > Thanks,
>     >
>     > Larry Cohen
>     >
>     > On Wed, Oct 14, 2015 at 11:26 AM, Rob Crittenden <[email protected] 
> <mailto:[email protected]>
>     > <mailto:[email protected] <mailto:[email protected]>>> wrote:
>     >
>     >     Cohen, Laurence wrote:
>     >     > I'm trying to find out what version of mod_nss uses 
> TLSSESSIONTICKETS
>     >     > and has the ability to turn them off.  I see that Fedora has a 
> version
>     >     > that has this function, but I need this function for RHEL6.  I 
> want to
>     >     > try to avoid doing a custom build since this is for a government 
> customer.
>     >
>     >     TLS Session tickets are disabled by default. mod_nss 1.0.12 adds an
>     >     option to turn them on.
>     >
>     >     rob
>     >
>     >
>     >
>     >
>     > --
>     >
>     > www.novetta.com <http://www.novetta.com>
>     >
>     > Larry Cohen
>     >
>     > System Administrator
>     >
>     >
>     > 12021 Sunset Hills Road, Suite 400
>     >
>     > Reston, VA 20190
>     >
>     > Email [email protected] <mailto:[email protected]>
>     <http://novetta.com>
>     >
>     > Office 703-885-1064
>     >
> 
> 
> 
> 
> -- 
> 
> www.novetta.com
> 
> Larry Cohen
> 
> System Administrator
> 
> 
> 12021 Sunset Hills Road, Suite 400
> 
> Reston, VA 20190
> 
> Email [email protected] <http://novetta.com>
> 
> Office 703-885-1064
> 

_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list

Reply via email to