Petr Heřmánek wrote:
> Hello list,
>
> unfortunately I have encountered some issues while trying to implement
> TLSv1.3 using mod_nss on my machine. Every attempt to reach the
> listening port is shut down with 'Request header read timeout' and gives
> back an empty reply from server. I have described the issue in more
> detail below. Any advice that would eventually lead to a functioning
> TLSv1.3 Apache web server is greatly appreciated.
>
> My web server is running Fedora 28, Apache/2.4.34, NSS 3.38.0 and NSPR
> 4.19.0. I have built the latest version of mod_nss using the README
> stored in the cloned repository. Configuration of mod_nss is based
> mostly on Apache logs and the mod_nss.html file (config pasted below).
> Different Linux distributions report the same results.
>
> As far as certificates are concerned, the gencert utility did not help.
> The gencert server certificate caused warnings of unexpected virtual
> names and kept timing out. For that reason, I decided to generate my own
> self-signed certificate to silence the warnings and hopefully get a
> response. At this point, I have tried various ways to generate and
> install a server certificate with no success. The current certificate
> does not raise any warnings but at the same time does not work with
> NSSEnforceValidCerts on. I can provide logs for both Apache and mod_nss
> with debug error level enabled, but they only show useless information
> except for enabled/disabled ciphers and the previously mentioned
> 'Request header read timeout'.
>
> <conf.d/nss.conf>
>
> Listen 443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
> NSSPassPhraseDialog file:/usr/local/mod_nss/password.conf
> NSSPassPhraseHelper /usr/sbin/nss_pcache
> NSSSessionCacheSize 10000
> NSSSession3CacheTimeout 86400
> NSSRandomSeed startup builtin
> NSSRenegotiation off
> NSSRequireSafeNegotiation off
>
> <VirtualHost _default_:443>
> DocumentRoot "/var/www/html"
> ServerName www.example.com:443
> ErrorLog /etc/httpd/logs/nss_error_log
> TransferLog /etc/httpd/logs/access_log
> LogLevel debug
> NSSEngine on
> NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha,+aes_128_gcm_sha_256,+aes_256_gcm_sha_384,+chacha20_poly1305_sha_256
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2,TLSv1.3
> NSSNickname example
> NSSEnforceValidCerts off
> NSSCertificateDatabase /etc/httpd/alias
> NSSVerifyClient none
> NSSOCSP off
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> NSSOptions +StdEnvVars
> </Files>
> <Directory "/etc/httpd/cgi-bin">
> NSSOptions +StdEnvVars
> </Directory>
> </VirtualHost>
>
> What am I missing?
> Thank you kindly for your time.
Need more information on exactly what it is you tried including:

- the options you passed to the mod_nss configure
- how you executed /usr/bin/gencert and what the output was
- how you told apache to load the updated module. If you also have the
  mod_nss package installed you need to override the module location in
  /etc/httpd/conf.modules.d/10-nss.conf
- what client you are using
- does the server work if you disable 1.3?
- does a client work if you force say tls 1.2?
- the nss_error_log and the corresponding output from the client

rob

_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
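The two bisecting checks in the reply above ("does the server work if you disable 1.3?" and "does a client work if you force say tls 1.2?") are easy to script. The helper below is an added example written for this page; it is not code from the mailing list, from mod_nss or from either poster. It assumes openssl(1) 1.1.1 or later is installed (the -tls1_3 option does not exist in older releases) and takes a hypothetical host, port and nss.conf as input. disable_tls13 emits a copy of the config with TLSv1.3 dropped from NSSProtocol so the server can be retried without it; probe_tls pins a client to one version and distinguishes a refused handshake from a handshake that completes but then stalls the way the 'Request header read timeout' symptom suggests.

```shell
#!/bin/sh
# Added triage helper for the mod_nss TLSv1.3 thread (not code from the
# list, from mod_nss or from the posters). Host, port and config path are
# hypothetical inputs; openssl(1) >= 1.1.1 is assumed for the live probe.
# disable_tls13 and negotiated_protocol work entirely offline.

# Rewrite an nss.conf read on stdin so NSSProtocol no longer lists TLSv1.3.
# Every other line passes through unchanged, so the output can be diffed
# against the original before it replaces conf.d/nss.conf. The directive
# is re-emitted without its original indentation.
disable_tls13() {
    awk '
        /^[[:space:]]*NSSProtocol[[:space:]]/ {
            n = split($2, v, ",")
            out = ""
            for (i = 1; i <= n; i++)
                if (v[i] != "TLSv1.3")
                    out = out (out == "" ? "" : ",") v[i]
            print $1 " " out
            next
        }
        { print }
    '
}

# Pull the negotiated version out of `openssl s_client` output on stdin.
# Prints the Protocol field of the SSL-Session block, or "none" when the
# client never got far enough to print one.
negotiated_protocol() {
    awk -F': *' '
        /^[[:space:]]*Protocol[[:space:]]*:/ { print $2; found = 1; exit }
        END { if (!found) print "none" }
    '
}

# Force one client protocol version against host:port and report what
# happened. A minimal HTTP/1.0 request is sent after the handshake so a
# server that completes TLS but then never answers (the "Request header
# read timeout" case) is reported differently from one that refuses TLS.
# Usage: probe_tls www.example.com 443 tls1_2   (or tls1_3)
# Returns 0 = handshake and HTTP ok, 2 = handshake ok but no HTTP reply,
# 1 = handshake failed.
probe_tls() {
    host=$1; port=$2; ver=$3
    out=$(printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" \
        | openssl s_client -connect "$host:$port" -servername "$host" "-$ver" 2>&1)
    rc=$?
    proto=$(printf '%s\n' "$out" | negotiated_protocol)
    if [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -q '^HTTP/'; then
        echo "$ver: handshake ok ($proto), HTTP response received"
        return 0
    elif [ "$rc" -eq 0 ]; then
        echo "$ver: handshake ok ($proto) but no HTTP response; server stalled after TLS"
        return 2
    else
        echo "$ver: handshake failed (openssl rc=$rc)"
        return 1
    fi
}

# Command-line entry points:
#   sh triage.sh probe HOST PORT        -> try tls1_2, then tls1_3
#   sh triage.sh strip < nss.conf       -> print nss.conf without TLSv1.3
case "${1:-}" in
    probe) probe_tls "$2" "$3" tls1_2; probe_tls "$2" "$3" tls1_3 ;;
    strip) disable_tls13 ;;
esac
```

Run the probe against the host with TLSv1.3 still enabled; if tls1_2 reports a stall too, the problem is not version-specific and the certificate/database questions in the reply become the next thing to check. If only tls1_3 stalls, the stripped config from `strip` gives a known-good baseline to compare logs against.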
