Re: [Fedora-directory-users] mod_nss and FIPS mode

2008-05-16 Thread Rob Crittenden

Rob Crittenden wrote:

> Mark Price wrote:
>
>> Hello,
>>
>> I am having trouble getting mod_nss to work in FIPS mode.  Summary of
>> the problem:  mod_nss works fine before FIPS mode is enabled, then
>> cannot find the certificate after enabling it.
>
> Your configuration looks ok.
>
>> This is using the /etc/httpd/alias cert database, that the mod_nss RPM
>> created with a default certificate named Server-Cert.
>>
>> Using that default configuration, the Apache server starts fine and
>> loads mod_nss.
>>
>> However, when I enable FIPS mode in mod_nss (by adding "NSSFIPS on" to
>> Apache config), I can't get it to find the same server certificate:
>>
>> [Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
>> [Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of
>> size 1. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
>> [Thu May 15 13:41:21 2008] [error] The server key database has not
>> been initialized.
>> [Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for SSL
>> [Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert'
>
> I think part of the problem is "The server key database has not been
> initialized." I'm not sure what would cause this.
>
>> I also tried using modutil to enable FIPS mode on the cert database,
>> but that did not help:
>>
>> # modutil -fips true -dbdir /etc/httpd/alias
>>
>> Using database directory /etc/httpd/alias...
>> FIPS mode enabled.
>>
>> # modutil -chkfips true -dbdir /etc/httpd/alias
>> Using database directory /etc/httpd/alias...
>> FIPS mode enabled.
>
> You need to let mod_nss set FIPS mode for it to work properly.
>
>> Could someone please clue me in here.  Is there some more extensive
>> process I need to go through in converting the certificate database to
>> FIPS mode?  I have searched for more relevant info with certutil and
>> modutil but haven't been able to find anything.
>
> It should be as simple as setting NSSFIPS on.
>
> I'm not sure what the problem is. Let me try to duplicate this locally
> and see what I can find out.


Mark and I did a fair bit of follow-up off-list and I created bug 
https://bugzilla.redhat.com/show_bug.cgi?id=446851 as a result.


This appears to be a bug in NSS 3.11 (I'm not sure if it affects 
3.11.99/3.12 yet). In the bug I filed is a patch to mod_nss that will 
work around the problem.


rob


--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] mod_nss and FIPS mode

2008-05-15 Thread Rob Crittenden

Mark Price wrote:

> Hello,
>
> I am having trouble getting mod_nss to work in FIPS mode.  Summary of
> the problem:  mod_nss works fine before FIPS mode is enabled, then
> cannot find the certificate after enabling it.

Your configuration looks ok.

> This is using the /etc/httpd/alias cert database, that the mod_nss RPM
> created with a default certificate named Server-Cert.
>
> Using that default configuration, the Apache server starts fine and
> loads mod_nss.
>
> However, when I enable FIPS mode in mod_nss (by adding "NSSFIPS on" to
> Apache config), I can't get it to find the same server certificate:
>
> [Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
> [Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of
> size 1. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
> [Thu May 15 13:41:21 2008] [error] The server key database has not
> been initialized.
> [Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for SSL
> [Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert'

I think part of the problem is "The server key database has not been
initialized." I'm not sure what would cause this.

> I also tried using modutil to enable FIPS mode on the cert database,
> but that did not help:
>
> # modutil -fips true -dbdir /etc/httpd/alias
>
> Using database directory /etc/httpd/alias...
> FIPS mode enabled.
>
> # modutil -chkfips true -dbdir /etc/httpd/alias
> Using database directory /etc/httpd/alias...
> FIPS mode enabled.

You need to let mod_nss set FIPS mode for it to work properly.

> Could someone please clue me in here.  Is there some more extensive
> process I need to go through in converting the certificate database to
> FIPS mode?  I have searched for more relevant info with certutil and
> modutil but haven't been able to find anything.

It should be as simple as setting NSSFIPS on.

I'm not sure what the problem is. Let me try to duplicate this locally
and see what I can find out.


rob




[Fedora-directory-users] mod_nss and FIPS mode

2008-05-15 Thread Mark Price

Hello,

I am having trouble getting mod_nss to work in FIPS mode.  Summary of
the problem:  mod_nss works fine before FIPS mode is enabled, then
cannot find the certificate after enabling it.

Here is my setup:

CentOS 5 64-bit
Apache 2.2.3 from distro RPM, pre-fork MPM
NSS libraries, tools, etc from distro RPMs (3.11.7-1.3)
I have tried both mod_nss from distro rpm (1.0.3-4) and 1.0.7 compiled
from source


Here is the configuration for mod_nss I am using in Apache.  It is
basically the defaults:

Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
NSSPassPhraseDialog  builtin
NSSPassPhraseHelper /usr/sbin/nss_pcache
NSSSessionCacheSize 1
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
NSSRandomSeed startup builtin

LogLevel warn
NSSEngine on
NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias

NSSOptions +StdEnvVars

NSSOptions +StdEnvVars


This is using the /etc/httpd/alias cert database, that the mod_nss RPM
created with a default certificate named Server-Cert.

Using that default configuration, the Apache server starts fine and
loads mod_nss.

However, when I enable FIPS mode in mod_nss (by adding "NSSFIPS on" to
Apache config), I can't get it to find the same server certificate:


[Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
[Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of
size 1. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Thu May 15 13:41:21 2008] [error] The server key database has not
been initialized.
[Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for SSL
[Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert'


I also tried using modutil to enable FIPS mode on the cert database,
but that did not help:

# modutil -fips true -dbdir /etc/httpd/alias

Using database directory /etc/httpd/alias...
FIPS mode enabled.


# modutil -chkfips true -dbdir /etc/httpd/alias
Using database directory /etc/httpd/alias...
FIPS mode enabled.

Could someone please clue me in here.  Is there some more extensive
process I need to go through in converting the certificate database to
FIPS mode?  I have searched for more relevant info with certutil and
modutil but haven't been able to find anything.


Thanks,

Mark

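The posted nss.conf turns on NSSFIPS while still listing SSLv3 in NSSProtocol and carrying a long +/- cipher list, so it is worth checking what a FIPS-mode configuration actually enables before blaming the certificate database. The script below is an added example for this thread; it is not code from mod_nss, NSS or the poster. It parses the directives the way mod_nss reads them (one directive per line, "+name"/"-name" cipher tokens, comma-separated protocols) and reports anything enabled that the policy does not allow. The FIPS_APPROVED_CIPHERS and FIPS_PROTOCOLS sets are assumptions for illustration: the 3DES and AES-CBC suites with SHA-1 are treated as approved, RC4/DES/RC2/NULL/export/Fortezza suites are not, and only TLS (not SSLv3) is accepted while FIPS is on. SAMPLE_CONFIG is constructed from the cipher and protocol lines of the posted configuration with "NSSFIPS on" added as the poster did.

```python
"""Lint a mod_nss configuration fragment for FIPS-mode consistency.

Added example; not code from mod_nss, NSS or the original poster.
FIPS_APPROVED_CIPHERS and FIPS_PROTOCOLS are assumptions used for
illustration, not an authoritative validation policy.
"""

# Constructed sample: the NSSCipherSuite / NSSProtocol lines from the
# posted nss.conf, with "NSSFIPS on" added as the poster did.
SAMPLE_CONFIG = """\
NSSEngine on
NSSFIPS on
NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
"""

# Assumed policy (see docstring): 3DES/AES with SHA-1 approved, TLS only.
FIPS_APPROVED_CIPHERS = {"rsa_3des_sha", "fips_3des_sha",
                         "rsa_aes_128_sha", "rsa_aes_256_sha"}
FIPS_PROTOCOLS = {"tlsv1"}


def parse_directives(text):
    """Map directive name -> last value seen.

    Blank lines, '#' comments and <Section> container lines are skipped;
    a directive repeated later in the file overrides the earlier one.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0]] = parts[1].strip()
    return directives


def parse_cipher_suite(value):
    """Split an NSSCipherSuite value ('+a,-b,...') into (enabled, disabled)."""
    enabled, disabled = set(), set()
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        sign, name = token[0], token[1:]
        if sign == "+":
            enabled.add(name)
        elif sign == "-":
            disabled.add(name)
        else:
            raise ValueError("cipher token must start with + or -: %r" % token)
    return enabled, disabled


def lint_fips(text):
    """Return a list of findings for a config with NSSFIPS on; [] if clean
    or if FIPS mode is not requested at all."""
    d = parse_directives(text)
    findings = []
    if d.get("NSSFIPS", "off").lower() != "on":
        return findings  # nothing to check unless FIPS mode is requested
    enabled, _ = parse_cipher_suite(d.get("NSSCipherSuite", ""))
    for name in sorted(enabled - FIPS_APPROVED_CIPHERS):
        findings.append("cipher %s enabled but not FIPS-approved" % name)
    if not enabled & FIPS_APPROVED_CIPHERS:
        findings.append("no FIPS-approved cipher enabled")
    protocols = [p.strip() for p in d.get("NSSProtocol", "").split(",") if p.strip()]
    for proto in protocols:
        if proto.lower() not in FIPS_PROTOCOLS:
            findings.append("protocol %s enabled but not permitted in FIPS mode" % proto)
    return findings


if __name__ == "__main__":
    for finding in lint_fips(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the SSLv3 entry in NSSProtocol; the four "+" ciphers in the posted list are all in the assumed approved set. Point lint_fips at the real nss.conf (read the file and pass its contents) to check a live configuration; the function deliberately returns nothing when NSSFIPS is off, since the restrictions only apply once mod_nss switches the NSS token into FIPS mode.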