[Fedora-directory-users] mod_nss and FIPS mode

Mark Price mprice at tqhosting.com
Thu May 15 17:48:06 UTC 2008


Hello,

I am having trouble getting mod_nss to work in FIPS mode.  Summary of
the problem:  mod_nss works fine before FIPS mode is enabled, then
cannot find the certificate after enabling it.

Here is my setup:

CentOS 5 64-bit
Apache 2.2.3 from distro RPM, pre-fork MPM
NSS libraries, tools, etc from distro RPMs (3.11.7-1.3)
I have tried both mod_nss from distro rpm (1.0.3-4) and 1.0.7 compiled
from source


Here is the configuration for mod_nss I am using in Apache.  It is
basically the defaults


Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
NSSPassPhraseDialog  builtin
NSSPassPhraseHelper /usr/sbin/nss_pcache
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
NSSRandomSeed startup builtin
<VirtualHost _default_:443>
LogLevel warn
NSSEngine on
NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    NSSOptions +StdEnvVars
</Files>
<Directory "/etc/httpd/cgi-bin">
    NSSOptions +StdEnvVars
</Directory>
</VirtualHost>



This is using the /etc/httpd/alias cert database, that the mod_nss RPM
created with a default certificate named Server-Cert.

Using that default configuration, the Apache server starts fine and
loads mod_nss.

However, when I enable FIPS mode in mod_nss (By adding "NSSFIPS on" to
Apache config), I can't get it to find the same server certificate


[Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
[Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of
size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Thu May 15 13:41:21 2008] [error] The server key database has not
been initialized.
[Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for SSL
[Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert'


I also tried using modutil to enable FIPS mode on the cert database,
but that did not help:

# modutil -fips true -dbdir /etc/httpd/alias
<snipped warning>
Using database directory /etc/httpd/alias...
FIPS mode enabled.


# modutil -chkfips true -dbdir /etc/httpd/alias
Using database directory /etc/httpd/alias...
FIPS mode enabled.

Could someone please clue me in here.  Is there some more extensive
process I need to go through in converting the certificate database to
FIPS mode?  I have searched for more relevant info with certutil and
modutil but haven't been able to find anything.


Thanks,

Mark




More information about the Fedora-directory-users mailing list