
Re: [Mod_nss-list] "SSL input filter read failed" error for apache with mod_nss

Rishi Renjith wrote:
Hello. The issue with the dummy DB was that some permissions to some files in it were not given. I did a chmod 777 to all files and now the dummy DB seems to be working fine. I configured the NSS database with the crypto card (sun sca6000) as follows.

mkdir /opt/SMC/Apache2/nsscertdb

cd /opt/SMC/Apache2/nsscertdb

certutil -N -d /opt/SMC/Apache2/nsscertdb

modutil -dbdir . -nocertdb -force -add "Sun Crypto Accelerator" -libfile /usr/lib/libpkcs11.so -mechanisms RSA:DSA:RC4:DES

modutil -list -dbdir /opt/SMC/Apache2/nssdb
Using database directory /opt/SMC/Apache2/nssdb...

Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Sun Crypto Accelerator
        library name: /usr/lib/libpkcs11.so
         slots: 2 slots attached
        status: loaded

         slot: Sun Metaslot
        token: Sun Metaslot

         slot: Sun Crypto Softtoken
        token: Sun Software PKCS#11 softtoken

certutil -R -s "C=IN, O=NSN, OU=SPA2, CN=sandeeprc.eu.org <http://sandeeprc.eu.org>" -h "Sun Metaslot" -o ismc.csr -d . -a -n ismc_cert

(Got the CSR signed from CA Cert)
certutil -A  -d . -n "ismc_cert" -a -t "CT,," -i cert2.csr -h "Sun Metaslot"

certutil -A -d . -n "CACERT CA" -a -t "CTu,CTu,CTu" -i ca.txt -h "Sun Metaslot"

certutil -V -u V -d . -n "ismc_cert" -h "Sun Metaslot"

The certificate is verified correctly. In nss.conf, I gave the following directives to use this database.

Now in NSS.conf I added the following lines to use the hardware accelerator:
NSSNickname "Sun Metaslot:ismc_cert"
NSSCertificateDatabase /opt/SMC/Apache2/nssdb

Now everything is working fine, the requests are getting processed correctly. But the issue is that the rsaprivate value is not getting incremented in the kstat -n mca0 output, which means that it is not using the hardware accelerator card. I have also given cryptoadm enable metaslot token=<tokenname> so as to use the hardware accelerator. Any suggestions? (When we try to use mod_ssl using the pkcs patch, it's correctly incrementing the rsaprivate values.)

Make sure that the software token does not have the given cert and private key (actually make sure it doesn't have a cert with the same Subject and a corresponding private key -- NOTE: it should be sufficient to just remove the private key). If you do that there is no way that you can make the connection without using the accelerator for the RSA private op (since NSS does not have access to the private key itself).
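A small check for the condition the reply describes, added here as an example (not from the thread or from the NSS project): it reads a `certutil -K` listing of the NSS software token on stdin and reports whether that token still holds a private key under the nickname mod_nss will use. It assumes the listing lines have the layout `< 0> rsa <CKA_ID hex> nickname`; the sample listing below is constructed.

```sh
#!/bin/sh
# softkey_check NICK
#   Reads a "certutil -K -d <dbdir> -h 'NSS Certificate DB'" listing on stdin.
#   Prints any key line whose nickname is NICK and returns 1 if one exists,
#   0 if the software token holds no private key for that nickname.
#   While such a key exists, NSS can do the RSA private operation in software,
#   so the accelerator's rsaprivate counter never moves.
softkey_check() {
    nick=$1
    # Assumed line layout: "< 0> rsa   <CKA_ID hex>   nickname".
    # Compare the line suffix to the nickname (allows spaces in the nickname,
    # no regex escaping needed) and require whitespace right before it.
    matches=$(awk -v n="$nick" '
        /^< *[0-9]+> +[a-zA-Z]+/ && length($0) > length(n) &&
        substr($0, length($0) - length(n) + 1) == n &&
        substr($0, length($0) - length(n), 1) ~ /[ \t]/ { print }')
    if [ -n "$matches" ]; then
        printf 'software token still has a private key for "%s":\n%s\n' "$nick" "$matches"
        return 1
    fi
    printf 'no software private key named "%s"; the RSA private op must use the hardware token\n' "$nick"
    return 0
}

# softkey_check_db DBDIR NICK  -- live form, runs certutil against a real database
# (hypothetical helper; requires certutil on the PATH).
softkey_check_db() {
    certutil -K -d "$1" -h "NSS Certificate DB" | softkey_check "$2"
}

# Constructed sample of a certutil -K listing for the software token.
SAMPLE_LISTING='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      0123456789abcdef0123456789abcdef01234567   ismc_cert
< 1> rsa      89abcdef0123456789abcdef0123456789abcdef   other_cert'

# Example run on the constructed sample: exits 1 and prints the ismc_cert key line.
# printf '%s\n' "$SAMPLE_LISTING" | softkey_check ismc_cert
```

Against a real database, run `softkey_check_db /opt/SMC/Apache2/nssdb ismc_cert`; if it reports a key, `certutil -F -d /opt/SMC/Apache2/nssdb -n ismc_cert` removes the software copy so only the "Sun Metaslot:ismc_cert" key remains.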


