[Mod_nss-list] "SSL input filter read failed" error for apache with mod_nss

Rishi Renjith rishirenjith at gmail.com
Wed Aug 12 17:12:56 UTC 2009


When using mod_ssl, we just specify the crypto provider as *pkcs11* and it
will take care of the rest. The issue with mod_ssl is that the key is not
stored in the card; that is why we wanted to go with mod_nss.
Here in my case, the key and certificates are stored in the card, but
somehow the RSA encryption is not done in the card.

What puzzles me is that when I list the tokens using *modutil -list*, only
"Sun Metaslot" has the mechanism RSA associated with it, so
logically all RSA jobs should go to the card.

I also mailed the dev-tech-crypto list, but got no response. Do you
suspect that any of my libraries are not built properly? (NSPR, NSS,
mod_nss or Apache).

When using JSSE through tomcat or Apache through mod_ssl, the card is being
used for RSA jobs. The issue seems to be only with NSS :(

I will try to get in touch with the Sun Metaslot support tomorrow.

Rishi

On Wed, Aug 12, 2009 at 10:29 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Rishi Renjith wrote:
>
>> I also tried this test.
>> *cryptoadm disable provider=mca/0 mechanism=all*
>>
>> In this case, the handshake fails.
>> But..., if I disable only RSA in the card, cryptoadm disable
>> provider=mca/0 mechanism=<all RSA mechanisms>
>> *it works, which means that the card is currently used for AES jobs and
>> RSA jobs are done at the software level.*
>>
>
> Ok, looks like one of the SSL devs in mozilla.dev.tech.crypto (Nelson)
> thinks this is a question for the Sun Metaslot folks. I'm not sure why this
> works in mod_ssl with openssl, it may be that they explicitly configure
> things to work only in hardware.
>
> rob
>