Re: [Mod_nss-list] "SSL input filter read failed" error for apache with mod_nss

The problem with the Sun Metaslot was that you should use an env variable METASLOT_DISABLED=false and it uses the hardware!!

But it looks like I am back to square one!!! When I run mod_nss in FIPS mode, I am getting an "SSL disabled" error in the browser. When I checked the logs on the Apache side, it says:
SSL input filter read failed.
[Thu Aug 13 19:22:18 2009] [error] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code

But if I turn off FIPS in nss.conf (comment NSSFIPS on), the same browser connects.

I've attached the nss.conf file and the 2 error logs I get when I run in FIPS mode. Please advise.


On Wed, Aug 12, 2009 at 10:29 PM, Rob Crittenden <rcritten redhat com> wrote:
Rishi Renjith wrote:
I also tried this test.
*cryptoadm disable provider=mca/0 mechanism=all*

In this case, the handshake fails.
But if I disable only RSA in the card, cryptoadm disable provider=mca/0 mechanism=<all RSA mechanisms>
*it works, which means that the card is currently used for AES jobs and RSA jobs are done at the software level.*

Ok, looks like one of the SSL devs in mozilla.dev.tech.crypto (Nelson) thinks this is a question for the Sun Metaslot folks. I'm not sure why this works in mod_ssl with openssl, it may be that they explicitly configure things to work only in hardware.


