[Mod_nss-list] Problem configuring Client certificate Authentication

Tomás Tormo ttormo at indenova.com
Fri Sep 3 06:33:48 UTC 2010


First of all, thank you very much to both of you for your help. 
Yesterday I had a meeting the whole day, that's why I couldn't answer 
the emails...

Currently, I'm doing all my tests with Ubuntu Linux 10.04, using 
Apache 2.2.14 with mod_nss 1.0.8. I downloaded the source from 
http://directory.fedoraproject.org/wiki/Mod_nss and compiled it. The 
SSL connection is working... but I have the problem I told you with SSL 
client.

After all the emails, I'm trying the last solution, the one which Luis 
told me. I tried to use the directive

NSSRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
     and %{SSL_CLIENT_VERIFY} eq "SUCCESS"   )

and it works... but it also asks for the certificate the first time you 
connect... I would like it to ask for the certificate just when the user 
clicks some link (I got it working with mod_ssl). Do you know any 
solution for this?

By the way.. which language is the one NSSRequire is using for the 
conditions?

Thank you very much. I'll continue with the research


On 02/09/10 12:07, Luis Neves wrote:
> Hi again! Sorry everybody for so many posts
>
> Hello Tomas,
> What seems to be best practice in this case is
>
> putting the NSSVerifyClient optional outside Location and then playing 
> with the SSLRequire (or NSSRequire in the mod_nss case)
> like for example:
>
> <Location />
> NSSRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
>             and %{SSL_CLIENT_S_DN_O} eq "mycompany"  \
>             and %{SSL_CLIENT_S_DN_OU} in {"myrole"})
> </Location>
>
> or:
>
> NSSRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
>     and %{SSL_CLIENT_VERIFY} eq "SUCCESS"   )
>
>
> or using a virtualhost just for the authenticated part of the site
>
> Regards
> Luis
>
> ------------------------------------------------------------------------
> From: luisneves at hotmail.com
> To: rcritten at redhat.com; ttormo at indenova.com
> Date: Thu, 2 Sep 2010 08:36:20 +0000
> CC: mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
>
> Hi Rob, indeed I've tested it myself and have the same renegotiation 
> error as well
>
> Played with the settings I've told Tomas about but still got the problem
> Played with the Apache env variables you mentioned but to no avail, 
> same problem.
>
> Will read carefully your link but it looks like the only solution is 
> avoiding at all costs using verifyclient inside location tags... :(
>
> Luis
>
>
> > Date: Wed, 1 Sep 2010 08:59:01 -0400
> > From: rcritten at redhat.com
> > To: ttormo at indenova.com
> > CC: mod_nss-list at redhat.com
> > Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
> >
> > Tomás Tormo wrote:
> > > Greetings
> > >
> > > I'm trying to configure mod_nss in Apache in order to use it as my
> > > client certificate authentication mechanism, but I'm having problems
> > > with it..
> > >
> > > I'd like to use client authentication in some parts of a website... so I
> > > tried to do it as with mod_ssl, using the Location directive with the
> > > NSSVerifyClient require directive inside, but it never works... I always
> > > get this error...
> > >
> > > [Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation
> > > [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing
> > > full renegotiation: complete handshake protocol
> > > [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting
> > > re-negotiation handshake
> > > [Mon Aug 30 14:17:34 2010] [info] Read error -12176
> > > [Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not
> > > accepted by client!?
> > > [Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client
> > > 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer:
> > > https://amsterdam/
> > > [Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input
> > > filter read failed.
> > > [Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server
> > > amsterdam:443, client 192.168.125.53)
> > >
> > > After this, I checked the documentation and it says I can work in
> > > per-server or per-directory context... So I tried to do it per-server
> > > and it works perfectly.. but, as I told you, this is not the solution
> > > I'm looking for.. so I tried to configure it per-directory... but it
> > > doesn't work either...
> > >
> > > Here I attach my per-directory configuration... It's just a test but this
> > > is more or less how it should look at the end:
> > >
> > >
> > >
> > > <VirtualHost *:443>
> > >
> > > ServerName amsterdam
> > >
> > > LogLevel debug
> > > ErrorLog /var/log/apache2/testmodnss/error.log
> > > CustomLog /var/log/apache2/testmodnss/access.log combined
> > > DocumentRoot /var/www/testmodnss
> > >
> > > # ssl
> > > NSSEngine on
> > > RewriteEngine on
> > > NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> > >
> > > NSSProtocol All
> > >
> > > ## Certificate database. It contains both public and private key of the
> > > ## ssl server. It also contains the CA certificate of the allowed client
> > > ## certificates
> > > NSSCertificateDatabase /etc/apache2/certs/nss/
> > >
> > > NSSNickName Server-Cert
> > >
> > > # ssl client: per-directory requirement on a filesystem path
> > > # (AllowOverride is only valid inside a Directory container)
> > > <Directory "/var/www/testmodnss/files/">
> > >
> > > AllowOverride all
> > > NSSVerifyClient require
> > > NSSOptions +ExportCertData
> > > NSSOptions +StdEnvVars
> > >
> > > </Directory>
> > >
> > > </VirtualHost>
> > >
> > > NSSPassPhraseHelper /usr/sbin/nss_pcache
> > >
> > > Could you please help me?
> > >
> > > Thank you very much
> >
> > Sorry for the delayed response.
> >
> > What version of mod_nss and which browser (and version) are you using? I
> > wonder if you have a newer browser and an older mod_nss and are bumping
> > into the SSL renegotiation changes that went into the NSS crypto system
> > to handle http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555.
> > This KB article includes some tuning information for NSS in general:
> > https://access.redhat.com/kb/docs/DOC-20491
> >
> > The latest mod_nss provides some tuning knobs for this as mentioned by
> > Luis (NSSRenegotiation and NSSRequireSafeNegotiation) that are
> > equivalent to the environment variables in the KB article, just more
> > convenient. mod_nss defaults to SSL_RENEGOTIATE_NEVER and setting
> > NSSRenegotiation is the equivalent of SSL_RENEGOTIATE_REQUIRES_XTN.
> >
> > So this is a long way of saying, try adding export
> > NSS_SSL_ENABLE_RENEGOTIATION=u or NSS_SSL_ENABLE_RENEGOTIATION=r to your
> > Apache environment (/etc/sysconfig/httpd on Red Hat and Fedora systems).
> >
> > I'll be away again until next week in case you have any follow-up
> > questions.
> >
> > rob
> >
> > _______________________________________________
> > Mod_nss-list mailing list
> > Mod_nss-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/mod_nss-list


-- 
Regards,

Tomás Tormo Franco
Systems department

INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48

ttormo at indenova.com
http://www.indenova.com

Download the free eSigna Viewer software to view electronically signed documents: http://www.indenova.com/eSignaViewer.php
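Pulling together Luis's suggestion (NSSVerifyClient optional at the virtual-host level, authorization decided by NSSRequire per path, or a separate virtual host for the authenticated area) and Rob's notes on the renegotiation knobs, the configuration below is an added example written for this thread; it is not from any of the posters nor from the mod_nss project. It avoids the renegotiation in the logged failure by asking for the client certificate once, during the initial handshake, so that no per-directory NSSVerifyClient ever forces a second handshake. NSSRequire takes the same boolean-expression syntax as mod_ssl's SSLRequire (that is the language asked about above). The hostnames, paths, the Server-Cert nickname, the "mycompany" organisation and the /files path are placeholders; NSSRenegotiation and NSSRequireSafeNegotiation are assumed to be present in the mod_nss 1.0.8 build the poster compiled, as Rob's message indicates.

```apache
# Added example (not the thread's or mod_nss's own configuration).
# Layout 1: one virtual host, certificate requested in the first handshake,
# access to protected paths decided by NSSRequire only.
# Placeholders: www.example.test, /var/www/example, /etc/apache2/certs/nss,
# Server-Cert, "mycompany", /files.
<VirtualHost *:443>
    ServerName www.example.test
    DocumentRoot /var/www/example

    NSSEngine on
    NSSCertificateDatabase /etc/apache2/certs/nss
    NSSNickname Server-Cert
    # Leave export-grade and NULL ciphers out at the cipher-suite level
    # rather than rejecting them later inside NSSRequire.
    NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha,+rsa_3des_sha,-rsa_null_md5,-rsa_null_sha
    NSSProtocol TLSv1

    # "optional" requests a certificate during the initial handshake and
    # still lets visitors without one reach public paths. The browser's
    # certificate chooser therefore appears on the first connection, which
    # is the behaviour reported above; there is no way around that in this
    # layout, because deferring the request is exactly what needs
    # renegotiation.
    NSSVerifyClient optional
    NSSOptions +StdEnvVars +ExportCertData

    # Nothing below triggers a renegotiation, so it stays disabled (the
    # mod_nss default). Only if NSSVerifyClient were re-introduced inside a
    # Directory/Location would NSSRenegotiation on plus
    # NSSRequireSafeNegotiation on (RFC 5746 only) be needed.
    NSSRenegotiation off
    NSSRequireSafeNegotiation on

    # Authorization only: no NSSVerifyClient in here.
    # SSL_CLIENT_VERIFY is "SUCCESS" only when the presented certificate
    # chained to a CA in the certificate database; "NONE" (no certificate)
    # or a failed verification makes the expression false and yields 403.
    <Location /files>
        NSSRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
                   and %{SSL_CLIENT_S_DN_O} eq "mycompany" \
                   and %{SSL_CLIENT_S_DN_OU} in {"myrole", "admins"}
    </Location>
</VirtualHost>

# Layout 2 (Luis's other option): a dedicated virtual host that requires
# the certificate for everything it serves. Visitors to the public host are
# never prompted; the "login" link points at this host instead. It listens
# on its own port here because mod_nss 1.0.8 has no SNI, so name-based TLS
# virtual hosts on one address/port are not an option.
<VirtualHost *:8443>
    ServerName secure.example.test
    DocumentRoot /var/www/example/files

    NSSEngine on
    NSSCertificateDatabase /etc/apache2/certs/nss
    NSSNickname Server-Cert
    NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha,+rsa_3des_sha,-rsa_null_md5,-rsa_null_sha
    NSSProtocol TLSv1

    # Server-wide "require": the handshake itself fails without a valid
    # certificate, so no Directory/Location block and no renegotiation.
    NSSVerifyClient require
    NSSOptions +StdEnvVars +ExportCertData
    NSSRenegotiation off
</VirtualHost>

# Server-config context, outside any virtual host.
NSSPassPhraseHelper /usr/sbin/nss_pcache
```

With layout 1 the certificate prompt happens on the first TLS connection to the host, exactly as described in the reply above; only the 403 decision moves per path. A renegotiation failure like the logged `Re-negotiation handshake failed: Not accepted by client!?` should not appear with either layout, and if it does, the place to look is for a stray NSSVerifyClient inside a Directory or Location container.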
