[Mod_nss-list] Problem configuring Client certificate Authentication

Luis Neves luisneves at hotmail.com
Fri Sep 3 08:00:04 UTC 2010


Nice!

But tell me, what fixed the problem, the mod_nss compilation or the apache variables in the init script??

Luis

Date: Fri, 3 Sep 2010 09:33:57 +0200
From: ttormo at indenova.com
To: ttormo at indenova.com
CC: luisneves at hotmail.com; rcritten at redhat.com; mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication

Well... I made it work!!!

I didn't try Rob's solution yet... but when I tried it, it worked like a charm.

The problem is that in Ubuntu you don't have the /etc/sysconfig/httpd directory (it is supposed to be /etc/default/apache, but it doesn't work there...), so I had to set the environment variable in the init script (/etc/init.d/apache2).

So now, my test virtualhost looks like this:

<VirtualHost *:443>

ServerName amsterdam

LogLevel debug
ErrorLog /var/log/apache2/testmodnss/error.log
CustomLog /var/log/apache2/testmodnss/access.log combined
DocumentRoot /var/www/testmodnss

# ssl
NSSEngine on
RewriteEngine on
NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

NSSProtocol SSLv3,TLSv1

## Certificate database. It contains both public and private key of the
## ssl server. It also contains the CA certificate of the allowed client
## certificates
NSSCertificateDatabase /etc/apache2/certs/nss/

NSSNickName Server-Cert

# ssl client
<Location "/files">
    NSSRequireSSL
    NSSVerifyClient require
</Location>

</VirtualHost>

NSSPassPhraseHelper /usr/sbin/nss_pcache

Quite simple now... isn't it?

And, what's more, the certificates that weren't working with mod_ssl (Luis knows what I'm talking about ;) ) now work.

Thank you very much once more!!!


On 03/09/10 08:33, Tomás Tormo wrote:

First of all, thank you very much to both of you for your help. Yesterday I had a meeting the whole day, that's why I couldn't answer the emails...

Currently, I'm doing all my tests with an Ubuntu Linux 10.04, using Apache 2.2.14 with mod_nss 1.0.8. I downloaded the source from http://directory.fedoraproject.org/wiki/Mod_nss and compiled it. The SSL connection is working... but I have the problem I told you about with SSL client.

After all the emails, I'm trying the last solution, the one which Luis told me. I tried to use the directive

NSSRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    and %{SSL_CLIENT_VERIFY} eq "SUCCESS"   )

and it works... but it also asks for the certificate the first time you connect... I would like it to ask for the certificate just when the user clicks some link (I got it working with mod_ssl). Do you know any solution for this?

By the way... which language is the one NSSRequire is using for the conditions?

Thank you very much. I'll continue with the research.

On 02/09/10 12:07, Luis Neves wrote:

Hi again!
Sorry everybody for so many posts.

Hello Tomas,

What seems to be the best practice in this case is putting NSSVerifyClient optional outside the Location and then playing with SSLRequire (or NSSRequire in the mod_nss case), like for example:

<Location />
NSSRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
            and %{SSL_CLIENT_S_DN_O} eq "mycompany"  \
            and %{SSL_CLIENT_S_DN_OU} in {"myrole"})
</Location>

or:

NSSRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    and %{SSL_CLIENT_VERIFY} eq "SUCCESS"   )

or using a virtualhost just for the authenticated part of the site.

Best regards,

Luis

From: luisneves at hotmail.com
To: rcritten at redhat.com; ttormo at indenova.com
Date: Thu, 2 Sep 2010 08:36:20 +0000
CC: mod_nss-list at redhat.com
Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication

Hi Rob, indeed I've tested it myself and have the same renegotiation error as well.

Played with the settings I've told Tomas about but still got the problem.

Played with the Apache env variables you mentioned but to no avail, same problem.

Will read your link carefully, but it looks like the only solution is avoiding at all costs using VerifyClient inside Location tags... :(

Luis


> Date: Wed, 1 Sep 2010 08:59:01 -0400
> From: rcritten at redhat.com
> To: ttormo at indenova.com
> CC: mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
> 
> Tomás Tormo wrote:
> > Greetings
> >
> > I'm trying to configure mod_nss in Apache in order to use it as my client certificate authentication mechanism, but I'm having problems with it..
> >
> > I'd like to use client authentication in some parts of a website... so I tried to do it as with mod_ssl, using the Location directive with the NSSVerifyClient require directive inside, but it never works... I always get this error...
> >
> > [Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation
> > [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing full renegotiation: complete handshake protocol
> > [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting re-negotiation handshake
> > [Mon Aug 30 14:17:34 2010] [info] Read error -12176
> > [Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not accepted by client!?
> > [Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer: https://amsterdam/
> > [Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input filter read failed.
> > [Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server amsterdam:443, client 192.168.125.53)
> >
> > After this, I checked the documentation and it says I can work per-server or per-directory context... So I tried to do it per-server and it works perfectly.. but, as I told you, this is not the solution I'm looking for.. so I tried to configure it per-directory... but it doesn't work either...
> >
> > Here I attach my per-directory configuration... It's just a test but this is more or less how it should look at the end:
> >
> > <VirtualHost *:443>
> >
> > ServerName amsterdam
> >
> > LogLevel debug
> > ErrorLog /var/log/apache2/testmodnss/error.log
> > CustomLog /var/log/apache2/testmodnss/access.log combined
> > DocumentRoot /var/www/testmodnss
> >
> > # ssl
> > NSSEngine on
> > RewriteEngine on
> > NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> >
> > NSSProtocol All
> >
> > ## Certificate database. It contains both public and private key of the
> > ## ssl server. It also contains the CA certificate of the allowed client
> > ## certificates
> > NSSCertificateDatabase /etc/apache2/certs/nss/
> >
> > NSSNickName Server-Cert
> >
> > # ssl client
> > <Directory "/var/www/testmodnss/files/">
> > AllowOverride all
> > NSSVerifyClient require
> > NSSOptions +ExportCertData
> > NSSOptions +StdEnvVars
> > </Directory>
> >
> > </VirtualHost>
> >
> > NSSPassPhraseHelper /usr/sbin/nss_pcache
> >
> > Could you please help me?
> >
> > Thank you very much
> 
> Sorry for the delayed response.
> 
> What version of mod_nss and which browser (and version) are you using? I wonder if you have a newer browser and an older mod_nss and are bumping into the SSL renegotiation changes that went into the NSS crypto system to handle http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555.
> 
> This KB article includes some tuning information for NSS in general: https://access.redhat.com/kb/docs/DOC-20491
> 
> The latest mod_nss provides some tuning knobs for this as mentioned by Luis (NSSRenegotiation and NSSRequireSafeNegotiation) that are equivalent to the environment variables in the KB article, just more convenient. mod_nss defaults to SSL_RENEGOTIATE_NEVER and setting NSSRenegotiation is the equivalent of SSL_RENEGOTIATE_REQUIRES_XTN.
> 
> So this is a long way of saying, try adding export NSS_SSL_ENABLE_RENEGOTIATION=u or NSS_SSL_ENABLE_RENEGOTIATION=r to your Apache environment (/etc/sysconfig/httpd on Red Hat and Fedora systems).
> 
> I'll be away again until next week in case you have any follow-up questions.
> 
> rob
> 
> _______________________________________________
> Mod_nss-list mailing list
> Mod_nss-list at redhat.com
> https://www.redhat.com/mailman/listinfo/mod_nss-list

-- 
Regards,

Tomás Tormo Franco
Systems department

INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48

ttormo at indenova.com
http://www.indenova.com

Download the free eSigna Viewer software to view electronically signed documents: http://www.indenova.com/eSignaViewer.php
  





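As an added example (not configuration posted by anyone in this thread), here is the layout Luis recommends, NSSVerifyClient optional at vhost scope with the check enforced by NSSRequire inside the Location, combined with the NSSRenegotiation and NSSRequireSafeNegotiation knobs Rob mentions. The paths, hostname and the "mycompany" organisation are placeholders taken from the thread; the NULL and export-grade entries that the posted NSSCipherSuite list enables are left out.

```apache
# Added example: one vhost, certificate requested once, enforced only for /files.
<VirtualHost *:443>
    ServerName amsterdam
    LogLevel info
    ErrorLog /var/log/apache2/testmodnss/error.log
    CustomLog /var/log/apache2/testmodnss/access.log combined
    DocumentRoot /var/www/testmodnss

    NSSEngine on

    # The list posted in the thread turns on rsa_null_md5, rsa_null_sha,
    # rsa_rc4_40_md5, rsa_rc4_56_sha and rsa_des_56_sha, i.e. no encryption
    # or export-strength keys. Enable only the strong RSA suites instead.
    NSSCipherSuite +rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_3des_sha
    NSSProtocol TLSv1

    # mod_nss defaults to SSL_RENEGOTIATE_NEVER (per Rob). Allow a renegotiation
    # handshake, but only with peers that send the safe-renegotiation extension.
    NSSRenegotiation on
    NSSRequireSafeNegotiation on

    # Server key/cert plus the CA that issued the client certificates.
    NSSCertificateDatabase /etc/apache2/certs/nss/
    NSSNickName Server-Cert

    # "optional" requests the client certificate in the initial handshake, so no
    # renegotiation is triggered later; a missing or bad cert does not fail here.
    NSSVerifyClient optional
    NSSOptions +StdEnvVars
    NSSOptions +ExportCertData

    # Enforcement happens per Location with the SSLRequire-style expression:
    # verified chain, non-NULL/non-export cipher, and the expected issuer Organization.
    <Location "/files">
        NSSRequireSSL
        NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
                     and %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
                     and %{SSL_CLIENT_S_DN_O} eq "mycompany" )
    </Location>
</VirtualHost>

NSSPassPhraseHelper /usr/sbin/nss_pcache
```

The trade-off is the one Tomás notices: with "optional" at vhost scope the browser is asked for a certificate on the first connection to this host, which is why Luis also suggests a separate VirtualHost for the authenticated part of the site. A request to /files without a valid certificate is refused by NSSRequire with 403, and the refusal is visible in error.log rather than as a failed renegotiation.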