[Mod_nss-list] Problem configuring Client certificate Authentication
Tomás Tormo
ttormo at indenova.com
Fri Sep 3 09:16:17 UTC 2010
No problem!!
I removed the variable and it stopped working... then I put it back and it worked. I'm using NSS_SSL_ENABLE_RENEGOTIATION=u
If you are using Ubuntu, you should modify the /etc/init.d/apache2 script, because I tried it in other scripts and it didn't work...
If you are using this distro (and you installed apache2 from the repository), what you have to do is put

    ENV="$ENV NSS_SSL_ENABLE_RENEGOTIATION=u"

just below

    ENV="env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin"

so it should look like this (it's right at the beginning of the script):

    ENV="env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin"
    ENV="$ENV NSS_SSL_ENABLE_RENEGOTIATION=u"

I did it like this because if I want to disable it I just have to comment out that line.
Which distro are you using?
On 03/09/10 10:28, Luis Neves wrote:
> Is it too much to ask you to test once more with and without that variable (and which value did you use)?
>
> It's just because I've tried to use the variables and they didn't work for me!
>
> ------------------------------------------------------------------------
> Date: Fri, 3 Sep 2010 10:03:33 +0200
> From: ttormo at indenova.com
> To: luisneves at hotmail.com
> CC: rcritten at redhat.com; mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
>
> I think it was the Apache variable, because I've been using the same mod_nss compilation the whole time...
>
>
> On 03/09/10 10:00, Luis Neves wrote:
>
> Nice!
>
> But tell me, what fixed the problem, the mod_nss compilation or the Apache variables in the init script??
>
> Luis
>
> ------------------------------------------------------------------------
> Date: Fri, 3 Sep 2010 09:33:57 +0200
> From: ttormo at indenova.com <mailto:ttormo at indenova.com>
> To: ttormo at indenova.com <mailto:ttormo at indenova.com>
> CC: luisneves at hotmail.com <mailto:luisneves at hotmail.com>;
> rcritten at redhat.com <mailto:rcritten at redhat.com>;
> mod_nss-list at redhat.com <mailto:mod_nss-list at redhat.com>
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
>
> Well... I made it work!!!
>
> I hadn't tried Rob's solution yet... but when I tried it, it worked like a charm.
>
> The problem is that in Ubuntu you don't have the /etc/sysconfig/httpd directory (it is supposed to be /etc/default/apache, but it doesn't work there...), so I had to set the environment variable in the init script (/etc/init.d/apache2).
>
> So now, my test virtualhost looks like this:
>
>     <VirtualHost *:443>
>
>         ServerName amsterdam
>
>         LogLevel debug
>         ErrorLog /var/log/apache2/testmodnss/error.log
>         CustomLog /var/log/apache2/testmodnss/access.log combined
>         DocumentRoot /var/www/testmodnss
>
>         # ssl
>         NSSEngine on
>         RewriteEngine on
>         NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
>         NSSProtocol SSLv3,TLSv1
>
>         ## Certificate database. It contains both the public and private key
>         ## of the SSL server. It also contains the CA certificate of the
>         ## allowed client certificates
>         NSSCertificateDatabase /etc/apache2/certs/nss/
>
>         NSSNickName Server-Cert
>
>         # ssl client
>         <Location "/files">
>             NSSRequireSSL
>             NSSVerifyClient require
>         </Location>
>
>     </VirtualHost>
>
>     NSSPassPhraseHelper /usr/sbin/nss_pcache
>
> Quite simple now, isn't it?
>
> And, what's more, the certificates that weren't working with
> mod_ssl (Luis knows what I'm talking about ;) ) now work.
>
> Thank you very much once more!!!
>
>
>
>
>
> On 03/09/10 08:33, Tomás Tormo wrote:
>
> First of all, thank you very much to both of you for your help. Yesterday I had a meeting the whole day, that's why I couldn't answer the emails...
>
> Currently, I'm doing all my tests with Ubuntu Linux 10.04, using Apache 2.2.14 with mod_nss 1.0.8. I downloaded the source from http://directory.fedoraproject.org/wiki/Mod_nss and compiled it. The SSL connection is working... but I have the problem I told you about with the SSL client.
>
> After all the emails, I'm trying the last solution, the one which Luis told me. I tried to use the directive
>
>     NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
>                 and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
>
> and it works... but it also asks for the certificate the first time you connect... I would like it to ask for the certificate only when the user clicks some link (I got it working with mod_ssl). Do you know any solution for this?
>
> By the way, which language is the one NSSRequire is using for the conditions?
>
> Thank you very much. I'll continue with the research.
>
>
> On 02/09/10 12:07, Luis Neves wrote:
>
> Hi again! Sorry everybody for so many posts.
>
> Hi Tomás,
> What seems to be the best practice in this case is putting NSSVerifyClient optional outside the Location and then playing with SSLRequire (or NSSRequire in the mod_nss case), like for example:
>
>     <Location />
>         NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
>                     and %{SSL_CLIENT_S_DN_O} eq "mycompany" \
>                     and %{SSL_CLIENT_S_DN_OU} in {"myrole"})
>     </Location>
>
> or:
>
>     NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
>                 and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
>
> or using a virtualhost just for the authenticated part of the site.
>
> Cheers,
> Luis
>
> ------------------------------------------------------------------------
> From: luisneves at hotmail.com <mailto:luisneves at hotmail.com>
> To: rcritten at redhat.com <mailto:rcritten at redhat.com>;
> ttormo at indenova.com <mailto:ttormo at indenova.com>
> Date: Thu, 2 Sep 2010 08:36:20 +0000
> CC: mod_nss-list at redhat.com <mailto:mod_nss-list at redhat.com>
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
>
> Hi Rob, indeed I've tested it myself and have the same renegotiation error as well.
>
> I played with the settings I told Tomás about but still got the problem.
> I played with the Apache env variables you mentioned but to no avail, same problem.
>
> I will read your link carefully, but it looks like the only solution is avoiding at all costs using verifyclient inside location tags... :(
>
> Luis
>
>
> > Date: Wed, 1 Sep 2010 08:59:01 -0400
> > From: rcritten at redhat.com <mailto:rcritten at redhat.com>
> > To: ttormo at indenova.com <mailto:ttormo at indenova.com>
> > CC: mod_nss-list at redhat.com <mailto:mod_nss-list at redhat.com>
> > Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
> >
> > Tomás Tormo wrote:
> > > Greetings
> > >
> > > I'm trying to configure mod_nss in Apache in order to use it as my client certificate authentication mechanism, but I'm having problems with it..
> > >
> > > I'd like to use client authentication in some parts of a website... so I tried to do it as with mod_ssl, using the Location directive with the NSSVerifyClient require directive inside, but it never works... I always get this error...
> > >
> > > [Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation
> > > [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing full renegotiation: complete handshake protocol
> > > [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting re-negotiation handshake
> > > [Mon Aug 30 14:17:34 2010] [info] Read error -12176
> > > [Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not accepted by client!?
> > > [Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer: https://amsterdam/
> > > [Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input filter read failed.
> > > [Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server amsterdam:443, client 192.168.125.53)
> > >
> > > After this, I checked the documentation and it says I can work in a per-server or per-directory context... So I tried to do it per-server and it works perfectly.. but, as I told you, this is not the solution I'm looking for.. so I tried to configure it per-directory... but it doesn't work either...
> > >
> > > Here I attach my per-directory configuration... It's just a test but this is more or less how it should look at the end:
> > >
> > >     <VirtualHost *:443>
> > >
> > >         ServerName amsterdam
> > >
> > >         LogLevel debug
> > >         ErrorLog /var/log/apache2/testmodnss/error.log
> > >         CustomLog /var/log/apache2/testmodnss/access.log combined
> > >         DocumentRoot /var/www/testmodnss
> > >
> > >         # ssl
> > >         NSSEngine on
> > >         RewriteEngine on
> > >         NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> > >
> > >         NSSProtocol All
> > >
> > >         ## Certificate database. It contains both the public and private key
> > >         ## of the SSL server. It also contains the CA certificate of the
> > >         ## allowed client certificates
> > >         NSSCertificateDatabase /etc/apache2/certs/nss/
> > >
> > >         NSSNickName Server-Cert
> > >
> > >         # ssl client
> > >         <Directory "/var/www/testmodnss/files/">
> > >             AllowOverride all
> > >             NSSVerifyClient require
> > >             NSSOptions +ExportCertData
> > >             NSSOptions +StdEnvVars
> > >         </Directory>
> > >
> > >     </VirtualHost>
> > >
> > >     NSSPassPhraseHelper /usr/sbin/nss_pcache
> > >
> > > Could you please help me?
> > >
> > > Thank you very much
> >
> > Sorry for the delayed response.
> >
> > What version of mod_nss and which browser (and version) are you using? I wonder if you have a newer browser and an older mod_nss and are bumping into the SSL renegotiation changes that went into the NSS crypto system to handle http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555. This KB article includes some tuning information for NSS in general: https://access.redhat.com/kb/docs/DOC-20491
> >
> > The latest mod_nss provides some tuning knobs for this as mentioned by Luis (NSSRenegotiation and NSSRequireSafeNegotiation) that are equivalent to the environment variables in the KB article, just more convenient. mod_nss defaults to SSL_RENEGOTIATE_NEVER and setting NSSRenegotiation is the equivalent of SSL_RENEGOTIATE_REQUIRES_XTN.
> >
> > So this is a long way of saying, try adding export NSS_SSL_ENABLE_RENEGOTIATION=u or NSS_SSL_ENABLE_RENEGOTIATION=r to your Apache environment (/etc/sysconfig/httpd on Red Hat and Fedora systems).
> >
> > I'll be away again until next week in case you have any follow-up questions.
> >
> > rob
> >
> > _______________________________________________
> > Mod_nss-list mailing list
> > Mod_nss-list at redhat.com <mailto:Mod_nss-list at redhat.com>
> > https://www.redhat.com/mailman/listinfo/mod_nss-list
>
--
Regards,
Tomás Tormo Franco
Systems department
INDENOVA S.L.
C/ Dels Traginers 14, 2º B
Polígono Vara de Quart
46014 Valencia
Tel. (34) 96 381 99 47
Fax. (34) 96 381 99 48
ttormo at indenova.com
http://www.indenova.com
Download the eSigna Viewer software for free to view electronically signed documents: http://www.indenova.com/eSignaViewer.php
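Added example, not part of the thread and not code from mod_nss, NSS or the Ubuntu init script: a small POSIX shell script that checks the two things the thread ended up debugging. First, whether NSS_SSL_ENABLE_RENEGOTIATION actually reached the running httpd. The init script excerpt quoted above starts Apache through "env -i", which discards the inherited environment, so a variable exported in the surrounding shell (for instance from /etc/default/apache2) never reaches httpd, while a value appended to the ENV= string does; /proc/<pid>/environ shows what a worker really sees. Second, whether the configuration sets NSSVerifyClient inside a <Location>/<Directory>/<Files> block, which is what forces the renegotiation that NSS refuses by default after the CVE-2009-3555 changes. The mode names are NSS's own (NSS looks only at the first character of the variable, so "u" and "unrestricted" are the same); "u" also renegotiates with clients that lack the RFC 5746 extension, which is the exposure the CVE fix closed, so "r" (requires-xtn) is the safer of the two values Rob offered. The pgrep pattern and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the mod_nss thread): check (1) which NSS
# renegotiation mode a running httpd process actually has, and (2) whether
# an Apache config requests client certificates per-directory, which is
# what makes mod_nss renegotiate in the first place.

# Print the renegotiation mode for a NUL-separated environ dump such as
# /proc/PID/environ (readable by root or the process owner). NSS decides
# on the first character of NSS_SSL_ENABLE_RENEGOTIATION; unset means
# its post-CVE-2009-3555 default, "never".
nss_reneg_mode_from_environ() {
    value=$(tr '\0' '\n' < "$1" |
            sed -n 's/^NSS_SSL_ENABLE_RENEGOTIATION=//p' | tail -n 1)
    case "$value" in
        ''|0|[nN]*) echo "never" ;;         # default: per-dir NSSVerifyClient fails
        1|[uU]*)    echo "unrestricted" ;;  # also pre-RFC 5746 clients (the CVE exposure)
        2|[rR]*)    echo "requires-xtn" ;;  # only clients sending the RFC 5746 extension
        3|[tT]*)    echo "transitional" ;;
        *)          echo "unknown:$value" ;;
    esac
}

# List every NSSVerifyClient directive other than "none" that sits inside a
# <Location>, <Directory> or <Files> block, as "line:enclosing-block".
# Empty output means client verification is only set per-server, so no
# renegotiation is needed (NSSVerifyClient optional at vhost level plus
# NSSRequire on SSL_CLIENT_VERIFY per path, as suggested in the thread).
per_dir_verify_client() {
    awk '
        /^[ \t]*<(Location|Directory|Files)(Match)?[ \t>]/ {
            depth++; block[depth] = $0; sub(/^[ \t]+/, "", block[depth])
        }
        /^[ \t]*<\/(Location|Directory|Files)(Match)?>/ { if (depth > 0) depth-- }
        $1 == "NSSVerifyClient" && $2 != "none" && depth > 0 { print NR ":" block[depth] }
    ' "$1"
}

# Stand-alone use: ./check_nss_reneg.sh /etc/apache2/sites-enabled/my-site
# Without an argument only the functions are defined (so the file can be sourced).
if [ -n "${1:-}" ]; then
    # Assumption: the workers are named apache2 or httpd.
    for pid in $(pgrep -x 'apache2|httpd' 2>/dev/null); do
        [ -r "/proc/$pid/environ" ] &&
            echo "pid $pid: NSS renegotiation mode $(nss_reneg_mode_from_environ "/proc/$pid/environ")"
    done
    echo "per-directory NSSVerifyClient (forces renegotiation):"
    per_dir_verify_client "$1"
fi
```

Run it against the live server after changing /etc/init.d/apache2 and restarting: if the workers still report "never", the variable did not survive "env -i". If the config lint prints the <Location "/files"> block, the server will have to renegotiate for that path whatever the environment says.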