[Mod_nss-list] nss.conf for doing maintenance

stokos at suse.de stokos at suse.de
Mon Aug 31 07:14:28 UTC 2015


On Thu, 27 Aug 2015 14:36:06 -0400
"Cohen, Laurence" <lcohen at novetta.com> wrote:

Hi Laurence,

> Hi,
> 
> I'm trying to set up an nss.conf to use while we are doing maintenance
> which will point all ssl traffic to a file called maintenance.html
> which simply states that we are doing maintenance on the server.  The
> rewrite.conf we have set up is working fine for port 80 traffic, but
> the nss.conf is not working.
> 
> Here are the errors I'm getting.  BTW, we are using a self signed cert
> because this is our test system.  I figured this would cause an info
> or at most a warning message, but not an error message.
> 
> [Thu Aug 27 13:38:00 2015] [info] Connection to child 0 established
> (server jamie-web1:443, client "Server IP")
> [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 established
> (server jamie-web1:443, client "Server IP")
> [Thu Aug 27 13:38:00 2015] [info] SSL input filter read failed.
> [Thu Aug 27 13:38:00 2015] [error] SSL Library Error: -12195 Peer
> does not recognize and trust the CA that issued your certificate
> [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 closed (server
> jamie-web1.novetta.com:443, client Server IP)
> [Thu Aug 27 13:38:00 2015] [info] SSL library error -8172 writing data
> [Thu Aug 27 13:38:00 2015] [info] SSL Library Error: -8172
> Certificate is signed by an untrusted issuer
> [Thu Aug 27 13:38:00 2015] [error] (20014)Internal error: proxy: pass
> request body failed to 10.3.238.21:443 (jamie-web1)
> [Thu Aug 27 13:38:00 2015] [error] proxy: pass request body failed to
> Server IP:443 (jamie-web1) from Server IP ()
> [Thu Aug 27 13:38:00 2015] [info] Connection to child 1 closed (server
> jamie-web1:443, client "Workstation IP")
> 

I suppose that this problem is with the CA certificate on the remote server:

You have two possible solutions:

1. add CA from remote server to your certificate database at PROXY
server
2. build mod_nss with a patch from this email


PS: I have already worked on a similar problem for our customer. 

Have a nice day

Standa 

> This is the nss.conf I'm using.
> 
> Listen 443
> 
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
> 
> NSSPassPhraseDialog file:/etc/httpd/.password.conf
> #NSSPassPhraseDialog  builtin
> 
> NSSPassPhraseHelper /usr/sbin/nss_pcache
> 
> NSSSessionCacheSize 10000
> NSSSessionCacheTimeout 100
> NSSSession3CacheTimeout 86400
> 
> 
> NSSRandomSeed startup builtin
> 
> 
> <VirtualHost _default_:443>
> 
> DocumentRoot "/var/www/docroot"
> NSSProxyCheckPeerCN Off
> NSSEngine on
> NSSProxyEngine on
> NSSEnforceValidCerts off
> NSSRenegotiation on
> NSSRequireSafeNegotiation on
> 
> NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> 
> NSSProxyCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> 
> NSSProtocol TLSv1
> NSSNickname Server-Cert
> NSSCertificateDatabase /etc/httpd/alias
> NSSFIPS on
> NSSOCSP off
> 
> ProxyPreserveHost On
> 
> 
> <Location />
> #SSLRenegBufferSize 52430000
>       NSSVerifyClient optional
>       NSSOptions +ExportCertData +StdEnvVars
>       ProxyPass https://jamie-web1/maintenance.html
>       ProxyPassReverse https://jamie-web1/maintenance.html
> </Location>
> 
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>     NSSOptions +StdEnvVars
> </Files>
> <Directory "/var/www/cgi-bin">
>     NSSOptions +StdEnvVars
> </Directory>
> 
> 
> # initialize the SSL headers to a blank value to avoid http header forgeries
> RequestHeader set SSL_CLIENT_CERT ""
> RequestHeader set SSL_CIPHER ""
> RequestHeader set SSL_SESSION_ID ""
> RequestHeader set SSL_CIPHER_USEKEYSIZE ""
> 
> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
> RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
> RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
> RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
> 
> CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_CLIENT_CERT}x %{SSL_CLIENT_S_DN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> 
> 
> ErrorLog /etc/httpd/logs/error_log
> TransferLog /etc/httpd/logs/access_log
> LogLevel info
> 
> </VirtualHost>
> 
> If anyone can help I'd appreciate it.
> 
> Thanks,
> 
> Larry Cohen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: proxy-NSSProxyCheckPeerCA-off.patch
Type: text/x-patch
Size: 10324 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/mod_nss-list/attachments/20150831/d1c8ec32/attachment.bin>
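The reply's diagnosis is that the proxy side of mod_nss, acting as a TLS client towards jamie-web1, does not trust the issuer of the backend's self-signed certificate, so the outbound connection fails before the maintenance page can be fetched. The following script is an added example, not code from this thread or from the mod_nss project: it parses mod_nss error-log entries of the shape quoted above (the sample log is constructed from those entries, re-joined one per line), tells apart the alert the backend sent back (-12195) from the verification failure raised locally by the proxy's NSS (-8172), and, for the first of the two solutions in the reply, prints the `certutil` import into the `NSSCertificateDatabase` path from the posted nss.conf. The error-code names are NSS's own symbols from `sslerr.h` and `secerr.h`; the CA file name and certificate nickname are assumptions an operator must replace.

```python
"""Triage mod_nss error-log lines for a backend certificate-trust failure.

Added example, not code from the mailing-list thread or the mod_nss project.
SAMPLE_LOG is constructed from the entries quoted in the thread, one per
line. Error-code names are NSS's own symbols (sslerr.h, secerr.h); the
remediation file name and nickname are assumptions to adjust.
"""
import re
from collections import Counter

# NSS error-code ranges (sslerr.h / secerr.h): each base spans 1000 codes.
SSL_ERROR_BASE = -0x3000   # -12288: TLS-level errors, including alerts from the peer
SEC_ERROR_BASE = -0x2000   # -8192: local security-library errors

# Verdicts NSS raises when *this* side rejects the peer's certificate chain.
LOCAL_TRUST_ERRORS = {
    SEC_ERROR_BASE + 13: "SEC_ERROR_UNKNOWN_ISSUER",    # -8179
    SEC_ERROR_BASE + 20: "SEC_ERROR_UNTRUSTED_ISSUER",  # -8172 (seen in the thread)
    SEC_ERROR_BASE + 21: "SEC_ERROR_UNTRUSTED_CERT",    # -8171
}
# Alert the *peer* sends back when it rejects the certificate we presented.
SSL_ERROR_UNKNOWN_CA_ALERT = SSL_ERROR_BASE + 93        # -12195 (seen in the thread)

LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
CODE_RE = re.compile(r"(?<![\w-])(-\d{4,5})\b")
PROXY_FAIL_RE = re.compile(r"proxy: pass request body failed to (?P<backend>\S+)")

# Constructed sample: the thread's log entries, re-joined one per line.
SAMPLE_LOG = """\
[Thu Aug 27 13:38:00 2015] [info] Connection to child 0 established (server jamie-web1:443, client "Server IP")
[Thu Aug 27 13:38:00 2015] [info] SSL input filter read failed.
[Thu Aug 27 13:38:00 2015] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
[Thu Aug 27 13:38:00 2015] [info] SSL library error -8172 writing data
[Thu Aug 27 13:38:00 2015] [info] SSL Library Error: -8172 Certificate is signed by an untrusted issuer
[Thu Aug 27 13:38:00 2015] [error] (20014)Internal error: proxy: pass request body failed to 10.3.238.21:443 (jamie-web1)
"""


def side(code):
    """Which side rejected a certificate, judged from the NSS code alone."""
    if code in LOCAL_TRUST_ERRORS:
        return "local-verify"   # our NSS rejected the peer's chain
    if code == SSL_ERROR_UNKNOWN_CA_ALERT:
        return "peer-alert"     # the peer rejected the chain we sent
    if SSL_ERROR_BASE <= code < SSL_ERROR_BASE + 1000:
        return "ssl-other"
    if SEC_ERROR_BASE <= code < SEC_ERROR_BASE + 1000:
        return "sec-other"
    return "unknown"


def code_name(code):
    """Symbolic NSS name for the codes this script knows about."""
    if code == SSL_ERROR_UNKNOWN_CA_ALERT:
        return "SSL_ERROR_UNKNOWN_CA_ALERT"
    return LOCAL_TRUST_ERRORS.get(code, "?")


def remediation(db_dir="/etc/httpd/alias", ca_file="/root/backend-ca.pem",
                nickname="jamie-web1-issuer", self_signed=False):
    """certutil commands that make the proxy trust the backend's certificate.

    db_dir is the NSSCertificateDatabase from the posted nss.conf; ca_file and
    nickname are assumed names. 'C,,' marks an imported CA as trusted to issue
    TLS server certificates; a self-signed backend cert has no separate CA, so
    the cert itself is imported as a trusted peer ('P,,').
    """
    trust = "P,," if self_signed else "C,,"
    return [
        f"certutil -d {db_dir} -A -n '{nickname}' -t '{trust}' -a -i {ca_file}",
        f"certutil -d {db_dir} -L -n '{nickname}'",  # confirm it landed in the database
    ]


def triage(log_text, self_signed=False):
    """Count NSS error codes, find failing backends and decide on a remediation."""
    codes = Counter()
    backends = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        for c in CODE_RE.findall(msg):
            codes[int(c)] += 1
        pf = PROXY_FAIL_RE.search(msg)
        if pf:
            backends.add(pf.group("backend"))
    local_reject = any(side(c) == "local-verify" for c in codes)
    if local_reject and backends:
        verdict = "proxy_distrusts_backend_issuer"
        fix = remediation(self_signed=self_signed)
    else:
        verdict = "no_backend_trust_failure"
        fix = []
    return {"codes": dict(codes), "backends": sorted(backends),
            "verdict": verdict, "remediation": fix}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for code, n in sorted(result["codes"].items()):
        print(f"{code} {code_name(code)} x{n} ({side(code)})")
    print("verdict:", result["verdict"], "backends:", result["backends"])
    for cmd in result["remediation"]:
        print("  ", cmd)
```

The point of separating `peer-alert` from `local-verify` is that the same handshake shows up twice in one log when the proxy talks to a backend on the same host: the `-8172` entries are the proxy's own NSS refusing the backend chain, and `-12195` is the backend recording the unknown_ca alert it received. Note that `NSSProxyCheckPeerCN Off` in the posted config only disables hostname matching against the CN; it does not skip issuer validation, which is why the database import (or the patch attached to the reply) is needed.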
