Hello,

I am having trouble getting mod_nss to work in FIPS mode.

Summary of the problem: mod_nss works fine before FIPS mode is enabled, then cannot find the certificate after enabling it.

Here is my setup:

CentOS 5 64-bit
Apache 2.2.3 from distro RPM, pre-fork MPM
NSS libraries, tools, etc from distro RPMs (3.11.7-1.3)
I have tried both mod_nss from distro rpm (1.0.3-4) and 1.0.7 compiled from source

Here is the configuration for mod_nss I am using in Apache. It is basically the defaults:

Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
NSSPassPhraseDialog builtin
NSSPassPhraseHelper /usr/sbin/nss_pcache
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
NSSRandomSeed startup builtin
<VirtualHost _default_:443>
LogLevel warn
NSSEngine on
NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    NSSOptions +StdEnvVars
</Files>
<Directory "/etc/httpd/cgi-bin">
    NSSOptions +StdEnvVars
</Directory>
</VirtualHost>

This is using the /etc/httpd/alias cert database that the mod_nss RPM created with a default certificate named Server-Cert.

Using that default configuration, the Apache server starts fine and loads mod_nss. However, when I enable FIPS mode in mod_nss (by adding "NSSFIPS on" to Apache config), I can't get it to find the same server certificate:

[Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
[Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Thu May 15 13:41:21 2008] [error] The server key database has not been initialized.
[Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for SSL
[Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert'

I also tried using modutil to enable FIPS mode on the cert database, but that did not help:

# modutil -fips true -dbdir /etc/httpd/alias
<snipped warning>
Using database directory /etc/httpd/alias...
FIPS mode enabled.

# modutil -chkfips true -dbdir /etc/httpd/alias
Using database directory /etc/httpd/alias...
FIPS mode enabled.

Could someone please clue me in here? Is there some more extensive process I need to go through in converting the certificate database to FIPS mode? I have searched for more relevant info with certutil and modutil but haven't been able to find anything.

Thanks,
Mark