mod_nss and FIPS mode

Mark Price wrote:
> Hello,
> 
> I am having trouble getting mod_nss to work in FIPS mode.  Summary of
> the problem:  mod_nss works fine before FIPS mode is enabled, then
> cannot find the certificate after enabling it.

Your configuration looks ok.

> 
> This is using the /etc/httpd/alias cert database, that the mod_nss RPM
> created with a default certificate named Server-Cert.
> 
> Using that default configuration, the Apache server starts fine and
> loads mod_nss.
> 
> However, when I enable FIPS mode in mod_nss (By adding "NSSFIPS on" to
> Apache config), I can't get it to find the same server certificate
> 
> 
> [Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
> [Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of
> size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
> [Thu May 15 13:41:21 2008] [error] The server key database has not
> been initialized.
> [Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for SSL
> [Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert'

I think part of the problem is "The server key database has not been 
initialized." I'm not sure what would cause this.

> I also tried using modutil to enable FIPS mode on the cert database,
> but that did not help:
> 
> # modutil -fips true -dbdir /etc/httpd/alias
> <snipped warning>
> Using database directory /etc/httpd/alias...
> FIPS mode enabled.
> 
> 
> # modutil -chkfips true -dbdir /etc/httpd/alias
> Using database directory /etc/httpd/alias...
> FIPS mode enabled.

You need to let mod_nss set FIPS mode for it to work properly.

> Could someone please clue me in here?  Is there some more extensive
> process I need to go through in converting the certificate database to
> FIPS mode?  I have searched for more relevant info with certutil and
> modutil but haven't been able to find anything.

It should be as simple as setting NSSFIPS on.

I'm not sure what the problem is. Let me try to duplicate this locally 
and see what I can find out.

rob
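The checks implied by the replies above, written up as an added example (not code from the thread or from mod_nss): a POSIX shell preflight that confirms the database pair exists, that FIPS has not already been forced with modutil (Rob's point that mod_nss should set it via NSSFIPS), and that the nickname is listed with a private key. The directory and nickname default to the ones from the thread; the function names are my own.

```shell
# Added example: preflight for a mod_nss database before setting "NSSFIPS on".
# Defaults are the values from the thread; override via the environment.
NSS_DB="${NSS_DB:-/etc/httpd/alias}"
NICK="${NICK:-Server-Cert}"

# fips_state OUTPUT: classify captured "modutil -chkfips true" output.
fips_state() {
    case "$1" in
        *"FIPS mode enabled"*)  echo enabled ;;
        *"FIPS mode disabled"*) echo disabled ;;
        *)                      echo unknown ;;
    esac
}

# cert_has_key OUTPUT NICKNAME: succeed if "certutil -L" output lists the
# nickname with the 'u' (user cert, private key present) SSL trust flag.
cert_has_key() {
    printf '%s\n' "$1" | grep -E "^$2[[:space:]]+u," >/dev/null
}

# db_check DIR: run the real tools against DIR; succeed if it looks usable.
db_check() {
    dir="$1"; rc=0
    # The RPM-created database is dbm format (cert8.db/key3.db); newer NSS
    # uses cert9.db/key4.db, so accept either pair.
    { [ -r "$dir/cert8.db" ] && [ -r "$dir/key3.db" ]; } ||
    { [ -r "$dir/cert9.db" ] && [ -r "$dir/key4.db" ]; } ||
        { echo "FAIL: no cert/key database pair in $dir"; return 1; }
    # Leave the token-level FIPS flag off and let NSSFIPS on enable it.
    case "$(fips_state "$(modutil -chkfips true -dbdir "$dir" 2>&1)")" in
        disabled) echo "ok: FIPS not forced at token level" ;;
        enabled)  echo "WARN: FIPS forced with modutil; revert with 'modutil -fips false -dbdir $dir'"; rc=1 ;;
        *)        echo "FAIL: could not read FIPS state of $dir"; rc=1 ;;
    esac
    if cert_has_key "$(certutil -L -d "$dir" 2>&1)" "$NICK"; then
        echo "ok: $NICK listed with a private key"
    else
        echo "FAIL: $NICK missing or has no private key in $dir"; rc=1
    fi
    return $rc
}

# Live run only when a directory is given: sh preflight.sh /etc/httpd/alias
if [ "$#" -gt 0 ]; then db_check "$1"; fi
```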