Rob Crittenden wrote:
> Mark Price wrote:
>> Hello,
>>
>> I am having trouble getting mod_nss to work in FIPS mode. Summary of
>> the problem: mod_nss works fine before FIPS mode is enabled, then
>> cannot find the certificate after enabling it.
>
> Your configuration looks ok.
>
>> This is using the /etc/httpd/alias cert database, that the mod_nss RPM
>> created with a default certificate named Server-Cert.
>>
>> Using that default configuration, the Apache server starts fine and
>> loads mod_nss.
>>
>> However, when I enable FIPS mode in mod_nss (by adding "NSSFIPS on" to
>> Apache config), I can't get it to find the same server certificate:
>>
>> [Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
>> [Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
>> [Thu May 15 13:41:21 2008] [error] The server key database has not been initialized.
>> [Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for SSL
>> [Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert'
>
> I think part of the problem is "The server key database has not been
> initialized." I'm not sure what would cause this.
>
>> I also tried using modutil to enable FIPS mode on the cert database,
>> but that did not help:
>>
>> # modutil -fips true -dbdir /etc/httpd/alias
>> <snipped warning>
>> Using database directory /etc/httpd/alias...
>> FIPS mode enabled.
>>
>> # modutil -chkfips true -dbdir /etc/httpd/alias
>> Using database directory /etc/httpd/alias...
>> FIPS mode enabled.
>
> You need to let mod_nss set FIPS mode for it to work properly.
>
>> Could someone please clue me in here? Is there some more extensive
>> process I need to go through in converting the certificate database to
>> FIPS mode? I have searched for more relevant info with certutil and
>> modutil but haven't been able to find anything.
>
> It should be as simple as setting NSSFIPS on.
>
> I'm not sure what the problem is. Let me try to duplicate this locally
> and see what I can find out.

Mark and I did a fair bit of follow-up off-list and I created bug
https://bugzilla.redhat.com/show_bug.cgi?id=446851 as a result. This
appears to be a bug in NSS 3.11 (I'm not sure if it affects 3.11.99/3.12
yet). In the bug I filed is a patch to mod_nss that will work around the
problem.

rob
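A small triage helper for the startup failure Mark pasted, added here as an example and not code from the thread, from mod_nss or from NSS. It parses Apache error_log lines of the form shown above and separates the "key database has not been initialized" case (where the later "Certificate not found" is only a downstream symptom, as Rob points out) from a genuinely missing nickname; the sample log is constructed from the quoted lines.

```python
import re
from typing import Dict, List

# Constructed sample input: the error_log lines quoted in the thread.
SAMPLE_LOG = """\
[Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
[Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Thu May 15 13:41:21 2008] [error] The server key database has not been initialized.
[Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for SSL
[Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert'
"""

# Apache 2.x error_log format: "[timestamp] [level] message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
CERT_RE = re.compile(r"Certificate not found: '(?P<nick>[^']+)'")


def parse_lines(text: str) -> List[Dict[str, str]]:
    """Split error_log text into records; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def diagnose_nss_init(text: str) -> Dict[str, object]:
    """Classify a mod_nss startup failure from its error_log output."""
    keydb_uninit = False
    missing: List[str] = []
    for r in parse_lines(text):
        if r["level"] != "error":
            continue
        if r["msg"].startswith("The server key database has not been initialized"):
            keydb_uninit = True
        m = CERT_RE.search(r["msg"])
        if m:
            missing.append(m.group("nick"))
    # If the key database never initialized, a later "Certificate not found"
    # is a downstream symptom: the nickname itself is not necessarily wrong.
    if keydb_uninit:
        cause = "keydb-uninitialized"
    elif missing:
        cause = "nickname-missing"
    else:
        cause = "ok"
    return {"cause": cause, "missing_nicknames": missing, "keydb_uninitialized": keydb_uninit}


if __name__ == "__main__":
    print(diagnose_nss_init(SAMPLE_LOG))
```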