Re: "SSL input filter read failed" error for apache with mod_nss

Hello, 
The issue with the dummy DB was that some permissions to some files in it were not given. I did a chmod 777 to all files and now the dummy DB seems to be working fine. 

I configured the NSS database with the crypto card (Sun SCA6000) as follows.
mkdir /opt/SMC/Apache2/nsscertdb

cd /opt/SMC/Apache2/nsscertdb

certutil -N -d /opt/SMC/Apache2/nsscertdb

modutil -dbdir . -nocertdb -force -add "Sun Crypto Accelerator" -libfile /usr/lib/libpkcs11.so -mechanisms RSA:DSA:RC4:DES

modutil -list -dbdir /opt/SMC/Apache2/nssdb
Using database directory /opt/SMC/Apache2/nssdb...

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Sun Crypto Accelerator
        library name: /usr/lib/libpkcs11.so
         slots: 2 slots attached
        status: loaded

         slot: Sun Metaslot
        token: Sun Metaslot

         slot: Sun Crypto Softtoken
        token: Sun Software PKCS#11 softtoken
-----------------------------------------------------------


certutil -R  -s "C=IN, O=NSN, OU=SPA2, CN=sandeeprc.eu.org" -h "Sun Metaslot" -o ismc.csr -d . -a  -n ismc_cert

(Got the CSR signed from CA Cert)
certutil -A  -d . -n "ismc_cert" -a -t "CT,," -i cert2.csr -h "Sun Metaslot"

certutil -A  -d . -n "CACERT CA" -a -t "CTu,CTu,CTu" -i ca.txt -h "Sun Metaslot"

certutil -V -u V -d . -n "ismc_cert" -h "Sun Metaslot"

The certificate is verified correctly. In nss.conf, I gave the following directives to use this database

Now in NSS.conf I added the following lines to use the hardware accelerator
NSSNickname "Sun Metaslot:ismc_cert"
NSSCertificateDatabase /opt/SMC/Apache2/nssdb

Now everything is working fine, the requests are getting processed correctly. But the issue is that the rsaprivate value is not getting incremented in the kstat -n mca0 output, which means that it is not using the hardware accelerator card.

I have also given cryptoadm enable metaslot token=<tokenname> so as to use the hardware accelerator. 

Any suggestions? 

(When we try to use mod_ssl using the pkcs patch, it is correctly incrementing the rsaprivate values.)

On Mon, Aug 10, 2009 at 5:16 PM, Rishi Renjith <rishirenjith@xxxxxxxxx> wrote:


---------- Forwarded message ----------
From: Rishi Renjith <rishirenjith@xxxxxxxxx>
Date: Mon, Aug 10, 2009 at 4:22 PM
Subject: "SSL input filter read failed" error for apache with mod_nss
To: mod_nss-list@xxxxxxxxxx


Hello, 
We are trying to make apache work with mod_nss on the Solaris 10 x86 platform in our project, which currently uses mod_ssl. For that we did the following.
1) Compiled and installed NSS with NSPR.
2) Installed Apache compiled with mod_ssl
3) Compiled and installed mod_nss for this Apache
4) Created the dummy DB using gencert.sh file in mod_nss
5) Changed permissions for DB so that we can use it.
The issue we are getting is that the browser (Firefox) says "SSL_Disabled", when trying to run in FIPS mode. When I checked the server logs, it says "SSL Input filter read failed." "Cannot connect, SSL is disabled". error.

Is there any setting that we are missing?
I am attaching the nss.conf and httpd.conf files.

Versions used: 
Mod_nss: 1.0.8
NSS and NSPR: nss-3.12.3.1-with-nspr-4.7.5
Apache: 2.2.11



Thanks, 
Rishi
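
An added example, not part of the original message or of mod_nss: a shell check that parses modutil -list output and confirms that the token named in an NSSNickname value of the form token:nickname belongs to a loaded PKCS #11 module. The sample listing is constructed from the output quoted in the message, and the function names are hypothetical.

```shell
# Added example. Sample input constructed from the modutil -list output
# quoted in the message (blank lines and closing rule dropped).
sample_modutil_list() {
cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
  2. Sun Crypto Accelerator
        library name: /usr/lib/libpkcs11.so
         slots: 2 slots attached
        status: loaded
         slot: Sun Metaslot
        token: Sun Metaslot
         slot: Sun Crypto Softtoken
        token: Sun Software PKCS#11 softtoken
EOF
}

# list_tokens (hypothetical helper): read modutil -list output on stdin and
# print one "module|library|status|token" record per token.
list_tokens() {
  awk '
    /^ *[0-9]+\. /      { sub(/^ *[0-9]+\. /, ""); mod = $0; lib = "(internal)"; st = "unknown"; next }
    /^ *library name: / { sub(/^ *library name: /, ""); lib = $0; next }
    /^ *status: /       { sub(/^ *status: /, ""); st = $0; next }
    /^ *token: /        { sub(/^ *token: /, ""); print mod "|" lib "|" st "|" $0 }
  '
}

# token_module NICKNAME (hypothetical helper): modutil -list output on stdin.
# Prints "module (library)" for the token named in a "token:nickname" value.
# Returns 1 if no loaded module exposes that token, 2 if NICKNAME has no
# token prefix (NSS then looks in the internal certificate DB token).
token_module() {
  case $1 in
    *:*) tok=${1%%:*} ;;
    *)   return 2 ;;
  esac
  list_tokens | awk -F'|' -v t="$tok" \
    '$4 == t && $3 == "loaded" { print $1 " (" $2 ")"; found = 1 } END { exit !found }'
}

sample_modutil_list | token_module "Sun Metaslot:ismc_cert"
```

A match only shows that the nickname resolves to a token of a loaded module; whether RSA operations reach the card is still read from the rsaprivate counter in kstat -n mca0, as in the message.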


