Bug 1410143
Summary: | NSS requires database password for SSL connection in FIPS | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Standa Laznicka <slaznick> |
Component: | nss | Assignee: | nss-nspr-maint <nss-nspr-maint> |
Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.3 | CC: | kengert |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-01-11 15:47:52 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Standa Laznicka
2017-01-04 15:08:12 UTC
I guess this cannot be avoided, because NSS can produce temporary secret keys. FIPS mode requires a password for the database, and I guess NSS enforces it, even when nothing is saved to disk. It might be difficult to distinguish whether any private key operations are memory-only or involve the disk, so NSS probably uses the safer approach. I think it's by design that NSS always requires a database with a password in FIPS mode. I assume this isn't causing any problems, rather than the inconvenience of having to set and use a database password. I do not think that you are right. While FIPS mode does require a password for the database and you can remove this requirement with --empty-password when setting the database up, this is a different issue. Try setting up an NSS database, store a CA certificate there (you will need password, that's correct) and do `$ certutil -d /path/to/nssdb -L -n "My CA cert"'. You will not be prompted for password and that is I believe the correct behavior. If you are performing an SSL connection as a client and you only need to perform server certificate verification, you should not be required to be doing anything more than listing the CA certificate as shown above. Any secrets between client and server should indeed be temporary and should not require being stored to the database. Also, no private keys are in play. This was causing huge problems in FreeIPA when trying to run in FIPS mode. FreeIPA stores a CA certificate in an NSS database and uses it just for the server certificate verification during HTTPS connection. This means that any user trying to access any information in FreeIPA via our RPC interface would have to know the password to the NSS database which we can no way allow. We are moving from NSS to OpenSSL for this purpose because of this. A client SSL/TLS connection to a server might require the creation of an ephemeral private key, depending on the cipher suite being used. Thank you for the explanation. |