Bug 1410143

Summary: NSS requires database password for SSL connection in FIPS
Product: Red Hat Enterprise Linux 7 Reporter: Standa Laznicka <slaznick>
Component: nssAssignee: nss-nspr-maint <nss-nspr-maint>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: kengert
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-11 15:47:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Standa Laznicka 2017-01-04 15:08:12 UTC 
Description of problem:
When trying to connect to a server which does not require client authentication and therefore no private keys should be in play, NSS still requires PIN for the database.

Version-Release number of selected component (if applicable):
3.21.3

How reproducible:
Always.

The easiest way to reproduce this without having to implement own SSL-based client:
1. Have an Apache server with HTTPS access allowed.
2. Have the CA cert which was used to sign the Apache server cert in an NSS database
3. # /usr/lib64/nss/unsupported-tools/tstclnt -h apache.server.com -p 443 -d /path/to/nssdb/ -V tls1.0:tls1.2

Actual results:
Prompt saying 'Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":'

Expected results:
Connect if the Apache server cert is valid.

Additional info:
In our case, we have an Apache server which we try to connect to using the HTTPS protocol, we use NSS to store the CA cert in and python-nss bindings to create the HTTPS connection.

I was debugging this and found out that the password prompt pops out during SSL handshake in ClientHello during ssl3_SendSupportedCurvesXtn() -> ssl3_IsECCEnabled(). This leads to our password_callback().
Comment 2 Kai Engert (:kaie) (inactive account) 2017-01-11 15:47:52 UTC 
I guess this cannot be avoided, because NSS can produce temporary secret keys.

FIPS mode requires a password for the database, and I guess NSS enforces it, even when nothing is saved to disk. It might be difficult to distinguish whether any private key operations are memory-only or involve the disk, so NSS probably uses the safer approach.

I think it's by design that NSS always requires a database with a password in FIPS mode.

I assume this isn't causing any problems, rather than the inconvenience of having to set and use a database password.
Comment 3 Standa Laznicka 2017-01-12 07:28:11 UTC 
I do not think that you are right.

While FIPS mode does require a password for the database and you can remove this requirement with --empty-password when setting the database up, this is a different issue.

Try setting up an NSS database, store a CA certificate there (you will need password, that's correct) and do `$ certutil -d /path/to/nssdb -L -n "My CA cert"'. You will not be prompted for password and that is I believe the correct behavior.

If you are performing an SSL connection as a client and you only need to perform server certificate verification, you should not be required to be doing anything more than listing the CA certificate as shown above. Any secrets between client and server should indeed be temporary and should not require being stored to the database. Also, no private keys are in play.

This was causing huge problems in FreeIPA when trying to run in FIPS mode. FreeIPA stores a CA certificate in an NSS database and uses it just for the server certificate verification during HTTPS connection. This means that any user trying to access any information in FreeIPA via our RPC interface would have to know the password to the NSS database which we can no way allow. We are moving from NSS to OpenSSL for this purpose because of this.
Comment 4 Kai Engert (:kaie) (inactive account) 2017-01-12 09:21:39 UTC 
A client SSL/TLS connection to a server might require the creation of an ephemeral private key, depending on the cipher suite being used.
Comment 5 Standa Laznicka 2017-01-12 14:03:07 UTC 
Thank you for the explanation.