Bug 450349
| Field | Value |
|---|---|
| Summary | Enabling FIPS mode does not work in mod_nss |
| Product | Red Hat Enterprise Linux 5 |
| Component | mod_nss |
| Version | 5.2 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Reporter | Martin Poole <mpoole> |
| Assignee | Rob Crittenden <rcritten> |
| QA Contact | Chandrasekar Kannan <ckannan> |
| CC | benl, degts, dmair, herrold, sputhenp, syeghiay, tao |
| Target Milestone | rc |
| Target Release | --- |
| Doc Type | Bug Fix |
| Story Points | --- |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| Bug Depends On | 446851 |
| Last Closed | 2009-01-20 20:34:48 UTC |
Description
Martin Poole
2008-06-06 21:02:03 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

The error message is the same but the patch that works in Fedora isn't working for EL 5. Must require some other fix found in 1.0.7. Continuing investigation.

Created attachment 310750: Fix NSSFips mode

This fixes 4 problems:
1. It forces the token to logout between Apache process restarts.
2. It fixes a parsing error in nss_pcache where if there was no password sent in a STOR request the last tab would be considered part of the token name and the slot lookup would fail.
3. If the stored token in nss_pcache is empty return a 1-byte empty string.
4. The NSS FIPS security policy requires that a database password be set.
There are 4 things to test:
1. Non-FIPS with no database password (should work)
2. FIPS with no database password (should fail)
3. Non-FIPS with a database password (should work)
4. FIPS with a database password (should work)

"fails" means Apache doesn't start up. "works" means it starts and serves pages.

To enable/disable FIPS add NSSFips on/off to /etc/httpd/conf.d/nss.conf before the `<VirtualServer>` definition (I put it right after NSSEngine on).

To not prompt for a password once one is set you need to change:
NSSPassPhraseDialog builtin
to
NSSPassPhraseDialog /path/to/password.conf
(I use /etc/httpd/conf/password.conf)

The format of password.conf is 'token:password'. So if you set the database password to 'httptest' the file should look like:

```
internal:httptest
NSS FIPS 140-2 Certificate DB:httptest
```

Use modutil to set the password:

```
# modutil -dbdir /etc/httpd/alias -changepw "NSS Certificate DB"
```

To set a blank password just press ENTER twice when prompted.

NSS doesn't support DSA ciphers on the server side (yet). DSA is a FIPS approved cipher but so is RSA.

Also, there is no need to explicitly put the database into FIPS mode. mod_nss will do that automatically if NSSFips is set to on.

rob, with these httpd doesn't start up.

```
[root@dhcp-126 conf.d]# rpm -q mod_nss httpd
mod_nss-1.0.3-6.el5
httpd-2.2.3-22.el5
[root@dhcp-126 conf.d]# cat /etc/httpd/conf/password.conf
internal:httptest
NSS FIPS 140-2 Certificate DB:httptest
[root@dhcp-126 conf.d]# cat nss.conf | egrep -i -e engine -e fips -e dialog
#   Pass Phrase Dialog:
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
NSSPassPhraseDialog builtin
#   SSL Engine Switch:
NSSEngine on
NSSFips on
NSSPassPhraseDialog /etc/httpd/conf/password.conf
[root@dhcp-126 conf.d]# service httpd start
Starting httpd: Please enter password for "NSS FIPS 140-2 Certificate DB" token:[Mon Dec 01 15:12:23 2008] [notice] SELinux policy enabled; httpd running as context root:system_r:httpd_t:s0
[Mon Dec 01 15:12:23 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
                                                           [FAILED]
[root@dhcp-126 conf.d]# [Mon Dec 01 15:12:35 2008] [error] The FIPS security policy requires that a password be set.
```

I noticed I had an error in nss.conf, but even after I fixed it I see the same error message.

```
NSSEngine on
NSSFips on
NSSPassPhraseDialog /etc/httpd/conf/password.conf
```

The syntax on NSSPassPhraseDialog is wrong. It should read:

```
file:/etc/httpd/conf/password.conf
```

ok. the following 4 tests were performed and can confirm that they are working.
1. Non-FIPS with no database password (should work) - Works OK
2. FIPS with no database password (should fail) - httpd fails to start
3. Non-FIPS with a database password (should work) - works OK
4. FIPS with a database password (should work) - works OK

marking bug verified

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHEA-2009-0075.html
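As an added example (not code from mod_nss or from this bug report), a small Python lint that parses the nss.conf directives and the 'token:password' file format discussed in the thread and predicts whether httpd will start, reproducing the four test cases above and the bare-path NSSPassPhraseDialog mistake. The token names and the rule that FIPS requires a non-empty password come from the report; the function names and the sample configurations are constructed here.

```python
import re

FIPS_TOKEN = "NSS FIPS 140-2 Certificate DB"   # token names as in the report's password.conf
NONFIPS_TOKEN = "internal"

def parse_nss_conf(text):
    """NSS* directives from nss.conf; comments ignored, last occurrence wins as in httpd."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = re.match(r"(NSS\w+)\s+(.+)$", line)
            if m:
                directives[m.group(1)] = m.group(2).strip()
    return directives

def parse_password_conf(text):
    """password.conf is one 'token:password' per line; the password may be empty."""
    passwords = {}
    for line in text.splitlines():
        if ":" in line:
            token, _, password = line.partition(":")
            passwords[token.strip()] = password
    return passwords

def check_startup(nss_conf, password_conf):
    """Predict (starts, reason); password_conf models the password set on the DB."""
    d = parse_nss_conf(nss_conf)
    if d.get("NSSEngine", "off").lower() != "on":
        return True, "NSSEngine off: mod_nss inactive"
    dialog = d.get("NSSPassPhraseDialog", "builtin")
    if dialog != "builtin" and not dialog.startswith("file:"):
        return False, "NSSPassPhraseDialog must be 'builtin' or 'file:/path'"  # bare path, as in the thread
    fips = d.get("NSSFips", "off").lower() == "on"
    token = FIPS_TOKEN if fips else NONFIPS_TOKEN
    if fips and not parse_password_conf(password_conf).get(token, ""):
        return False, "The FIPS security policy requires that a password be set."
    return True, "ok"

def test_matrix():
    """The four cases from the report, keyed (fips, password set) -> starts?"""
    results = {}
    for fips in (False, True):
        for has_pw in (False, True):
            conf = "NSSEngine on\nNSSFips %s\nNSSPassPhraseDialog file:/etc/httpd/conf/password.conf\n" % ("on" if fips else "off")
            pw = "httptest" if has_pw else ""   # constructed sample password from the report
            pwfile = "%s:%s\n%s:%s\n" % (NONFIPS_TOKEN, pw, FIPS_TOKEN, pw)
            results[(fips, has_pw)] = check_startup(conf, pwfile)[0]
    return results
```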