Bug 1410143 - NSS requires database password for SSL connection in FIPS
Summary: NSS requires database password for SSL connection in FIPS
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: nss-nspr-maint
QA Contact: BaseOS QE Security Team
Depends On:
TreeView+ depends on / blocked
Reported: 2017-01-04 15:08 UTC by Standa Laznicka
Modified: 2017-01-12 14:03 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-01-11 15:47:52 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Standa Laznicka 2017-01-04 15:08:12 UTC
Description of problem:
When trying to connect to a server which does not require client authentication and therefore no private keys should be in play, NSS still requires PIN for the database.

Version-Release number of selected component (if applicable):

How reproducible:

The easiest way to reproduce this without having to implement own SSL-based client:
1. Have an Apache server with HTTPS access allowed.
2. Have the CA cert which was used to sign the Apache server cert in an NSS database
3. # /usr/lib64/nss/unsupported-tools/tstclnt -h apache.server.com -p 443 -d /path/to/nssdb/ -V tls1.0:tls1.2

Actual results:
Prompt saying 'Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":'

Expected results:
Connect if the Apache server cert is valid.

Additional info:
In our case, we have an Apache server which we try to connect to using the HTTPS protocol, we use NSS to store the CA cert in and python-nss bindings to create the HTTPS connection.

I was debugging this and found out that the password prompt pops out during SSL handshake in ClientHello during ssl3_SendSupportedCurvesXtn() -> ssl3_IsECCEnabled(). This leads to our password_callback().

Comment 2 Kai Engert (:kaie) (inactive account) 2017-01-11 15:47:52 UTC
I guess this cannot be avoided, because NSS can produce temporary secret keys.

FIPS mode requires a password for the database, and I guess NSS enforces it, even when nothing is saved to disk. It might be difficult to distinguish whether any private key operations are memory-only or involve the disk, so NSS probably uses the safer approach.

I think it's by design that NSS always requires a database with a password in FIPS mode.

I assume this isn't causing any problems, rather than the inconvenience of having to set and use a database password.

Comment 3 Standa Laznicka 2017-01-12 07:28:11 UTC
I do not think that you are right.

While FIPS mode does require a password for the database and you can remove this requirement with --empty-password when setting the database up, this is a different issue.

Try setting up an NSS database, store a CA certificate there (you will need password, that's correct) and do `$ certutil -d /path/to/nssdb -L -n "My CA cert"'. You will not be prompted for password and that is I believe the correct behavior.

If you are performing an SSL connection as a client and you only need to perform server certificate verification, you should not be required to be doing anything more than listing the CA certificate as shown above. Any secrets between client and server should indeed be temporary and should not require being stored to the database. Also, no private keys are in play.

This was causing huge problems in FreeIPA when trying to run in FIPS mode. FreeIPA stores a CA certificate in an NSS database and uses it just for the server certificate verification during HTTPS connection. This means that any user trying to access any information in FreeIPA via our RPC interface would have to know the password to the NSS database which we can no way allow. We are moving from NSS to OpenSSL for this purpose because of this.

Comment 4 Kai Engert (:kaie) (inactive account) 2017-01-12 09:21:39 UTC
A client SSL/TLS connection to a server might require the creation of an ephemeral private key, depending on the cipher suite being used.

Comment 5 Standa Laznicka 2017-01-12 14:03:07 UTC
Thank you for the explanation.

Note You need to log in before you can comment on or make changes to this bug.