Bug 446851 - Enabling FIPS mode does not work in mod_nss
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: mod_nss
Version: 9
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Blocks: 450349
Reported: 2008-05-16 09:31 EDT by Rob Crittenden
Modified: 2013-01-13 06:27 EST
Fixed In Version: 1.0.7-6.fc9
Doc Type: Bug Fix
Last Closed: 2008-07-01 01:28:45 EDT


Attachments: None

Description Rob Crittenden 2008-05-16 09:31:06 EDT
As reported in directory-fedora-users list:

I am having trouble getting mod_nss to work in FIPS mode.  Summary of
the problem:  mod_nss works fine before FIPS mode is enabled, then
cannot find the certificate after enabling it.

Here is my setup:

CentOS 5 64-bit
Apache 2.2.3 from distro RPM, pre-fork MPM
NSS libraries, tools, etc from distro RPMs (3.11.7-1.3)
I have tried both mod_nss from distro rpm (1.0.3-4) and 1.0.7 compiled
from source


Here is the configuration for mod_nss I am using in Apache.  It is
basically the defaults.


Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
NSSPassPhraseDialog  builtin
NSSPassPhraseHelper /usr/sbin/nss_pcache
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
NSSRandomSeed startup builtin
<VirtualHost _default_:443>
LogLevel warn
NSSEngine on
NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    NSSOptions +StdEnvVars
</Files>
<Directory "/etc/httpd/cgi-bin">
    NSSOptions +StdEnvVars
</Directory>
</VirtualHost>



This is using the /etc/httpd/alias cert database, that the mod_nss RPM
created with a default certificate named Server-Cert.

Using that default configuration, the Apache server starts fine and
loads mod_nss.

However, when I enable FIPS mode in mod_nss (By adding "NSSFIPS on" to
Apache config), I can't get it to find the same server certificate


[Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
[Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Thu May 15 13:41:21 2008] [error] The server key database has not been initialized.
[Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for SSL
[Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert'


I also tried using modutil to enable FIPS mode on the cert database,
but that did not help:

# modutil -fips true -dbdir /etc/httpd/alias
<snipped warning>
Using database directory /etc/httpd/alias...
FIPS mode enabled.


# modutil -chkfips true -dbdir /etc/httpd/alias
Using database directory /etc/httpd/alias...
FIPS mode enabled.

Could someone please clue me in here?  Is there some more extensive
process I need to go through in converting the certificate database to
FIPS mode?  I have searched for more relevant info with certutil and
modutil but haven't been able to find anything.
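Once NSSFIPS is turned on, the cipher and protocol lists in a configuration like the one above are worth checking against FIPS constraints. The Python below is an added example, not code from the report or from mod_nss: it parses the one-value-per-line directives shown above and, when NSSFIPS is on, flags enabled suites and protocols that fail a simple name-based rule. That rule (RC4/RC2, MD5, NULL, export-length keys, single DES, Fortezza and SSLv2/SSLv3 treated as unacceptable) is this example's assumption, not mod_nss's own FIPS policy.

```python
import re
# Constructed sample: the vhost directives from the report, with "NSSFIPS on" added.
SAMPLE_CONF = """\
NSSEngine on
NSSFIPS on
NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
"""
# Assumed rule: name fragments this example treats as unacceptable in FIPS mode
# (single DES is matched separately so that 3DES is not caught).
NON_FIPS_MARKERS = ("rc4", "rc2", "md5", "null", "_40_", "_56_", "fortezza")
NON_FIPS_PROTOCOLS = {"SSLv2", "SSLv3"}

def parse_directives(text):
    """Map each 'Directive value' line to its value; skips blanks, comments and <tags>."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf

def enabled_suites(cipher_spec):
    """A mod_nss cipher spec is comma-separated +name/-name tokens; keep the enabled ones."""
    return [tok[1:] for tok in cipher_spec.split(",") if tok.startswith("+")]

def is_fips_suite(name):
    n = name.lower()
    if re.search(r"(?<!3)des_", n):  # single DES (rsa_des_sha, fips_des_sha), not 3des
        return False
    return not any(marker in n for marker in NON_FIPS_MARKERS)

def audit(text):
    """Return the FIPS-relevant settings plus enabled suites/protocols that conflict with FIPS mode."""
    conf = parse_directives(text)
    fips_on = conf.get("NSSFIPS", "off").lower() == "on"
    suites = enabled_suites(conf.get("NSSCipherSuite", ""))
    protocols = [p.strip() for p in conf.get("NSSProtocol", "").split(",") if p.strip()]
    return {
        "fips": fips_on,
        "nickname": conf.get("NSSNickname"),
        "enabled_suites": suites,
        "bad_suites": [s for s in suites if not is_fips_suite(s)] if fips_on else [],
        "bad_protocols": [p for p in protocols if p in NON_FIPS_PROTOCOLS] if fips_on else [],
    }
```

For the report's cipher list, audit(SAMPLE_CONF) finds no non-FIPS suite enabled but reports SSLv3 in bad_protocols.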
Comment 1 Rob Crittenden 2008-05-16 09:34:30 EDT
I verified this in FC-6 (similar component versions to EL 5 and CentOS 5) and F-7.

Looks like the problem is in NSS itself. To prevent hammering on tokens the NSS
PKCS#11 interface has a timer for logins so a new one may only take place every
'x' seconds (I didn't look up what 'x' defaults to).

Since mod_nss is loaded and unloaded by Apache and we need to authenticate
multiple times basically what we're seeing is we log in ok once and subsequent
logins fail because they are coming too fast, hence the certificate can't be found.

This patch provides a workaround:

Index: nss_engine_pphrase.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_pphrase.c,v
retrieving revision 1.10
diff -u -r1.10 nss_engine_pphrase.c
--- nss_engine_pphrase.c        22 Feb 2007 16:50:14 -0000      1.10
+++ nss_engine_pphrase.c        16 May 2008 13:34:07 -0000
@@ -62,6 +62,8 @@
     {
         PK11SlotInfo *slot = listEntry->slot;
 
+        PK11_Logout(slot);
+
         if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
             if (slot == PK11_GetInternalKeySlot()) {
                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
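Review bot: the unconditional PK11_Logout(slot) at the top of the loop body carries no comment explaining why a slot is logged out before the PK11_NeedLogin check, so a later maintainer will read it as a stray call and remove it; add a one-line comment tying it to the NSS login-timer behaviour this workaround targets (and the NSS bug number once filed). Its return value is also discarded, so a failing logout is invisible; logging it through ap_log_error at debug level, as the surrounding code already does for errors, would make the workaround diagnosable.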
Comment 2 Rob Crittenden 2008-05-16 10:29:40 EDT
Filed bug against NSS 3.11.7: https://bugzilla.mozilla.org/show_bug.cgi?id=434043
Comment 3 Rob Crittenden 2008-05-16 11:17:08 EDT
Committed to HEAD:

Checking in nss_engine_init.c;
/cvs/dirsec/mod_nss/nss_engine_init.c,v  <--  nss_engine_init.c
new revision: 1.32; previous revision: 1.31
done
Checking in nss_engine_pphrase.c;
/cvs/dirsec/mod_nss/nss_engine_pphrase.c,v  <--  nss_engine_pphrase.c
new revision: 1.11; previous revision: 1.10
done
Comment 4 Bug Zapper 2008-06-16 23:07:58 EDT
Fedora 7 changed to end-of-life (EOL) status on June 13, 2008. Fedora 7 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 5 Rob Crittenden 2008-06-17 08:40:40 EDT
New packages still need to be made.
Comment 6 Fedora Update System 2008-06-30 15:57:45 EDT
mod_nss-1.0.7-6.fc9 has been submitted as an update for Fedora 9
Comment 7 Fedora Update System 2008-06-30 16:11:56 EDT
mod_nss-1.0.7-5.fc8 has been submitted as an update for Fedora 8
Comment 8 Fedora Update System 2008-07-01 01:26:35 EDT
mod_nss-1.0.7-5.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2008-07-01 01:28:43 EDT
mod_nss-1.0.7-6.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2008-07-02 11:47:14 EDT
mod_nss-1.0.7-6.fc8 has been submitted as an update for Fedora 8
Comment 11 Fedora Update System 2008-07-02 11:51:54 EDT
mod_nss-1.0.7-7.fc9 has been submitted as an update for Fedora 9
Comment 12 Fedora Update System 2008-07-02 23:13:49 EDT
mod_nss-1.0.7-6.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2008-07-02 23:17:10 EDT
mod_nss-1.0.7-7.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2008-07-26 01:56:39 EDT
mod_nss-1.0.7-6.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.