As reported in the directory-fedora-users list: I am having trouble getting mod_nss to work in FIPS mode. Summary of the problem: mod_nss works fine before FIPS mode is enabled, then cannot find the certificate after enabling it.

Here is my setup:
  CentOS 5 64-bit
  Apache 2.2.3 from distro RPM, pre-fork MPM
  NSS libraries, tools, etc. from distro RPMs (3.11.7-1.3)
  I have tried both mod_nss from the distro rpm (1.0.3-4) and 1.0.7 compiled from source.

Here is the configuration for mod_nss I am using in Apache. It is basically the defaults:

  Listen 443
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl .crl
  NSSPassPhraseDialog builtin
  NSSPassPhraseHelper /usr/sbin/nss_pcache
  NSSSessionCacheSize 10000
  NSSSessionCacheTimeout 100
  NSSSession3CacheTimeout 86400
  NSSRandomSeed startup builtin
  <VirtualHost _default_:443>
    LogLevel warn
    NSSEngine on
    NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
    NSSProtocol SSLv3,TLSv1
    NSSNickname Server-Cert
    NSSCertificateDatabase /etc/httpd/alias
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
      NSSOptions +StdEnvVars
    </Files>
    <Directory "/etc/httpd/cgi-bin">
      NSSOptions +StdEnvVars
    </Directory>
  </VirtualHost>

This is using the /etc/httpd/alias cert database that the mod_nss RPM created, with a default certificate named Server-Cert. Using that default configuration, the Apache server starts fine and loads mod_nss. However, when I enable FIPS mode in mod_nss (by adding "NSSFIPS on" to the Apache config), I can't get it to find the same server certificate:

  [Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
  [Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
  [Thu May 15 13:41:21 2008] [error] The server key database has not been initialized.
  [Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for SSL
  [Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert'

I also tried using modutil to enable FIPS mode on the cert database, but that did not help:

  # modutil -fips true -dbdir /etc/httpd/alias
  <snipped warning>
  Using database directory /etc/httpd/alias...
  FIPS mode enabled.
  # modutil -chkfips true -dbdir /etc/httpd/alias
  Using database directory /etc/httpd/alias...
  FIPS mode enabled.

Could someone please clue me in here? Is there some more extensive process I need to go through in converting the certificate database to FIPS mode? I have searched for more relevant info with certutil and modutil but haven't been able to find anything.
I verified this in FC-6 (similar component versions to EL 5 and CentOS 5) and F-7. Looks like the problem is in NSS itself. To prevent hammering on tokens, the NSS PKCS#11 interface has a timer for logins so a new one may only take place every 'x' seconds (I didn't look up what 'x' defaults to). Since mod_nss is loaded and unloaded by Apache and we need to authenticate multiple times, basically what we're seeing is we log in ok once and subsequent logins fail because they are coming too fast, hence the certificate can't be found. This patch provides a workaround:

Index: nss_engine_pphrase.c =================================================================== RCS file: /cvs/dirsec/mod_nss/nss_engine_pphrase.c,v retrieving revision 1.10 diff -u -r1.10 nss_engine_pphrase.c --- nss_engine_pphrase.c 22 Feb 2007 16:50:14 -0000 1.10 +++ nss_engine_pphrase.c 16 May 2008 13:34:07 -0000 @@ -62,6 +62,8 @@ { PK11SlotInfo *slot = listEntry->slot; + PK11_Logout(slot); + if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) { if (slot == PK11_GetInternalKeySlot()) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
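Review bot: the added PK11_Logout(slot) call has no comment saying why it is there; since it only makes sense as a workaround for the NSS login rate limit described above, a one-line comment (and a pointer to the NSS bug once filed) would keep a later cleanup from dropping it as redundant. It is also unconditional: logging out a slot that never needed a login is harmless but obscures the intent, so consider guarding it with PK11_NeedLogin(slot), and note that in the prefork MPM this runs in every child that re-enters this loop, which is exactly the repeated-login pattern the throttle is reacting to, so the workaround should be re-tested once NSS itself is fixed.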
Filed a bug against NSS 3.11.7: https://bugzilla.mozilla.org/show_bug.cgi?id=434043
Committed to HEAD:

  Checking in nss_engine_init.c;
  /cvs/dirsec/mod_nss/nss_engine_init.c,v <-- nss_engine_init.c
  new revision: 1.32; previous revision: 1.31
  done
  Checking in nss_engine_pphrase.c;
  /cvs/dirsec/mod_nss/nss_engine_pphrase.c,v <-- nss_engine_pphrase.c
  new revision: 1.11; previous revision: 1.10
  done
Fedora 7 changed to end-of-life (EOL) status on June 13, 2008. Fedora 7 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.
New packages still need to be made.
mod_nss-1.0.7-6.fc9 has been submitted as an update for Fedora 9
mod_nss-1.0.7-5.fc8 has been submitted as an update for Fedora 8
mod_nss-1.0.7-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
mod_nss-1.0.7-6.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
mod_nss-1.0.7-6.fc8 has been submitted as an update for Fedora 8
mod_nss-1.0.7-7.fc9 has been submitted as an update for Fedora 9
mod_nss-1.0.7-6.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
mod_nss-1.0.7-7.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.