Thank you, Standa. Option number 2 isn't possible at our site. Would you be able to explain number 1 to me? I'm very green with mod_nss, so I don't know how to set this up.
Thanks,
Larry C.

On Mon, Aug 31, 2015 at 3:14 AM, [email protected] <[email protected]> wrote:

> On Thu, 27 Aug 2015 14:36:06 -0400
> "Cohen, Laurence" <[email protected]> wrote:
>
> Hi Laurence,
>
> > Hi,
> >
> > I'm trying to set up an nss.conf to use while we are doing maintenance
> > which will point all SSL traffic to a file called maintenance.html
> > which simply states that we are doing maintenance on the server. The
> > rewrite.conf we have set up is working fine for port 80 traffic, but
> > the nss.conf is not working.
> >
> > Here are the errors I'm getting. BTW, we are using a self-signed cert
> > because this is our test system. I figured this would cause an info
> > or at most a warning message, but not an error message.
> >
> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 0 established (server jamie-web1:443, client "Server IP")
> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 established (server jamie-web1:443, client "Server IP")
> > [Thu Aug 27 13:38:00 2015] [info] SSL input filter read failed.
> > [Thu Aug 27 13:38:00 2015] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 closed (server jamie-web1.novetta.com:443, client Server IP)
> > [Thu Aug 27 13:38:00 2015] [info] SSL library error -8172 writing data
> > [Thu Aug 27 13:38:00 2015] [info] SSL Library Error: -8172 Certificate is signed by an untrusted issuer
> > [Thu Aug 27 13:38:00 2015] [error] (20014)Internal error: proxy: pass request body failed to 10.3.238.21:443 (jamie-web1)
> > [Thu Aug 27 13:38:00 2015] [error] proxy: pass request body failed to Server IP:443 (jamie-web1) from Server IP ()
> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 1 closed (server jamie-web1:443, client "Workstation IP")
>
> I suppose that this problem is with the CA certificate on the remote server:
>
> You have two possible solutions:
>
> 1. add CA from remote server to your certificate database at PROXY server
> 2. build mod_nss with a patch from this email
>
>
> PS: I have already worked on a similar problem for our customer.
>
> Have a nice day
>
> Standa
>
> > This is the nss.conf I'm using.
> >
> > Listen 443
> >
> > AddType application/x-x509-ca-cert .crt
> > AddType application/x-pkcs7-crl .crl
> >
> > NSSPassPhraseDialog file:/etc/httpd/.password.conf
> > #NSSPassPhraseDialog builtin
> >
> > NSSPassPhraseHelper /usr/sbin/nss_pcache
> >
> > NSSSessionCacheSize 10000
> > NSSSessionCacheTimeout 100
> > NSSSession3CacheTimeout 86400
> >
> > NSSRandomSeed startup builtin
> >
> > <VirtualHost _default_:443>
> >
> > DocumentRoot "/var/www/docroot"
> > NSSProxyCheckPeerCN Off
> > NSSEngine on
> > NSSProxyEngine on
> > NSSEnforceValidCerts off
> > NSSRenegotiation on
> > NSSRequireSafeNegotiation on
> >
> > NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> >
> > NSSProxyCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> >
> > NSSProtocol TLSv1
> > NSSNickname Server-Cert
> > NSSCertificateDatabase /etc/httpd/alias
> > NSSFIPS on
> > NSSOCSP off
> >
> > ProxyPreserveHost On
> >
> > <Location />
> > #SSLRenegBufferSize 52430000
> > NSSVerifyClient optional
> > NSSOptions +ExportCertData +StdEnvVars
> > ProxyPass https://jamie-web1/maintenance.html
> > ProxyPassReverse https://jamie-web1/maintenance.html
> > </Location>
> >
> > <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> > NSSOptions +StdEnvVars
> > </Files>
> > <Directory "/var/www/cgi-bin">
> > NSSOptions +StdEnvVars
> > </Directory>
> >
> > # initialize the SSL headers to a blank value to avoid http header forgeries
> > RequestHeader set SSL_CLIENT_CERT ""
> > RequestHeader set SSL_CIPHER ""
> > RequestHeader set SSL_SESSION_ID ""
> > RequestHeader set SSL_CIPHER_USEKEYSIZE ""
> >
> > RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
> > RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
> > RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
> > RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
> >
> > CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_CLIENT_CERT}x %{SSL_CLIENT_S_DN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >
> > ErrorLog /etc/httpd/logs/error_log
> > TransferLog /etc/httpd/logs/access_log
> > LogLevel info
> >
> > </VirtualHost>
> >
> > If anyone can help I'd appreciate it.
> >
> > Thanks,
> >
> > Larry Cohen
>
> _______________________________________________
> Mod_nss-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/mod_nss-list
>

--
www.novetta.com
Larry Cohen
System Administrator
12021 Sunset Hills Road, Suite 400
Reston, VA 20190
Email [email protected]
Office 703-885-1064
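What Standa's option 1 looks like in practice, as an added example that is not from this thread or from the mod_nss project: the proxy side of mod_nss (NSSProxyEngine) validates the backend's certificate against the NSS database named by NSSCertificateDatabase, so the certificate that issued the backend's cert has to be in that database with CA trust. The -8172 line in the log ("Certificate is signed by an untrusted issuer") is that validation failing. The script below uses the values visible in the posted config and log (backend jamie-web1:443, database /etc/httpd/alias); the nickname "jamie-web1-ca", the environment variables and the file name are this example's own assumptions. certutil (from the nss-tools package) and openssl are assumed to be installed on the proxy.

```shell
#!/bin/sh
# Added example for "option 1" in the thread (not code from the list or from
# mod_nss): put the backend's issuing certificate into the proxy's NSS
# database so the NSSProxyEngine side can validate the backend.
# Assumed values (taken from the posted nss.conf / log, override via env):
#   backend jamie-web1:443, database /etc/httpd/alias.
# The nickname "jamie-web1-ca" is an arbitrary choice made for this example.
set -eu

BACKEND_HOST="${BACKEND_HOST:-jamie-web1}"
BACKEND_PORT="${BACKEND_PORT:-443}"
NSSDB="${NSSDB:-/etc/httpd/alias}"
NICK="${NICK:-jamie-web1-ca}"

# Read 'openssl s_client -showcerts' output on stdin and print the last PEM
# certificate block. Servers send their chain leaf-first, so the last block
# is the highest certificate the backend offered; for a self-signed backend,
# as in the thread, it is the server certificate itself.
extract_last_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside                        { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { inside = 0; last = buf }
        END                           { printf "%s", last }
    '
}

# Pull the chain the backend presents. This is trust-on-first-use: for a
# CA-issued backend cert, obtain the CA certificate from the CA out of band
# instead of trusting whatever arrives on the wire.
fetch_backend_chain() {
    openssl s_client -connect "$BACKEND_HOST:$BACKEND_PORT" -showcerts \
        </dev/null 2>/dev/null
}

# Import with trust flags "CT,,": trusted CA for SSL server certs (C) and for
# client auth (T). For a self-signed backend cert, TRUST="P,," (trusted peer)
# is the narrower choice: it trusts that one certificate without making it a
# CA that could vouch for any other host this proxy talks to.
import_ca() {
    certutil -A -d "$NSSDB" -n "$NICK" -t "${TRUST:-CT,,}" -i "$1"
}

# Confirm the nickname is now in the database ...
list_has_nick() {
    certutil -L -d "$NSSDB" | grep -q "^$NICK "
}

# ... and ask NSS whether it accepts that nickname as an SSL CA (usage L),
# which is what the proxy side needs when it builds the backend's chain.
validate_as_ssl_ca() {
    certutil -V -d "$NSSDB" -n "$NICK" -u L
}

main() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    fetch_backend_chain | extract_last_cert >"$tmp"
    [ -s "$tmp" ] || { echo "no certificate received from $BACKEND_HOST:$BACKEND_PORT" >&2; exit 1; }
    import_ca "$tmp"
    list_has_nick
    validate_as_ssl_ca
    echo "imported $NICK into $NSSDB; restart httpd so mod_nss reopens the database"
}

# Run as: sh import-backend-ca.sh import   (loading the file without the
# argument only defines the functions)
case "${1:-}" in
    import) main ;;
esac
```

Two points to keep in mind with the posted config: mod_nss opens the database at startup, so httpd has to be restarted after the import before the -8172 error can go away; and because the posted nss.conf has NSSProxyCheckPeerCN Off, the backend's hostname is not compared with the certificate's CN, so the trust chain is the only thing being checked. Turning that directive back on would additionally require the backend certificate's CN to match jamie-web1.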
