Ok, I'll give this a shot. Thank you for your help.

On Mon, Aug 31, 2015 at 10:56 AM, Rob Crittenden <[email protected]> wrote:

> Cohen, Laurence wrote:
>
>> Thank you Standa,
>>
>> Option number 2 isn't possible at our site. Would you be able to
>> explain number 1 to me? I'm very green with mod_nss so I don't know how
>> to set this up.
>>
>
> The problem you're seeing is that in proxy mode, mod_nss is acting as a
> client and it doesn't trust or know the issuer of the server certificate it
> is contacting. So you need to get that CA cert (or chain) and add it to the
> mod_nss NSS database.
>
> You can add it ala:
>
> # certutil -A -d /etc/httpd/alias -n <some useful unique nickname> -t CT,, -a -i /path/to/ca.pem
>
> rob
>
>
>> Thanks,
>>
>> Larry C.
>>
>> On Mon, Aug 31, 2015 at 3:14 AM, [email protected] <[email protected]> wrote:
>>
>> On Thu, 27 Aug 2015 14:36:06 -0400
>> "Cohen, Laurence" <[email protected]> wrote:
>>
>> Hi Laurence,
>>
>> > Hi,
>> >
>> > I'm trying to set up an nss.conf to use while we are doing maintenance
>> > which will point all ssl traffic to a file called maintenance.html
>> > which simply states that we are doing maintenance on the server. The
>> > rewrite.conf we have set up is working fine for port 80 traffic, but
>> > the nss.conf is not working.
>> >
>> > Here are the errors I'm getting. BTW, we are using a self-signed cert
>> > because this is our test system. I figured this would cause an info
>> > or at most a warning message, but not an error message.
>> >
>> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 0 established (server jamie-web1:443, client "Server IP")
>> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 established (server jamie-web1:443, client "Server IP")
>> > [Thu Aug 27 13:38:00 2015] [info] SSL input filter read failed.
>> > [Thu Aug 27 13:38:00 2015] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
>> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 closed (server jamie-web1.novetta.com:443, client Server IP)
>> > [Thu Aug 27 13:38:00 2015] [info] SSL library error -8172 writing data
>> > [Thu Aug 27 13:38:00 2015] [info] SSL Library Error: -8172 Certificate is signed by an untrusted issuer
>> > [Thu Aug 27 13:38:00 2015] [error] (20014)Internal error: proxy: pass request body failed to 10.3.238.21:443 (jamie-web1)
>> > [Thu Aug 27 13:38:00 2015] [error] proxy: pass request body failed to Server IP:443 (jamie-web1) from Server IP ()
>> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 1 closed (server jamie-web1:443, client "Workstation IP")
>> >
>>
>> I suppose that this problem is with the CA certificate on the remote server:
>>
>> You have two possible solutions:
>>
>> 1. add CA from remote server to your certificate database at PROXY server
>> 2. build mod_nss with a patch from this email
>>
>>
>> PS: I have already worked on a similar problem for our customer.
>>
>> Have a nice day
>>
>> Standa
>>
>> > This is the nss.conf I'm using.
>> >
>> > Listen 443
>> >
>> > AddType application/x-x509-ca-cert .crt
>> > AddType application/x-pkcs7-crl .crl
>> >
>> > NSSPassPhraseDialog file:/etc/httpd/.password.conf
>> > #NSSPassPhraseDialog builtin
>> >
>> > NSSPassPhraseHelper /usr/sbin/nss_pcache
>> >
>> > NSSSessionCacheSize 10000
>> > NSSSessionCacheTimeout 100
>> > NSSSession3CacheTimeout 86400
>> >
>> > NSSRandomSeed startup builtin
>> >
>> > <VirtualHost _default_:443>
>> >
>> > DocumentRoot "/var/www/docroot"
>> > NSSProxyCheckPeerCN Off
>> > NSSEngine on
>> > NSSProxyEngine on
>> > NSSEnforceValidCerts off
>> > NSSRenegotiation on
>> > NSSRequireSafeNegotiation on
>> >
>> > NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>> >
>> > NSSProxyCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>> >
>> > NSSProtocol TLSv1
>> > NSSNickname Server-Cert
>> > NSSCertificateDatabase /etc/httpd/alias
>> > NSSFIPS on
>> > NSSOCSP off
>> >
>> > ProxyPreserveHost On
>> >
>> > <Location />
>> > #SSLRenegBufferSize 52430000
>> > NSSVerifyClient optional
>> > NSSOptions +ExportCertData +StdEnvVars
>> > ProxyPass https://jamie-web1/maintenance.html
>> > ProxyPassReverse https://jamie-web1/maintenance.html
>> > </Location>
>> >
>> > <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>> > NSSOptions +StdEnvVars
>> > </Files>
>> > <Directory "/var/www/cgi-bin">
>> > NSSOptions +StdEnvVars
>> > </Directory>
>> >
>> > # initialize the SSL headers to a blank value to avoid http header forgeries
>> > RequestHeader set SSL_CLIENT_CERT ""
>> > RequestHeader set SSL_CIPHER ""
>> > RequestHeader set SSL_SESSION_ID ""
>> > RequestHeader set SSL_CIPHER_USEKEYSIZE ""
>> >
>> > RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
>> > RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
>> > RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
>> > RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
>> >
>> > CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_CLIENT_CERT}x %{SSL_CLIENT_S_DN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>> >
>> > ErrorLog /etc/httpd/logs/error_log
>> > TransferLog /etc/httpd/logs/access_log
>> > LogLevel info
>> >
>> > </VirtualHost>
>> >
>> > If anyone can help I'd appreciate it.
>> >
>> > Thanks,
>> >
>> > Larry Cohen
>>
>>
>> _______________________________________________
>> Mod_nss-list mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/mod_nss-list
>>
>>
>> --
>>
>> www.novetta.com
>>
>> Larry Cohen
>>
>> System Administrator
>>
>> 12021 Sunset Hills Road, Suite 400
>>
>> Reston, VA 20190
>>
>> Email [email protected]
>>
>> Office 703-885-1064
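The diagnosis in this thread turns on reading two NSS error codes out of error_log and working out which end of the proxy hop rejected which certificate. The script below is an added example, not code from the thread or from mod_nss: it parses the error_log excerpt Laurence posted (copied here as constructed sample input, with the mail client's link residue removed), maps -12195 and -8172 to their NSS symbolic names, concludes from the accompanying proxy failure that the proxy side is the one that lacks trust, and emits the certutil command Rob gave. The NSS database path /etc/httpd/alias comes from the posted nss.conf; the nickname backend-ca and the PEM path are placeholders.

```python
"""Triage mod_nss proxy TLS failures from Apache error_log lines.

Added example, not code from the mailing-list thread or from mod_nss. It
parses the error_log excerpt posted in the thread, maps the two NSS error
codes that appear in it to their symbolic names, and decides which side of
the proxy hop rejected which certificate. The certutil command it proposes
is the one Rob gave; /etc/httpd/alias is the NSS database path from the
posted nss.conf, and the nickname "backend-ca" is a placeholder.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# NSS error codes seen in the thread. Numeric values follow NSS's bases:
# SSL_ERROR_BASE (-12288) + 93 and SEC_ERROR_BASE (-8192) + 20.
NSS_ERRORS: Dict[int, Tuple[str, str]] = {
    -12195: ("SSL_ERROR_UNKNOWN_CA_ALERT",
             "the peer sent an unknown_ca alert: it does not trust the CA "
             "that issued the certificate we presented"),
    -8172: ("SEC_ERROR_UNTRUSTED_ISSUER",
            "our own NSS database does not trust the CA that issued the "
            "certificate the peer presented"),
}

LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
CODE_RE = re.compile(r"SSL [Ll]ibrary [Ee]rror:?\s+(?P<code>-\d+)")
PROXY_FAIL_RE = re.compile(r"proxy: pass request body failed to (?P<backend>\S+)")

# Constructed sample: the lines from the thread's excerpt, joined back onto
# one line each and with the mail client's <http://...> residue removed.
SAMPLE_LOG: List[str] = [
    '[Thu Aug 27 13:38:00 2015] [info] Connection to child 7 established (server jamie-web1:443, client "Server IP")',
    '[Thu Aug 27 13:38:00 2015] [info] SSL input filter read failed.',
    '[Thu Aug 27 13:38:00 2015] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate',
    '[Thu Aug 27 13:38:00 2015] [info] SSL library error -8172 writing data',
    '[Thu Aug 27 13:38:00 2015] [info] SSL Library Error: -8172 Certificate is signed by an untrusted issuer',
    '[Thu Aug 27 13:38:00 2015] [error] (20014)Internal error: proxy: pass request body failed to 10.3.238.21:443 (jamie-web1)',
]


def parse_line(line: str) -> Optional[dict]:
    """Split one error_log line into timestamp, level, message, NSS code and proxy backend."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    code = CODE_RE.search(rec["msg"])
    rec["code"] = int(code.group("code")) if code else None
    proxy = PROXY_FAIL_RE.search(rec["msg"])
    rec["backend"] = proxy.group("backend") if proxy else None
    return rec


def triage(lines: List[str]) -> dict:
    """Count NSS error codes and decide where the trust problem lives."""
    codes: Counter = Counter()
    backends: List[str] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["code"] is not None:
            codes[rec["code"]] += 1
        if rec["backend"]:
            backends.append(rec["backend"])

    findings = []
    for code, count in sorted(codes.items()):
        name, meaning = NSS_ERRORS.get(
            code, ("UNKNOWN", "not in this table; look it up in NSS's sslerr.h / secerr.h"))
        findings.append({"code": code, "name": name, "count": count, "meaning": meaning})

    # SEC_ERROR_UNTRUSTED_ISSUER on a host whose proxy requests are failing
    # means mod_nss, acting as the TLS client, rejected the backend's
    # certificate, so the fix belongs in the proxy's NSS database. In the
    # thread ProxyPass points at https://jamie-web1, the same name the vhost
    # logs as its own server, which is why the server-side -12195 alert
    # shows up in the same error_log.
    if -8172 in codes and backends:
        diagnosis = "proxy-distrusts-backend-ca"
    elif -12195 in codes:
        diagnosis = "peer-distrusts-our-ca"
    elif codes:
        diagnosis = "other-nss-error"
    else:
        diagnosis = "no-nss-error"

    return {"codes": dict(codes), "backends": sorted(set(backends)),
            "findings": findings, "diagnosis": diagnosis}


def remediation(diagnosis: str, ca_pem: str = "/path/to/ca.pem",
                nickname: str = "backend-ca", dbdir: str = "/etc/httpd/alias") -> Optional[str]:
    """The certutil line from the thread, for the one case it covers."""
    if diagnosis != "proxy-distrusts-backend-ca":
        return None
    # -t CT,, : C = trusted CA for server (SSL) certs, T = trusted to issue
    # client certs; the two empty fields (email, object signing) stay unset.
    # Trust the specific backend CA rather than disabling verification.
    return f"certutil -A -d {dbdir} -n {nickname} -t CT,, -a -i {ca_pem}"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f['code']:7d} {f['name']:28s} x{f['count']}: {f['meaning']}")
    print("diagnosis:", result["diagnosis"], "backends:", result["backends"])
    fix = remediation(result["diagnosis"])
    if fix:
        print("suggested fix (run on the proxy host):", fix)
```

Run it against a real error_log with `triage(open("/etc/httpd/logs/error_log").read().splitlines())`; the point of keying the diagnosis on -8172 together with a proxy failure is that -12195 alone only says a remote peer rejected our certificate, which is a different problem with a different owner.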
