Cohen, Laurence wrote: > Rob, > > It turned out that we were actually running 1.0.12 because someone > compiled libmodnss.so to solve a separate problem. He didn't create an > rpm to install it though. He just replaced the file directly. Also, > with Apache 2.2 which is what we are running, the default is > NSSSessionTickets on. You have to explicitly turn them off. They > default to off in Apache 2.4.
I'm not sure I understand how the default would be different unless the default is different in the versions of NSS on those systems, or the way I initialize things in mod_nss is somehow different in the different versions of Apache. Can you clarify that at all? rob > > Thanks, > > Larry Cohen > > On Tue, Oct 20, 2015 at 11:43 AM, Cohen, Laurence <[email protected] > <mailto:[email protected]>> wrote: > > Ok Rob, > > Thanks for all your help anyway. Someone else on my team is going > to create an RPM for version 1.0.12 so that I can just install it. > I appreciate your time and effort. > > Larry Cohen > > On Mon, Oct 19, 2015 at 1:23 PM, Rob Crittenden <[email protected] > <mailto:[email protected]>> wrote: > > Cohen, Laurence wrote: > > Unfortunately the latest one I can find available for RHEL6 is > 1.0.10, > > which is the one we have on our production system. > > Yeah, you'd need to grab the release tarball and build it yourself. > > rob > > > > > On Mon, Oct 19, 2015 at 11:39 AM, Rob Crittenden > <[email protected] <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>>> wrote: > > > > Cohen, Laurence wrote: > > > Well, I appreciate your assistance anyway. Is there a way to > explicitly > > > turn it off, even though the default is supposed to be off? > > > > I guess as a test you can pull the latest mod_nss upstream > release and > > try that since it has the ability to turn it off. If behavior > changes > > then we may need to file a bug against nss. > > > > rob > > > > > > > > Thanks, > > > > > > Larry Cohen > > > > > > On Mon, Oct 19, 2015 at 10:09 AM, Rob Crittenden > <[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> wrote: > > > > > > Cohen, Laurence wrote: > > > > Here you go. > > > > > > > > mod_nss-1.0.10-1.el6.x86_64 > > > > nss-3.19.1-3.el6_6.x86_64 > > > > > > Hmm, I can't duplicate this. I get no session ticket > offer in the > > > initial handshake. In fact, using ssltap I can see the > client offering > > > the extension and the server ignoring it. In the openssl > client request > > > I see: > > > > > > extension type session_ticket, length [0] > > > > > > The server responds only with the renegotiation extension > (enabled in my > > > configuration). > > > > > > This feature was added to NSS in 3.12 and according to > the docs is > > > disabled by default so I don't know what could be turning > it on for you. > > > > > > rob > > > > > > > > > > > On Thu, Oct 15, 2015 at 8:38 PM, Rob Crittenden > <[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>> wrote: > > > > > > > > Cohen, Laurence wrote: > > > > > Hi Rob, > > > > > > > > > > Thanks for your reply yesterday. Here is my > problem. We > > > are using > > > > > mod_nss version 1.0.8 on RHEL6. Here is a > session > > that our > > > F5 admin > > > > > sent to our production webserver at the > command line using > > > openssl. > > > > > > > > > > # openssl s_client -connect x.x.x.x:443 < > /dev/null > > > > > > > > > > > > > > > > > > > > CONNECTED(00000003) > > > > > depth=2 C = US, O = U.S. Government, OU = > DoD, OU = > > PKI, CN > > > = DoD Root CA 2 > > > > > verify error:num=19:self signed certificate in > > certificate chain > > > > > verify return:0 > > > > > --- > > > > > Certificate chain > > > > > 0 s:/C=us/O=u.s. > > > government/OU=DOD/OU=pki/OU=disa/CN=metadata.ces.mil > <http://metadata.ces.mil> > > <http://metadata.ces.mil> > > > <http://metadata.ces.mil> <http://metadata.ces.mil> > > > > > <http://metadata.ces.mil> > > > > > i:/C=US/O=U.S. > Government/OU=DoD/OU=PKI/CN=DOD CA-28 > > > > > 1 s:/C=US/O=U.S. > Government/OU=DoD/OU=PKI/CN=DOD CA-28 > > > > > i:/C=US/O=U.S. > Government/OU=DoD/OU=PKI/CN=DoD Root > > CA 2 > > > > > 2 s:/C=US/O=U.S. > Government/OU=DoD/OU=PKI/CN=DoD Root > > CA 2 > > > > > i:/C=US/O=U.S. > Government/OU=DoD/OU=PKI/CN=DoD Root > > CA 2 > > > > > --- > > > > > Server certificate > > > > > -----BEGIN CERTIFICATE----- > > > > > > > > MIIFczCCBFugAwIBAgIDAMDoMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAlVT > > > > > > > > MRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UE > > > > > > > > CxMDUEtJMRIwEAYDVQQDEwlET0QgQ0EtMjgwHhcNMTMxMTAxMjExMTM0WhcNMTYx > > > > > > > > MTAxMjExMTM0WjBtMQswCQYDVQQGEwJ1czEYMBYGA1UEChMPdS5zLiBnb3Zlcm5t > > > > > > > > ZW50MQwwCgYDVQQLEwNET0QxDDAKBgNVBAsTA3BraTENMAsGA1UECxMEZGlzYTEZ > > > > > > > > MBcGA1UEAxMQbWV0YWRhdGEuY2VzLm1pbDCCASIwDQYJKoZIhvcNAQEBBQADggEP > > > > > > > > ADCCAQoCggEBAMuaXfCzffQnuqtQAwwTssjkbHEpQICFsjD5T0BhhLYwf/6MEZIe > > > > > > > > Dfx97j7CvqthxvVEtVe6j5d99OXW0rrXowgo/bGhnc8pR5sDke2hlUbmjb+XkqZR > > > > > > > > 03QyKv2+DFhiv8BIlO8EAygQZSYK8lyKxvvEwI19RRht1uZ9Mcn2hUKlm7OD6nnH > > > > > > > > grCk+qo8idCE2qO52gln46Q12nHIEHIrc8u6+EcgrdbC/Tpj5G+0HTuzOw4aQ0H8 > > > > > > > > EMLQk8e7EdubfOxdhscS2YQtzNBkvLVEgA8QZr2wMleYG2ZJDRB0W5m6n12/3lpv > > > > > > > > M+hZMAJO8pDrzzmM1OZ0ZZYTsd2i9pvUNAsCAwEAAaOCAjAwggIsMB8GA1UdIwQY > > > > > > > > MBaAFCa0rqotjumNim+2tVud6k6usZxpMB0GA1UdDgQWBBRKkMaGpVHBLnDcBRcL > > > > > > > > SdbKrPieKjBjBggrBgEFBQcBAQRXMFUwMQYIKwYBBQUHMAKGJWh0dHA6Ly9jcmwu > > > > > > > > ZGlzYS5taWwvc2lnbi9ET0RDQV8yOC5jZXIwIAYIKwYBBQUHMAGGFGh0dHA6Ly9v > > > > > > > > Y3NwLmRpc2EubWlsMA4GA1UdDwEB/wQEAwIFoDCBwwYDVR0fBIG7MIG4MCqgKKAm > > > > > > > > hiRodHRwOi8vY3JsLmRpc2EubWlsL2NybC9ET0RDQV8yOC5jcmwwgYmggYaggYOG > > > > > > > > gYBsZGFwOi8vY3JsLmdkcy5kaXNhLm1pbC9jbiUzZERPRCUyMENBLTI4JTJjb3Ul > > > > > > > > M2RQS0klMmNvdSUzZERvRCUyY28lM2RVLlMuJTIwR292ZXJubWVudCUyY2MlM2RV > > > > > > > > Uz9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0O2JpbmFyeTBbBgNVHREEVDBSghBt > > > > > > > > ZXRhZGF0YS5jZXMubWlsghBtZXRhZGF0YS5jZXMubWlsghVtZXRhZGF0YS1jb2xz > > > > > > > > LmNlcy5taWyCFW1ldGFkYXRhLXNhdHguY2VzLm1pbDAjBgNVHSAEHDAaMAsGCWCG > > > > > > > > SAFlAgELBTALBglghkgBZQIBCxIwLQYDVR0lBCYwJAYIKwYBBQUHAwEGCCsGAQUF > > > > > > > > BwMCBggrBgEFBQgCAgYEVR0lADANBgkqhkiG9w0BAQUFAAOCAQEAjVht0bS/D5+M > > > > > > > > kCoYbxyFLWnAIWzoeyZC2al5znPllgQrW+RTVBjGiYlvKB2W5eXVJF+RCjCBk1k5 > > > > > > > > qrtINH39+FQQZjivwhidLKWklEUt4MRN3tulRlTj+Hr34F0reD56EQaFSlXXvY0r > > > > > > > > +LNx5xzudvvrf45dCbHKGNmjDpyDIiezJbCojfYfN7E8ljkA0bq5Ku4eCsAm4sbd > > > > > > > > ezRoZsxSzzOUuynmP3yo20A+nU6+dDsVPXulkamlLGpVnC7nHnl5f8gspr4S7Ld8 > > > > > > > > MnC/K7qfNaUTUkpe7Qym8WfKU0dUHWNAzqvSmhYJlk7wYwpKRfRlPi2cxabOkcxL > > > > > 4F2HMSAkIw== > > > > > -----END CERTIFICATE----- > > > > > subject=/C=us/O=u.s. > > > > > > government/OU=DOD/OU=pki/OU=disa/CN=metadata.ces.mil > <http://metadata.ces.mil> > > <http://metadata.ces.mil> > > > <http://metadata.ces.mil> > > > > <http://metadata.ces.mil> > > > > > <http://metadata.ces.mil> > > > > > issuer=/C=US/O=U.S. > Government/OU=DoD/OU=PKI/CN=DOD CA-28 > > > > > --- > > > > > No client certificate CA names sent > > > > > --- > > > > > SSL handshake has read 3989 bytes and > written 647 bytes > > > > > --- > > > > > New, TLSv1/SSLv3, Cipher is AES256-SHA > > > > > Server public key is 2048 bit > > > > > Secure Renegotiation IS supported > > > > > Compression: NONE > > > > > Expansion: NONE > > > > > SSL-Session: > > > > > Protocol : TLSv1.1 > > > > > Cipher : AES256-SHA > > > > > Session-ID: > > > > > > > > 606DF4ED165AF725E18F3EBAA3BE18669E7E47921BF246EF1851C6E622C15B2A > > > > > Session-ID-ctx: > > > > > Master-Key: > > > > > > > > > > > > > > > > A7F149F1EFF32EC29C8C1F570A076A7F3A20C7890F58958A9539ECC52822E28BCBBC94949C638AF52D8D89854887018C > > > > > Key-Arg : None > > > > > PSK identity: None > > > > > PSK identity hint: None > > > > > TLS session ticket lifetime hint: 172800 > (seconds) > > > > > TLS session ticket: > > > > > 0000 - 4e 53 53 21 d9 f3 55 ff-e1 a9 5e > a1 bb 2c 45 50 > > > > > NSS!..U...^..,EP > > > > > 0010 - 27 9c cc 9d 07 2a af 5f-a3 06 ad > 26 9a 1d cc 7a > > > > > '....*._...&...z > > > > > 0020 - 00 50 e7 85 b2 eb 32 7f-dc 71 d3 > ec 39 09 43 8a > > > > > .P....2..q..9.C. > > > > > 0030 - 08 40 6c 6f b5 9e df 9c-4b 57 78 > 49 50 af d4 9b > > > > > [email protected]... > > > > > 0040 - 84 83 3d 8d de c8 91 6f-2c 9c 83 > a4 bc 9c 68 4a > > > > > ..=....o,.....hJ > > > > > 0050 - b1 4f 46 1e fb a9 80 3f-f6 ff f7 > 3a 4f b3 e7 5a > > > > > .OF....?...:O..Z > > > > > 0060 - 8f 69 a2 3e 8a 57 d5 53-18 b2 15 > bf 72 86 e1 d9 > > > > > .i.>.W.S....r... > > > > > 0070 - 9d b5 3e 1e 45 80 d6 96-e3 b7 c5 > ca b4 03 d3 21 > > > > > ..>.E..........! > > > > > 0080 - 70 95 a7 77 32 9e 92 7b-bf bb 4d > b2 92 3f 8f 61 > > > > > p..w2..{..M..?.a > > > > > 0090 - 03 dd > > .. > > > > > > > > > > Start Time: 1444922629 > > > > > Timeout : 300 (sec) > > > > > Verify return code: 19 (self signed > certificate in > > > certificate > > > > chain) > > > > > --- > > > > > DONE > > > > > > > > > > As you can see, our server is clearing > presenting a TLS > > > session ticket > > > > > which supposedly should be turned off by > default in this > > > version of > > > > > mod_nss. I'm confused, and I'm also a > newbie to mod_nss. > > > Could you > > > > > please help me understand? > > > > > > > > Can you provide this: > > > > > > > > rpm -q mod_nss nss > > > > > > > > rob > > > > > > > > > > > > > > Thanks, > > > > > > > > > > Larry Cohen > > > > > > > > > > On Wed, Oct 14, 2015 at 11:26 AM, Rob Crittenden > > > <[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] > <mailto:[email protected]> <mailto:[email protected] > <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>> > <mailto:[email protected] <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] > <mailto:[email protected]> <mailto:[email protected] > <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>>> wrote: > > > > > > > > > > Cohen, Laurence wrote: > > > > > > I'm trying to find out what version of > mod_nss > > uses TLSSESSIONTICKETS > > > > > > and has the ability to turn them off. > I see > > that Fedora has a version > > > > > > that has this function, but I need > this function > > for RHEL6. I want to > > > > > > try to avoid doing a custom build > since this is > > for a government customer. > > > > > > > > > > TLS Session tickets are disabled by default. > > mod_nss 1.0.12 adds an > > > > > option to turn them on. > > > > > > > > > > rob > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > www.novetta.com <http://www.novetta.com> > <http://www.novetta.com> > > <http://www.novetta.com> > > > <http://www.novetta.com> > > > > > > > > > > Larry Cohen > > > > > > > > > > System Administrator > > > > > > > > > > > > > > > 12021 Sunset Hills Road, Suite 400 > > > > > > > > > > Reston, VA 20190 > > > > > > > > > > Email [email protected] > <mailto:[email protected]> <mailto:[email protected] > <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <mailto:[email protected] > <mailto:[email protected]> <mailto:[email protected] > <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> > > > > <http://novetta.com> > > > > > > > > > > Office 703-885-1064 > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > www.novetta.com <http://www.novetta.com> > <http://www.novetta.com> > > <http://www.novetta.com> > > > > > > > > Larry Cohen > > > > > > > > System Administrator > > > > > > > > > > > > 12021 Sunset Hills Road, Suite 400 > > > > > > > > Reston, VA 20190 > > > > > > > > Email [email protected] > <mailto:[email protected]> <mailto:[email protected] > <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > > <http://novetta.com> > > > > > > > > Office 703-885-1064 > > > > > > > > > > > > > > > > > > > -- > > > > > > www.novetta.com <http://www.novetta.com> > <http://www.novetta.com> > > > > > > Larry Cohen > > > > > > System Administrator > > > > > > > > > 12021 Sunset Hills Road, Suite 400 > > > > > > Reston, VA 20190 > > > > > > Email [email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <http://novetta.com> > > > > > > Office 703-885-1064 > > > > > > > > > > > > > -- > > > > www.novetta.com <http://www.novetta.com> > > > > Larry Cohen > > > > System Administrator > > > > > > 12021 Sunset Hills Road, Suite 400 > > > > Reston, VA 20190 > > > > Email [email protected] <mailto:[email protected]> > <http://novetta.com> > > > > Office 703-885-1064 > > > > > > > -- > > www.novetta.com > > Larry Cohen > > System Administrator > > > 12021 Sunset Hills Road, Suite 400 > > Reston, VA 20190 > > Email [email protected] <http://novetta.com> > > Office 703-885-1064 > > > > > -- > > www.novetta.com > > Larry Cohen > > System Administrator > > > 12021 Sunset Hills Road, Suite 400 > > Reston, VA 20190 > > Email [email protected] <http://novetta.com> > > Office 703-885-1064 > _______________________________________________ Mod_nss-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/mod_nss-list
