The Server:

OS: RHEL 7.3, kernel FIPS module is enabled

HTTPD:
  httpd-2.4.6-45.el7.x86_64
  httpd-tools-2.4.6-45.el7.x86_64

MOD_NSS:
  mod_nss-1.0.14-7.el7.x86_64
  FIPS mode enabled on the NSS Keystore via modutil

NSS:
  nss-softokn-3.16.2.3-14.4.el7.x86_64
  nss-softokn-freebl-3.16.2.3-14.4.el7.x86_64
  nss-3.21.3-2.el7_3.x86_64
  libsss_nss_idmap-1.14.0-43.el7.x86_64
  nss-util-3.21.3-1.1.el7_3.x86_64
  nss-sysinit-3.21.3-2.el7_3.x86_64
  nss-tools-3.21.3-2.el7_3.x86_64

Hardware Token: Server cert private key is in an nCipher netHSM 6000

Clients using some versions of OpenSSL and Windows-based Java clients using java.security socket libraries cannot complete the TLS handshake. However, Firefox, Internet Explorer, and Microsoft Edge can all successfully complete the handshake.

Error logs from the failure case:

[Mon Jun 19 14:09:02.954556 2017] [:error] [pid 2737] SSL Library Error: -8152 The key does not support the requested operation

Then I tried turning off all the ecdhe_rsa_* ciphers in nss.conf and we just switched to this error:

[Mon Jun 19 17:05:00.776737 2017] [:error] [pid 30517] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code

If FIPS mode is disabled in the OS and on the NSS Keystore, the OpenSSL and Windows-based Java clients using java.security libraries can complete the handshake.

Any thoughts on what's going on?

Thanks
GW
_______________________________________________ Mod_nss-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/mod_nss-list
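A small triage helper, added here as an example and not part of the original post or of mod_nss: it parses httpd error_log lines of the form quoted above, pulls out the NSS error code, tells security-library codes (key/token layer, where -8152 lives) from SSL record-layer codes (where -12273 lives) by their base ranges, and counts failures per code. The sample log is constructed from the two lines in the post; the code bases and the two symbolic names come from NSS's secerr.h and sslerr.h, and the regex assumes the mod_nss log format shown.

```python
import re
from collections import Counter

# Constructed sample: the two error_log lines quoted in the post.
SAMPLE_LOG = """\
[Mon Jun 19 14:09:02.954556 2017] [:error] [pid 2737] SSL Library Error: -8152 The key does not support the requested operation
[Mon Jun 19 17:05:00.776737 2017] [:error] [pid 30517] SSL Library Error: -12273 SSL has received a record with an incorrect Message Authentication Code
"""

# Error-code bases and limits from NSS secerr.h / sslerr.h.
SEC_ERROR_BASE, SEC_ERROR_LIMIT = -0x2000, -0x2000 + 1000   # security library / key & token layer
SSL_ERROR_BASE, SSL_ERROR_LIMIT = -0x3000, -0x3000 + 1000   # SSL record / handshake layer

# Symbolic names for the two codes seen in the post (offsets from secerr.h / sslerr.h).
NSS_ERROR_NAMES = {
    SEC_ERROR_BASE + 40: "SEC_ERROR_INVALID_KEY",   # -8152
    SSL_ERROR_BASE + 15: "SSL_ERROR_BAD_MAC_READ",  # -12273
}

# Assumes the mod_nss error_log line layout shown in the post.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[:error\] \[pid (?P<pid>\d+)\] "
                     r"SSL Library Error: (?P<code>-?\d+) (?P<msg>.*)$")

def error_family(code):
    """Which NSS layer raised the code: 'sec' (keys/tokens), 'ssl' (record layer) or 'other'."""
    if SEC_ERROR_BASE <= code < SEC_ERROR_LIMIT:
        return "sec"
    if SSL_ERROR_BASE <= code < SSL_ERROR_LIMIT:
        return "ssl"
    return "other"

def parse_mod_nss_errors(log_text):
    """One dict per 'SSL Library Error' line; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code = int(m.group("code"))
        events.append({"ts": m.group("ts"), "pid": int(m.group("pid")), "code": code,
                       "family": error_family(code),
                       "name": NSS_ERROR_NAMES.get(code, "UNKNOWN"),
                       "message": m.group("msg")})
    return events

def summarize(events):
    """Failure count per NSS error code, e.g. {-8152: 1, -12273: 1}."""
    return dict(Counter(e["code"] for e in events))
```

Run over a real error_log, a shift of the dominant code from the `sec` family to the `ssl` family after a cipher-suite change (as happened in the post) tells you the failure moved from the key/token layer to the record layer.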
