George Wash wrote:
> The Server:
>
> OS:
> RHEL 7.3
> Kernel FIPS module is enabled
>
> HTTPD:
> httpd-2.4.6-45.el7.x86_64
> httpd-tools-2.4.6-45.el7.x86_64
>
> MOD_NSS:
> mod_nss-1.0.14-7.el7.x86_64
> FIPS mode enabled on the NSS Keystore via modutil
>
> NSS:
> nss-softokn-3.16.2.3-14.4.el7.x86_64
> nss-softokn-freebl-3.16.2.3-14.4.el7.x86_64
> nss-3.21.3-2.el7_3.x86_64
> libsss_nss_idmap-1.14.0-43.el7.x86_64
> nss-util-3.21.3-1.1.el7_3.x86_64
> nss-sysinit-3.21.3-2.el7_3.x86_64
> nss-tools-3.21.3-2.el7_3.x86_64

Not saying this is the problem, but that's a relatively old version of nss.

> Hardware Token:
> Server Cert private key is in an nCipher netHSM 6000
>
> Clients using some versions of OpenSSL and Windows-based Java clients using
> java.security socket libraries cannot complete the TLS handshake.
> However, Firefox, Internet Explorer, and Microsoft Edge can all
> successfully complete the handshake.

What versions of OpenSSL fail?

> Error logs from the failure case:
>
> [Mon Jun 19 14:09:02.954556 2017] [:error] [pid 2737] SSL Library Error:
> -8152 The key does not support the requested operation
>
> Then I tried turning off all the ecdhe_rsa_* ciphers in nss.conf and we
> just switched to this error:
>
> [Mon Jun 19 17:05:00.776737 2017] [:error] [pid 30517] SSL Library
> Error: -12273 SSL has received a record with an incorrect Message
> Authentication Code

One thing you can try is the ssltap utility. It is a proxy that will display the SSL handshake. You run it something like:

# ssltap -slx `hostname`:443

Then point your client at port 1924 (or use -p <port> to specify your own).

It would be interesting to see a working and a non-working connection for comparison. You may want to re-enable the ciphers too. I'm curious what operation the key won't do.

If the nCipher has any logging, you may want to enable that as well to see what PKCS#11 commands are being executed.

rob

> If FIPS mode is disabled in the OS and on the NSS Keystore, the OpenSSL
> and Windows-based Java clients using java.security libraries can
> complete the handshake.
>
> Any thoughts on what's going on?

_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
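The working-versus-failing comparison Rob asks for is easier to read if the client side is driven one cipher at a time, so that an "-8152" or "-12273" on the server lines up with a specific key exchange in the ssltap decode. The script below is an added example, not code from the thread, from Rob, or from mod_nss: it walks a list of OpenSSL cipher names with openssl s_client and reduces each transcript to "ok:<cipher>" or "fail:<alert>". Everything it assumes is stated in the comments and is not from the original post: openssl(1) on PATH with -tls1_2 support, a target of PROBE_HOST:PROBE_PORT (defaulting to the ssltap listener on 1924 started as in the reply), the cipher list, and the constructed sample transcripts used to exercise the classifier offline.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from mod_nss:
# probe the server one cipher at a time with openssl s_client and record,
# per cipher, whether the handshake completed or which TLS alert came back.
# Run it through the ssltap proxy from the reply so each probe is decoded
# there at the same time.
#
# Assumed (not stated in the thread): openssl(1) on PATH with -tls1_2
# support (1.0.1 or later), and the target reachable as PROBE_HOST:PROBE_PORT,
# which defaults to the ssltap listener started as `ssltap -slx hostname:443`.

PROBE_HOST="${PROBE_HOST:-localhost}"
PROBE_PORT="${PROBE_PORT:-1924}"
# Cipher list to walk (OpenSSL names; assumed, adjust to what nss.conf enables).
# The thread singles out the ECDHE-RSA family, so those come first; the
# RSA-key-exchange suites that follow are the comparison case for the
# configuration with ecdhe_rsa_* turned off.
CIPHERS="${CIPHERS:-ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA}"

# classify_output: reduce one s_client transcript (stdout and stderr) to
#   ok:<negotiated cipher>    handshake completed
#   fail:<alert text|number>  the server sent a TLS alert
#   fail:no-handshake         nothing negotiated and no alert seen
# Returns 0 only for the ok case.
classify_output() {
    out="$1"
    cipher=$(printf '%s\n' "$out" | sed -E -n 's/^New, .*Cipher is (.*)$/\1/p' | head -n 1)
    if [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]; then
        printf 'ok:%s\n' "$cipher"
        return 0
    fi
    # OpenSSL prints a server alert as e.g. "sslv3 alert bad record mac" and,
    # on the same line, "SSL alert number 20"; prefer the text, then the number.
    alert=$(printf '%s\n' "$out" | sed -E -n 's/.*(sslv3|tlsv1[0-9]*) alert ([a-z ]*[a-z]).*/\2/p' | head -n 1)
    [ -n "$alert" ] || alert=$(printf '%s\n' "$out" | sed -E -n 's/.*SSL alert number ([0-9]+).*/\1/p' | head -n 1)
    if [ -n "$alert" ]; then
        printf 'fail:%s\n' "$alert"
    else
        printf 'fail:no-handshake\n'
    fi
    return 1
}

# probe_cipher: one TLS 1.2 handshake attempt restricted to a single cipher.
# stdin is /dev/null so s_client exits as soon as the handshake settles.
# A cipher the local OpenSSL does not know shows up as fail:no-handshake.
probe_cipher() {
    cipher="$1"
    out=$(openssl s_client -connect "$PROBE_HOST:$PROBE_PORT" -servername "$PROBE_HOST" \
              -tls1_2 -cipher "$cipher" 2>&1 </dev/null)
    printf '%-32s %s\n' "$cipher" "$(classify_output "$out")"
}

# Constructed, abbreviated sample transcripts (not captured from the server in
# the thread) so classify_output can be exercised without a live endpoint.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit'
SAMPLE_BAD_MAC='CONNECTED(00000003)
4156:error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac:s3_pkt.c:1493:SSL alert number 20
---
New, (NONE), Cipher is (NONE)'
SAMPLE_CLOSED='CONNECTED(00000003)
write:errno=104'

case "${1:-}" in
    run)  for c in $CIPHERS; do probe_cipher "$c"; done ;;
    self) for s in "$SAMPLE_OK" "$SAMPLE_BAD_MAC" "$SAMPLE_CLOSED"; do classify_output "$s" || :; done ;;
esac
```

Start ssltap as in the reply, then run `sh probe_ciphers.sh run` (the file name is assumed) from a host with one of the failing OpenSSL versions; `PROBE_HOST=... PROBE_PORT=443 sh probe_ciphers.sh run` goes straight to httpd. One line per cipher on the client side, plus the ssltap decode and the "SSL Library Error" lines in the httpd error log, gives the three-way comparison; repeating the run after re-enabling the ecdhe_rsa_* ciphers shows whether -8152 is tied to the ECDHE-RSA suites alone. `sh probe_ciphers.sh self` only runs the classifier over the constructed samples.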
