Hello list,

unfortunately I have encountered some issues while trying to implement
TLSv1.3 using mod_nss on my machine. Every attempt to reach the listening
port is shut down with ‘Request header read timeout’ and gives back an
empty reply from server. I have described the issue in more detail below.
Any advice that would eventually lead to a functioning TLSv1.3 Apache web
server is greatly appreciated.

My web server is running Fedora 28, Apache/2.4.34, NSS 3.38.0 and NSPR
4.19.0. I have built the latest version of mod_nss using the README stored
in the cloned repository. Configuration of mod_nss is based mostly on
Apache logs and the mod_nss.html file (config pasted below). Different
Linux distributions report the same results.

As far as certificates are concerned, the gencert utility did not help.
Gencert server certificate caused warnings of unexpected virtual names and
kept timing out. For that reason, I decided to generate my own self-signed
certificate to silence the warnings and hopefully get a response. At this
point, I have tried various ways to generate and install a server
certificate with no success. The current certificate does not raise any
warnings but at the same time does not work with NSSEnforceValidCerts on. I
can provide logs for both Apache and mod_nss with debug error level enabled
but they only show useless information except for enabled/disabled ciphers
and the previously mentioned ‘Request header read timeout’.

<conf.d/nss.conf>

Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
NSSPassPhraseDialog  file:/usr/local/mod_nss/password.conf
NSSPassPhraseHelper /usr/sbin/nss_pcache
NSSSessionCacheSize 10000
NSSSession3CacheTimeout 86400
NSSRandomSeed startup builtin
NSSRenegotiation off
NSSRequireSafeNegotiation off

<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName www.example.com:443
ErrorLog /etc/httpd/logs/nss_error_log
TransferLog /etc/httpd/logs/access_log
LogLevel debug
NSSEngine on
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha,+aes_128_gcm_sha_256,+aes_256_gcm_sha_384,+chacha20_poly1305_sha_256
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2,TLSv1.3
NSSNickname example
NSSEnforceValidCerts off
NSSCertificateDatabase /etc/httpd/alias
NSSVerifyClient none
NSSOCSP off
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    NSSOptions +StdEnvVars
</Files>
<Directory “/etc/httpd/cgi-bin”>
    NSSOptions +StdEnvVars
</Directory>
</VirtualHost>

What am I missing?
Thank you kindly for your time.
_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
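A defender-side check added here, not taken from the post or from the mod_nss project: a small linter over the NSS* directives of an nss.conf like the one in the post. The sample config is constructed from the post's values, the three TLS 1.3 suite names are the ones that appear in the post's NSSCipherSuite, and the "on" default assumed for NSSEnforceValidCerts is an assumption.

```python
import re

# mod_nss names of the TLS 1.3 suites that appear in the post's NSSCipherSuite
TLS13_SUITES = {"aes_128_gcm_sha_256", "aes_256_gcm_sha_384",
                "chacha20_poly1305_sha_256"}
LEGACY_PROTOCOLS = {"TLSv1.0", "TLSv1.1"}

# Constructed sample: a subset of the post's directives, NSSCipherSuite on one line
SAMPLE_CONF = """\
NSSEngine on
NSSCipherSuite +aes_128_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256,+aes_128_gcm_sha_256,+aes_256_gcm_sha_384,+chacha20_poly1305_sha_256
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2,TLSv1.3
NSSNickname example
NSSEnforceValidCerts off
"""

def parse_directives(conf):
    """Map each NSS* directive to its value; a repeated directive keeps the last."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"^\s*(NSS\w+)\s+(.+?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def enabled_suites(value):
    """NSSCipherSuite is a comma list of +name/-name tokens; keep the '+' ones."""
    return {tok[1:] for tok in value.split(",") if tok.startswith("+")}

def lint(conf):
    """Return a list of findings (an empty list means nothing to flag)."""
    d = parse_directives(conf)
    protocols = {p.strip() for p in d.get("NSSProtocol", "").split(",") if p.strip()}
    suites = enabled_suites(d.get("NSSCipherSuite", ""))
    findings = []
    # TLS 1.3 only negotiates with its own suites, so protocol and suite list must agree
    if "TLSv1.3" in protocols and not suites & TLS13_SUITES:
        findings.append("TLSv1.3 in NSSProtocol but no TLS 1.3 suite enabled")
    if "TLSv1.3" not in protocols and suites & TLS13_SUITES:
        findings.append("TLS 1.3 suites enabled but TLSv1.3 missing from NSSProtocol")
    for p in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append(f"{p} enabled; restrict NSSProtocol to TLSv1.2,TLSv1.3")
    # assumption: mod_nss defaults NSSEnforceValidCerts to on when absent
    if d.get("NSSEnforceValidCerts", "on").lower() == "off":
        findings.append("NSSEnforceValidCerts off: server certificate not validated at startup")
    return findings

if __name__ == "__main__":
    for f in lint(SAMPLE_CONF):
        print("-", f)
```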