Re: "SSL input filter read failed" error for apache with mod_nss

2009-08-11 Thread Nelson B Bolyard
On 2009-08-11 07:11 PDT, Rishi Renjith wrote:
> Hello, 
> The issue with the dummy DB was that some permissions to some files in
> it were not given. I did a chmod 777 to all files and now the dummy DB
> seems to be working fine. 

I still don't know what a dummy DB is, but I'm glad you got past it.

> I configured the NSS database with the crypto card(sun sca6000) as follows. 
> mkdir /opt/SMC/Apache2/nsscertdb
> 
> cd /opt/SMC/Apache2/nsscertdb
> 
> certutil -N -d /opt/SMC/Apache2/nsscertdb
> 
> modutil -dbdir . -nocertdb -force -add "Sun Crypto Accelerator"
> -libfile /usr/lib/libpkcs11.so -mechanisms RSA:DSA:RC4:DES

Ah!  You're trying to use a Sun Crypto Accelerator!  You didn't mention
that in your previous message.

>  modutil -list -dbdir /opt/SMC/Apache2/nssdb
> Using database directory /opt/SMC/Apache2/nssdb...
> 
> Listing of PKCS #11 Modules
> ---
>   1. NSS Internal PKCS #11 Module
>  slots: 2 slots attached
> status: loaded
> 
>  slot: NSS Internal Cryptographic Services
> token: NSS Generic Crypto Services
> 
>  slot: NSS User Private Key and Certificate Services
> token: NSS Certificate DB
> 
>   2. Sun Crypto Accelerator
> library name: /usr/lib/libpkcs11.so
>  slots: 2 slots attached
> status: loaded
> 
>  slot: Sun Metaslot
> token: Sun Metaslot
> 
>  slot: Sun Crypto Softtoken
> token: Sun Software PKCS#11 softtoken
> ---

No crypto accelerator there!  It should show up as a slot.

Sun's Metaslot is a special software slot that redistributes the tasks
it is asked to do to the other slots.  Its other slots actually come
from other PKCS#11 modules that plug into it.  In this case, it shows
only one other slot, one belonging to Sun's pure-software PKCS#11 module,
Sun's "softtoken" (note: two t's, unlike NSS's pure-software softoken
which has only one t :).  That tells us that Sun's Metaslot has not been
configured to know about the Sun Crypto Accelerator you want to use.
In other words, your Sun Crypto Accelerator has not been "plugged in" to
your Metaslot.  So, when you did various operations, such as generating
a key pair and a CSR in the "metaslot", the Metaslot redistributed that
task to the only other slot it could find, Sun's Softtoken.  That's not
what you expected, I see.

> certutil -R  -s "C=IN, O=NSN, OU=SPA2, CN=sandeeprc.eu.org
> " -h "Sun Metaslot" -o ismc.csr -d . -a  -n
> ismc_cert

> (Got the CSR signed from CA Cert)
> certutil -A  -d . -n "ismc_cert" -a -t "CT,," -i cert2.csr -h "Sun Metaslot"
> 
> certutil -A  -d . -n "CACERT CA" -a -t "CTu,CTu,CTu" -i ca.txt -h "Sun
> Metaslot"
> 
> certutil -V -u V -d . -n "ismc_cert" -h "Sun Metaslot"
> 
> The certificate is verified correctly. 

I think you will find that all those certs appear to be in two slots,
the Metaslot and also in the softoken.  Try listing the certs in all
slots, e.g.
  certutil -L -d . -h all

> In nss.conf, i gave the following directives to use this database
> 
> Now in NSS.conf I added the following lines to use the hardware accelerator
> NSSNickname "Sun Metaslot:ismc_cert"
> NSSCertificateDatabase /opt/SMC/Apache2/nssdb
> 
> Now everything is working fine, the requests are getting processed
> correctly. But the issue is that the rsaprivate value is not getting
> incremented in the kstat -n mca0 output. Which means that it is not
> using the hardware accelerator card. 

Right. Not surprising, given that the SCA doesn't show up among the slots
known to the metaslot.

> I have also given cryptoadm enable metaslot token= so as to
> use the hardware accelerator. 
> 
> Any suggestions? 
> 
> (When we try to use mod_ssl using the pkcs patch, it's correctly
> incrementing the rsaprivate values.)

Now, your question is a Sun configuration question, namely, how do you
configure Sun's Metaslot so that it knows about the SCA-6000?  You'll
have to get the answer to that question from Sun.

If/when you get an answer, please share it with us here.  Thanks.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: "SSL input filter read failed" error for apache with mod_nss

2009-08-11 Thread Robert Relyea

On 08/11/2009 07:11 AM, Rishi Renjith wrote:
> Now in NSS.conf I added the following lines to use the hardware 
> accelerator
> 
> NSSNickname "Sun Metaslot:ismc_cert"
> NSSCertificateDatabase /opt/SMC/Apache2/nssdb
> 
> Now everything is working fine, the requests are getting processed 
> correctly. But the issue is that the rsaprivate value is not getting 
> incremented in the kstat -n mca0 output. Which means that it is not 
> using the hardware accelerator card.

If everything is connecting correctly, then there are only a few 
possibilities:


1) You are not using an RSA cipher (possible, but unlikely -- not 
possible if you have no other key and cert types).
2) You have a copy of the private key in the softoken. NSS should 
prefer the HW token if the exact cert and key is in both. If the key is 
only in one or the other then NSS will use the token that contains that 
private key (it has no choice).  If NSS is using the softoken key it's 
likely because:
2a) There is a second cert with the same subject as the one in your 
token with a valid public key, and NSS is preferring that cert (probably 
because of issuance or key usage reasons).
2b) You don't have the private key in the token (I noted that your 
setup did not import any private keys, you used certutil to import your 
cert -- which just imports certs, not private keys. You'll want to use 
pk12util to import a PKCS #12 package with both the cert and the key).
NOTE: you can solve 2a by deleting the private key in softoken --- 
however if your problem is 2b) that means you will lose your private 
key. You may want to use pk12util to back it up first.
3) If you are using RSA, and you have no RSA private keys in the 
softoken database, and you are connecting correctly -- then you *MUST* 
be using the token (or some token) as NSS could never do the private key 
operation without the private key. In that case I would suspect your 
counter.


bob


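An added example, not code from the thread, from NSS or from mod_nss: a small POSIX sh script that applies the two checks suggested above, Nelson's "list what is actually in every slot" and Bob's "find out which token really holds the private key", offline, by parsing the text that `modutil -list` and `certutil -K -d . -h all` print. The modutil sample is the listing Rishi posted; the certutil -K sample is constructed to show Bob's case 2b, and its line layout (a `certutil: Checking token "..." in slot "..."` header followed by `< n> rsa <key id> <nickname>` lines) is assumed from certutil's usual output. The thread never shows what an attached SCA 6000 presents as a slot name, so the substring you hand to `has_slot` is your choice.

```shell
#!/bin/sh
# Added example: offline checks over `modutil -list` / `certutil -K -h all` text.
#   modutil_slots - prints one "module<TAB>slot<TAB>token" line per slot
#   has_slot      - exit 0 if any slot name contains the given substring
#   key_tokens    - prints each token in which a key with this nickname lives
#   key_location  - classifies that the way Bob's list does
# The certutil -K line layout used in CERTUTIL_K_SAMPLE is an assumption.

# Sample 1: the modutil -list output posted in the thread.
MODUTIL_SAMPLE='Listing of PKCS #11 Modules
---
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Sun Crypto Accelerator
        library name: /usr/lib/libpkcs11.so
         slots: 2 slots attached
        status: loaded

         slot: Sun Metaslot
        token: Sun Metaslot

         slot: Sun Crypto Softtoken
        token: Sun Software PKCS#11 softtoken
---'

# Sample 2: constructed certutil -K -d . -h all output for case 2b: the
# RSA key exists only in the NSS softoken, the hardware token is empty.
CERTUTIL_K_SAMPLE='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      3f2a9c1e5b7d0a4c8e6f1d2b9a3c7e5f0b8d4a6c   ismc_cert
certutil: Checking token "Sun Metaslot" in slot "Sun Metaslot"
certutil: no keys found'

modutil_slots() {
    awk '
        /^ *[0-9]+\. / { sub(/^ *[0-9]+\. /, ""); module = $0; next }
        /^ *slot: /    { sub(/^ *slot: /, "");   slot = $0;   next }
        /^ *token: /   { sub(/^ *token: /, "");  token = $0
                         printf "%s\t%s\t%s\n", module, slot, token }
    '
}

has_slot() {
    modutil_slots | awk -F'\t' -v pat="$1" \
        'index($2, pat) { found = 1 } END { exit (found ? 0 : 1) }'
}

key_tokens() {
    awk -v nick="$1" '
        /^certutil: Checking token "/ {
            match($0, /token "[^"]*"/)
            tok = substr($0, RSTART + 7, RLENGTH - 8)   # strip token "..."
            next
        }
        /^< *[0-9]+> / {                                # "< n> rsa <id> <nick>"
            n = length(nick)
            if (substr($0, length($0) - n + 1) == nick &&
                substr($0, length($0) - n, 1) ~ /[ \t]/) print tok
        }
    '
}

key_location() {
    key_tokens "$1" | awk -v hw="$2" '
        $0 == hw                   { in_hw = 1 }
        $0 == "NSS Certificate DB" { in_soft = 1 }
        END {
            if (in_hw && in_soft) print "both"           # NSS should prefer hw
            else if (in_hw)       print "hardware-only"  # case 3: suspect counter
            else if (in_soft)     print "softoken-only"  # case 2b: pk12util it in
            else                  print "absent"
        }
    '
}

# Stand-alone demo over the two samples.
echo "slots seen by modutil:"
printf '%s\n' "$MODUTIL_SAMPLE" | modutil_slots
if printf '%s\n' "$MODUTIL_SAMPLE" | has_slot "Sun Crypto Accelerator"; then
    echo "accelerator present as a slot"
else
    echo "no accelerator slot: the Metaslot only has Sun's softtoken behind it"
fi
verdict=$(printf '%s\n' "$CERTUTIL_K_SAMPLE" | key_location ismc_cert "Sun Metaslot")
echo "ismc_cert private key: $verdict"

# Live use (needs the NSS tools; certutil -K prompts for each token's password):
#   modutil -list -dbdir /opt/SMC/Apache2/nssdb | has_slot "<accelerator slot name>"
#   certutil -K -d /opt/SMC/Apache2/nssdb -h all | key_location ismc_cert "Sun Metaslot"
```

Two practical notes. `certutil -K -h all` has to log in to every token, so run it interactively or with `-f` pointing at a password file that only the Apache user can read. The NSS database directory itself should be owned by the user Apache runs as and readable only by that user; key3.db holds the softoken's private keys, so a blanket chmod 777 hands that material to every local account.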

Re: "SSL input filter read failed" error for apache with mod_nss

2009-08-11 Thread Nelson B Bolyard
On 2009-08-10 04:47 PDT, Rishi wrote:
> Hello,
> We are trying to make apache work with mod_nss in Solaris10 x86
> platform in our project, which currently uses mod_ssl. For that we did
> the following.
> 1) Compiled and installed NSS with NSPR.
> 2) Installed Apache compiled with mod_ssl
> 3) Compiled and installed mod_nss for this Apache
4) Created the dummy DB using gencert.sh file in mod_nss

mod_nss is a plug-in for Apache that uses NSS.  It was developed by
someone who does not participate in this discussion forum (as far as I
know) and the people in this forum may not be able to help you with
mod_nss.  We can help you with NSS, but not mod_nss.  I appreciate that
you may not know where the boundaries are between them.

The mod_nss people hang out somewhere in Red Hat discussion areas.
Sorry, I can't be more specific.

I don't know what a "dummy DB" is.  I'm not aware that NSS ever has any
dummy DBs.  Maybe this dummy DB is not an NSS DB?  I'm curious to know
what documentation advises you about a "dummy DB".

> 5) Changed permissions for DB so that we can use it.
> The issue we are getting is that the browser(Firefox) says
> "SSL_Disabled", when trying to run in FIPS mode. 

Firefox reports "SSL Disabled" when it has tried and failed to complete
a TLS and/or SSL handshake with the same server 2-3 times in a row.
It's actually a bug that it reports SSL disabled, and not something else,
but regardless of the words of the report, the point is that the handshakes
are failing.  There are potentially many reasons why.

> When I checked the server logs, it says "SSL Input filter read failed."
> "Cannot connect, SSL is disabled".  error.

That's not an NSS error.  It's likely a server configuration issue.

> Is there any setting that we are missing?
> nss.conf and httpd.conf files.

NSS doesn't have any files named nss.conf or httpd.conf.  Those must be
mod_nss files and/or Apache files.  You'll have to ask the mod_nss people
about that.

> 
> Versions used:
> Mod_nss: 1.0.8
> NSS and NSPR: nss-3.12.3.1-with-nspr-4.7.5
> Apache: 2.2.11
> 



Re: "SSL input filter read failed" error for apache with mod_nss

2009-08-11 Thread Rishi Renjith
Hello, The issue with the dummy DB was that some permissions to some files
in it were not given. I did a chmod 777 to all files and now the dummy DB
seems to be working fine.

I configured the NSS database with the crypto card(sun sca6000) as follows.
mkdir /opt/SMC/Apache2/nsscertdb

cd /opt/SMC/Apache2/nsscertdb

-certutil -N -d /opt/SMC/Apache2/nsscertdb

-modutil -dbdir . -nocertdb -force -add "Sun Crypto Accelerator" -libfile
/usr/lib/libpkcs11.so -mechanisms RSA:DSA:RC4:DES
 modutil -list -dbdir /opt/SMC/Apache2/nssdb
Using database directory /opt/SMC/Apache2/nssdb...

Listing of PKCS #11 Modules
---
  1. NSS Internal PKCS #11 Module
 slots: 2 slots attached
status: loaded

 slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services

 slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB

  2. Sun Crypto Accelerator
library name: /usr/lib/libpkcs11.so
 slots: 2 slots attached
status: loaded

 slot: Sun Metaslot
token: Sun Metaslot

 slot: Sun Crypto Softtoken
token: Sun Software PKCS#11 softtoken
---


certutil -R  -s "C=IN, O=NSN, OU=SPA2, CN=sandeeprc.eu.org" -h "Sun
Metaslot" -o ismc.csr -d . -a  -n ismc_cert

(Got the CSR signed from CA Cert)
certutil -A  -d . -n "ismc_cert" -a -t "CT,," -i cert2.csr -h "Sun Metaslot"

certutil -A  -d . -n "CACERT CA" -a -t "CTu,CTu,CTu" -i ca.txt -h "Sun
Metaslot"

certutil -V -u V -d . -n "ismc_cert" -h "Sun Metaslot"

The certificate is verified correctly. In nss.conf, I gave the following
directives to use this database

Now in NSS.conf I added the following lines to use the hardware accelerator
NSSNickname "Sun Metaslot:ismc_cert"
NSSCertificateDatabase /opt/SMC/Apache2/nssdb

Now everything is working fine, the requests are getting processed
correctly. But the issue is that the rsaprivate value is not getting
incremented in the kstat -n mca0 output. Which means that it is not using
the hardware accelerator card.

I have also given cryptoadm enable metaslot token= so as to use
the hardware accelerator.

Any suggestions?

(When we try to use mod_ssl using the pkcs patch, it's correctly
incrementing the rsaprivate values.)

On Mon, Aug 10, 2009 at 5:12 PM, Rishi Renjith wrote:

>
> Hello, We are trying to make apache work with mod_nss in Solaris10 x86
> platform in our project, which currently uses mod_ssl. For that we did the
> following.
> 1) Compiled and installed NSS with NSPR.
>  2) Installed Apache compiled with mod_ssl
> 3) Compiled and installed mod_nss for this Apache
> 4) Created the dummy DB using gencert.sh file in mod_nss
> 5) Changed permissions for DB so that we can use it.
> The issue we are getting is that the browser(Firefox) says "SSL_Disabled",
> when trying to run in FIPS mode. When I checked the server logs, it says
> "SSL Input filter read failed." "Cannot connect, SSL is disabled".  error.
>
> Is there any setting that we are missing?
> I am attaching the nss.conf and httpd.conf files.
>
> Versions used:
> Mod_nss: 1.0.8
> NSS and NSPR: nss-3.12.3.1-with-nspr-4.7.5
> Apache: 2.2.11
>
>
>
> Thanks,
> Rishi
>
>
>

"SSL input filter read failed" error for apache with mod_nss

2009-08-10 Thread Rishi
Hello,
We are trying to make apache work with mod_nss in Solaris10 x86
platform in our project, which currently uses mod_ssl. For that we did
the following.
1) Compiled and installed NSS with NSPR.
2) Installed Apache compiled with mod_ssl
3) Compiled and installed mod_nss for this Apache
4) Created the dummy DB using gencert.sh file in mod_nss
5) Changed permissions for DB so that we can use it.
The issue we are getting is that the browser(Firefox) says
"SSL_Disabled", when trying to run in FIPS mode. When I checked the
server logs, it says "SSL Input filter read failed." "Cannot connect,
SSL is disabled".  error.

Is there any setting that we are missing?
nss.conf and httpd.conf files.

Versions used:
Mod_nss: 1.0.8
NSS and NSPR: nss-3.12.3.1-with-nspr-4.7.5
Apache: 2.2.11
