Re: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication
> Only one nss database may be opened at a time. mod_nss should probably error
> out if multiple are defined to prevent confusion.
>
> I'd think a nickname should be unique to a given VirtualServer. If not then
> it's a bug.

That makes sense - and yeah, it should probably error out rather than just open the last without notice.

Pretty sure the NSSNickname issue is a bug - but at this time not sure where that lies exactly, given that mod_nss doesn't claim SNI support currently anyway. I'm going to let this lie for now to get on with other bits and will probably pick it up again in a week or so to dig a little deeper (ie use multiple IPs and compare behaviour versus on a single IP etc)...

If I can find anything relevant I'll open appropriate tickets with the appropriate parties then.

For now (and in the context of this thread) I'll not mention mod_nss and leave the wiki page as is.

James

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication
James Hogarth wrote:
> I'll try and replicate the blog findings in the course of the next couple of
> days; if it works I'll add it to the wiki ...
>
> Set up a test this morning using CentOS 6:
>
> nss-3.13.1-7.el6_2.x86_64
> mod_nss-1.0.8-14.el6_2.x86_64
>
> The behaviour was... odd.
>
> SNI itself must have been working as the contents differed depending on the
> domain, which matched the expectation from the two virtual hosts. However
> there appear to remain certificate selection issues and/or issues with
> respect to the behaviour of the NSS options - only the last
> NSSCertificateDatabase seemed to apply rather than be local to a given
> VirtualHost (if separating certificate databases), and if in a common
> database, although Apache reported different nicknamed certificates in
> error_log, only the first NSSNickname seemed to be used to obtain the
> correct certificate...
>
> Set up a similar test on Fedora 17:
>
> nss-3.13.4-3.fc17.x86_64
> mod_nss-1.0.8-17.fc17.x86_64
>
> Same behaviour occurred (not that surprising given the versions).
>
> So the short of it is: ignore that blog and Rob is right - mod_nss is not
> ready yet... if you want SNI you need mod_ssl (or mod_gnutls)... if you have
> FIPS etc requirements or other reasons to use mod_nss then SNI is not at
> this time possible if you want valid certificates in place...

Only one nss database may be opened at a time. mod_nss should probably error out if multiple are defined to prevent confusion.

I'd think a nickname should be unique to a given VirtualServer. If not then it's a bug.

rob
Re: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication
> I'll try and replicate the blog findings in the course of the next couple of
> days; if it works I'll add it to the wiki ...
>

Set up a test this morning using CentOS 6:

nss-3.13.1-7.el6_2.x86_64
mod_nss-1.0.8-14.el6_2.x86_64

The behaviour was... odd.

SNI itself must have been working as the contents differed depending on the domain, which matched the expectation from the two virtual hosts. However there appear to remain certificate selection issues and/or issues with respect to the behaviour of the NSS options - only the last NSSCertificateDatabase seemed to apply rather than be local to a given VirtualHost (if separating certificate databases), and if in a common database, although Apache reported different nicknamed certificates in error_log, only the first NSSNickname seemed to be used to obtain the correct certificate...

Set up a similar test on Fedora 17:

nss-3.13.4-3.fc17.x86_64
mod_nss-1.0.8-17.fc17.x86_64

Same behaviour occurred (not that surprising given the versions).

So the short of it is: ignore that blog and Rob is right - mod_nss is not ready yet... if you want SNI you need mod_ssl (or mod_gnutls)... if you have FIPS etc requirements or other reasons to use mod_nss then SNI is not at this time possible if you want valid certificates in place...

James
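The certificate-selection problem reported above (the right content served, but the certificate belonging to the first NSSNickname presented for every virtual host) is easiest to confirm from the client side. The script below is an added example, not code from the thread or from mod_nss/mod_ssl: it opens one TLS connection per virtual-host name, sends that name as SNI, and reports whether the certificate the server actually presented carries that name. It assumes the server's certificates chain to a CA file you can point it at (on an IPA-enrolled client `/etc/ipa/ca.crt` is the usual place); the host, port and names are placeholders.

```python
"""Check which certificate an SNI-enabled Apache host serves per virtual host.

Added example (not part of the thread). Verification stays on so that
getpeercert() returns the parsed certificate; hostname checking is done
here instead, because a mismatch is exactly what we want to detect.
"""
import socket
import ssl


def cert_names(cert):
    """Collect DNS SANs and the subject CN from an ssl.getpeercert() dict."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    return names


def name_matches(pattern, hostname):
    """Exact match, or a single leading wildcard label (*.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and hostname.count(".") >= 2:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def cert_matches(cert, hostname):
    """True if any name in the served certificate covers the SNI name sent."""
    return any(name_matches(p, hostname) for p in cert_names(cert))


def check_sni(host, port, hostnames, cafile="/etc/ipa/ca.crt"):
    """Return {sni_name: (names_in_served_cert, matches)} for each name tried.

    cafile is an assumption: the CA that issued the virtual hosts' certs.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # compare ourselves, so mismatches are reported
    results = {}
    for name in hostnames:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=name) as tls:
                cert = tls.getpeercert()
        results[name] = (cert_names(cert), cert_matches(cert, name))
    return results
```

If every entry reports the same served names and only the first one matches, the server is presenting one certificate regardless of SNI, which is the behaviour described for mod_nss above.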
Re: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication
> > mod_nss doesn't support SNI yet because the NSS support isn't complete yet
> > (though getting closer).
>

Accidentally sent this to only rob (Android Gmail client I blame... defaults to reply rather than reply all)... For the benefit of the list:

That's what I thought based on the Mozilla bugzilla entries plus the changelog of mod_nss over at the fedora ds site...

But then I found this on Googling, which implies SNI should work with mod_nss:

http://arika.firstyear.id.au/blog/

I'll try and replicate the blog findings in the course of the next couple of days; if it works I'll add it to the wiki ...

J
Re: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication
Simo Sorce wrote:
> On Tue, 2012-06-19 at 13:04 +0100, James Hogarth wrote:
> > Hi all,
> >
> > As mentioned on IRC today I've finished my write up of using Apache
> > with SNI and kerberos authentication with an IPA backend
> >
> > I'd be interested in any feedback:
> >
> > http://freeipa.org/page/Apache_SNI_With_Kerberos
>
> Very nice writeup!
>
> I see you use mod_ssl; can this configuration be obtained with mod_nss as
> well?
> I was going to try it but on an ipa server we use mod_nss and would like to
> avoid having to find out how to reconfigure stuff to use mod_ssl.
>
> Simo.

mod_nss doesn't support SNI yet because the NSS support isn't complete yet (though getting closer).

rob
Re: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication
On Tue, Jun 19, 2012 at 2:04 PM, James Hogarth wrote:
> Hi all,
>
> As mentioned on IRC today I've finished my write up of using Apache
> with SNI and kerberos authentication with an IPA backend
>
> I'd be interested in any feedback:
>
> http://freeipa.org/page/Apache_SNI_With_Kerberos
>

nice! I will try it shortly.

Thanks!

--
natxo
Re: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication
On Tue, 2012-06-19 at 13:04 +0100, James Hogarth wrote:
> Hi all,
>
> As mentioned on IRC today I've finished my write up of using Apache
> with SNI and kerberos authentication with an IPA backend
>
> I'd be interested in any feedback:
>
> http://freeipa.org/page/Apache_SNI_With_Kerberos

Very nice writeup!

I see you use mod_ssl; can this configuration be obtained with mod_nss as well?
I was going to try it but on an ipa server we use mod_nss and would like to avoid having to find out how to reconfigure stuff to use mod_ssl.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication
Hi all,

As mentioned on IRC today I've finished my write up of using Apache with SNI and kerberos authentication with an IPA backend.

I'd be interested in any feedback:

http://freeipa.org/page/Apache_SNI_With_Kerberos

Kind regards,
James