Hi,
I am trying to get apache to run as a SSL Server with crypto hardware
accelerator support. I am using NSS 3.12 and mod_nss 1.0.8.
First, I configured the crypto hardware into NSS:
# ./modutil -dbdir /usr/local/apache2/nssdb2/ -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. crypto
library name: /usr/lib64/opencryptoki/libopencryptoki.so
slots: 1 slot attached
status: loaded
slot: Linux 2.6.18-92.el5 Linux (ICA)
token: SKCRYPTO
-----------------------------------------------------------
I generated a CA cert and a server cert on the token as well on the
internal software token:
# ./certutil -d /usr/local/apache2/nssdb2/ -L -h all
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Enter Password or Pin for "SKCRYPTO":
Server-Cert u,u,u
cacert CTu,Cu,Cu
SKCRYPTO:Server-Cert u,u,u
I set up mod_nss, and when I am using the Server-Cert certificate with the
software token the SSL connection works fine (without using the crypto
hardware).
But when I set NSSNickname SKCRYPTO:Server-Cert the connection does not work
and I am getting the following entries in the error log:
[Wed Jan 07 13:30:38 2009] [info] Initializing SSL Session Cache of size
10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Wed Jan 07 13:30:38 2009] [info] Init: Seeding PRNG with 144 bytes of
entropy.
[Wed Jan 07 13:30:38 2009] [info] Init: Initializing (virtual) servers for
SSL.
[Wed Jan 07 13:30:38 2009] [info] Configuring server for SSL protocol
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(594): Enabling SSL3
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(599): Enabling TLS
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(770): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Wed Jan 07 13:30:38 2009] [info] Using nickname SKCRYPTO:Server-Cert.
[Wed Jan 07 13:30:38 2009] [info] Server: Apache/2.2.10, Interface:
mod_nss/2.2.10, Library: NSS/3.12.0.3
[Wed Jan 07 13:30:38 2009] [info] Shutting down SSL Session ID Cache
[Wed Jan 07 13:30:38 2009] [info] Initializing SSL Session Cache of size
10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Wed Jan 07 13:30:38 2009] [info] Server: Apache/2.2.10, Interface:
mod_nss/2.2.10, Library: NSS/3.12.0.3
[Wed Jan 07 13:30:38 2009] [info] Init: Seeding PRNG with 144 bytes of
entropy
[Wed Jan 07 13:30:38 2009] [info] Configuring server for SSL protocol
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(594): Enabling SSL3
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(599): Enabling TLS
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(770): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Wed Jan 07 13:30:38 2009] [info] Using nickname SKCRYPTO:Server-Cert.
[Wed Jan 07 13:30:38 2009] [error] Certificate not found:
'SKCRYPTO:Server-Cert'
[Wed Jan 07 13:30:38 2009] [info] Init: Seeding PRNG with 144 bytes of
entropy
[Wed Jan 07 13:30:38 2009] [info] Configuring server for SSL protocol
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(594): Enabling SSL3
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(599): Enabling TLS
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(770): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Wed Jan 07 13:30:38 2009] [info] Using nickname SKCRYPTO:Server-Cert.
[Wed Jan 07 13:30:38 2009] [info] Init: Seeding PRNG with 144 bytes of
entropy
[Wed Jan 07 13:30:38 2009] [info] Configuring server for SSL protocol
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(594): Enabling SSL3
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(599): Enabling TLS
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(770): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Wed Jan 07 13:30:38 2009] [info] Using nickname SKCRYPTO:Server-Cert.
[Wed Jan 07 13:30:38 2009] [error] Certificate not found:
'SKCRYPTO:Server-Cert'
[Wed Jan 07 13:30:38 2009] [info] Init: Seeding PRNG with 144 bytes of
entropy
[Wed Jan 07 13:30:38 2009] [info] Configuring server for SSL protocol
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(594): Enabling SSL3
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(599): Enabling TLS
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(770): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Wed Jan 07 13:30:38 2009] [info] Using nickname SKCRYPTO:Server-Cert.
[Wed Jan 07 13:30:38 2009] [error] Certificate not found:
'SKCRYPTO:Server-Cert'
[Wed Jan 07 13:30:38 2009] [notice] Apache/2.2.10 (Unix) mod_nss/2.2.10
NSS/3.12.0.3 configured -- resuming normal operations
[Wed Jan 07 13:30:38 2009] [info] Server built: Dec 18 2008 16:35:28.
[Wed Jan 07 13:30:38 2009] [debug] prefork.c(1001): AcceptMutex: sysvsem
(default: sysvsem)
[Wed Jan 07 13:30:38 2009] [error] Certificate not found:
'SKCRYPTO:Server-Cert'
[Wed Jan 07 13:30:38 2009] [info] Init: Seeding PRNG with 144 bytes of
entropy
[Wed Jan 07 13:30:38 2009] [info] Configuring server for SSL protocol
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(594): Enabling SSL3
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(599): Enabling TLS
[Wed Jan 07 13:30:38 2009] [debug] nss_engine_init.c(770): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Wed Jan 07 13:30:38 2009] [info] Using nickname SKCRYPTO:Server-Cert.
[Wed Jan 07 13:30:38 2009] [error] Certificate not found:
'SKCRYPTO:Server-Cert'
[Wed Jan 07 13:30:39 2009] [info] Init: Seeding PRNG with 144 bytes of
entropy
[Wed Jan 07 13:30:39 2009] [info] Configuring server for SSL protocol
[Wed Jan 07 13:30:39 2009] [debug] nss_engine_init.c(594): Enabling SSL3
[Wed Jan 07 13:30:39 2009] [debug] nss_engine_init.c(599): Enabling TLS
[Wed Jan 07 13:30:39 2009] [debug] nss_engine_init.c(770): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Wed Jan 07 13:30:39 2009] [info] Using nickname SKCRYPTO:Server-Cert.
[Wed Jan 07 13:30:39 2009] [error] Certificate not found:
'SKCRYPTO:Server-Cert'
[Wed Jan 07 13:30:40 2009] [info] Init: Seeding PRNG with 144 bytes of
entropy
[Wed Jan 07 13:30:40 2009] [info] Configuring server for SSL protocol
[Wed Jan 07 13:30:40 2009] [debug] nss_engine_init.c(594): Enabling SSL3
[Wed Jan 07 13:30:40 2009] [debug] nss_engine_init.c(599): Enabling TLS
[Wed Jan 07 13:30:40 2009] [debug] nss_engine_init.c(770): Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
Do you have any ideas why the certificate is only found the first time?
Kind regards,
Stefan Kirchner
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
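The error log above is long and repetitive, and the useful signal is buried in it: "Using nickname SKCRYPTO:Server-Cert" with no error in the first initialisation pass, then "Certificate not found" in every pass after the first. The following script is an added example, not part of the post or of mod_nss; it groups a mod_nss error log into initialisation passes (each beginning at "Init: Seeding PRNG"), records which nickname each pass asked for and whether the lookup failed, and reports the token prefix of any token-qualified nickname so an administrator can see at a glance whether the failures are tied to a hardware token and when they start. The sample log lines are constructed to mirror the post, with the line wrapping of the e-mail undone, since a real error_log keeps each entry on one line.

```python
"""Triage a mod_nss error log by NSS initialisation pass.

Added example (not mod_nss code). It answers two questions an admin wants
before digging further: in which init passes did the certificate lookup
fail, and was the requested nickname qualified with a PKCS#11 token name
(the "TOKEN:nick" form), i.e. backed by a hardware token?
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the post: pass 1 succeeds, passes 2 and 3 fail.
SAMPLE_LOG = """\
[Wed Jan 07 13:30:38 2009] [info] Init: Seeding PRNG with 144 bytes of entropy.
[Wed Jan 07 13:30:38 2009] [info] Using nickname SKCRYPTO:Server-Cert.
[Wed Jan 07 13:30:38 2009] [info] Shutting down SSL Session ID Cache
[Wed Jan 07 13:30:38 2009] [info] Init: Seeding PRNG with 144 bytes of entropy
[Wed Jan 07 13:30:38 2009] [info] Using nickname SKCRYPTO:Server-Cert.
[Wed Jan 07 13:30:38 2009] [error] Certificate not found: 'SKCRYPTO:Server-Cert'
[Wed Jan 07 13:30:39 2009] [info] Init: Seeding PRNG with 144 bytes of entropy
[Wed Jan 07 13:30:39 2009] [info] Using nickname SKCRYPTO:Server-Cert.
[Wed Jan 07 13:30:39 2009] [error] Certificate not found: 'SKCRYPTO:Server-Cert'
"""

# Apache 2.2 error_log format: [timestamp] [level] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
NICK_RE = re.compile(r"Using nickname (?P<nick>\S+?)\.?$")
NOTFOUND_RE = re.compile(r"Certificate not found: '(?P<nick>[^']+)'")


@dataclass
class InitPass:
    """One mod_nss initialisation pass and what it tried to load."""
    started: str
    nicknames: list = field(default_factory=list)
    not_found: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        # A pass is healthy only if it asked for a nickname and never reported it missing.
        return bool(self.nicknames) and not self.not_found


def parse_passes(text: str) -> list:
    """Split error_log text into InitPass records in order of appearance."""
    passes = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an Apache log line (e.g. a wrapped continuation)
        msg = m.group("msg")
        if msg.startswith("Init: Seeding PRNG"):
            passes.append(InitPass(started=m.group("ts")))
            continue
        if not passes:
            continue  # lines before the first init pass are ignored
        current = passes[-1]
        n = NICK_RE.search(msg)
        if n:
            current.nicknames.append(n.group("nick"))
        nf = NOTFOUND_RE.search(msg)
        if nf:
            current.not_found.append(nf.group("nick"))
    return passes


def summarize(passes: list) -> tuple:
    """Return (number of passes, indices of failing passes, token prefixes seen).

    A nickname of the form TOKEN:nick names a certificate on a PKCS#11 token
    rather than in the internal NSS database, so the prefix tells you which
    token the failing lookups depend on.
    """
    failing = [i for i, p in enumerate(passes) if not p.ok]
    tokens = sorted({n.split(":", 1)[0] for p in passes
                     for n in p.nicknames if ":" in n})
    return len(passes), failing, tokens


def report(text: str) -> str:
    """Human-readable one-line-per-pass summary plus a verdict."""
    passes = parse_passes(text)
    total, failing, tokens = summarize(passes)
    lines = [f"pass {i + 1} at {p.started}: {'OK' if p.ok else 'FAILED'} "
             f"(nicknames={p.nicknames}, not_found={p.not_found})"
             for i, p in enumerate(passes)]
    if failing and 0 not in failing:
        lines.append(f"lookup succeeded in pass 1 and failed in passes "
                     f"{[i + 1 for i in failing]}; token-qualified nicknames use "
                     f"token(s) {tokens}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real error_log with `report(open("/path/to/error_log").read())`; on the sample it shows pass 1 OK and passes 2 and 3 FAILED, all against token SKCRYPTO, which is exactly the "found only the first time" pattern the post describes.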