Hello,
I am having trouble getting mod_nss to work in FIPS mode. Summary of
the problem: mod_nss works fine before FIPS mode is enabled, then
cannot find the certificate after enabling it.
Here is my setup:
CentOS 5 64-bit
Apache 2.2.3 from distro RPM, pre-fork MPM
NSS libraries, tools, etc from distro RPMs (3.11.7-1.3)
I have tried both mod_nss from the distro RPM (1.0.3-4) and 1.0.7 compiled
from source.
Here is the configuration for mod_nss I am using in Apache. It is
basically the defaults:
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
NSSPassPhraseDialog builtin
NSSPassPhraseHelper /usr/sbin/nss_pcache
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
NSSRandomSeed startup builtin
<VirtualHost _default_:443>
LogLevel warn
NSSEngine on
NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
NSSOptions +StdEnvVars
</Files>
<Directory "/etc/httpd/cgi-bin">
NSSOptions +StdEnvVars
</Directory>
</VirtualHost>
This is using the /etc/httpd/alias cert database, which the mod_nss RPM
created with a default certificate named Server-Cert.
Using that default configuration, the Apache server starts fine and
loads mod_nss.
However, when I enable FIPS mode in mod_nss (by adding "NSSFIPS on" to
the Apache config), I can't get it to find the same server certificate:
[Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
[Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Thu May 15 13:41:21 2008] [error] The server key database has not been initialized.
[Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for SSL
[Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert'
I also tried using modutil to enable FIPS mode on the cert database,
but that did not help:
# modutil -fips true -dbdir /etc/httpd/alias
<snipped warning>
Using database directory /etc/httpd/alias...
FIPS mode enabled.
# modutil -chkfips true -dbdir /etc/httpd/alias
Using database directory /etc/httpd/alias...
FIPS mode enabled.
Could someone please clue me in here? Is there some more extensive
process I need to go through in converting the certificate database to
FIPS mode? I have searched for more relevant info with certutil and
modutil but haven't been able to find anything.
Thanks,
Mark
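Added example, not part of Mark's post and not mod_nss's own code: a small FIPS-readiness lint for a mod_nss virtual-host fragment like the one above. It encodes FIPS 140-2 algorithm policy (TLS only, so SSLv2/SSLv3 are flagged; no RC4, RC2, MD5, NULL, single-DES or 40/56-bit export ciphers) and one assumption that has to be verified on the box: that the NSS FIPS token does not accept an empty database password, so a database created with no password (as the RPM's default one is assumed to be here) must get one with `certutil -W -d /etc/httpd/alias` and httpd needs a non-interactive password source, which is why `NSSPassPhraseDialog builtin` is flagged. The directive names are those in the posted config; the sample configs are constructed from it, and `file:/etc/httpd/conf/password.conf` is an illustrative path.

```python
"""FIPS-readiness lint for a mod_nss config fragment (added example).

Assumptions (not taken from the original post):
  * FIPS 140-2 policy: TLS only; no RC4, RC2, MD5, NULL, single DES or
    40/56-bit export ciphers.
  * The NSS FIPS token rejects an empty database password, so
    'NSSPassPhraseDialog builtin' (interactive console prompt) will not
    work unattended; a file: source is suggested instead.
"""
import re

# Protocol names mod_nss accepts that are FIPS-acceptable (TLS family).
FIPS_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}


def parse_directives(text):
    """Return (directive, value) pairs; skips blanks, comments and <tags>."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return out


def is_fips_cipher(name):
    """True if a mod_nss cipher token (without +/-) uses only approved algorithms."""
    n = name.lower()
    if re.search(r"(rc4|rc2|md5|null)", n):
        return False
    if re.search(r"(^|_)des(_|$)", n):      # single DES; '3des' does not match
        return False
    if re.search(r"_(40|56)_", n):          # export-strength key sizes
        return False
    return True


def enabled_ciphers(spec):
    """Cipher tokens switched on ('+name') in an NSSCipherSuite value."""
    return [t[1:] for t in spec.split(",") if t.startswith("+")]


def lint_fips(text):
    """Return a list of finding strings; empty list means nothing flagged."""
    cfg = {}
    for key, val in parse_directives(text):   # last occurrence wins
        cfg[key.lower()] = val
    findings = []
    if cfg.get("nssfips", "off").lower() != "on":
        return findings                        # FIPS off: nothing to check
    protos = [p.strip() for p in cfg.get("nssprotocol", "").split(",") if p.strip()]
    bad_protos = [p for p in protos if p not in FIPS_PROTOCOLS]
    if bad_protos:
        findings.append("NSSProtocol enables non-FIPS protocol(s) %s; use TLSv1"
                        % ",".join(bad_protos))
    bad_ciphers = [c for c in enabled_ciphers(cfg.get("nssciphersuite", ""))
                   if not is_fips_cipher(c)]
    if bad_ciphers:
        findings.append("NSSCipherSuite enables non-FIPS cipher(s): "
                        + ",".join(bad_ciphers))
    if cfg.get("nsspassphrasedialog", "builtin").lower() == "builtin":
        findings.append("NSSPassPhraseDialog builtin: FIPS token needs a database "
                        "password (certutil -W) and a non-interactive source, "
                        "e.g. file:/etc/httpd/conf/password.conf (illustrative)")
    return findings


# Constructed sample: the posted vhost with 'NSSFIPS on' added.
CIPHERS = ("+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,"
           "-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,"
           "-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,"
           "+rsa_aes_128_sha,+rsa_aes_256_sha")
POSTED_WITH_FIPS = """NSSPassPhraseDialog builtin
<VirtualHost _default_:443>
NSSEngine on
NSSFIPS on
NSSCipherSuite %s
NSSProtocol SSLv3,TLSv1
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
</VirtualHost>
""" % CIPHERS

# Constructed sample: same vhost with the two flagged settings corrected.
FIPS_READY = POSTED_WITH_FIPS.replace(
    "NSSProtocol SSLv3,TLSv1", "NSSProtocol TLSv1").replace(
    "NSSPassPhraseDialog builtin",
    "NSSPassPhraseDialog file:/etc/httpd/conf/password.conf")

if __name__ == "__main__":
    for label, text in (("posted + NSSFIPS on", POSTED_WITH_FIPS),
                        ("fips-ready", FIPS_READY)):
        print(label + ":")
        for f in lint_fips(text) or ["no findings"]:
            print("  - " + f)
```

Run it as-is to see the two findings for the posted config and none for the corrected one; point `lint_fips()` at the real nss.conf contents to check a live box. The lint only covers the configuration side; whether the database itself is in FIPS mode is still checked with `modutil -chkfips true -dbdir /etc/httpd/alias` as in the post.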