Fedora directory users - May 2008 - mod_nss and FIPS mode

Hello,

I am having trouble getting mod_nss to work in FIPS mode.  Summary of
the problem:  mod_nss works fine before FIPS mode is enabled, then
cannot find the certificate after enabling it.

Here is my setup:

CentOS 5 64-bit
Apache 2.2.3 from distro RPM, pre-fork MPM
NSS libraries, tools, etc from distro RPMs (3.11.7-1.3)
I have tried both mod_nss from distro rpm (1.0.3-4) and 1.0.7 compiled
from source


Here is the configuration for mod_nss I am using in Apache.  It is
basically the defaults


Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
NSSPassPhraseDialog  builtin
NSSPassPhraseHelper /usr/sbin/nss_pcache
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
NSSRandomSeed startup builtin
<VirtualHost _default_:443>
LogLevel warn
NSSEngine on
NSSCipherSuite
+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    NSSOptions +StdEnvVars
</Files>
<Directory "/etc/httpd/cgi-bin">
    NSSOptions +StdEnvVars
</Directory>
</VirtualHost>



This is using the /etc/httpd/alias cert database, that the mod_nss RPM
created with a default certificate named Server-Cert.

Using that default configuration, the Apache server starts fine and
loads mod_nss.

However, when I enable FIPS mode in mod_nss (By adding "NSSFIPS on" to
Apache config), I can''t get it to find the same server certificate


[Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
[Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of
size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Thu May 15 13:41:21 2008] [error] The server key database has not
been initialized.
[Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for SSL
[Thu May 15 13:41:21 2008] [error] Certificate not found:
''Server-Cert''


I also tried using modutil to enable FIPS mode on the cert database,
but that did not help:

# modutil -fips true -dbdir /etc/httpd/alias
<snipped warning>
Using database directory /etc/httpd/alias...
FIPS mode enabled.


# modutil -chkfips true -dbdir /etc/httpd/alias
Using database directory /etc/httpd/alias...
FIPS mode enabled.

Could someone please clue me in here.  Is there some more extensive
process I need to go through in converting the certificate database to
FIPS mode?  I have searched for more relevant info with certutil and
modutil but haven''t been able to find anything.


Thanks,

Mark

Mark Price wrote:
> Hello,
> 
> I am having trouble getting mod_nss to work in FIPS mode.  Summary of
> the problem:  mod_nss works fine before FIPS mode is enabled, then
> cannot find the certificate after enabling it.
Your configuration looks ok.
> 
> This is using the /etc/httpd/alias cert database, that the mod_nss RPM
> created with a default certificate named Server-Cert.
> 
> Using that default configuration, the Apache server starts fine and
> loads mod_nss.
> 
> However, when I enable FIPS mode in mod_nss (By adding "NSSFIPS
on" to
> Apache config), I can''t get it to find the same server certificate
> 
> 
> [Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
> [Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of
> size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
> [Thu May 15 13:41:21 2008] [error] The server key database has not
> been initialized.
> [Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for
SSL
> [Thu May 15 13:41:21 2008] [error] Certificate not found:
''Server-Cert''
I think part of the problem is "The server key database has not been 
initialized." I''m not sure what would cause this.
> I also tried using modutil to enable FIPS mode on the cert database,
> but that did not help:
> 
> # modutil -fips true -dbdir /etc/httpd/alias
> <snipped warning>
> Using database directory /etc/httpd/alias...
> FIPS mode enabled.
> 
> 
> # modutil -chkfips true -dbdir /etc/httpd/alias
> Using database directory /etc/httpd/alias...
> FIPS mode enabled.
You need to let mod_nss set FIPS mode for it to work properly.
> Could someone please clue me in here.  Is there some more extensive
> process I need to go through in converting the certificate database to
> FIPS mode?  I have searched for more relevant info with certutil and
> modutil but haven''t been able to find anything.
It should be as simple as setting NSSFIPS on.

I''m not sure what the problem is. Let me try to duplicate this locally 
and see what I can find out.

rob

Rob Crittenden wrote:
> Mark Price wrote:
>> Hello,
>>
>> I am having trouble getting mod_nss to work in FIPS mode.  Summary of
>> the problem:  mod_nss works fine before FIPS mode is enabled, then
>> cannot find the certificate after enabling it.
> 
> Your configuration looks ok.
> 
>>
>> This is using the /etc/httpd/alias cert database, that the mod_nss RPM
>> created with a default certificate named Server-Cert.
>>
>> Using that default configuration, the Apache server starts fine and
>> loads mod_nss.
>>
>> However, when I enable FIPS mode in mod_nss (By adding "NSSFIPS
on" to
>> Apache config), I can''t get it to find the same server
certificate
>>
>>
>> [Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library
>> [Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of
>> size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
>> [Thu May 15 13:41:21 2008] [error] The server key database has not
>> been initialized.
>> [Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers 
>> for SSL
>> [Thu May 15 13:41:21 2008] [error] Certificate not found:
''Server-Cert''
> 
> I think part of the problem is "The server key database has not been 
> initialized." I''m not sure what would cause this.
> 
>> I also tried using modutil to enable FIPS mode on the cert database,
>> but that did not help:
>>
>> # modutil -fips true -dbdir /etc/httpd/alias
>> <snipped warning>
>> Using database directory /etc/httpd/alias...
>> FIPS mode enabled.
>>
>>
>> # modutil -chkfips true -dbdir /etc/httpd/alias
>> Using database directory /etc/httpd/alias...
>> FIPS mode enabled.
> 
> You need to let mod_nss set FIPS mode for it to work properly.
> 
>> Could someone please clue me in here.  Is there some more extensive
>> process I need to go through in converting the certificate database to
>> FIPS mode?  I have searched for more relevant info with certutil and
>> modutil but haven''t been able to find anything.
> 
> It should be as simple as setting NSSFIPS on.
> 
> I''m not sure what the problem is. Let me try to duplicate this
locally
> and see what I can find out.
Mark and I did a fair bit of follow-up off-list and I created bug 
https://bugzilla.redhat.com/show_bug.cgi?id=446851 as a result.

This appears to be a bug in NSS 3.11 (I''m not sure if it affects 
3.11.99/3.12 yet). In the bug I filed is a patch to mod_nss that will 
work around the problem.

rob