Posted to users@httpd.apache.org by Rishi Renjith <ri...@gmail.com> on 2009/08/11 16:11:21 UTC
[users@httpd] Re: "SSL input filter read failed" error for apache with mod_nss
Hello, The issue with the dummy DB was that some permissions to some files
in it were not given. I did a chmod 777 to all files and now the dummy DB
seems to be working fine.
I configured the NSS database with the crypto card (sun sca6000) as follows.
mkdir /opt/SMC/Apache2/nsscertdb
cd /opt/SMC/Apache2/nsscertdb
certutil -N -d /opt/SMC/Apache2/nsscertdb
modutil -dbdir . -nocertdb -force -add "Sun Crypto Accelerator" -libfile /usr/lib/libpkcs11.so -mechanisms RSA:DSA:RC4:DES
modutil -list -dbdir /opt/SMC/Apache2/nssdb
Using database directory /opt/SMC/Apache2/nssdb...
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. Sun Crypto Accelerator
library name: /usr/lib/libpkcs11.so
slots: 2 slots attached
status: loaded
slot: Sun Metaslot
token: Sun Metaslot
slot: Sun Crypto Softtoken
token: Sun Software PKCS#11 softtoken
-----------------------------------------------------------
certutil -R -s "C=IN, O=NSN, OU=SPA2, CN=sandeeprc.eu.org" -h "Sun Metaslot" -o ismc.csr -d . -a -n ismc_cert
(Got the CSR signed from CA Cert)
certutil -A -d . -n "ismc_cert" -a -t "CT,," -i cert2.csr -h "Sun Metaslot"
certutil -A -d . -n "CACERT CA" -a -t "CTu,CTu,CTu" -i ca.txt -h "Sun Metaslot"
certutil -V -u V -d . -n "ismc_cert" -h "Sun Metaslot"
The certificate is verified correctly. In nss.conf, I gave the following
directives to use this database
Now in NSS.conf I added the following lines to use the hardware accelerator
NSSNickname "Sun Metaslot:ismc_cert"
NSSCertificateDatabase /opt/SMC/Apache2/nssdb
Now everything is working fine, the requests are getting processed
correctly. But the issue is that the rsaprivate value is not getting
incremented in the kstat -n mca0 output. Which means that it is not using
the hardware accelerator card.
I have also given cryptoadm enable metaslot token=<tokenname> so as to use
the hardware accelerator.
Any suggestions?
(When we try to use mod_ssl using the pkcs patch, it is correctly
incrementing the rsaprivate values.)
On Mon, Aug 10, 2009 at 5:16 PM, Rishi Renjith <ri...@gmail.com> wrote:
>
>
> ---------- Forwarded message ----------
> From: Rishi Renjith <ri...@gmail.com>
> Date: Mon, Aug 10, 2009 at 4:22 PM
> Subject: "SSL input filter read failed" error for apache with mod_nss
> To: mod_nss-list@redhat.com
>
>
> Hello, We are trying to make apache work with mod_nss in Solaris10 x86
> platform in our project, which currently uses mod_ssl. For that we did the
> following.
> 1) Compiled and installed NSS with NSPR.
> 2) Installed Apache compiled with mod_ssl
> 3) Compiled and installed mod_nss for this Apache
> 4) Created the dummy DB using gencert.sh file in mod_nss
> 5) Changed permissions for DB so that we can use it.
> The issue we are getting is that the browser (Firefox) says "SSL_Disabled",
> when trying to run in FIPS mode. When I checked the server logs, it says
> "SSL Input filter read failed." "Cannot connect, SSL is disabled". error.
>
> Is there any setting that we are missing?
> I am attaching the nss.conf and httpd.conf files.
>
> Versions used:
> Mod_nss: 1.0.8
> NSS and NSPR: nss-3.12.3.1-with-nspr-4.7.5
> Apache: 2.2.11
>
>
>
> Thanks,
> Rishi
>
>
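
A check related to the hardware-token question in the message above, as an added example that is not part of the original post or of mod_nss: the shell functions below parse a `modutil -list` listing and report which PKCS #11 module owns the token named in an NSSNickname value. The function names are hypothetical, the sample listing is copied from the message, and the fallback to "NSS Certificate DB" for a nickname without a token prefix is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): resolve an NSSNickname token
# prefix to the PKCS #11 module that owns it, using `modutil -list` output.

# Constructed sample: the listing quoted in the message above.
MODUTIL_SAMPLE='Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. Sun Crypto Accelerator
library name: /usr/lib/libpkcs11.so
slots: 2 slots attached
status: loaded
slot: Sun Metaslot
token: Sun Metaslot
slot: Sun Crypto Softtoken
token: Sun Software PKCS#11 softtoken
-----------------------------------------------------------'

# token_module TOKEN: read a modutil listing on stdin and print the name of
# the module whose token list contains TOKEN; exit non-zero if none does.
token_module() {
    awk -v want="$1" '
        /^[ \t]*[0-9]+\.[ \t]/ { sub(/^[ \t]*[0-9]+\.[ \t]+/, ""); module = $0; next }
        /^[ \t]*token:[ \t]/   { sub(/^[ \t]*token:[ \t]+/, ""); sub(/[ \t\r]+$/, "")
                                 if ($0 == want) { print module; found = 1; exit } }
        END { exit !found }
    '
}

# nickname_module NICKNAME: handle the "token:certname" form of NSSNickname.
# Assumption: a nickname with no "token:" prefix is looked up on the internal
# token, which the listing above names "NSS Certificate DB".
nickname_module() {
    case "$1" in
        *:*) token=${1%%:*} ;;
        *)   token="NSS Certificate DB" ;;
    esac
    token_module "$token"
}

# On a live system: modutil -list -dbdir <dbdir> | nickname_module "<nickname>"
printf '%s\n' "$MODUTIL_SAMPLE" | nickname_module "Sun Metaslot:ismc_cert"
```

A result of "Sun Crypto Accelerator" only shows which module the nickname's token belongs to; whether RSA operations reach the card is what the `kstat -n mca0` counter mentioned in the message measures.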