I'm trying to set up a apache webserver with mod_nss. When available, OCSP should be used to verify the validity of the certificate. When the OCSP is unavailable, CRLs are used.
I installed the CRLS, and configured everything. (My nss.conf is included in this message).
When I comment out "NSSOCSP On": it validates the certificates using CRL correctly.
When "NSSOCSP on" is used, it validates the certificates using OCSP correctly.
However, when NSSOCSP is enabled, but I make the OCSP server unavailable (e.g. by putting an extra entry in /etc/hosts), a request takes a long time (I guess mod_nss tries a few times to get to the OCSP) and eventually fails.
Is what I want supported? If so, does anyone have a clue what I do wrong?
I tried this on CentOS5.* I tried this configuration file on 2 versions of mod_nss. First using version* 1.0.3-4.el5 which is installed using 'yum install mod_nss'. I also tried it on version 1.0.8 (which I built from source)
thanks!
My nss.conf file:
#
# This is the Apache server configuration file providing SSL support using.
# the mod_nss plugin.* It contains the configuration directives to instruct
# the server how to serve pages over an https connection.
#
# Do NOT simply read the instructions in here without understanding
# what they do.* They're here only as hints or reminders.* If you are unsure
# consult the online docs. You have been warned.*
#
LoadModule nss_module modules/libmodnss.so
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
##
##* SSL Global Context
##
##* All SSL configuration in this context applies both to
##* the main server and all SSL-enabled virtual hosts.
##
#
#** Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl*** .crl
#** Pass Phrase Dialog:
#** Configure the pass phrase gathering process.
#** The filtering dialog program (`builtin' is a internal
#** terminal dialog) has to provide the pass phrase on stdout.
NSSPassPhraseDialog* builtin
#** Pass Phrase Helper:
#** This helper program stores the token password pins between
#** restarts of Apache.
NSSPassPhraseHelper /usr/sbin/nss_pcache
#** Configure the SSL Session Cache.
#** NSSSessionCacheSize is the number of entries in the cache.
#** NSSSessionCacheTimeout is the SSL2 session timeout (in seconds).
#** NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. Those platforms usually also provide a non-blocking
# device, /dev/urandom, which may be used instead.
#
# This does not support seeding the RNG with each connection.
# SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default.
#
# Comment out the NSSCipherSuite line above and use the one below if you have
# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
#NSSProtocol SSLv3,TLSv1
NSSProtocol -ALL +SSLv3 +TLSv1
#** SSL Certificate Nickname:
#** The nickname of the RSA server certificate you are going to use.
NSSNickname Server-Cert
#** SSL Certificate Nickname:
#** The nickname of the ECC server certificate you are going to use, if you
#** have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc
#** Server Certificate Database:
#** The NSS security database directory that holds the certificates and
#** keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
#** Provide the directory that these files exist.
NSSCertificateDatabase /etc/httpd/alias
#** Database Prefix:
#** In order to be able to store multiple NSS databases in one directory
#** they need unique names. This option sets the database prefix used for
#** cert8.db and key3.db.
#NSSDBPrefix my-prefix-
#** Client Authentication (Type):
#** Client certificate verification type.* Types are none, optional and
#** require.
NSSVerifyClient require
#
#** Online Certificate Status Protocol (OCSP).
#** Verify that certificates have not been revoked before accepting them.
NSSOCSP On
#** Access Control:
#** With SSLRequire you can do per-directory access control based
#** on arbitrary complex boolean expressions containing server
#** variable checks and other lookup directives.* The syntax is a
#** mixture between C and Perl.* See the mod_nss documentation
#** for more details.
#<Location />
#NSSRequire (*** %{SSL_CIPHER} !~ m/^(EXP|NULL)/
#*********** and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."
#*********** and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
#*********** and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5
#*********** and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20****** )
#********** or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/
#</Location>
#** SSL Engine Options:
#** Set various options for the SSL engine.
#** o FakeBasicAuth:
#**** Translate the client X.509 into a Basic Authorisation.* This means that
#**** the standard Auth/DBMAuth methods can be used for access control.* The
#**** user name is the `one line' version of the client's X.509 certificate.
#**** Note that no password is obtained from the user. Every entry in the user
#**** file needs this password: `xxj31ZMTZzkVA'.
#** o ExportCertData:
#**** This exports two additional environment variables: SSL_CLIENT_CERT and
#**** SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#**** server (always existing) and the client (only existing when client
#**** authentication is used). This can be used to import the certificates
#**** into CGI scripts.
#** o StdEnvVars:
#**** This exports the standard SSL/TLS related `SSL_*' environment variables.
#**** Per default this exportation is switched off for performance reasons,
#**** because the extraction step is an expensive operation and is usually
#**** useless for serving static content. So one usually enables the
#**** exportation for CGI and SSI requests only.
#** o StrictRequire:
#**** This denies access when "NSSRequireSSL" or "NSSRequire" applied even
#**** under a "Satisfy any" situation, i.e. when it applies access is denied
#**** and no other module can change it.
#** o OptRenegotiate:
#**** This enables optimized SSL connection renegotiation handling when SSL
#**** directives are used in per-directory context.
NSSOptions +FakeBasicAuth +ExportCertData +StrictRequire
##<Files ~ ".(cgi|shtml|phtml|php3?)$">
mod_nss OCSP failover to CRL
