mod_nss
sudo apt-get install libapache2-mod-nss
It is necessary to configure an NSS security database for Apache. The NSS database files will be stored in /etc/apache2/nss-ssl:
cd /etc/apache2
mkdir nss-ssl
cd nss-ssl
#Create the passphrase file with mode 0600 before it ever holds a PIN
umask 0077
touch nss-passwd.txt
#Restore a normal umask (not 0: that would leave the *.db files created below world-writable)
umask 0022
chown www-data:www-data nss-passwd.txt
Initialize the NSS database (you will be prompted to enter a DB password, optional):
certutil -N -d /etc/apache2/nss-ssl
chown www-data:www-data *.db
Now, to use credentials stored on a token, the PKCS#11 module (here the Caml Crush client library) must be added to the database:
modutil -add "libp11client" -libfile /usr/local/lib/libp11client.so -dbdir /etc/apache2/nss-ssl
Since the database is new, no trust is configured, so you must set trust attributes on the CA certificate(s) that issued the certificate on the token.
First, identify the CA certificates visible through the token:
certutil -L -d /etc/apache2/nss-ssl -h all
Identify the CA certificates in the output, then edit the trust of each of them (see certutil --help for the trust flags; the first field of -t covers SSL, and C marks a trusted CA for server certificates):
certutil -M -n <token_label>:<CA_nickname> -t "C,," -d /etc/apache2/nss-ssl
Enable apache support for mod_nss:
a2enmod nss
#If OpenSSL ssl module is enabled, disable since it could conflict:
a2dismod ssl
Edit /etc/apache2/mods-enabled/nss.conf and make sure Apache listens for HTTPS:
...
Listen 443
Edit the apache2 SSL site configuration file:
<IfModule mod_nss.c>
<VirtualHost *:443>
...
NSSEngine on
NSSCertificateDatabase /etc/apache2/nss-ssl
#TLSv1 enables TLS 1.0 only; if your mod_nss build supports it, prefer NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSProtocol TLSv1
#DHE-RSA* ciphersuites still unsupported, see https://bugzilla.mozilla.org/show_bug.cgi?id=102794
#Still, we can enable ECDHE ciphersuites (the plain rsa_* suites below have no forward secrecy; keep them only for legacy clients)
NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha,+aes_128_sha_256,+aes_256_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
#This avoids being prompted for a PIN when starting apache
NSSPassPhraseDialog file:/etc/apache2/nss-ssl/nss-passwd.txt
NSSNickname <token_label>:<server_cert_nickname>
...
If you use NSSPassPhraseDialog, put the passwords in nss-passwd.txt, one entry per line (they are stored in clear text, hence the 0600 mode set above). If you did not set a DB password, omit the first line:
internal:<password for internal DB>
<token_label>:<PIN for the PKCS#11 resource>
Stop and start the daemon, then check the error log:
apache2ctl stop
apache2ctl start
Make sure the Caml Crush UNIX socket has permissions that let the Apache user (www-data) connect to it; otherwise you may see errors such as:
[Fri Apr 03 16:17:19.900909 2015] [:info] [pid 62413] Configuring server for SSL protocol
[Fri Apr 03 16:17:19.900999 2015] [:debug] [pid 62413] nss_engine_init.c(654): Enabling TLS
[Fri Apr 03 16:17:19.901049 2015] [:debug] [pid 62413] nss_engine_init.c(825): Configuring permitted SSL ciphers [...]
[Fri Apr 03 16:17:19.901075 2015] [:info] [pid 62413] Using nickname Test:web_server.
[Fri Apr 03 16:17:19.901368 2015] [:error] [pid 62413] Certificate not found: 'Test:web_server'
error: could not connect to server.
caml-crush: C_SetupArch: failed detecting architecture
Using an ECC certificate with mod_nss works and was tested with SoftHSMv2 (beta).
For this to work, your token must be provisioned with an ECC certificate and the corresponding private key.
Since SoftHSMv2 is still in development, some missing or unimplemented features need to be worked around. Fortunately, the filtering engine can do just that: configure it to block the following mechanisms so that NSS does not try to use them:
- CKM_ECDH1_DERIVE
- CKM_DES_CBC
- CKM_DES3_CBC
Assuming the module you compiled uses the softhsm alias, filter.conf should contain:
forbidden_mechanisms = [("softhsm", [CKM_ECDH1_DERIVE, CKM_DES_CBC, CKM_DES3_CBC_PAD])]
Add the following ECDSA cipher suites to the NSSCipherSuite parameter in your apache2 configuration:
+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256
The NSSECCNickname parameter indicates which ECC certificate to use:
NSSECCNickname <token_label>:<server_ecc_cert_nickname>