Part 6: MOD_NSS

29 12 2010

From the MOD_NSS home page:
“mod_nss is an SSL provider derived from the mod_ssl module for the Apache web server that uses the Network Security Services (NSS) libraries. We started with mod_ssl and replaced the OpenSSL calls with NSS calls.

The mod_ssl package was created in April 1998 by Ralf S. Engelschall and was originally derived from the Apache-SSL package developed by Ben Laurie. It is licensed under the Apache 2.0 license.”

What is very attractive for us now is that MOD_NSS has out-of-the-box support for Certificate Revocation Lists (CRLs) and OCSP. Not only that, it also supports another interesting module, mod_revocator. From its description:

“mod_revocator is an Apache module that lets an administrator configure remote Certificate Revocation Lists (CRLs) to be downloaded and installed automatically on a regular basis without restarting the server. This helps ensure that the CRLs are kept up-to-date with minimal effort. The module can also bring the server down if the CRL expires and a new one cannot be obtained.”

This module provides:

* Automatic CRL download and installation from an HTTP[S] or LDAP[S] source
* The source can be an executable that retrieves the CRL from another method
* Can specify per CRL source the interval between downloads
* Can specify per CRL source the maximum age of the CRL before requiring a new one
* Can shut down the server if a CRL is not available

This is all very nice indeed! It does all the automation I've talked about in previous pages for you. We don't need to create or use third-party scripts for downloading CRLs or delta-CRLs, installing them, checking for errors and restarting Apache, as it is all done automatically! Let's see if we can put this to work; it sounds too good to be true…

It's possible to install MOD_NSS easily on our system:
just type “yum install mod_nss” and you're done, then tune some mod_nss.conf parameters.
The problem is that we will then want to install mod_revocator as well, and that module only exists as an installation package (RPM) on Red Hat based systems. On Debian systems it will need to be compiled (or converted to a deb file using the alien tool? I didn't test this option).

So I've decided to be radically different this time:
I've just installed a brand new system with a Fedora 13 distribution,

then

yum install mod_nss mod_revocator openssh-server nss-tools
gencert /etc/httpd/alias (generates a self-signed certificate for testing)

Now import the CA certificates into the NSS database. NSS uses a certificate database rather than discrete files:

certutil -d /etc/httpd/alias -A -n "ECCC0001" -t "CT,," -a -i ./EC\ de\ Autenticacao\ do\ Cartao\ de\ Cidadao\ 0001.pem
certutil -d /etc/httpd/alias -A -n "ECCC0002" -t "CT,," -a -i ./EC\ de\ Autenticacao\ do\ Cartao\ de\ Cidadao\ 0002.pem
certutil -d /etc/httpd/alias -A -n "CC0002" -t "CT,," -a -i ./EC\ de\ Autenticacao\ do\ Cartao\ de\ Cidadao\ 0002.pem
certutil -d /etc/httpd/alias -A -n "CC0003" -t "CT,," -a -i ./EC\ de\ Autenticacao\ do\ Cartao\ de\ Cidadao\ 0003.pem
certutil -d /etc/httpd/alias -A -n "ECRaiz" -t "CT,," -a -i ./ECRaizEstado.pem

Now list the contents of the DB:
certutil -L -d /etc/httpd/alias/
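The imports above are one certutil call per CA file, which is tedious and easy to get wrong when the chain grows. As an added example (not from the original post), here is a small shell function that imports every PEM in a directory with the same trust flags the post uses ("CT,,") and skips nicknames that are already present, so it can be re-run safely. It assumes certutil from nss-tools is on PATH, that the NSS database directory already exists (gencert creates it), and it derives the nickname from the file name with spaces removed, which is an assumption of this example, not the naming the post uses.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Bulk-import CA certificates (PEM) into an NSS database, one certutil call
# per file, with trust flags "CT,," (trusted CA for client and server auth).
# Assumptions: certutil (nss-tools) is on PATH; the DB directory exists;
# the nickname is the file name without ".pem" and without spaces.

# import_ca_dir <nss-db-dir> <pem-dir>
# Prints "imported <nick>" or "skipped <nick>" per file; returns 1 if any
# import fails, 0 otherwise.
import_ca_dir() {
    db="$1"; src="$2"; rc=0
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        # nickname: base name without .pem, spaces stripped (assumed convention)
        nick=$(basename "$pem" .pem | tr -d ' ')
        # "certutil -L -n" exits non-zero when the nickname is absent,
        # so re-running the import is idempotent
        if certutil -d "$db" -L -n "$nick" >/dev/null 2>&1; then
            echo "skipped $nick (already in $db)"
            continue
        fi
        if certutil -d "$db" -A -n "$nick" -t "CT,," -a -i "$pem"; then
            echo "imported $nick"
        else
            echo "FAILED $nick" >&2
            rc=1
        fi
    done
    return $rc
}

# usage: import_ca_dir /etc/httpd/alias ./ca-certs
```

After the import, `certutil -L -d /etc/httpd/alias` should list each nickname with the "CT,," trust column, which is the quick check that the CA will actually be used to verify client certificates.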

Edit nss.conf:

changed Listen 8443 to 443
changed to 443
LogLevel debug
NSSVerifyClient require
NSSOCSP on

Bounced Apache, but got an error in the log file:

cat /var/log/httpd/error_log
[error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED

The NSS database needs to be readable by the user apache (the default user of httpd). To fix this error, change the owner of /etc/httpd/alias/*.db to root:apache and the permissions to mode 0640.
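Because that ownership fix is easy to lose (a package update or a manual gencert run can recreate the files as root:root 0600), here is an added check script, not from the original post, that verifies every *.db file in the NSS directory is group-readable by the httpd group and not readable by anyone else, exactly the state the post ends up with. It assumes GNU stat (the Fedora coreutils version) and takes the group name as an argument so it can be run against any httpd user/group setup.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Verify that the NSS database files are readable by the httpd worker group
# without being world-readable: group == <httpd-group>, mode 640.
# Assumption: GNU stat ("stat -c"), as shipped on Fedora.

# check_nss_db_perms <nss-db-dir> <httpd-group>
# Returns 0 when every *.db file has mode 640 and the expected group;
# prints each offender to stderr and returns 1 otherwise. Also fails when
# no *.db files are present, which usually means gencert was never run.
check_nss_db_perms() {
    dir="$1"; grp="$2"; bad=0; seen=0
    for f in "$dir"/*.db; do
        [ -f "$f" ] || continue
        seen=1
        mode=$(stat -c '%a' "$f")      # octal permission bits, e.g. 640
        owner_grp=$(stat -c '%G' "$f") # group name
        if [ "$mode" != "640" ]; then
            echo "$f: mode $mode, expected 640" >&2
            bad=1
        fi
        if [ "$owner_grp" != "$grp" ]; then
            echo "$f: group $owner_grp, expected $grp" >&2
            bad=1
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "$dir: no *.db files found (run gencert first?)" >&2
        return 1
    fi
    return $bad
}

# usage: check_nss_db_perms /etc/httpd/alias apache
```

Running it before bouncing Apache turns the opaque SEC_ERROR_NOT_INITIALIZED into a direct message naming the file and the wrong mode or group.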

Bounce Apache and test.
It works! I can access the server and can confirm everything in the logs.

Just to be sure the OCSP responder is being called, I've captured the network traffic to/from the responder address with tcpdump while using the web site:

tcpdump host ocsp.auc.cartaodecidadao.pt

The resulting packets confirmed that the communication is being established.

Now to test the CRL functionality I will begin by installing the other CA's certificates, the CA which doesn't allow us to use its OCSP responder without paying a fee, so I will use its CRLs instead.

Add the VeriSign server certificates (the certificate chain, one by one) to the NSS database:

certutil -d /etc/httpd/alias -A -n "Verisign" -t "CT,," -a -i ./VeriSignClass2PublicPrimaryCertificationAUthority_G3.pem
certutil -d /etc/httpd/alias -A -n "DigitalSignQualifiedCA" -t "CT,," -a -i ./DigitalSignQualifiedCA.pem
certutil -d /etc/httpd/alias -A -n "VeriSignClass2PublicPrimaryCAG3" -t "CT,," -a -i ./VeriSignClass2PublicPrimaryCAG3.pem
certutil -d /etc/httpd/alias -A -n "BTClass2CAG2" -t "CT,," -a -i ./BTClass2CAG2.pem

Edit the /etc/httpd/conf.d/revocator.conf file to activate CRL usage and specify the CRL file address and the interval between refreshes:

CRLEngine on
CRLFILE "http://onsitecrl.trustwise.com/BritishTelecommunicationsplcBTDigitalSignQualifiedCA/LatestCRL.crl;1440;1440"

Bounce Apache and test.
Voilà! It works again! Confirm in the Apache logs that everything is going fine and, once more, monitor the communication to the CRL address using tcpdump:

tcpdump host onsitecrl.trustwise.com

Now, to finalise this, it's necessary to add the reverse-proxy configuration to the httpd.conf file:

NSSVerifyClient optional

RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteRule .* /index.html [L]

# start with empty SSL_* headers so nothing a client sends upstream survives;
# they are filled in from the TLS session below
RequestHeader set SSL_CLIENT_S_DN    ""
RequestHeader set SSL_CLIENT_I_DN    ""
RequestHeader set SSL_CLIENT_S_DN_O  ""
RequestHeader set SSL_CLIENT_VERIFY  ""

# add all the SSL_* you need in the internal web application
RequestHeader set SSL_CLIENT_S_DN    "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN    "%{SSL_CLIENT_I_DN}s"
RequestHeader set SSL_CLIENT_S_DN_O  "%{SSL_CLIENT_S_DN_O}s"
RequestHeader set SSL_CLIENT_VERIFY  "%{SSL_CLIENT_VERIFY}s"

ProxyPass          http://internal.server.net/
ProxyPassReverse   http://internal.server.net/

2 responses

14 03 2014
marathiboy

Hello,

First of all thanks for this article.

I know it is not exactly related to this, but I wanted to capture the client chain when mod_nss verification fails. I am trying to do that using RewriteRule

RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteRule .*

I can get this to work on RewriteCond %{SSL:SSL_CLIENT_VERIFY} =SUCCESS

however, in the non-success case the condition is not evaluated, and hence the rule never gets executed. Is there any workaround for that?

Thanks

M

25 04 2014
kevincreason

Thank you! I had zero success with mod_ssl and found no way to build or deploy webcullis/PKIF. The mod_nss was perfect. Now to figure out how to pass this through or integrate with the F5 appliance.
