So, my consultant said we needed to change Apache to use mod_nss instead of mod_ssl to enable TLS.
install mod_nss to the current apache replacing mod_ssl which supports tls 1.2.
However, apache2-mod_nss and dependency mozilla-nss-tools installed fine but the the problem is that someplace along the way in updates the behavior changed.
what is supposed to happen is that the migration script should snag the ssl certs and create a database in /etc/apache2/mod_nss.conf consisting of three files, cert8.db, key3.db and secmod.db but instead it seems that we have newer versions of mozilla-nss-tools
which create instead the files cert9.db, key4.db and pkcs11.txt, despite all types of documentation referring to the first version. so I think that the certs are in fact getting imported to the new nss db, and i figured out what to change in the apache config
file to tell it to look there for the cert when it starts up, but it fails to start and conveniently leaves no error message other than failed to load. i tried using earlier versions of apache2-mod_nss and mozilla-nss-tools in the hope that it might match
the documented behavior but no.
so i'm stuck at this point. Is there anything else I can try here? Bottom line is to get apache2-mod_nss configured and I think we'll be good to go.
Understood. Just trying to exhaust all possible solutions before doing an OS upgrade.
We need to change Apache to use mod_nss instead of mod_ssl to enable TLS. This used to work just fine (I've installed this on OES/SLES11), and you will in fact find it discussed here:https://support.microfocus.com/kb/doc.php?id=7016828# but
unfortunately the other pages referenced in that article are broken links, another side effect of MicroFocus's ingestion of SUSE and Novell etc.
Apparently, at some point since that TID was written, upstream updates to mod_nss changed the way it works in that the related tools create the nss certificate database in a different format by
default (sqlite), and Apache doesn't seem to be willing to read it. There's probably a straightforward way around this, but it seems to be missing from the current documentation. Perhaps this question is better brought up in a SuSE listerv and not the general