Apache 2.2 and tls 1.2

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Apache 2.2 and tls 1.2

Tom Jubb
New certs will successfully installed on Apache 2.2 but browsers now compain as they are not tls 1.2 compliant:

So, my consultant said we needed to change Apache to use mod_nss instead of mod_ssl to enable TLS. 

install mod_nss to the current apache replacing mod_ssl which supports tls 1.2.

However, apache2-mod_nss and dependency mozilla-nss-tools installed fine but the the problem is that someplace along the way in updates the behavior changed.

what is supposed to happen is that the migration script should snag the ssl certs and create a database in /etc/apache2/mod_nss.conf consisting of three files, cert8.db, key3.db and secmod.db but instead it seems that we have newer versions of mozilla-nss-tools which create instead the files cert9.db, key4.db and pkcs11.txt, despite all types of documentation referring to the first version.  so I think that the certs are in fact getting imported to the new nss db, and i figured out what to change in the apache config file to tell it to look there for the cert when it starts up, but it fails to start and conveniently leaves no error message other than failed to load.  i tried using earlier versions of apache2-mod_nss and mozilla-nss-tools in the hope that it might match the documented behavior but no.

so i'm stuck at this point.  Is there anything else I can try here?  Bottom line is to get apache2-mod_nss configured and I think we'll be good to go.

Thanks,
Tom

Reply | Threaded
Open this post in threaded view
|

Re: Apache 2.2 and tls 1.2

Dennis Clarke-3
On 7/23/20 4:41 PM, Tom Jubb wrote:
> New certs will successfully installed on Apache 2.2

Apache 2.2 ?

That was End of Life a while ago.

You have a bigger problem.  Migrate to 2.4.43 and then deal with certs
and such.


--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Apache 2.2 and tls 1.2

Tom Jubb
Understood.  Just trying to exhaust all possible solutions before doing an OS upgrade.

We need to change Apache to use mod_nss instead of mod_ssl to enable TLS.  This used to work just fine (I've installed this on OES/SLES11), and you will in fact find it discussed here: https://support.microfocus.com/kb/doc.php?id=7016828# but unfortunately the other pages referenced in that article are broken links, another side effect of MicroFocus's ingestion of SUSE and Novell etc.

Apparently, at some point since that TID was written, upstream updates to mod_nss changed the way it works in that the related tools create the nss certificate database in a different format by default (sqlite), and Apache doesn't seem to be willing to read it.  There's probably a straightforward way around this, but it seems to be missing from the current documentation.  Perhaps this question is better brought up in a SuSE listerv and not the general Apache listserv.



From: Dennis Clarke <[hidden email]>
Sent: Thursday, July 23, 2020 12:59 PM
To: [hidden email] <[hidden email]>
Subject: Re: [users@httpd] Apache 2.2 and tls 1.2
 
On 7/23/20 4:41 PM, Tom Jubb wrote:
> New certs will successfully installed on Apache 2.2

Apache 2.2 ?

That was End of Life a while ago.

You have a bigger problem.  Migrate to 2.4.43 and then deal with certs
and such.


--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Apache 2.2 and tls 1.2

Tom Browder
On Thu, Jul 23, 2020 at 12:51 Tom Jubb <[hidden email]> wrote:
> Understood.  Just trying to exhaust all possible solutions before doing an OS upgrade.

FYI, I recently completed a local src build of Apache 2.4.43 (and APR
and APR-UTIL), and OpenSSL 1.1.1g on Debian 10 Buster. I have
documented the process on my Github repo at:

    https://github.com/tbrowder/config-scripts/tree/master/Apache

Best regards,

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]