Securing Apache/mod_nss with SSL/TLS on RHEL7


Securing httpd with mod_nss (v1.0.14) that uses NSS

This article is part of the Securing Applications Collection

Configuration File

   /etc/httpd/conf.d/nss.conf

Short form

NSSEngine on
NSSPassPhraseDialog file:/etc/httpd/alias/pin.txt
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSCipherSuite +ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
NSSCertificateDatabase /etc/httpd/alias
# The name needs to match the name in the db
NSSNickname rhel7-64.example.com

Protocols

    NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

Protocol - Alternative Values

NSSProtocol TLSv1.2

Only TLSv1.2

NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2

Allow old clients. This adds SSLv3, which is affected by POODLE and should only be enabled where a legacy client genuinely requires it.

Ciphers

    NSSCipherSuite +ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha

Best fit current ciphers.

Ciphers - Alternative Values

NSSCipherSuite +ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha,+rsa_rc4_128_sha

Allow old browsers. The only addition over the list above is rsa_rc4_128_sha; RC4 is a weak stream cipher (its use in TLS is prohibited by RFC 7465), so enable it only for the duration that a legacy browser needs it.
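A small audit script, added here as an example and not part of the original article, that reads an nss.conf and reports the legacy settings discussed in the Protocols and Ciphers sections above (SSLv3, RC4), an empty entry in NSSCipherSuite caused by a trailing comma, and missing core directives. The finding labels and the sample configuration are constructed for illustration.

```python
"""Audit an httpd mod_nss configuration (nss.conf) for legacy settings.

Added example, not code from the original article. Directive names are the
ones mod_nss uses; the finding labels and SAMPLE_LEGACY are constructed.
"""

LEGACY_PROTOCOLS = {"sslv2", "sslv3"}        # never offer these
LEGACY_CIPHER_MARKERS = ("rc4", "des", "null", "md5")
REQUIRED = ("NSSEngine", "NSSCertificateDatabase", "NSSNickname")


def parse_directives(text):
    """Return (directive, value) tuples, skipping blank and comment lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return out


def audit_nss_conf(text):
    """Return a sorted list of finding strings for the given nss.conf text."""
    findings = []
    directives = parse_directives(text)
    for directive, value in directives:
        if directive == "NSSProtocol":
            for proto in value.split(","):
                if proto.strip().lower() in LEGACY_PROTOCOLS:
                    findings.append(f"legacy protocol enabled: {proto.strip()}")
        elif directive == "NSSCipherSuite":
            tokens = [t.strip() for t in value.split(",")]
            if any(t == "" for t in tokens):
                findings.append("NSSCipherSuite has an empty entry (trailing or doubled comma)")
            for tok in tokens:
                name = tok.lstrip("+")
                if tok.startswith("+") and any(m in name for m in LEGACY_CIPHER_MARKERS):
                    findings.append(f"legacy cipher enabled: {name}")
    seen = {d for d, _ in directives}
    findings.extend(f"missing directive: {r}" for r in REQUIRED if r not in seen)
    return sorted(findings)


# Constructed sample: SSLv3 on, RC4 enabled, trailing comma, no NSSNickname.
SAMPLE_LEGACY = """NSSEngine on
NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2
NSSCipherSuite +ecdhe_rsa_aes_128_gcm_sha_256,+rsa_rc4_128_sha,
NSSCertificateDatabase /etc/httpd/alias
"""

if __name__ == "__main__":
    for finding in audit_nss_conf(SAMPLE_LEGACY):
        print(finding)
```

Run it against the real file with `audit_nss_conf(open("/etc/httpd/conf.d/nss.conf").read())`; an empty list means none of the checks fired.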

Certificate Handling

mod_nss uses the nss db certificate store. This contains keys, certificates, intermediates and root certificates.
Access to the private key usually requires a passphrase, which is supplied through a pin file.

Certificate Database

NSSCertificateDatabase /etc/httpd/alias

Which contains

# ls -l /etc/httpd/alias/*.db
-rw-r-----. 1 root apache 65536 Jun  2 09:21 /etc/httpd/alias/cert8.db
-rw-r-----. 1 root apache 16384 Jun  2 09:21 /etc/httpd/alias/key3.db
-rw-r-----. 1 root apache 16384 Jun  2 09:21 /etc/httpd/alias/secmod.db

and within the database

# certutil -d /etc/httpd/alias -L

Certificate Nickname                                         Trust Attributes
                                                            SSL,S/MIME,JAR/XPI

rhel7-64.example.com                                         u,u,u
Certificate Authority                                        CT,C,C
Signing Cert                                                 CT,C,C

pin file

NSSPassPhraseDialog file:/etc/httpd/alias/pin.txt

Pin file for access to the certificate database. It contains something similar to

internal:password
