Securing Apache/mod_nss with SSL/TLS on RHEL6
Updated -
Securing httpd with mod_nss (v1.0.10) that uses NSS
This article is part of the Securing Applications Collection
Configuration File
/etc/httpd/conf.d/nss.conf
shortform
NSSEngine on
NSSPassPhraseDialog file:/etc/httpd/alias/pin.txt
NSSProtocol TLSv1.2
NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+ecdh_rsa_aes_128_
sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha
NSSCertificateDatabase /etc/httpd/alias
# The name needs to match the name in the db
NSSNickname rhel6-64.example.com
Protocols
NSSProtocol TLSv1.2
Protocol - Alternative Values
NSSProtocol TLSv1.1
Only TVSv1.1
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
Allow old clients
Ciphers
NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+ecdh_rsa_aes_128_
sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha
Best fit current ciphers.
Ciphers - Alternative Values
NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+ecdh_rsa_aes_128_ sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+rsa_rc4_128_sha
Allow old browsers.
Certificate Handling
mod_nss uses the nss db certificate store. This contains keys, certificates, intermediates and root certificates.
The key access usually requires a passphrase, this is provided via a pin file
Certificate Database
NSSCertificateDatabase /etc/httpd/alias
Which contains
# ls -l /etc/httpd/alias/*.db -rw-r-----. 1 root apache 65536 Jun 2 09:21 /etc/httpd/alias/cert8.db -rw-r-----. 1 root apache 16384 Jun 2 09:21 /etc/httpd/alias/key3.db -rw-r-----. 1 root apache 16384 Jun 2 09:21 /etc/httpd/alias/secmod.db
and within the database
# certutil -d /etc/httpd/alias -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI rhel6-64.example.com u,u,u Certificate Authority CT,C,C Signing Cert CT,C,C
pin file
NSSPassPhraseDialog file:/etc/httpd/alias/pin.txt
pin file for access to certificate database. Contains similar to
internal:password
Comments