Setting up SSL with NSS is easier than you think

At least, it is on Fedora 16

sudo yum install mod_nss

/etc/httpd/alias/ is populated already with ca and server cert self signed
/etc/httpd/conf.d/nss.conf already exists
change 8443 to 443 in two places

--- /etc/httpd/conf.d/nss.conf.orig	2012-03-29 12:59:06.319470425 -0400
+++ /etc/httpd/conf.d/nss.conf	2012-03-29 12:19:38.862721465 -0400
@@ -17,7 +17,7 @@
 # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
 #       Listen directives: "Listen [::]:8443" and "Listen"
-Listen 8443
+Listen 443
 ##  SSL Global Context
@@ -81,7 +81,7 @@
 ## SSL Virtual Host Context
 #   General setup for the virtual host
 #DocumentRoot "/etc/httpd/htdocs"

Make sure your firewall is open on the HTTPS port. Add the following line in /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

before the statement

-A INPUT -j REJECT --reject-with icmp-host-prohibited

and restart the services

sudo systemctl restart iptables.service
sudo systemctl restart httpd.service

The documentation provides a lot more detail. Almost all of these steps are performed by the RPM install on F16 and later.

2 thoughts on “Setting up SSL with NSS is easier than you think

  1. Matěj,

    The value for NSSCipherSuite is set in the nss.conf file for F17 like this:
    NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

Leave a Reply

Your email address will not be published. Required fields are marked *