|Applies To||RSA Validation Manager 3.1|
Redhat Linux Advanced Server 4.0
Network Security Services (NSS/NSPR) libraries 3.12.4
OCSP - Online Certificate Status Protocol
|Issue||Incompatibility Issue with NSS library and RSA Validation Manager|
The OCSP requests formed by the Network Security Services (NSS/NSPR) libraries 3.12.4, provided as the core security libraries in Red Hat Enterprise Linux 4 and up, arrive in a format that the RSA Validation Manager does not handle correctly. The Validation Manager rejects every OCSP request generated by the NSS libraries and immediately closes the connection on receiving the request. As a result, Apache HTTPD 2.2.x using the mod_nss plugin to perform OCSP checks fails on startup, and all subsequent client requests fail as well. Essentially, with mod_nss and the OCSP responder turned on, Apache cannot start.
The NSS/NSPR libraries provided by Red Hat, which are also the libraries that ship in all Mozilla Foundation products, allow Apache to perform a dynamic status lookup of a client certificate during the SSL handshake. However, NSS generates the OCSP request in a manner different from OpenSSL.
The problem is with the singleRequestExtension in the OCSP request sent by NSS.
Normally singleRequestExtension carries a serviceLocator URL; the extension is optional.
The NSS tool adds a default value to singleRequestExtension even when the certificate contains no AIA extension and no service locator URL is specified explicitly.
Because the server certificate contains no AIA extension (the customer requests OCSP status for a server certificate), the NSS tool adds a default value to singleRequestExtension that RVM does not understand when decoding the OCSP request.
If an OCSP request is sent for a certificate that does contain the AIA extension, verification of the certificate succeeds.
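To make the field in question visible, here is an added example (not RSA's or NSS's code) that walks a DER-encoded OCSP request and lists the extnID OIDs found in each Request's singleRequestExtensions (the singleRequestExtension discussed above). The two sample requests are constructed inside the block, one carrying a serviceLocator extension whose value is an empty issuer Name used as a placeholder, and one with no extensions; a responder operator can run the same walk over a captured request to see whether a client is populating this optional field.

```python
SERVICE_LOCATOR = "1.3.6.1.5.5.7.48.1.7"   # id-pkix-ocsp-service-locator

def tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0                                     # yield (tag, value) for each TLV in a constructed value
    while pos < len(value):
        tag, inner, pos = tlv(value, pos)
        yield tag, inner

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def single_request_extension_oids(der_request):
    """For each Request in requestList, list the extnID OIDs in its singleRequestExtensions."""
    _, ocsp_request, _ = tlv(der_request)                              # OCSPRequest SEQUENCE
    tbs = next(v for t, v in children(ocsp_request) if t == 0x30)      # tbsRequest (signature is [0])
    request_list = next(v for t, v in children(tbs) if t == 0x30)      # requestList (version/name are [0],[1])
    result = []
    for _, request in children(request_list):
        oids = []
        for tag, v in children(request):
            if tag == 0xA0:                                            # [0] EXPLICIT Extensions
                for _, ext in children(next(children(v))[1]):          # each Extension SEQUENCE
                    oids.append(decode_oid(next(children(ext))[1]))    # extnID comes first
        result.append(oids)
    return result

# --- constructed sample requests (not captured traffic) -----------------------------------
def der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body                              # short-form lengths suffice here

CERT_ID = der(0x30, der(0x30, der(0x06, b"\x2b\x0e\x03\x02\x1a"), der(0x05)),   # sha1 AlgorithmIdentifier
              der(0x04, b"\x11" * 20), der(0x04, b"\x22" * 20), der(0x02, b"\x01"))
SERVICE_LOCATOR_EXT = der(0x30, der(0x06, b"\x2b\x06\x01\x05\x05\x07\x30\x01\x07"),
                          der(0x04, der(0x30, der(0x30))))            # empty issuer Name as placeholder
# OCSPRequest > TBSRequest > requestList > Request
PLAIN_REQUEST = der(0x30, der(0x30, der(0x30, der(0x30, CERT_ID))))
LOCATOR_REQUEST = der(0x30, der(0x30, der(0x30, der(0x30, CERT_ID, der(0xA0, der(0x30, SERVICE_LOCATOR_EXT))))))
```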
|Resolution||Engineering has provided updated binaries to resolve this issue. Contact RSA Customer Support for more details.|
|Legacy Article ID||a50029|