000015354 - Incompatibility Issue with NSS library and RSA Validation Manager

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Number: 000015354
Applies To: RSA Validation Manager 3.1
Red Hat Linux Advanced Server 4.0
Network Security Services (NSS/NSPR) libraries 3.12.4
OCSP - Online Certificate Status Protocol
Issue: Incompatibility Issue with NSS library and RSA Validation Manager
The OCSP requests formed by the Network Security Services (NSS/NSPR) libraries 3.12.4, which are provided as core security libraries in Red Hat Enterprise 4 and up, arrive in a format that the RSA Validation Manager handles improperly. The Validation Manager rejects every OCSP request generated by the NSS libraries and closes the connection immediately on receiving the request. As a result, Apache HTTPD 2.2.x using the mod_nss plugin to support OCSP calls fails on startup, and all subsequent client requests fail as well. Essentially, with mod_nss and the OCSP responder turned on, Apache cannot start.
The NSS/NSPR libraries provided by Red Hat, which also ship in all Mozilla Foundation products, allow Apache to perform a dynamic OCSP lookup of a client certificate during the SSL handshake. However, NSS generates the OCSP request in a manner different from OpenSSL.

The problem lies in the singleRequestExtension of the OCSP request sent by NSS.

Normally the singleRequestExtension carries a service locator URL (this extension is optional). The value is taken either from the certificate's AIA (Authority Information Access) extension or from a value specified explicitly; otherwise it may be NULL.

NSS adds a default value to the singleRequestExtension even when the certificate contains no AIA extension and no service locator URL is specified explicitly.

Because the server certificate does not contain an AIA extension (the customer requests OCSP status for the server certificate), NSS adds a default value to the singleRequestExtension that RVM does not understand while decoding the OCSP request.

If an OCSP request is sent for a certificate that does contain an AIA extension, verification of the certificate succeeds.
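The following is an added example, not RSA or NSS code, showing where singleRequestExtensions sits inside a DER-encoded OCSP request (RFC 2560) and how to list what a request carries there. It builds two constructed requests with a hand-written minimal DER encoder, one with no single-request extensions and one with an id-pkix-ocsp-service-locator extension, and then decodes either one to report the extension OIDs present. All hashes, the serial number and the URL are constructed placeholders; the exact default value NSS inserts is not stated in this article and is not reproduced here. A responder operator can run the decoder over a captured request body to confirm whether a rejected request carries a singleRequestExtensions field at all.

```python
"""Inspect singleRequestExtensions in a DER-encoded OCSP request (RFC 2560).

Added, self-contained example; not RSA or NSS code. The DER helpers are a
minimal hand-written encoder/decoder, and every hash, serial and URL below is
a CONSTRUCTED placeholder, not data taken from a real certificate.
"""

SHA1_OID = "1.3.14.3.2.26"                    # id-sha1
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"             # id-ad-ocsp (AIA access method)
SERVICE_LOCATOR_OID = "1.3.6.1.5.5.7.48.1.7"  # id-pkix-ocsp-service-locator


# ---- minimal DER encoding ----
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def seq(*parts):
    return tlv(0x30, b"".join(parts))


def octet(b):
    return tlv(0x04, b)


def integer(n):
    # non-negative only; width chosen so the sign bit is never set
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


# ---- minimal DER decoding ----
def read_tlv(buf, pos=0):
    """Return (tag, body, position after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


# ---- build constructed OCSP requests ----
def cert_id():
    """CertID with CONSTRUCTED placeholder hashes and serial number."""
    return seq(seq(oid(SHA1_OID), tlv(0x05, b"")),  # hashAlgorithm: sha1, NULL params
               octet(bytes(range(20))),             # issuerNameHash (placeholder)
               octet(bytes(range(20, 40))),         # issuerKeyHash (placeholder)
               integer(0x1234))                     # serialNumber (placeholder)


def build_request(service_locator_url=None):
    """OCSPRequest with one Request; optionally add a ServiceLocator extension."""
    request = cert_id()
    if service_locator_url is not None:
        # ServiceLocator ::= SEQUENCE { issuer Name, locator AIA OPTIONAL }
        # issuer is an empty Name (placeholder); locator holds one
        # AccessDescription { id-ad-ocsp, uniformResourceIdentifier [6] }
        locator = seq(seq(oid(ID_AD_OCSP), tlv(0x86, service_locator_url.encode())))
        ext = seq(oid(SERVICE_LOCATOR_OID), octet(seq(seq(), locator)))
        request += tlv(0xA0, seq(ext))              # singleRequestExtensions [0] EXPLICIT
    tbs = seq(seq(seq(request)))                    # TBSRequest { requestList { Request } }
    return seq(tbs)                                 # OCSPRequest { tbsRequest }


# ---- the check: what sits in singleRequestExtensions? ----
def single_request_extensions(der):
    """For each Request, list (oid, critical, raw extnValue) in singleRequestExtensions."""
    _, ocsp_body, _ = read_tlv(der)
    _, tbs = children(ocsp_body)[0]
    # skip [0] version / [1] requestorName: requestList is the first plain SEQUENCE
    request_list = next(v for t, v in children(tbs) if t == 0x30)
    result = []
    for _, req in children(request_list):
        fields = children(req)                      # [reqCert, optional [0] Extensions]
        exts = []
        for tag, val in fields[1:]:
            if tag != 0xA0:
                continue
            _, ext_seq, _ = read_tlv(val)
            for _, ext in children(ext_seq):
                parts = children(ext)
                critical, idx = False, 1
                if parts[idx][0] == 0x01:           # optional BOOLEAN critical
                    critical, idx = parts[idx][1] != b"\x00", idx + 1
                exts.append((decode_oid(parts[0][1]), critical, parts[idx][1]))
        result.append(exts)
    return result


if __name__ == "__main__":
    for label, der in (("no AIA / no locator", build_request()),
                       ("with ServiceLocator", build_request("http://ocsp.example.test"))):
        print(label, "->", single_request_extensions(der))
```

To inspect a real request, read the body of the captured HTTP POST (or base64-decode the path of a GET request) into `der` and call `single_request_extensions(der)`; an empty inner list means the request has no singleRequestExtensions, which is the shape the article describes as accepted by RVM. The decoder only walks the fields it needs and does not validate the rest of the structure, so use it as a diagnostic, not as a parser for untrusted input in production.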

Resolution: Engineering has provided updated binaries to resolve this issue. Contact RSA Customer Support for more details.
Legacy Article ID: a50029