Hello,

I installed the mod_nss plugin in version 1.0.12 on my Apache web server.
TLS on port 443 is working fine until I enable the new NSSSession ticket
feature in my nss.conf with:

#RFC 5077
NSSSessionTickets on

Then something is broken; I see segfaults in my Apache error log:

[Fri Feb 19 10:12:15.338660 2016] [mpm_prefork:notice] [pid 413] AH00163: Apache/2.4.16 (Unix) mod_nss/1.0.12 NSS/3.19.2 Basic ECC PHP/5.5.10 configured -- resuming normal operations
[Fri Feb 19 10:12:15.338843 2016] [mpm_prefork:info] [pid 413] AH00164: Server built: Feb 22 2016 12:44:38
[Fri Feb 19 10:12:15.339046 2016] [core:notice] [pid 413] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND -D SSL -D PHP5'
[Fri Feb 19 10:12:15.339160 2016] [mpm_prefork:debug] [pid 413] prefork.c(995): AH00165: Accept mutex: sysvsem (default: sysvsem)
[Fri Feb 19 10:12:15.386483 2016] [:debug] [pid 416] nss_engine_init.c(286): SNI is enabled
[Fri Feb 19 10:12:15.386853 2016] [:info] [pid 416] Init: Seeding PRNG with 136 bytes of entropy
[Fri Feb 19 10:12:40.374175 2016] [core:notice] [pid 413] AH00052: child pid 416 exit signal Segmentation fault (11)
[Fri Feb 19 10:12:41.496820 2016] [:debug] [pid 423] nss_engine_init.c(286): SNI is enabled
[Fri Feb 19 10:12:41.497224 2016] [:info] [pid 423] Init: Seeding PRNG with 136 bytes of entropy
[Fri Feb 19 10:12:42.388948 2016] [core:notice] [pid 413] AH00052: child pid 423 exit signal Segmentation fault (11)
[Fri Feb 19 10:12:43.508779 2016] [:debug] [pid 424] nss_engine_init.c(286): SNI is enabled
[Fri Feb 19 10:12:43.509217 2016] [:info] [pid 424] Init: Seeding PRNG with 136 bytes of entropy
[Fri Feb 19 10:12:44.404130 2016] [core:notice] [pid 413] AH00052: child pid 424 exit signal Segmentation fault (11)


and in the Chrome browser I got:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I also tested a basic SSL client connection with openssl:

openssl s_client -connect 192.168.1.229:443 -state -debug

SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
write to 0x205dec0 [0x206dd50] (75 bytes => 75 (0x4B))
0000 - 16 03 03 00 46 10 00 00-42 41 04 3d c7 93 63 45   ....F...BA.=..cE
0010 - 79 41 11 bc 06 c0 b7 c6-d1 b5 33 d9 86 a6 d5 e9   yA........3.....
0020 - 36 e4 2b ac 0e bc 70 d6-d6 8c a7 a9 3c dd 1b 0c   6.+...p.....<...
0030 - 77 48 20 38 dd 1e c9 a1-05 6c 5c b6 c9 f4 99 f2   wH 8.....l\.....
0040 - 1a 18 ae 81 63 71 65 90-e8 a5 b6                  ....cqe....
SSL_connect:SSLv3 write client key exchange A
write to 0x205dec0 [0x206dd50] (6 bytes => 6 (0x6))
0000 - 14 03 03 00 01 01                                 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x205dec0 [0x206dd50] (45 bytes => 45 (0x2D))
0000 - 16 03 03 00 28 b1 e0 60-8a 2c 97 cf a0 4f 97 ee   ....(..`.,...O..
0010 - cd 8f 05 41 aa 50 a6 73-a3 4c 86 1e 5f 3c 7b 2b   ...A.P.s.L.._<{+
0020 - 2d 7e 6a 68 dc 97 94 9d-91 15 c0 0e 27            -~jh........'
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x205dec0 [0x2063f83] (5 bytes => 0 (0x0))
SSL_connect:failed in SSLv3 read server session ticket A
140123095688864:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

Apache and mod_nss are built from source for an embedded Yocto environment.

Any ideas what's going on here?

Best regards,

Oliver
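
Added example, not part of Oliver's message: a small decoder for the TLS record headers in the three "write to" dumps above, to show what the client had sent before the zero-byte read. The function names and the "encrypted" flag are assumptions of this sketch; the header bytes and write sizes are copied from the s_client output in the post. It shows a complete TLS 1.2 client flight (ClientKeyExchange, ChangeCipherSpec, encrypted Finished), so the connection closed while the client was waiting for the RFC 5077 NewSessionTicket message.

```python
import struct

# TLS record content types and handshake message types (RFC 5246, RFC 5077).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 4: "new_session_ticket",
                   11: "certificate", 12: "server_key_exchange",
                   14: "server_hello_done", 16: "client_key_exchange",
                   20: "finished"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_record(head, written, encrypted=False):
    """Decode one TLS record from its leading bytes.

    head      -- the 5-byte record header, plus the 4-byte handshake
                 header when the record is still in cleartext
    written   -- byte count s_client reported for this write
    encrypted -- True for records sent after ChangeCipherSpec, whose
                 body cannot be interpreted without the session keys
    """
    if len(head) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, version, length = struct.unpack("!BHH", head[:5])
    rec = {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
           "version": VERSIONS.get(version, hex(version)),
           "length": length,
           # One whole record per write: 5-byte header + body.
           "complete": written == 5 + length}
    if ctype == 22 and encrypted:
        rec["handshake"] = "encrypted"
    elif ctype == 22 and len(head) >= 9:
        rec["handshake"] = HANDSHAKE_TYPES.get(head[5], "unknown(%d)" % head[5])
        rec["handshake_len"] = int.from_bytes(head[6:9], "big")
    return rec


# Leading bytes of the three client writes, copied from the dump in the post.
CLIENT_WRITES = [
    (bytes.fromhex("160303004610000042"), 75, False),
    (bytes.fromhex("140303000101"), 6, False),
    (bytes.fromhex("1603030028"), 45, True),   # sent after ChangeCipherSpec
]


def decode_client_flight():
    return [parse_record(h, n, e) for h, n, e in CLIENT_WRITES]


if __name__ == "__main__":
    for rec in decode_client_flight():
        print(rec)
```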
