On Tue, Feb 23, 2016 at 5:10 PM, Oliver Graute <[email protected]> wrote: > On 23/02/16, Rob Crittenden wrote: >> Oliver Graute wrote: >> > On 22/02/16, Rob Crittenden wrote: >> >> Oliver Graute wrote: >> >>> Hello, >> >>> >> >>> I installed the mod_nss plugin in version 1.0.12 on my apache webserver, >> >>> TLS on Port 443 is working fine until I enable the new NSSSession ticket >> >>> feature in my nss.conf with: >> >>> >> >>> #RFC 5077 >> >>> NSSSessionTickets on >> >>> >> >>> then something is broken, I see segfaults in my apache error log: >> >>> >> >>> [Fri Feb 19 10:12:15.338660 2016] [mpm_prefork:notice] [pid 413] >> >>> AH00163: Apache/2.4.16 (Unix) mod_nss/1.0.12 NSS/3.19.2 Basic ECC >> >>> PHP/5.5.10 configured -- resuming normal operations >> >>> [Fri Feb 19 10:12:15.338843 2016] [mpm_prefork:info] [pid 413] AH00164: >> >>> Server built: Feb 22 2016 12:44:38 >> >>> [Fri Feb 19 10:12:15.339046 2016] [core:notice] [pid 413] AH00094: >> >>> Command line: '/usr/sbin/httpd -D FOREGROUND -D SSL -D PHP5' >> >>> [Fri Feb 19 10:12:15.339160 2016] [mpm_prefork:debug] [pid 413] >> >>> prefork.c(995): AH00165: Accept mutex: sysvsem (default: sysvsem) >> >>> [Fri Feb 19 10:12:15.386483 2016] [:debug] [pid 416] >> >>> nss_engine_init.c(286): SNI is enabled >> >>> [Fri Feb 19 10:12:15.386853 2016] [:info] [pid 416] Init: Seeding PRNG >> >>> with 136 bytes of entropy >> >>> [Fri Feb 19 10:12:40.374175 2016] [core:notice] [pid 413] AH00052: child >> >>> pid 416 exit signal Segmentation fault (11) >> >>> [Fri Feb 19 10:12:41.496820 2016] [:debug] [pid 423] >> >>> nss_engine_init.c(286): SNI is enabled >> >>> [Fri Feb 19 10:12:41.497224 2016] [:info] [pid 423] Init: Seeding PRNG >> >>> with 136 bytes of entropy >> >>> [Fri Feb 19 10:12:42.388948 2016] [core:notice] [pid 413] AH00052: child >> >>> pid 423 exit signal Segmentation fault (11) >> >>> [Fri Feb 19 10:12:43.508779 2016] [:debug] [pid 424] >> >>> nss_engine_init.c(286): SNI is enabled >> >>> [Fri Feb 19 10:12:43.509217 2016] [:info] [pid 424] Init: Seeding PRNG >> >>> with 136 bytes of entropy >> >>> [Fri Feb 19 10:12:44.404130 2016] [core:notice] [pid 413] AH00052: child >> >>> pid 424 exit signal Segmentation fault (11) >> >>> >> >>> >> >>> and in Chrome Browser I got: >> >>> >> >>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH >> >>> >> >>> I tested also a basic ssl client connection with openssl: >> >>> >> >>> openssl s_client -connect 192.168.1.229:443 -state -debug >> >>> >> >>> SSL_connect:SSLv3 read server certificate A >> >>> SSL_connect:SSLv3 read server key exchange A >> >>> SSL_connect:SSLv3 read server done A >> >>> write to 0x205dec0 [0x206dd50] (75 bytes => 75 (0x4B)) >> >>> 0000 - 16 03 03 00 46 10 00 00-42 41 04 3d c7 93 63 45 ....F...BA.=..cE >> >>> 0010 - 79 41 11 bc 06 c0 b7 c6-d1 b5 33 d9 86 a6 d5 e9 yA........3..... >> >>> 0020 - 36 e4 2b ac 0e bc 70 d6-d6 8c a7 a9 3c dd 1b 0c 6.+...p.....<... >> >>> 0030 - 77 48 20 38 dd 1e c9 a1-05 6c 5c b6 c9 f4 99 f2 wH 8.....l\..... >> >>> 0040 - 1a 18 ae 81 63 71 65 90-e8 a5 b6 ....cqe.... >> >>> SSL_connect:SSLv3 write client key exchange A >> >>> write to 0x205dec0 [0x206dd50] (6 bytes => 6 (0x6)) >> >>> 0000 - 14 03 03 00 01 01 ...... >> >>> SSL_connect:SSLv3 write change cipher spec A >> >>> write to 0x205dec0 [0x206dd50] (45 bytes => 45 (0x2D)) >> >>> 0000 - 16 03 03 00 28 b1 e0 60-8a 2c 97 cf a0 4f 97 ee ....(..`.,...O.. >> >>> 0010 - cd 8f 05 41 aa 50 a6 73-a3 4c 86 1e 5f 3c 7b 2b ...A.P.s.L.._<{+ >> >>> 0020 - 2d 7e 6a 68 dc 97 94 9d-91 15 c0 0e 27 -~jh........' >> >>> SSL_connect:SSLv3 write finished A >> >>> SSL_connect:SSLv3 flush data >> >>> read from 0x205dec0 [0x2063f83] (5 bytes => 0 (0x0)) >> >>> SSL_connect:failed in SSLv3 read server session ticket A >> >>> 140123095688864:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake >> >>> failure:s23_lib.c:177: >> >>> >> >>> apache and mod_nss are build from the sources for an embedded yocto >> >>> environment. >> >>> >> >>> some ideas, whats going on here? >> >> >> >> Can you get a stack trace from the core? >> > >> > I can give you an strace, see below. Other stack tools are currently not >> > available, because I need to compile them first for my yocto >> > environment. If you need something special please tell me. >> > >> >> This is Apache 2.4.x? >> > >> > yes it is Apache 2.4.16 >> > >> >> Is it failing on a request or on startup? >> > >> > its failing on every https request. >> >> strace in this case isn't particularly helpful as it doesn't show where >> it is crashing. >> >> Can I see your nss.conf? >> >> What version of NSS are you using? > > I'am using nss in version 3.19.2 > > here my nss.conf > > # > # This is the Apache server configuration file providing SSL support using. > # the mod_nss plugin. It contains the configuration directives to instruct > # the server how to serve pages over an https connection. > # > # Do NOT simply read the instructions in here without understanding > # what they do. They're here only as hints or reminders. If you are unsure > # consult the online docs. You have been warned. > # > > # > # When we also provide SSL we have to listen to the > # standard HTTP port (see above) and to the HTTPS port > # > # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two > # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" > # > Listen 443 > > ## > ## SSL Global Context > ## > ## All SSL configuration in this context applies both to > ## the main server and all SSL-enabled virtual hosts. > ## > > # > # Some MIME-types for downloading Certificates and CRLs > # > AddType application/x-x509-ca-cert .crt > AddType application/x-pkcs7-crl .crl > > > # Pass Phrase Helper: > # This helper program stores the token password pins between > # restarts of Apache. > # Unfortunately the directive is required even if we use no password > # (though in such case the program should never be used) > NSSPassPhraseHelper /usr/lib/apache2/bin/nss_pcache > > # Pass Phrase Dialog: > # Configure the pass phrase gathering process. > # The filtering dialog program (`builtin' is a internal > # terminal dialog) has to provide the pass phrase on stdout. > #NSSPassPhraseDialog builtin > NSSPassPhraseDialog file:/etc/apache2/password.conf > > # Configure the SSL Session Cache. > # NSSSessionCacheSize is the number of entries in the cache. > # NSSSessionCacheTimeout is the SSL2 session timeout (in seconds). > # NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds). > NSSSessionCacheSize 10000 > NSSSessionCacheTimeout 100 > NSSSession3CacheTimeout 86400 > > #RFC 5077 > NSSSessionTickets off
SessionTickets are on not off NSSSessionTickets on Best regards, Oliver _______________________________________________ Mod_nss-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/mod_nss-list
