On 23/02/16, Oliver Graute wrote:
> On Tue, Feb 23, 2016 at 5:10 PM, Oliver Graute <[email protected]> wrote:
> > On 23/02/16, Rob Crittenden wrote:
> >> Oliver Graute wrote:
> >> > On 22/02/16, Rob Crittenden wrote:
> >> >> Oliver Graute wrote:
> >> >>> Hello,
> >> >>>
> >> >>> I installed the mod_nss plugin in version 1.0.12 on my apache webserver,
> >> >>> TLS on port 443 is working fine until I enable the new NSSSession ticket
> >> >>> feature in my nss.conf with:
> >> >>>
> >> >>> #RFC 5077
> >> >>> NSSSessionTickets on
> >> >>>
> >> >>> then something is broken, I see segfaults in my apache error log:
> >> >>>
> >> >>> [Fri Feb 19 10:12:15.338660 2016] [mpm_prefork:notice] [pid 413] AH00163: Apache/2.4.16 (Unix) mod_nss/1.0.12 NSS/3.19.2 Basic ECC PHP/5.5.10 configured -- resuming normal operations
> >> >>> [Fri Feb 19 10:12:15.338843 2016] [mpm_prefork:info] [pid 413] AH00164: Server built: Feb 22 2016 12:44:38
> >> >>> [Fri Feb 19 10:12:15.339046 2016] [core:notice] [pid 413] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND -D SSL -D PHP5'
> >> >>> [Fri Feb 19 10:12:15.339160 2016] [mpm_prefork:debug] [pid 413] prefork.c(995): AH00165: Accept mutex: sysvsem (default: sysvsem)
> >> >>> [Fri Feb 19 10:12:15.386483 2016] [:debug] [pid 416] nss_engine_init.c(286): SNI is enabled
> >> >>> [Fri Feb 19 10:12:15.386853 2016] [:info] [pid 416] Init: Seeding PRNG with 136 bytes of entropy
> >> >>> [Fri Feb 19 10:12:40.374175 2016] [core:notice] [pid 413] AH00052: child pid 416 exit signal Segmentation fault (11)
> >> >>> [Fri Feb 19 10:12:41.496820 2016] [:debug] [pid 423] nss_engine_init.c(286): SNI is enabled
> >> >>> [Fri Feb 19 10:12:41.497224 2016] [:info] [pid 423] Init: Seeding PRNG with 136 bytes of entropy
> >> >>> [Fri Feb 19 10:12:42.388948 2016] [core:notice] [pid 413] AH00052: child pid 423 exit signal Segmentation fault (11)
> >> >>> [Fri Feb 19 10:12:43.508779 2016] [:debug] [pid 424] nss_engine_init.c(286): SNI is enabled
> >> >>> [Fri Feb 19 10:12:43.509217 2016] [:info] [pid 424] Init: Seeding PRNG with 136 bytes of entropy
> >> >>> [Fri Feb 19 10:12:44.404130 2016] [core:notice] [pid 413] AH00052: child pid 424 exit signal Segmentation fault (11)
> >> >>>
> >> >>>
> >> >>> and in Chrome Browser I got:
> >> >>>
> >> >>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> >> >>>
> >> >>> I also tested a basic ssl client connection with openssl:
> >> >>>
> >> >>> openssl s_client -connect 192.168.1.229:443 -state -debug
> >> >>>
> >> >>> SSL_connect:SSLv3 read server certificate A
> >> >>> SSL_connect:SSLv3 read server key exchange A
> >> >>> SSL_connect:SSLv3 read server done A
> >> >>> write to 0x205dec0 [0x206dd50] (75 bytes => 75 (0x4B))
> >> >>> 0000 - 16 03 03 00 46 10 00 00-42 41 04 3d c7 93 63 45   ....F...BA.=..cE
> >> >>> 0010 - 79 41 11 bc 06 c0 b7 c6-d1 b5 33 d9 86 a6 d5 e9   yA........3.....
> >> >>> 0020 - 36 e4 2b ac 0e bc 70 d6-d6 8c a7 a9 3c dd 1b 0c   6.+...p.....<...
> >> >>> 0030 - 77 48 20 38 dd 1e c9 a1-05 6c 5c b6 c9 f4 99 f2   wH 8.....l\.....
> >> >>> 0040 - 1a 18 ae 81 63 71 65 90-e8 a5 b6                  ....cqe....
> >> >>> SSL_connect:SSLv3 write client key exchange A
> >> >>> write to 0x205dec0 [0x206dd50] (6 bytes => 6 (0x6))
> >> >>> 0000 - 14 03 03 00 01 01                                 ......
> >> >>> SSL_connect:SSLv3 write change cipher spec A
> >> >>> write to 0x205dec0 [0x206dd50] (45 bytes => 45 (0x2D))
> >> >>> 0000 - 16 03 03 00 28 b1 e0 60-8a 2c 97 cf a0 4f 97 ee   ....(..`.,...O..
> >> >>> 0010 - cd 8f 05 41 aa 50 a6 73-a3 4c 86 1e 5f 3c 7b 2b   ...A.P.s.L.._<{+
> >> >>> 0020 - 2d 7e 6a 68 dc 97 94 9d-91 15 c0 0e 27            -~jh........'
> >> >>> SSL_connect:SSLv3 write finished A
> >> >>> SSL_connect:SSLv3 flush data
> >> >>> read from 0x205dec0 [0x2063f83] (5 bytes => 0 (0x0))
> >> >>> SSL_connect:failed in SSLv3 read server session ticket A
> >> >>> 140123095688864:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
> >> >>>
> >> >>> apache and mod_nss are built from the sources for an embedded yocto
> >> >>> environment.
> >> >>>
> >> >>> Some ideas what's going on here?
> >> >>
> >> >> Can you get a stack trace from the core?
> >> >
> >> > I can give you an strace, see below. Other stack tools are currently not
> >> > available, because I need to compile them first for my yocto
> >> > environment. If you need something special please tell me.
> >> >
> >> >> This is Apache 2.4.x?
> >> >
> >> > yes it is Apache 2.4.16
> >> >
> >> >> Is it failing on a request or on startup?
> >> >
> >> > It's failing on every https request.
> >>
> >> strace in this case isn't particularly helpful as it doesn't show where
> >> it is crashing.
> >>
> >> Can I see your nss.conf?
> >>
> >> What version of NSS are you using?
> >
> > I'm using nss in version 3.19.2
> >
> > here my nss.conf
> >
> > #
> > # This is the Apache server configuration file providing SSL support using
> > # the mod_nss plugin. It contains the configuration directives to instruct
> > # the server how to serve pages over an https connection.
> > #
> > # Do NOT simply read the instructions in here without understanding
> > # what they do. They're here only as hints or reminders. If you are unsure
> > # consult the online docs. You have been warned.
> > #
> >
> > #
> > # When we also provide SSL we have to listen to the
> > # standard HTTP port (see above) and to the HTTPS port
> > #
> > # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
> > # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
> > #
> > Listen 443
> >
> > ##
> > ## SSL Global Context
> > ##
> > ## All SSL configuration in this context applies both to
> > ## the main server and all SSL-enabled virtual hosts.
> > ##
> >
> > #
> > # Some MIME-types for downloading Certificates and CRLs
> > #
> > AddType application/x-x509-ca-cert .crt
> > AddType application/x-pkcs7-crl .crl
> >
> >
> > # Pass Phrase Helper:
> > # This helper program stores the token password pins between
> > # restarts of Apache.
> > # Unfortunately the directive is required even if we use no password
> > # (though in such case the program should never be used)
> > NSSPassPhraseHelper /usr/lib/apache2/bin/nss_pcache
> >
> > # Pass Phrase Dialog:
> > # Configure the pass phrase gathering process.
> > # The filtering dialog program (`builtin' is an internal
> > # terminal dialog) has to provide the pass phrase on stdout.
> > #NSSPassPhraseDialog builtin
> > NSSPassPhraseDialog file:/etc/apache2/password.conf
> >
> > # Configure the SSL Session Cache.
> > # NSSSessionCacheSize is the number of entries in the cache.
> > # NSSSessionCacheTimeout is the SSL2 session timeout (in seconds).
> > # NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
> > NSSSessionCacheSize 10000
> > NSSSessionCacheTimeout 100
> > NSSSession3CacheTimeout 86400
> >
> > #RFC 5077
> > NSSSessionTickets off
> > SessionTickets are on not off
> > NSSSessionTickets on
>
in my /etc/apache2/extra/httpd-vhosts.conf I also added some mod_nss parameters
for every virtual host. It seems that the problem is here, because if I remove
the include of httpd-vhosts.conf no segfaults occur.

here my httpd-vhosts.conf with nss related parameters. Are these parameters
suitable for a virtual host configuration?

Best regards,

Oliver

# Virtual Hosts
#
# Required modules: mod_log_config

# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost _default_:443>
    ServerAdmin [email protected]
    DocumentRoot "/var/www"
    <Directory "/var/www">
        Options FollowSymLinks
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>
    ServerName www.example.com
    ServerAlias www.example.com
    ErrorLog "/var/apache2/logs/example.com-error_log"
    CustomLog "/var/apache2/logs/example.com-access_log" common
    LogLevel debug

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    NSSPassPhraseHelper /usr/lib/apache2/bin/nss_pcache
    NSSPassPhraseDialog file:/etc/apache2/password.conf
    NSSSessionCacheSize 10000
    NSSSessionCacheTimeout 100
    NSSSession3CacheTimeout 86400
    NSSSessionTickets on
    NSSRenegotiation off
    NSSRequireSafeNegotiation off
    NSSEngine on
    NSSSNI off
    NSSProtocol TLSv1.2
    NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256
    NSSNickname "localhost - XXXXXX"
    NSSEnforceValidCerts off
    NSSCertificateDatabase /etc/apache2/nss-conf
    NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        NSSOptions +StdEnvVars
    </Files>
    <Directory "/usr/cgi-bin">
        NSSOptions +StdEnvVars
    </Directory>
</VirtualHost>

Listen 444
<VirtualHost 192.168.1.229:444>
    ServerAdmin [email protected]
    DocumentRoot "/var/www/example2.com"
    <Directory "/var/www">
        Options FollowSymLinks
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>
    ServerName www.example2.com
    ErrorLog "/var/apache2/logs/example2.com-error_log"
    CustomLog "/var/apache2/logs/example2.com-access_log" common
    LogLevel debug

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    NSSPassPhraseHelper /usr/lib/apache2/bin/nss_pcache
    NSSPassPhraseDialog file:/etc/apache2/password.conf
    NSSSessionCacheSize 10000
    NSSSessionCacheTimeout 100
    NSSSession3CacheTimeout 86400
    NSSSessionTickets on
    NSSRenegotiation off
    NSSRequireSafeNegotiation off
    NSSEngine on
    NSSSNI off
    NSSProtocol TLSv1.2
    NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256
    NSSNickname "localhost - XXXXXX"
    NSSEnforceValidCerts off
    NSSCertificateDatabase /etc/apache2/nss-conf
    NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        NSSOptions +StdEnvVars
    </Files>
    <Directory "/usr/cgi-bin">
        NSSOptions +StdEnvVars
    </Directory>
</VirtualHost>

Listen 1226
<VirtualHost 192.168.1.229:1226>
    ServerAdmin [email protected]
    DocumentRoot "/var/www/iMTR"
    <Directory "/var/www/iMTR">
        Options FollowSymLinks
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>
    ServerName www.example3.com
    ErrorLog "/var/apache2/logs/iMTR-error_log"
    CustomLog "/var/apache2/logs/iMTR-access_log" common
    LogLevel debug

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    NSSPassPhraseHelper /usr/lib/apache2/bin/nss_pcache
    NSSPassPhraseDialog file:/etc/apache2/password.conf
    NSSSessionCacheSize 10000
    NSSSessionCacheTimeout 100
    NSSSession3CacheTimeout 86400
    NSSSessionTickets on
    NSSRenegotiation off
    NSSRequireSafeNegotiation off
    NSSEngine on
    NSSSNI off
    NSSProtocol TLSv1.2
    NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256
    NSSNickname "localhost - XXXXXX"
    NSSEnforceValidCerts off
    NSSCertificateDatabase /etc/apache2/nss-conf
    NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        NSSOptions +StdEnvVars
    </Files>
    <Directory "/usr/cgi-bin">
        NSSOptions +StdEnvVars
    </Directory>
</VirtualHost>

_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
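The error_log excerpt in the thread shows the pattern that matters operationally: a prefork child logs its mod_nss init lines, then the parent reports it with AH00052 "exit signal Segmentation fault (11)", and the next child does the same within a second or two. The script below is an added example, not code from the thread or from the mod_nss project. It parses Apache 2.4 error_log lines of that shape, pairs each AH00052 notice with the first line the crashed child logged, computes the child's lifetime, and flags a crash loop when several children die young. The sample log is constructed from the lines Oliver posted; the thresholds (three crashes, 60 seconds) are assumptions chosen for illustration.

```python
"""Detect a prefork child crash loop in an Apache 2.4 error_log.

Added example (not from the mod_nss thread or the mod_nss project). The
sample log below is constructed from the lines quoted in the thread.
"""
import re
from datetime import datetime

# Constructed sample: the same shape as the thread's error_log excerpt.
SAMPLE_LOG = """\
[Fri Feb 19 10:12:15.338660 2016] [mpm_prefork:notice] [pid 413] AH00163: Apache/2.4.16 (Unix) mod_nss/1.0.12 NSS/3.19.2 Basic ECC PHP/5.5.10 configured -- resuming normal operations
[Fri Feb 19 10:12:15.386483 2016] [:debug] [pid 416] nss_engine_init.c(286): SNI is enabled
[Fri Feb 19 10:12:15.386853 2016] [:info] [pid 416] Init: Seeding PRNG with 136 bytes of entropy
[Fri Feb 19 10:12:40.374175 2016] [core:notice] [pid 413] AH00052: child pid 416 exit signal Segmentation fault (11)
[Fri Feb 19 10:12:41.496820 2016] [:debug] [pid 423] nss_engine_init.c(286): SNI is enabled
[Fri Feb 19 10:12:41.497224 2016] [:info] [pid 423] Init: Seeding PRNG with 136 bytes of entropy
[Fri Feb 19 10:12:42.388948 2016] [core:notice] [pid 413] AH00052: child pid 423 exit signal Segmentation fault (11)
[Fri Feb 19 10:12:43.508779 2016] [:debug] [pid 424] nss_engine_init.c(286): SNI is enabled
[Fri Feb 19 10:12:43.509217 2016] [:info] [pid 424] Init: Seeding PRNG with 136 bytes of entropy
[Fri Feb 19 10:12:44.404130 2016] [core:notice] [pid 413] AH00052: child pid 424 exit signal Segmentation fault (11)
"""

# Apache 2.4 default ErrorLogFormat: [timestamp] [module:level] [pid N] message.
# mod_nss logs with an empty module name ("[:debug]"), so the module part may be empty.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)\] (?P<msg>.*)$"
)
# AH00052 is the parent's notice that a child died from a signal.
CRASH_RE = re.compile(
    r"AH00052: child pid (?P<child>\d+) exit signal (?P<sig>.+?) \((?P<signo>\d+)\)"
)
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"


def parse_line(line):
    """Return a dict with ts (datetime), module, level, pid (int), msg, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["pid"] = int(rec["pid"])
    return rec


def child_crashes(log_text):
    """List (child_pid, signal_name, signo, lifetime_seconds) per AH00052 notice.

    lifetime_seconds is measured from the first line the child itself logged
    (its mod_nss init message here) to the parent's crash notice; it is None
    if the child never logged anything before dying.
    """
    first_seen = {}
    crashes = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        first_seen.setdefault(rec["pid"], rec["ts"])
        cm = CRASH_RE.search(rec["msg"])
        if cm:
            child = int(cm.group("child"))
            start = first_seen.get(child)
            lifetime = (rec["ts"] - start).total_seconds() if start else None
            crashes.append((child, cm.group("sig"), int(cm.group("signo")), lifetime))
    return crashes


def crash_loop(crashes, min_crashes=3, max_lifetime=60.0):
    """True if at least min_crashes children each died within max_lifetime seconds.

    Thresholds are assumptions for this example, not values from the thread.
    """
    short_lived = [c for c in crashes if c[3] is not None and c[3] <= max_lifetime]
    return len(short_lived) >= min_crashes


if __name__ == "__main__":
    found = child_crashes(SAMPLE_LOG)
    for child, sig, signo, life in found:
        print(f"child {child}: {sig} ({signo}) after {life:.3f}s")
    print("crash loop:", crash_loop(found))
```

Run it against a real error_log by replacing SAMPLE_LOG with the file contents; because the crash notice comes from the parent (pid 413 here) while the init lines come from the child, the pairing is done on the child pid named inside the AH00052 message, not on the pid field of the notice line.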
