Oliver Graute wrote:
> On 23/02/16, Oliver Graute wrote:
>> On Tue, Feb 23, 2016 at 5:10 PM, Oliver Graute <[email protected]>
>> wrote:
>>> On 23/02/16, Rob Crittenden wrote:
>>>> Oliver Graute wrote:
>>>>> On 22/02/16, Rob Crittenden wrote:
>>>>>> Oliver Graute wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I installed the mod_nss plugin in version 1.0.12 on my apache webserver.
>>>>>>> TLS on port 443 is working fine until I enable the new NSSSessionTickets
>>>>>>> feature in my nss.conf with:
>>>>>>>
>>>>>>> #RFC 5077
>>>>>>> NSSSessionTickets on
>>>>>>>
>>>>>>> Then something is broken; I see segfaults in my apache error log:
>>>>>>>
>>>>>>> [Fri Feb 19 10:12:15.338660 2016] [mpm_prefork:notice] [pid 413] AH00163: Apache/2.4.16 (Unix) mod_nss/1.0.12 NSS/3.19.2 Basic ECC PHP/5.5.10 configured -- resuming normal operations
>>>>>>> [Fri Feb 19 10:12:15.338843 2016] [mpm_prefork:info] [pid 413] AH00164: Server built: Feb 22 2016 12:44:38
>>>>>>> [Fri Feb 19 10:12:15.339046 2016] [core:notice] [pid 413] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND -D SSL -D PHP5'
>>>>>>> [Fri Feb 19 10:12:15.339160 2016] [mpm_prefork:debug] [pid 413] prefork.c(995): AH00165: Accept mutex: sysvsem (default: sysvsem)
>>>>>>> [Fri Feb 19 10:12:15.386483 2016] [:debug] [pid 416] nss_engine_init.c(286): SNI is enabled
>>>>>>> [Fri Feb 19 10:12:15.386853 2016] [:info] [pid 416] Init: Seeding PRNG with 136 bytes of entropy
>>>>>>> [Fri Feb 19 10:12:40.374175 2016] [core:notice] [pid 413] AH00052: child pid 416 exit signal Segmentation fault (11)
>>>>>>> [Fri Feb 19 10:12:41.496820 2016] [:debug] [pid 423] nss_engine_init.c(286): SNI is enabled
>>>>>>> [Fri Feb 19 10:12:41.497224 2016] [:info] [pid 423] Init: Seeding PRNG with 136 bytes of entropy
>>>>>>> [Fri Feb 19 10:12:42.388948 2016] [core:notice] [pid 413] AH00052: child pid 423 exit signal Segmentation fault (11)
>>>>>>> [Fri Feb 19 10:12:43.508779 2016] [:debug] [pid 424] nss_engine_init.c(286): SNI is enabled
>>>>>>> [Fri Feb 19 10:12:43.509217 2016] [:info] [pid 424] Init: Seeding PRNG with 136 bytes of entropy
>>>>>>> [Fri Feb 19 10:12:44.404130 2016] [core:notice] [pid 413] AH00052: child pid 424 exit signal Segmentation fault (11)
>>>>>>>
>>>>>>> and in the Chrome browser I get:
>>>>>>>
>>>>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>>>>>>
>>>>>>> I also tested a basic SSL client connection with openssl:
>>>>>>>
>>>>>>> openssl s_client -connect 192.168.1.229:443 -state -debug
>>>>>>>
>>>>>>> SSL_connect:SSLv3 read server certificate A
>>>>>>> SSL_connect:SSLv3 read server key exchange A
>>>>>>> SSL_connect:SSLv3 read server done A
>>>>>>> write to 0x205dec0 [0x206dd50] (75 bytes => 75 (0x4B))
>>>>>>> 0000 - 16 03 03 00 46 10 00 00-42 41 04 3d c7 93 63 45   ....F...BA.=..cE
>>>>>>> 0010 - 79 41 11 bc 06 c0 b7 c6-d1 b5 33 d9 86 a6 d5 e9   yA........3.....
>>>>>>> 0020 - 36 e4 2b ac 0e bc 70 d6-d6 8c a7 a9 3c dd 1b 0c   6.+...p.....<...
>>>>>>> 0030 - 77 48 20 38 dd 1e c9 a1-05 6c 5c b6 c9 f4 99 f2   wH 8.....l\.....
>>>>>>> 0040 - 1a 18 ae 81 63 71 65 90-e8 a5 b6                  ....cqe....
>>>>>>> SSL_connect:SSLv3 write client key exchange A
>>>>>>> write to 0x205dec0 [0x206dd50] (6 bytes => 6 (0x6))
>>>>>>> 0000 - 14 03 03 00 01 01                                 ......
>>>>>>> SSL_connect:SSLv3 write change cipher spec A
>>>>>>> write to 0x205dec0 [0x206dd50] (45 bytes => 45 (0x2D))
>>>>>>> 0000 - 16 03 03 00 28 b1 e0 60-8a 2c 97 cf a0 4f 97 ee   ....(..`.,...O..
>>>>>>> 0010 - cd 8f 05 41 aa 50 a6 73-a3 4c 86 1e 5f 3c 7b 2b   ...A.P.s.L.._<{+
>>>>>>> 0020 - 2d 7e 6a 68 dc 97 94 9d-91 15 c0 0e 27            -~jh........'
>>>>>>> SSL_connect:SSLv3 write finished A
>>>>>>> SSL_connect:SSLv3 flush data
>>>>>>> read from 0x205dec0 [0x2063f83] (5 bytes => 0 (0x0))
>>>>>>> SSL_connect:failed in SSLv3 read server session ticket A
>>>>>>> 140123095688864:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
>>>>>>>
>>>>>>> apache and mod_nss are built from the sources for an embedded yocto
>>>>>>> environment.
>>>>>>>
>>>>>>> Any ideas what's going on here?
>>>>>>
>>>>>> Can you get a stack trace from the core?
>>>>>
>>>>> I can give you an strace, see below. Other stack tools are currently not
>>>>> available, because I need to compile them first for my yocto
>>>>> environment. If you need something special please tell me.
>>>>>
>>>>>> This is Apache 2.4.x?
>>>>>
>>>>> yes it is Apache 2.4.16
>>>>>
>>>>>> Is it failing on a request or on startup?
>>>>>
>>>>> It's failing on every https request.
>>>>
>>>> strace in this case isn't particularly helpful as it doesn't show where
>>>> it is crashing.
>>>>
>>>> Can I see your nss.conf?
>>>>
>>>> What version of NSS are you using?
>>>
>>> I'm using nss in version 3.19.2
>>>
>>> here my nss.conf
>>>
>>> #
>>> # This is the Apache server configuration file providing SSL support using.
>>> # the mod_nss plugin. It contains the configuration directives to instruct
>>> # the server how to serve pages over an https connection.
>>> #
>>> # Do NOT simply read the instructions in here without understanding
>>> # what they do. They're here only as hints or reminders. If you are unsure
>>> # consult the online docs. You have been warned.
>>> #
>>>
>>> #
>>> # When we also provide SSL we have to listen to the
>>> # standard HTTP port (see above) and to the HTTPS port
>>> #
>>> # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
>>> # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
>>> #
>>> Listen 443
>>>
>>> ##
>>> ## SSL Global Context
>>> ##
>>> ## All SSL configuration in this context applies both to
>>> ## the main server and all SSL-enabled virtual hosts.
>>> ##
>>>
>>> #
>>> # Some MIME-types for downloading Certificates and CRLs
>>> #
>>> AddType application/x-x509-ca-cert .crt
>>> AddType application/x-pkcs7-crl .crl
>>>
>>>
>>> # Pass Phrase Helper:
>>> # This helper program stores the token password pins between
>>> # restarts of Apache.
>>> # Unfortunately the directive is required even if we use no password
>>> # (though in such case the program should never be used)
>>> NSSPassPhraseHelper /usr/lib/apache2/bin/nss_pcache
>>>
>>> # Pass Phrase Dialog:
>>> # Configure the pass phrase gathering process.
>>> # The filtering dialog program (`builtin' is a internal
>>> # terminal dialog) has to provide the pass phrase on stdout.
>>> #NSSPassPhraseDialog builtin
>>> NSSPassPhraseDialog file:/etc/apache2/password.conf
>>>
>>> # Configure the SSL Session Cache.
>>> # NSSSessionCacheSize is the number of entries in the cache.
>>> # NSSSessionCacheTimeout is the SSL2 session timeout (in seconds).
>>> # NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
>>> NSSSessionCacheSize 10000
>>> NSSSessionCacheTimeout 100
>>> NSSSession3CacheTimeout 86400
>>>
>>> #RFC 5077
>>> NSSSessionTickets off
>>
>> SessionTickets are on, not off:
>>
>> NSSSessionTickets on
>>
>
> In my /etc/apache2/extra/httpd-vhosts.conf I also added some mod_nss
> parameters for every virtual host. It seems that the problem is here, because
> if I remove the include of httpd-vhosts.conf no segfaults occur.
>
> Here my httpd-vhosts.conf with nss related parameters. Are these
> parameters usable in a virtual host configuration?
You've included some directives that are expected to be global:

NSSPassPhraseHelper
NSSPassPhraseDialog
NSSSession*Cache*
NSSCertificateDatabase

I doubt they hurt anything.

I still can't duplicate a crash. I ran it through valgrind to see if there was a memory issue and came up with nothing too. This could be an architecture problem that I just can't see on x86 hardware I suppose.

This particular crash seems rather strange too. Within mod_nss enabling this just calls:

SSL_OptionSet(mctx->model, SSL_ENABLE_SESSION_TICKETS, mctx->sc->session_tickets);

Basically enabling it in the model server socket. I would imagine the crash is probably deeper in NSS.

To narrow things down you might try the NSS tool selfserv. It has an option, -u, to enable session tickets. It might eliminate mod_nss as the crash source (or it might implicate it too).

rob

_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
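The error_log pattern in the thread (a child logs its mod_nss init, then the parent reports AH00052 with a segfault for that pid, over and over) is easy to miss among normal notices. The following is an added example, not code from the thread or from mod_nss: a small Python analyser that pairs each child's "Init:" line with its AH00052 exit report and flags the "every https request segfaults" loop. The sample log is constructed in the same format as the thread's excerpt.

```python
import re
from datetime import datetime

# Constructed sample in the format of the thread's error_log excerpt (not the original lines).
SAMPLE_LOG = """\
[Fri Feb 19 10:12:15.386853 2016] [:info] [pid 416] Init: Seeding PRNG with 136 bytes of entropy
[Fri Feb 19 10:12:40.374175 2016] [core:notice] [pid 413] AH00052: child pid 416 exit signal Segmentation fault (11)
[Fri Feb 19 10:12:41.497224 2016] [:info] [pid 423] Init: Seeding PRNG with 136 bytes of entropy
[Fri Feb 19 10:12:42.388948 2016] [core:notice] [pid 413] AH00052: child pid 423 exit signal Segmentation fault (11)
[Fri Feb 19 10:12:43.509217 2016] [:info] [pid 424] Init: Seeding PRNG with 136 bytes of entropy
[Fri Feb 19 10:12:44.404130 2016] [core:notice] [pid 413] AH00052: child pid 424 exit signal Segmentation fault (11)
"""

# httpd 2.4 error_log line: [timestamp] [module:level] [pid N] message
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\.(?P<us>\d{6}) (?P<year>\d{4})\] "
    r"\[(?P<module>[^\]]*)\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$")
EXIT_RE = re.compile(r"AH00052: child pid (?P<child>\d+) exit signal (?P<sig>.+?) \((?P<num>\d+)\)")

def parse_line(line):
    """Split one error_log line into timestamp, module, pid and message; None if not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return {"ts": ts.replace(microsecond=int(m["us"])), "module": m["module"],
            "pid": int(m["pid"]), "msg": m["msg"]}

def child_crashes(log_text):
    """Return (child pid, signal name, seconds between the child's Init line and its AH00052 exit)."""
    started = {}  # child pid -> timestamp of its Init line
    crashes = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["msg"].startswith("Init:"):
            started[rec["pid"]] = rec["ts"]
        ex = EXIT_RE.search(rec["msg"])
        if ex:
            child = int(ex["child"])
            lived = (rec["ts"] - started[child]).total_seconds() if child in started else None
            crashes.append((child, ex["sig"], lived))
    return crashes

def is_crash_loop(crashes, threshold=3):
    """True when `threshold` or more children died on the same signal: a repeating crash, not a one-off."""
    counts = {}
    for _, sig, _ in crashes:
        counts[sig] = counts.get(sig, 0) + 1
    return any(n >= threshold for n in counts.values())
```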
