On 24/02/16, Rob Crittenden wrote:
> Oliver Graute wrote:
> > On 23/02/16, Oliver Graute wrote:
> >> On Tue, Feb 23, 2016 at 5:10 PM, Oliver Graute <[email protected]> 
> >> wrote:
> >>> On 23/02/16, Rob Crittenden wrote:
> >>>> Oliver Graute wrote:
> >>>>> On 22/02/16, Rob Crittenden wrote:
> >>>>>> Oliver Graute wrote:
> >>>>>>> Hello,
> >>>>>>>
> >>>>>>> I installed the mod_nss plugin in version 1.0.12 on my Apache
> >>>>>>> webserver. TLS on port 443 is working fine until I enable the new
> >>>>>>> NSSSessionTickets feature in my nss.conf with:
> >>>>>>>
> >>>>>>> #RFC 5077
> >>>>>>> NSSSessionTickets on
> >>>>>>>
> >>>>>>> then something is broken, I see segfaults in my apache error log:
> >>>>>>>
> >>>>>>> [Fri Feb 19 10:12:15.338660 2016] [mpm_prefork:notice] [pid 413] AH00163: Apache/2.4.16 (Unix) mod_nss/1.0.12 NSS/3.19.2 Basic ECC PHP/5.5.10 configured -- resuming normal operations
> >>>>>>> [Fri Feb 19 10:12:15.338843 2016] [mpm_prefork:info] [pid 413] AH00164: Server built: Feb 22 2016 12:44:38
> >>>>>>> [Fri Feb 19 10:12:15.339046 2016] [core:notice] [pid 413] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND -D SSL -D PHP5'
> >>>>>>> [Fri Feb 19 10:12:15.339160 2016] [mpm_prefork:debug] [pid 413] prefork.c(995): AH00165: Accept mutex: sysvsem (default: sysvsem)
> >>>>>>> [Fri Feb 19 10:12:15.386483 2016] [:debug] [pid 416] nss_engine_init.c(286): SNI is enabled
> >>>>>>> [Fri Feb 19 10:12:15.386853 2016] [:info] [pid 416] Init: Seeding PRNG with 136 bytes of entropy
> >>>>>>> [Fri Feb 19 10:12:40.374175 2016] [core:notice] [pid 413] AH00052: child pid 416 exit signal Segmentation fault (11)
> >>>>>>> [Fri Feb 19 10:12:41.496820 2016] [:debug] [pid 423] nss_engine_init.c(286): SNI is enabled
> >>>>>>> [Fri Feb 19 10:12:41.497224 2016] [:info] [pid 423] Init: Seeding PRNG with 136 bytes of entropy
> >>>>>>> [Fri Feb 19 10:12:42.388948 2016] [core:notice] [pid 413] AH00052: child pid 423 exit signal Segmentation fault (11)
> >>>>>>> [Fri Feb 19 10:12:43.508779 2016] [:debug] [pid 424] nss_engine_init.c(286): SNI is enabled
> >>>>>>> [Fri Feb 19 10:12:43.509217 2016] [:info] [pid 424] Init: Seeding PRNG with 136 bytes of entropy
> >>>>>>> [Fri Feb 19 10:12:44.404130 2016] [core:notice] [pid 413] AH00052: child pid 424 exit signal Segmentation fault (11)
> >>>>>>>
> >>>>>>>
> >>>>>>> and in the Chrome browser I got:
> >>>>>>>
> >>>>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> >>>>>>>
> >>>>>>> I also tested a basic SSL client connection with openssl:
> >>>>>>>
> >>>>>>> openssl s_client -connect 192.168.1.229:443 -state -debug
> >>>>>>>
> >>>>>>> SSL_connect:SSLv3 read server certificate A
> >>>>>>> SSL_connect:SSLv3 read server key exchange A
> >>>>>>> SSL_connect:SSLv3 read server done A
> >>>>>>> write to 0x205dec0 [0x206dd50] (75 bytes => 75 (0x4B))
> >>>>>>> 0000 - 16 03 03 00 46 10 00 00-42 41 04 3d c7 93 63 45   ....F...BA.=..cE
> >>>>>>> 0010 - 79 41 11 bc 06 c0 b7 c6-d1 b5 33 d9 86 a6 d5 e9   yA........3.....
> >>>>>>> 0020 - 36 e4 2b ac 0e bc 70 d6-d6 8c a7 a9 3c dd 1b 0c   6.+...p.....<...
> >>>>>>> 0030 - 77 48 20 38 dd 1e c9 a1-05 6c 5c b6 c9 f4 99 f2   wH 8.....l\.....
> >>>>>>> 0040 - 1a 18 ae 81 63 71 65 90-e8 a5 b6                  ....cqe....
> >>>>>>> SSL_connect:SSLv3 write client key exchange A
> >>>>>>> write to 0x205dec0 [0x206dd50] (6 bytes => 6 (0x6))
> >>>>>>> 0000 - 14 03 03 00 01 01                                 ......
> >>>>>>> SSL_connect:SSLv3 write change cipher spec A
> >>>>>>> write to 0x205dec0 [0x206dd50] (45 bytes => 45 (0x2D))
> >>>>>>> 0000 - 16 03 03 00 28 b1 e0 60-8a 2c 97 cf a0 4f 97 ee   ....(..`.,...O..
> >>>>>>> 0010 - cd 8f 05 41 aa 50 a6 73-a3 4c 86 1e 5f 3c 7b 2b   ...A.P.s.L.._<{+
> >>>>>>> 0020 - 2d 7e 6a 68 dc 97 94 9d-91 15 c0 0e 27            -~jh........'
> >>>>>>> SSL_connect:SSLv3 write finished A
> >>>>>>> SSL_connect:SSLv3 flush data
> >>>>>>> read from 0x205dec0 [0x2063f83] (5 bytes => 0 (0x0))
> >>>>>>> SSL_connect:failed in SSLv3 read server session ticket A
> >>>>>>> 140123095688864:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
> >>>>>>>
> >>>>>>> Apache and mod_nss are built from source for an embedded Yocto
> >>>>>>> environment.
> >>>>>>>
> >>>>>>> Any ideas what's going on here?
> >>>>>>
> >>>>>> Can you get a stack trace from the core?
> >>>>>
> >>>>> I can give you a strace, see below. Other stack tools are currently not
> >>>>> available, because I need to compile them first for my Yocto
> >>>>> environment. If you need something special, please tell me.
> >>>>>
> >>>>>> This is Apache 2.4.x?
> >>>>>
> >>>>> Yes, it is Apache 2.4.16.
> >>>>>
> >>>>>> Is it failing on a request or on startup?
> >>>>>
> >>>>> It's failing on every https request.
> >>>>
> >>>> strace in this case isn't particularly helpful as it doesn't show where
> >>>> it is crashing.
> >>>>
> >>>> Can I see your nss.conf?
> >>>>
> >>>> What version of NSS are you using?
> >>>
> >>> I'm using NSS version 3.19.2.
> >>>
> >>> Here is my nss.conf:
> >>>
> >>> #
> >>> # This is the Apache server configuration file providing SSL support using
> >>> # the mod_nss plugin.  It contains the configuration directives to instruct
> >>> # the server how to serve pages over an https connection.
> >>> #
> >>> # Do NOT simply read the instructions in here without understanding
> >>> # what they do.  They're here only as hints or reminders.  If you are unsure
> >>> # consult the online docs. You have been warned.
> >>> #
> >>>
> >>> #
> >>> # When we also provide SSL we have to listen to the
> >>> # standard HTTP port (see above) and to the HTTPS port
> >>> #
> >>> # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
> >>> #       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
> >>> #
> >>> Listen 443
> >>>
> >>> ##
> >>> ##  SSL Global Context
> >>> ##
> >>> ##  All SSL configuration in this context applies both to
> >>> ##  the main server and all SSL-enabled virtual hosts.
> >>> ##
> >>>
> >>> #
> >>> #   Some MIME-types for downloading Certificates and CRLs
> >>> #
> >>> AddType application/x-x509-ca-cert .crt
> >>> AddType application/x-pkcs7-crl    .crl
> >>>
> >>>
> >>> #   Pass Phrase Helper:
> >>> #   This helper program stores the token password pins between
> >>> #   restarts of Apache.
> >>> # Unfortunately the directive is required even if we use no password
> >>> # (though in such case the program should never be used)
> >>> NSSPassPhraseHelper /usr/lib/apache2/bin/nss_pcache
> >>>
> >>> #   Pass Phrase Dialog:
> >>> #   Configure the pass phrase gathering process.
> >>> #   The filtering dialog program (`builtin' is a internal
> >>> #   terminal dialog) has to provide the pass phrase on stdout.
> >>> #NSSPassPhraseDialog  builtin
> >>> NSSPassPhraseDialog file:/etc/apache2/password.conf
> >>>
> >>> #   Configure the SSL Session Cache.
> >>> #   NSSSessionCacheSize is the number of entries in the cache.
> >>> #   NSSSessionCacheTimeout is the SSL2 session timeout (in seconds).
> >>> #   NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
> >>> NSSSessionCacheSize 10000
> >>> NSSSessionCacheTimeout 100
> >>> NSSSession3CacheTimeout 86400
> >>>
> >>> #RFC 5077
> >>> NSSSessionTickets off
> >>
> >> SessionTickets are on, not off:
> >>
> >> NSSSessionTickets on
> >>
> > 
> > In my /etc/apache2/extra/httpd-vhosts.conf I also added some mod_nss
> > parameters for every virtual host. It seems that the problem is here,
> > because if I remove the include of httpd-vhosts.conf no segfaults occur.
> > 
> > Here is my httpd-vhosts.conf with the NSS-related parameters. Are these
> > parameters valid in a virtual host configuration?
> 
> You've included some directives that are expected to be global:
> 
> NSSPassPhraseHelper
> NSSPassPhraseDialog
> NSSSession*Cache*
> NSSCertificateDatabase
> 
> I doubt they hurt anything.

OK, thanks, I removed these directives from the httpd-vhosts.conf.

> 
> I still can't duplicate a crash. I ran it through valgrind to see if
> there was a memory issue and came up with nothing too.
> 
> This could be an architecture problem that I just can't see on x86
> hardware I suppose.

I'm using ARM hardware (imx6).

> This particular crash seems rather strange too. Within mod_nss enabling
> this just calls:
> 
> SSL_OptionSet(mctx->model, SSL_ENABLE_SESSION_TICKETS,
> mctx->sc->session_tickets);
> 
> Basically enabling it in the model server socket. I would imagine the
> crash is probably deeper in NSS.


> To narrow things down you might try the NSS tool selfserv. It has an
> option, -u, to enable session tickets. It might eliminate mod_nss as the
> crash source (or it might implicate it too).


Thanks for the hint about the NSS selfserv tool.

I'm using it with DSA keys instead of Elliptic Curve keys because
selfserv can't handle ECC (selfserv -Y didn't show me any ECC ciphers).

First I generate a new NSS db:

certutil -N -d /etc/apache2/nss-conf -f /etc/apache2/password2.conf
certutil -G -k dsa -n localhost -t "TC,," -d /etc/apache2/nss-conf -f /etc/apache2/password2.conf
certutil -K -d /etc/apache2/nss-conf -f /etc/apache2/password2.conf
certutil -L -d /etc/apache2/nss-conf -f /etc/apache2/password2.conf
certutil -S -s "CN=localhost" -x -n localhost -t "TC,," -d /etc/apache2/nss-conf/ -f /etc/apache2/password2.conf

Then I start selfserv with these params:

selfserv -n "localhost" -V tls1.2: -d /etc/apache2/nss-conf/ -f /etc/apache2/password2.conf -p 443 -v -u

selfserv: About to call accept.

Now I perform an https request with the Chrome browser:

GET /test.php HTTP/1.1
Host: 192.168.1.229
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4

EOF

It looks to me like it works with selfserv. But I'm not sure if the session
ticket works, and if it makes a difference not using ECC keys.

Best Regards,

Oliver
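Added example, not part of the thread and not mod_nss or NSS code: a small Python parser for a server's TLS 1.2 handshake flight that checks the two things RFC 5077 requires for a ticket to be usable, the empty session_ticket extension in the ServerHello and the NewSessionTicket message that s_client above was still waiting for when the server went away. All function names are mine and the sample bytes are constructed, not captured traffic.

```python
import struct
HANDSHAKE, SERVER_HELLO, NEW_SESSION_TICKET, EXT_SESSION_TICKET = 0x16, 2, 4, 0x0023

def handshake_messages(flight):
    """Yield (msg_type, body) for every handshake message in a raw TLS byte stream.
    A record cut off mid-flight (s_client above: 5 bytes expected, 0 read) raises."""
    off = 0
    while off + 5 <= len(flight):
        ctype, _ver, rlen = struct.unpack("!BHH", flight[off:off + 5])
        payload, off = flight[off + 5:off + 5 + rlen], off + 5 + rlen
        if len(payload) != rlen:
            raise ValueError("truncated TLS record")
        if ctype != HANDSHAKE:
            continue
        pos = 0
        while pos + 4 <= len(payload):
            mlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
            yield payload[pos], payload[pos + 4:pos + 4 + mlen]
            pos += 4 + mlen

def server_hello_extensions(body):
    """Return the set of extension types present in a ServerHello body."""
    off = 35 + body[34] + 3           # version(2) random(32) session_id(1+n) suite(2) compression(1)
    exts = set()
    if off + 2 <= len(body):          # the extensions block is optional
        off, end = off + 2, off + 2 + int.from_bytes(body[off:off + 2], "big")
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            exts.add(etype)
            off += 4 + elen
    return exts

def ticket_status(flight):
    """Did the server accept tickets in ServerHello, and did it then deliver a NewSessionTicket?"""
    status = {"ticket_ext": False, "new_session_ticket": False}
    for msg_type, body in handshake_messages(flight):
        if msg_type == SERVER_HELLO:
            status["ticket_ext"] = EXT_SESSION_TICKET in server_hello_extensions(body)
        elif msg_type == NEW_SESSION_TICKET:
            status["new_session_ticket"] = True
    return status

def _hs(msg_type, body):              # one handshake message wrapped in a TLS 1.2 record
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(msg)) + msg

# Constructed sample flight: ServerHello with an empty session_ticket extension, then a NewSessionTicket.
SAMPLE_FLIGHT = (_hs(SERVER_HELLO, b"\x03\x03" + b"\x00" * 32 + b"\x00\xc0\x2f\x00"
                     + b"\x00\x04" + struct.pack("!HH", EXT_SESSION_TICKET, 0))
                 + _hs(NEW_SESSION_TICKET, b"\x00\x00\x1c\x20\x00\x08" + b"\xaa" * 8))
```

This covers the TLS 1.2 case discussed in the thread; in TLS 1.3 the NewSessionTicket is sent encrypted after the handshake and cannot be read off the wire this way.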

_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list