Oliver Graute wrote:
> Hello,
>
> I installed the mod_nss plugin in version 1.0.12 on my Apache webserver.
> TLS on port 443 is working fine until I enable the new NSSSession ticket
> feature in my nss.conf with:
>
> #RFC 5077
> NSSSessionTickets on
>
> Then something is broken; I see segfaults in my Apache error log:
>
> [Fri Feb 19 10:12:15.338660 2016] [mpm_prefork:notice] [pid 413] AH00163:
> Apache/2.4.16 (Unix) mod_nss/1.0.12 NSS/3.19.2 Basic ECC PHP/5.5.10
> configured -- resuming normal operations
> [Fri Feb 19 10:12:15.338843 2016] [mpm_prefork:info] [pid 413] AH00164:
> Server built: Feb 22 2016 12:44:38
> [Fri Feb 19 10:12:15.339046 2016] [core:notice] [pid 413] AH00094: Command
> line: '/usr/sbin/httpd -D FOREGROUND -D SSL -D PHP5'
> [Fri Feb 19 10:12:15.339160 2016] [mpm_prefork:debug] [pid 413]
> prefork.c(995): AH00165: Accept mutex: sysvsem (default: sysvsem)
> [Fri Feb 19 10:12:15.386483 2016] [:debug] [pid 416] nss_engine_init.c(286):
> SNI is enabled
> [Fri Feb 19 10:12:15.386853 2016] [:info] [pid 416] Init: Seeding PRNG with
> 136 bytes of entropy
> [Fri Feb 19 10:12:40.374175 2016] [core:notice] [pid 413] AH00052: child pid
> 416 exit signal Segmentation fault (11)
> [Fri Feb 19 10:12:41.496820 2016] [:debug] [pid 423] nss_engine_init.c(286):
> SNI is enabled
> [Fri Feb 19 10:12:41.497224 2016] [:info] [pid 423] Init: Seeding PRNG with
> 136 bytes of entropy
> [Fri Feb 19 10:12:42.388948 2016] [core:notice] [pid 413] AH00052: child pid
> 423 exit signal Segmentation fault (11)
> [Fri Feb 19 10:12:43.508779 2016] [:debug] [pid 424] nss_engine_init.c(286):
> SNI is enabled
> [Fri Feb 19 10:12:43.509217 2016] [:info] [pid 424] Init: Seeding PRNG with
> 136 bytes of entropy
> [Fri Feb 19 10:12:44.404130 2016] [core:notice] [pid 413] AH00052: child pid
> 424 exit signal Segmentation fault (11)
>
>
> And in the Chrome browser I got:
>
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>
> I also tested a basic SSL client connection with openssl:
>
> openssl s_client -connect 192.168.1.229:443 -state -debug
>
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server key exchange A
> SSL_connect:SSLv3 read server done A
> write to 0x205dec0 [0x206dd50] (75 bytes => 75 (0x4B))
> 0000 - 16 03 03 00 46 10 00 00-42 41 04 3d c7 93 63 45 ....F...BA.=..cE
> 0010 - 79 41 11 bc 06 c0 b7 c6-d1 b5 33 d9 86 a6 d5 e9 yA........3.....
> 0020 - 36 e4 2b ac 0e bc 70 d6-d6 8c a7 a9 3c dd 1b 0c 6.+...p.....<...
> 0030 - 77 48 20 38 dd 1e c9 a1-05 6c 5c b6 c9 f4 99 f2 wH 8.....l\.....
> 0040 - 1a 18 ae 81 63 71 65 90-e8 a5 b6 ....cqe....
> SSL_connect:SSLv3 write client key exchange A
> write to 0x205dec0 [0x206dd50] (6 bytes => 6 (0x6))
> 0000 - 14 03 03 00 01 01 ......
> SSL_connect:SSLv3 write change cipher spec A
> write to 0x205dec0 [0x206dd50] (45 bytes => 45 (0x2D))
> 0000 - 16 03 03 00 28 b1 e0 60-8a 2c 97 cf a0 4f 97 ee ....(..`.,...O..
> 0010 - cd 8f 05 41 aa 50 a6 73-a3 4c 86 1e 5f 3c 7b 2b ...A.P.s.L.._<{+
> 0020 - 2d 7e 6a 68 dc 97 94 9d-91 15 c0 0e 27 -~jh........'
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> read from 0x205dec0 [0x2063f83] (5 bytes => 0 (0x0))
> SSL_connect:failed in SSLv3 read server session ticket A
> 140123095688864:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:177:
>
> Apache and mod_nss are built from the sources for an embedded Yocto
> environment.
>
> Some ideas, what's going on here?

Can you get a stack trace from the core?
This is Apache 2.4.x?
Is it failing on a request or on startup?

rob
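
Added example, not part of the original thread: a small Python helper that reads an Apache 2.4 error log in the format quoted above and reports, for each AH00052 child exit, the signal number and how long that child had been logging before it died. The function and regex names are this example's own; the sample lines are taken from the report above with the mail wrapping undone.

```python
import re
from datetime import datetime

# Lines from the error log quoted in the report, unwrapped (mail wrapping removed).
SAMPLE_LOG = """\
[Fri Feb 19 10:12:15.386483 2016] [:debug] [pid 416] nss_engine_init.c(286): SNI is enabled
[Fri Feb 19 10:12:40.374175 2016] [core:notice] [pid 413] AH00052: child pid 416 exit signal Segmentation fault (11)
[Fri Feb 19 10:12:41.496820 2016] [:debug] [pid 423] nss_engine_init.c(286): SNI is enabled
[Fri Feb 19 10:12:42.388948 2016] [core:notice] [pid 413] AH00052: child pid 423 exit signal Segmentation fault (11)
[Fri Feb 19 10:12:43.508779 2016] [:debug] [pid 424] nss_engine_init.c(286): SNI is enabled
[Fri Feb 19 10:12:44.404130 2016] [core:notice] [pid 413] AH00052: child pid 424 exit signal Segmentation fault (11)
"""

# [timestamp] [module:level] [pid N] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$")
# Parent's notice that a child was killed by a signal.
CRASH = re.compile(r"AH00052: child pid (?P<child>\d+) exit signal .+? \((?P<num>\d+)\)")


def child_crashes(log_text):
    """Return [(child_pid, signal_number, seconds_alive)] for each AH00052 line.

    seconds_alive is measured from the first line the child itself logged;
    it is None when the child never logged anything before dying.
    """
    first_seen = {}  # pid -> timestamp of the first line logged by that pid
    crashes = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation or foreign line
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        first_seen.setdefault(int(m["pid"]), ts)
        c = CRASH.search(m["msg"])
        if c:
            child = int(c["child"])
            start = first_seen.get(child)
            alive = (ts - start).total_seconds() if start else None
            crashes.append((child, int(c["num"]), alive))
    return crashes


if __name__ == "__main__":
    for pid, sig, alive in child_crashes(SAMPLE_LOG):
        print(f"child {pid}: signal {sig}, alive {alive:.3f}s after first log line")
```
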