Re: NSS 3.12.5: Error '-8023' ... how to track it down?

On 01/17/2011 06:28 PM, Kaspar Brand wrote: On 17.01.2011 13:38, Bernhard Thalmayr wrote: Apache httpd 2.2.17 and what MPM are you using? Worker MPM is used , but is configured so start multiple processes (default) Is it possible that the Connection::initialized boolean might not be

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

On 18.01.2011 12:29, Bernhard Thalmayr wrote: I meant it might be a bug in Agent code to call 'NSS_NoDBInit' ... however this code has been there for some years already. One explanation I can think of is that it would only break with more recent versions of NSS, due to stricter application

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

On 01/18/2011 05:16 PM, Kaspar Brand wrote: On 18.01.2011 12:29, Bernhard Thalmayr wrote: I meant it might be a bug in Agent code to call 'NSS_NoDBInit' ... however this code has been there for some years already. One explanation I can think of is that it would only break with more recent

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

Thanks for your reply Kaspar, please see my comments inline. On 01/16/2011 12:16 PM, Kaspar Brand wrote: On 14.01.2011 10:24, Bernhard Thalmayr wrote: the 'client' is the OpenSSO web-agent (a lib) used by Apache httpd. Just to be sure: we're talking of this code here, right? yes

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

On 17.01.2011 13:38, Bernhard Thalmayr wrote: Apache httpd 2.2.17 and what MPM are you using? Worker MPM is used , but is configured so start multiple processes (default) Is it possible that the Connection::initialized boolean might not be shared among the httpd processes, resulting

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

On 14.01.2011 10:24, Bernhard Thalmayr wrote: the 'client' is the OpenSSO web-agent (a lib) used by Apache httpd. Just to be sure: we're talking of this code here, right? http://sources.forgerock.org/browse/openam/trunk/opensso/products/webagents/am/source/connection.cpp?r=HEADcontent=true

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

Thanks again Robert, please see my comments inline ... On 01/13/2011 10:40 PM, Robert Relyea wrote: --snip-- What is the actual client software you are running? the 'client' is the OpenSSO web-agent (a lib) used by Apache httpd. It merley does the following ...

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

Thanks a lot for the detailed explanation Robert - much appreciated. Please see my comments in line, some stuff deleted for brevity. On 01/12/2011 11:38 PM, Robert Relyea wrote: --- snip --- 331569088[1bd1610]: C_UnwrapKey 331569088[1bd1610]: hSession = 0x6 331569088[1bd1610]: pMechanism =

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

Hi again, today I a built a debug version of NSS 3.12.8 (as I haven't found 3.12.9 yet) The issue is still there, but occours much later then with 3.12.5. Server (with lib using NSS) ran about 1.5 hours before the issue occoured. During this time 911 SSL connections have been done. The last

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

On 01/13/2011 10:46 AM, Bernhard Thalmayr wrote: Hi again, today I a built a debug version of NSS 3.12.8 (as I haven't found 3.12.9 yet) I wouldn't expect 3.12.9 to fix the problem, as you seem to be running into a unique issue. The issue is still there, but occours much later then with

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

On Wed, Jan 12, 2011 at 2:38 PM, Robert Relyea rrel...@redhat.com wrote: On 01/12/2011 01:26 PM, Bernhard Thalmayr wrote: 331569088[1bd1610]: C_UnwrapKey 331569088[1bd1610]:   hSession = 0x6 331569088[1bd1610]:   pMechanism = 0x7fffcd592ea0 331569088[1bd1610]:   hUnwrappingKey = 0x8

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

On Thu, Jan 13, 2011 at 2:53 AM, Bernhard Thalmayr bernhard.thalm...@painstakingminds.com wrote: It might be helpfull if SSLTRACE and PKCS#11 could log a timestamp to help in correlation. You can add 'timestamp' to the NSPR_LOG_MODULES environment variable. See

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

So here we go ... the PCKS#11 logger shows the following 331569088[1bd1610]: C_DigestUpdate 331569088[1bd1610]: hSession = 0x88 331569088[1bd1610]: pPart = 0x6e580a4 331569088[1bd1610]: ulPartLen = 70 331569088[1bd1610]: rv = CKR_OK 331569088[1bd1610]: C_GetMechanismInfo

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

Bernhard wrote: 331569088[1bd1610]: flags = 0x4 331569088[1bd1610]: pApplication = 0331569088331569088[1bd1610]: Notify = 0x13231f31569088[1bd1610]: phSession = 0x7fffc331569088[1bd1610]: phKey = 0x36c1618 331569088[1bd1610]: CKA_CLASS = CKO_SECRET_KEY [8] Was that a copy

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

On 01/12/2011 10:50 PM, Nelson B Bolyard wrote: Bernhard wrote: 331569088[1bd1610]: flags = 0x4 331569088[1bd1610]: pApplication = 0331569088331569088[1bd1610]: Notify = 0x13231f31569088[1bd1610]: phSession = 0x7fffc331569088[1bd1610]: phKey = 0x36c1618 331569088[1bd1610]:

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

On 01/12/2011 10:50 PM, Nelson B Bolyard wrote: Bernhard wrote: 331569088[1bd1610]: flags = 0x4 331569088[1bd1610]: pApplication = 0331569088331569088[1bd1610]: Notify = 0x13231f31569088[1bd1610]: phSession = 0x7fffc331569088[1bd1610]: phKey = 0x36c1618 331569088[1bd1610]:

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

On Wed, Jan 12, 2011 at 2:02 PM, Bernhard Thalmayr bernhard.thalm...@painstakingminds.com wrote: Am'I wright that 'C_DeriveKey' is actually 'NSC_DeriveKey' in http://mxr.mozilla.org/security/source/security/nss/lib/softoken/pkcs11c.c ? Yes. C_DeriveKey is a function pointer. It points to the

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

On 01/12/2011 01:26 PM, Bernhard Thalmayr wrote: So here we go ... the PCKS#11 logger shows the following 331569088[1bd1610]: C_DigestUpdate 331569088[1bd1610]: hSession = 0x88 331569088[1bd1610]: pPart = 0x6e580a4 331569088[1bd1610]: ulPartLen = 70 331569088[1bd1610]: rv = CKR_OK

NSS 3.12.5: Error '-8023' ... how to track it down?

Hi experts, I have apache httpd running with a shared lib using NSS/NSPR. The lib talks to an SSL enabled server using PR_WRITE. Occasionally PR_WRITE returns error '-8023'. OS is CentOS 5.5 64bit. NSS: @(#)NSS 3.12.5.0 Aug 3 2010 17:15:02 NSPR: @(#)NSPR 4.8.2 2010-08-03 17:13:30 I've

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

On 01/11/2011 11:36 AM, Bernhard Thalmayr wrote: Hi experts, I have apache httpd running with a shared lib using NSS/NSPR. The lib talks to an SSL enabled server using PR_WRITE. Occasionally PR_WRITE returns error '-8023'. OS is CentOS 5.5 64bit. NSS: @(#)NSS 3.12.5.0 Aug 3 2010 17:15:02

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

On 1/11/2011 5:36 PM, Bernhard Thalmayr wrote: Hi experts, I have apache httpd running with a shared lib using NSS/NSPR. The lib talks to an SSL enabled server using PR_WRITE. Occasionally PR_WRITE returns error '-8023'. OS is CentOS 5.5 64bit. NSS: @(#)NSS 3.12.5.0 Aug 3 2010 17:15:02

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

Hi Wan-Teh, thanks for your reply. Will it be helpfull to use the 'PKCS #11 Module Logger' before starting with 'printfs'? I tried that and get at least some output in the specified log. -Bernhard On 01/11/2011 08:28 PM, Wan-Teh Chang wrote: Hi Bernhard, The best way to debug this is

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

On 01/11/2011 12:51 PM, Bernhard Thalmayr wrote: Hi Wan-Teh, thanks for your reply. Will it be helpfull to use the 'PKCS #11 Module Logger' before starting with 'printfs'? I tried that and get at least some output in the specified log. -Bernhard yes, that will tell you which PKCS #11