[Mod_nss-list] NSSSessionTickets causes some segfault in error log
Oliver Graute
oliver.graute at gmail.com
Tue Feb 23 16:10:09 UTC 2016
On 23/02/16, Rob Crittenden wrote:
> Oliver Graute wrote:
> > On 22/02/16, Rob Crittenden wrote:
> >> Oliver Graute wrote:
> >>> Hello,
> >>>
> >>> I installed the mod_nss plugin in version 1.0.12 on my apache webserver,
> >>> TLS on Port 443 is working fine until I enable the new NSSSession ticket
> >>> feature in my nss.conf with:
> >>>
> >>> #RFC 5077
> >>> NSSSessionTickets on
> >>>
> >>> then something is broken, I see segfaults in my apache error log:
> >>>
> >>> [Fri Feb 19 10:12:15.338660 2016] [mpm_prefork:notice] [pid 413] AH00163: Apache/2.4.16 (Unix) mod_nss/1.0.12 NSS/3.19.2 Basic ECC PHP/5.5.10 configured -- resuming normal operations
> >>> [Fri Feb 19 10:12:15.338843 2016] [mpm_prefork:info] [pid 413] AH00164: Server built: Feb 22 2016 12:44:38
> >>> [Fri Feb 19 10:12:15.339046 2016] [core:notice] [pid 413] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND -D SSL -D PHP5'
> >>> [Fri Feb 19 10:12:15.339160 2016] [mpm_prefork:debug] [pid 413] prefork.c(995): AH00165: Accept mutex: sysvsem (default: sysvsem)
> >>> [Fri Feb 19 10:12:15.386483 2016] [:debug] [pid 416] nss_engine_init.c(286): SNI is enabled
> >>> [Fri Feb 19 10:12:15.386853 2016] [:info] [pid 416] Init: Seeding PRNG with 136 bytes of entropy
> >>> [Fri Feb 19 10:12:40.374175 2016] [core:notice] [pid 413] AH00052: child pid 416 exit signal Segmentation fault (11)
> >>> [Fri Feb 19 10:12:41.496820 2016] [:debug] [pid 423] nss_engine_init.c(286): SNI is enabled
> >>> [Fri Feb 19 10:12:41.497224 2016] [:info] [pid 423] Init: Seeding PRNG with 136 bytes of entropy
> >>> [Fri Feb 19 10:12:42.388948 2016] [core:notice] [pid 413] AH00052: child pid 423 exit signal Segmentation fault (11)
> >>> [Fri Feb 19 10:12:43.508779 2016] [:debug] [pid 424] nss_engine_init.c(286): SNI is enabled
> >>> [Fri Feb 19 10:12:43.509217 2016] [:info] [pid 424] Init: Seeding PRNG with 136 bytes of entropy
> >>> [Fri Feb 19 10:12:44.404130 2016] [core:notice] [pid 413] AH00052: child pid 424 exit signal Segmentation fault (11)
> >>>
> >>>
> >>> and in Chrome Browser I got:
> >>>
> >>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> >>>
> >>> I tested also a basic ssl client connection with openssl:
> >>>
> >>> openssl s_client -connect 192.168.1.229:443 -state -debug
> >>>
> >>> SSL_connect:SSLv3 read server certificate A
> >>> SSL_connect:SSLv3 read server key exchange A
> >>> SSL_connect:SSLv3 read server done A
> >>> write to 0x205dec0 [0x206dd50] (75 bytes => 75 (0x4B))
> >>> 0000 - 16 03 03 00 46 10 00 00-42 41 04 3d c7 93 63 45 ....F...BA.=..cE
> >>> 0010 - 79 41 11 bc 06 c0 b7 c6-d1 b5 33 d9 86 a6 d5 e9 yA........3.....
> >>> 0020 - 36 e4 2b ac 0e bc 70 d6-d6 8c a7 a9 3c dd 1b 0c 6.+...p.....<...
> >>> 0030 - 77 48 20 38 dd 1e c9 a1-05 6c 5c b6 c9 f4 99 f2 wH 8.....l\.....
> >>> 0040 - 1a 18 ae 81 63 71 65 90-e8 a5 b6 ....cqe....
> >>> SSL_connect:SSLv3 write client key exchange A
> >>> write to 0x205dec0 [0x206dd50] (6 bytes => 6 (0x6))
> >>> 0000 - 14 03 03 00 01 01 ......
> >>> SSL_connect:SSLv3 write change cipher spec A
> >>> write to 0x205dec0 [0x206dd50] (45 bytes => 45 (0x2D))
> >>> 0000 - 16 03 03 00 28 b1 e0 60-8a 2c 97 cf a0 4f 97 ee ....(..`.,...O..
> >>> 0010 - cd 8f 05 41 aa 50 a6 73-a3 4c 86 1e 5f 3c 7b 2b ...A.P.s.L.._<{+
> >>> 0020 - 2d 7e 6a 68 dc 97 94 9d-91 15 c0 0e 27 -~jh........'
> >>> SSL_connect:SSLv3 write finished A
> >>> SSL_connect:SSLv3 flush data
> >>> read from 0x205dec0 [0x2063f83] (5 bytes => 0 (0x0))
> >>> SSL_connect:failed in SSLv3 read server session ticket A
> >>> 140123095688864:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
> >>>
> >>> apache and mod_nss are build from the sources for an embedded yocto environment.
> >>>
> >>> some ideas, whats going on here?
> >>
> >> Can you get a stack trace from the core?
> >
> > I can give you an strace, see below. Other stack tools are currently not
> > available, because I need to compile them first for my yocto
> > environment. If you need something special please tell me.
> >
> >> This is Apache 2.4.x?
> >
> > yes it is Apache 2.4.16
> >
> >> Is it failing on a request or on startup?
> >
> > its failing on every https request.
>
> strace in this case isn't particularly helpful as it doesn't show where
> it is crashing.
>
> Can I see your nss.conf?
>
> What version of NSS are you using?
I'am using nss in version 3.19.2
here my nss.conf
#
# This is the Apache server configuration file providing SSL support using.
# the mod_nss plugin. It contains the configuration directives to instruct
# the server how to serve pages over an https connection.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Helper:
# This helper program stores the token password pins between
# restarts of Apache.
# Unfortunately the directive is required even if we use no password
# (though in such case the program should never be used)
NSSPassPhraseHelper /usr/lib/apache2/bin/nss_pcache
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
#NSSPassPhraseDialog builtin
NSSPassPhraseDialog file:/etc/apache2/password.conf
# Configure the SSL Session Cache.
# NSSSessionCacheSize is the number of entries in the cache.
# NSSSessionCacheTimeout is the SSL2 session timeout (in seconds).
# NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
#RFC 5077
NSSSessionTickets off
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. Those platforms usually also provide a non-blocking
# device, /dev/urandom, which may be used instead.
#
# This does not support seeding the RNG with each connection.
NSSRandomSeed startup builtin
#NSSRandomSeed startup file:/dev/random 512
#NSSRandomSeed startup file:/dev/urandom 512
#
# TLS Negotiation configuration under RFC 5746
#
# Only renegotiate if the peer's hello bears the TLS renegotiation_info
# extension. Default off.
NSSRenegotiation off
# Peer must send Signaling Cipher Suite Value (SCSV) or
# Renegotiation Info (RI) extension in ALL handshakes. Default: off
NSSRequireSafeNegotiation off
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
ServerAdmin webmaster at localhost
DocumentRoot "/var/www"
<Directory "/var/www">
Options FollowSymLinks
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted
</Directory>
# Default syslog facility is local7.
ErrorLog "/var/apache2/logs/nss_log"
LogLevel debug
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
NSSEngine on
# Enable or disables Server Name Identification (SN) extension check for SSL.
NSSSNI off
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_nss documentation for a complete list.
NSSProtocol TLSv1.2
#NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256
# SSL Certificate Nickname:
# The nickname of the RSA server certificate you are going to use.
NSSNickname "localhost - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# SSL Certificate Nickname:
# The nickname of the ECC server certificate you are going to use, if you
# have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname "Safir:ClefPrivK"
NSSEnforceValidCerts off
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
# keys. The database consists of 3 files: cert9.db, key4.db and pkcs11.txt
# Provide the directory where these files exist.
NSSCertificateDatabase /etc/apache2/nss-conf
# Client Authentication (Type):
# Client certificate verification type. Types are none, optional and
# require.
#NSSVerifyClient require
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "NSSRequireSSL" or "NSSRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
NSSOptions +StdEnvVars
</Files>
<Directory "/usr/cgi-bin">
NSSOptions +StdEnvVars
</Directory>
</VirtualHost>
Best regards,
Oliver
More information about the Mod_nss-list
mailing list