From oliver.graute at gmail.com Tue Mar 1 14:59:09 2016
From: oliver.graute at gmail.com (Oliver Graute)
Date: Tue, 1 Mar 2016 15:59:09 +0100
Subject: [Mod_nss-list] NSSSessionTickets causes some segfault in error log
In-Reply-To: <20160229154255.GB16783@graute-opti>
References: <20160224100216.GA29619@graute-opti> <56CDD887.1000101@redhat.com> <20160225141039.GB29619@graute-opti> <20160225151241.GC29619@graute-opti> <56CF1ECC.4080303@redhat.com> <20160226131912.GD29619@graute-opti> <56D07029.7050202@redhat.com> <20160229082758.GB14634@graute-opti> <56D45B71.2020704@redhat.com> <20160229154255.GB16783@graute-opti>
Message-ID:

Hello Rob,

here is the backtrace I got from gdb:

gdb httpd
GNU gdb (GDB) 7.9.1
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-poky-linux-gnueabi".
Type "show configuration" for configuration details.
For bug reporting instructions, please see: .
Find the GDB manual and other documentation resources online at: .
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from httpd...(no debugging symbols found)...done.
(gdb) run -X -e debug -k start
Starting program: /usr/sbin/httpd -X -e debug -k start
warning: Unable to find libthread_db matching inferior's thread library, thread debugging will not be available.
[Tue Mar 01 08:13:03.030657 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module authn_file_module from /usr/lib/apache2/modules/mod_authn_file.so
[Tue Mar 01 08:13:03.079515 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module authn_core_module from /usr/lib/apache2/modules/mod_authn_core.so
[Tue Mar 01 08:13:03.132191 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module authz_host_module from /usr/lib/apache2/modules/mod_authz_host.so
[Tue Mar 01 08:13:03.184107 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module authz_groupfile_module from /usr/lib/apache2/modules/mod_authz_groupfile.so
[Tue Mar 01 08:13:03.234788 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module authz_user_module from /usr/lib/apache2/modules/mod_authz_user.so
[Tue Mar 01 08:13:03.291208 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module authz_core_module from /usr/lib/apache2/modules/mod_authz_core.so
[Tue Mar 01 08:13:03.346248 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module access_compat_module from /usr/lib/apache2/modules/mod_access_compat.so
[Tue Mar 01 08:13:03.403987 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module auth_basic_module from /usr/lib/apache2/modules/mod_auth_basic.so
[Tue Mar 01 08:13:03.462869 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module socache_shmcb_module from /usr/lib/apache2/modules/mod_socache_shmcb.so
[Tue Mar 01 08:13:03.524206 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module reqtimeout_module from /usr/lib/apache2/modules/mod_reqtimeout.so
[Tue Mar 01 08:13:03.587161 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module filter_module from /usr/lib/apache2/modules/mod_filter.so
[Tue Mar 01 08:13:03.670177 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module deflate_module from /usr/lib/apache2/modules/mod_deflate.so
[Tue Mar 01 08:13:03.737604 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module mime_module from /usr/lib/apache2/modules/mod_mime.so
[Tue Mar 01 08:13:03.811455 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module log_config_module from /usr/lib/apache2/modules/mod_log_config.so
[Tue Mar 01 08:13:03.878182 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module env_module from /usr/lib/apache2/modules/mod_env.so
[Tue Mar 01 08:13:03.952743 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module headers_module from /usr/lib/apache2/modules/mod_headers.so
[Tue Mar 01 08:13:04.024100 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module setenvif_module from /usr/lib/apache2/modules/mod_setenvif.so
[Tue Mar 01 08:13:04.096323 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module version_module from /usr/lib/apache2/modules/mod_version.so
[Tue Mar 01 08:13:04.594068 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module nss_module from /usr/lib/apache2/modules/libmodnss.so
[Tue Mar 01 08:13:04.687089 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module mpm_prefork_module from /usr/lib/apache2/modules/mod_mpm_prefork.so
[Tue Mar 01 08:13:04.773117 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module unixd_module from /usr/lib/apache2/modules/mod_unixd.so
[Tue Mar 01 08:13:04.862035 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module status_module from /usr/lib/apache2/modules/mod_status.so
[Tue Mar 01 08:13:04.956650 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module autoindex_module from /usr/lib/apache2/modules/mod_autoindex.so
[Tue Mar 01 08:13:05.046425 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module dir_module from /usr/lib/apache2/modules/mod_dir.so
[Tue Mar 01 08:13:05.140571 2016] [so:debug] [pid 588] mod_so.c(266): AH01575: loaded module alias_module from /usr/lib/apache2/modules/mod_alias.so
[58887.850679] TCP: request_sock_TCP: Possible SYN flooding on port 443. Dropping request.  Check SNMP counters.

Program received signal SIGSEGV, Segmentation fault.
0x76b366dc in ?? () from /usr/lib/libssl3.so
(gdb) where
#0  0x76b366dc in ?? () from /usr/lib/libssl3.so
#1  0x769ac830 in PR_CallOnceWithArg () from /usr/lib/libnspr4.so
#2  0x769ac830 in PR_CallOnceWithArg () from /usr/lib/libnspr4.so
#3  0x76b359ac in ?? () from /usr/lib/libssl3.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)

Best regards,

Oliver

On Mon, Feb 29, 2016 at 4:42 PM, Oliver Graute wrote:
> On 29/02/16, Rob Crittenden wrote:
>> Oliver Graute wrote:
>>> On 26/02/16, Rob Crittenden wrote:
>>>>
>>>> If you could build NSS with debugging we would be able to see where it
>>>> is failing. I'm not sure where your package is coming from but IIRC to
>>>> build with debug you can pass in something at build time, like BUILD_OPT=0
>>>
>>> I'm using this yocto recipe:
>>>
>>> https://git.yoctoproject.org/cgit.cgi/poky/plain/meta/recipes-support/nss/nss_3.21.bb
>>>
>>> I changed the option
>>>
>>> BUILD_OPT=0
>>>
>>> and rebuilt the lib, how can I see the debug stuff?
>>
>> I'd suggest generating new core then open that in gdb. With the updated
>> NSS you should have more details on where it crashed.
>
> ok I generated a new core and debugged it with gdb.
>
> But I'm a bit stuck here because my gdb can't do thread debugging
>
> Unable to find libthread_db matching inferior's thread library, thread debugging will not be available
>
> I already added
>
> add-auto-load-safe-path /lib/libthread_db-1.0.so
>
> to my .gdbinit to fix that, but no success.
>
> all my gdb says is:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x76b366dc in ?? () from /usr/lib/libssl3.so
>
> Best Regards,
>
> Oliver

From rcritten at redhat.com Tue Mar 1 15:54:59 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 1 Mar 2016 10:54:59 -0500
Subject: [Mod_nss-list] NSSSessionTickets causes some segfault in error log
In-Reply-To:
References: <20160224100216.GA29619@graute-opti> <56CDD887.1000101@redhat.com> <20160225141039.GB29619@graute-opti> <20160225151241.GC29619@graute-opti> <56CF1ECC.4080303@redhat.com> <20160226131912.GD29619@graute-opti> <56D07029.7050202@redhat.com> <20160229082758.GB14634@graute-opti> <56D45B71.2020704@redhat.com> <20160229154255.GB16783@graute-opti>
Message-ID: <56D5BB53.2000106@redhat.com>

Oliver Graute wrote:
> Hello Rob,
>
> here is the backtrace I got from gdb:
>
> gdb httpd
> GNU gdb (GDB) 7.9.1
> Copyright (C) 2015 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "arm-poky-linux-gnueabi".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see: .
> Find the GDB manual and other documentation resources online at: .
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from httpd...(no debugging symbols found)...done.
> (gdb) run -X -e debug -k start
> Starting program: /usr/sbin/httpd -X -e debug -k start
> warning: Unable to find libthread_db matching inferior's thread
> library, thread debugging will not be available.
> [...]
> [58887.850679] TCP: request_sock_TCP: Possible SYN flooding on port
> 443. Dropping request.  Check SNMP counters.
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x76b366dc in ?? () from /usr/lib/libssl3.so
> (gdb) where
> #0  0x76b366dc in ?? () from /usr/lib/libssl3.so
> #1  0x769ac830 in PR_CallOnceWithArg () from /usr/lib/libnspr4.so
> #2  0x769ac830 in PR_CallOnceWithArg () from /usr/lib/libnspr4.so
> #3  0x76b359ac in ?? () from /usr/lib/libssl3.so
> Backtrace stopped: previous frame identical to this frame (corrupt stack?)
> (gdb)

Just an educated guess but looks like it is failing in a call to
ssl3_GetSessionTicketKeysPKCS11() which calls:

    if (PR_CallOnceWithArg(&generate_session_keys_once,
                           ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS)
        return SECFailure;

Unfortunately the symbols are still missing from your build so it's hard
to know why.

rob

From oliver.graute at gmail.com Wed Mar 2 16:23:39 2016
From: oliver.graute at gmail.com (Oliver Graute)
Date: Wed, 2 Mar 2016 17:23:39 +0100
Subject: [Mod_nss-list] NSSSessionTickets causes some segfault in error log
In-Reply-To: <56D5BB53.2000106@redhat.com>
References: <20160225141039.GB29619@graute-opti> <20160225151241.GC29619@graute-opti> <56CF1ECC.4080303@redhat.com> <20160226131912.GD29619@graute-opti> <56D07029.7050202@redhat.com> <20160229082758.GB14634@graute-opti> <56D45B71.2020704@redhat.com> <20160229154255.GB16783@graute-opti> <56D5BB53.2000106@redhat.com>
Message-ID: <20160302162339.GA5843@graute-opti>

>
> Just an educated guess but looks like it is failing in a call to
> ssl3_GetSessionTicketKeysPKCS11() which calls:
>
>     if (PR_CallOnceWithArg(&generate_session_keys_once,
>                            ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS)
>         return SECFailure;
>
> Unfortunately the symbols are still missing from your build so it's hard
> to know why.
Hello,

after I disabled the stripping in my Yocto environment I finally got some
debug symbols in my gdb on the target.

According to the gdb output (see below) the SegFault is located in:

nss/lib/ssl/ssl3ext.c:166

    static PRStatus
    ssl3_GenerateSessionTicketKeysPKCS11(void *data)
    {
        SECStatus rv;
        sslSocket *ss = (sslSocket *)data;
        SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY;
        SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey;

It looks to me that the access to the array goes wrong here (kt_rsa).
I wonder why it tries to access an RSA cert here, instead of some ECC certs.

Should I file a bug for this? If yes, where is the right place?

Probably a fix for me is to replace kt_rsa with kt_ecdh here. I'll try
it tomorrow.

Best regards,

Oliver

gdb httpd
GNU gdb (GDB) 7.9.1
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-poky-linux-gnueabi".
Type "show configuration" for configuration details.
For bug reporting instructions, please see: .
Find the GDB manual and other documentation resources online at: .
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from httpd...done.
(gdb) run -X -e debug -k start
Starting program: /usr/sbin/httpd -X -e debug -k start
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
[Wed Mar 02 14:44:57.512652 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module authn_file_module from /usr/lib/apache2/modules/mod_authn_file.so
[Wed Mar 02 14:44:57.568812 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module authn_core_module from /usr/lib/apache2/modules/mod_authn_core.so
[Wed Mar 02 14:44:57.624501 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module authz_host_module from /usr/lib/apache2/modules/mod_authz_host.so
[Wed Mar 02 14:44:57.685207 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module authz_groupfile_module from /usr/lib/apache2/modules/mod_authz_groupfile.so
[Wed Mar 02 14:44:57.742440 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module authz_user_module from /usr/lib/apache2/modules/mod_authz_user.so
[Wed Mar 02 14:44:57.807374 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module authz_core_module from /usr/lib/apache2/modules/mod_authz_core.so
[Wed Mar 02 14:44:57.868316 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module access_compat_module from /usr/lib/apache2/modules/mod_access_compat.so
[Wed Mar 02 14:44:57.932376 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module auth_basic_module from /usr/lib/apache2/modules/mod_auth_basic.so
[Wed Mar 02 14:44:58.000811 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module socache_shmcb_module from /usr/lib/apache2/modules/mod_socache_shmcb.so
[Wed Mar 02 14:44:58.069304 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module reqtimeout_module from /usr/lib/apache2/modules/mod_reqtimeout.so
[Wed Mar 02 14:44:58.138680 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module filter_module from /usr/lib/apache2/modules/mod_filter.so
[Wed Mar 02 14:44:58.247928 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module deflate_module from /usr/lib/apache2/modules/mod_deflate.so
[Wed Mar 02 14:44:58.322509 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module mime_module from /usr/lib/apache2/modules/mod_mime.so
[Wed Mar 02 14:44:58.408413 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module log_config_module from /usr/lib/apache2/modules/mod_log_config.so
[Wed Mar 02 14:44:58.481900 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module env_module from /usr/lib/apache2/modules/mod_env.so
[Wed Mar 02 14:44:58.564765 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module headers_module from /usr/lib/apache2/modules/mod_headers.so
[Wed Mar 02 14:44:58.643176 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module setenvif_module from /usr/lib/apache2/modules/mod_setenvif.so
[Wed Mar 02 14:44:58.723306 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module version_module from /usr/lib/apache2/modules/mod_version.so
[Wed Mar 02 14:45:00.884109 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module nss_module from /usr/lib/apache2/modules/libmodnss.so
[Wed Mar 02 14:45:00.987275 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module mpm_prefork_module from /usr/lib/apache2/modules/mod_mpm_prefork.so
[Wed Mar 02 14:45:01.079230 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module unixd_module from /usr/lib/apache2/modules/mod_unixd.so
[Wed Mar 02 14:45:01.177941 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module status_module from /usr/lib/apache2/modules/mod_status.so
[Wed Mar 02 14:45:01.281979 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module autoindex_module from /usr/lib/apache2/modules/mod_autoindex.so
[Wed Mar 02 14:45:01.378092 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module dir_module from /usr/lib/apache2/modules/mod_dir.so
[Wed Mar 02 14:45:01.476646 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module alias_module from /usr/lib/apache2/modules/mod_alias.so
[ 2985.141330] TCP: request_sock_TCP: Possible SYN flooding on port 443. Dropping request.  Check SNMP counters.

Program received signal SIGSEGV, Segmentation fault.
ssl3_GenerateSessionTicketKeysPKCS11 (data=0x17b040) at ssl3ext.c:166
166     ssl3ext.c: No such file or directory.

(gdb) backtrace
#0  ssl3_GenerateSessionTicketKeysPKCS11 (data=0x17b040) at ssl3ext.c:166
#1  0x769ac830 in PR_CallOnceWithArg (once=0x76b5e04c , func=0x76b366d0 , arg=arg@entry=0x17b040)
    at /home/graute/5411_IBIS/yocto/build-imx6ulevk/tmp/work/cortexa7hf-vfp-neon-poky-linux-gnueabi/nspr/4.10.8-r1/nspr-4.10.8/nspr/pr/src/misc/prinit.c:804
#2  0x76b359ac in ssl3_GetSessionTicketKeysPKCS11 (ss=ss@entry=0x17b040, aes_key=0x7effea44, aes_key@entry=0x7effea3c, mac_key=0x7effea48, mac_key@entry=0x7effea40)
    at ssl3ext.c:197
#3  0x76b37980 in ssl3_SendNewSessionTicket (ss=ss@entry=0x17b040) at ssl3ext.c:1132
#4  0x76b2d5bc in ssl3_HandleFinished (hashes=, length=, b=0x18284c ")|\217\266\373f\216\206vq?\r\004\254\250\254\301\344\373\037\261}*d\252\027\022\005\035\202\240\340\065v\214\225M\036^p\002!", ss=0x17b040)
    at ssl3con.c:11293
#5  ssl3_HandleHandshakeMessage (ss=ss@entry=0x17b040, b=0x18284c ")|\217\266\373f\216\206vq?\r\004\254\250\254\301\344\373\037\261}*d\252\027\022\005\035\202\240\340\065v\214\225M\036^p\002!", length=)
    at ssl3con.c:11649
#6  0x76b2f914 in ssl3_HandleHandshake (origBuf=0xd, ss=0x17b040) at ssl3con.c:11723
---Type to continue, or q to quit---
#7  ssl3_HandleRecord (ss=ss@entry=0x17b040, cText=cText@entry=0x7efff7ec, databuf=0xd, databuf@entry=0x17b2c0) at ssl3con.c:12392
#8  0x76b30be8 in ssl3_GatherCompleteHandshake (ss=0x17b040, flags=0) at ssl3gthr.c:378
#9  0x76b31764 in ssl_GatherRecord1stHandshake (ss=0x17b040) at sslcon.c:1213
#10 0x76b39d28 in ssl_Do1stHandshake (ss=ss@entry=0x17b040) at sslsecur.c:109
#11 0x76b3afc0 in ssl_SecureRecv (ss=0x17b040, buf=0x187088 "", len=8192, flags=0) at sslsecur.c:1227
#12 0x76b3ea50 in ssl_Read (fd=, buf=0x187088, len=8192) at sslsock.c:2397
#13 0x76b6c4e4 in nss_io_input_read (inctx=inctx@entry=0x187068, buf=buf@entry=0x187088 "", len=len@entry=0x7efff8c4)
    at /home/graute/5411_IBIS/yocto/build-imx6ulevk/tmp/work/cortexa7hf-vfp-neon-poky-linux-gnueabi/modnss/1.0.12-r0/mod_nss-1.0.12/nss_engine_io.c:353
#14 0x76b6d190 in nss_io_input_getline (len=0x7efff8b8, buf=0x187088 "", inctx=0x187068)
    at /home/graute/5411_IBIS/yocto/build-imx6ulevk/tmp/work/cortexa7hf-vfp-neon-poky-linux-gnueabi/modnss/1.0.12-r0/mod_nss-1.0.12/nss_engine_io.c:460
#15 nss_io_filter_input (f=0x189090, bb=0x18df58, mode=, block=, readbytes=0)
    at /home/graute/5411_IBIS/yocto/build-imx6ulevk/tmp/work/cortexa7hf-vfp-neon-poky-linux-gnueabi/modnss/1.0.12-r0/mod_nss-1.0.12/nss_engine_io.c:790
#16 0x0002d9a0 in ap_rgetline_core (s=s@entry=0x18d0d0, n=20, read=0x18d0b8,

From rcritten at redhat.com Wed Mar 2 16:31:03 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 2 Mar 2016 11:31:03 -0500
Subject: [Mod_nss-list] NSSSessionTickets causes some segfault in error log
In-Reply-To: <20160302162339.GA5843@graute-opti>
References: <20160225141039.GB29619@graute-opti> <20160225151241.GC29619@graute-opti> <56CF1ECC.4080303@redhat.com> <20160226131912.GD29619@graute-opti> <56D07029.7050202@redhat.com> <20160229082758.GB14634@graute-opti> <56D45B71.2020704@redhat.com> <20160229154255.GB16783@graute-opti> <56D5BB53.2000106@redhat.com> <20160302162339.GA5843@graute-opti>
Message-ID: <56D71547.4060504@redhat.com>

Oliver Graute wrote:
>>
>> Just an educated guess but looks like it is failing in a call to
>> ssl3_GetSessionTicketKeysPKCS11() which calls:
>>
>>     if (PR_CallOnceWithArg(&generate_session_keys_once,
>>                            ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS)
>>         return SECFailure;
>>
>> Unfortunately the symbols are still missing from your build so it's hard
>> to know why.
>
> Hello,
>
> after I disabled the stripping in my Yocto environment I finally got some
> debug symbols in my gdb on the target.
>
> According to the gdb output (see below) the SegFault is located in:
>
> nss/lib/ssl/ssl3ext.c:166
>
>     static PRStatus
>     ssl3_GenerateSessionTicketKeysPKCS11(void *data)
>     {
>         SECStatus rv;
>         sslSocket *ss = (sslSocket *)data;
>         SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY;
>         SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey;
>
>
> It looks to me that the access to the array goes wrong here (kt_rsa).
> I wonder why it tries to access an RSA cert here, instead of some ECC certs.
>
> Should I file a bug for this? If yes, where is the right place?
>
> Probably a fix for me is to replace kt_rsa with kt_ecdh here. I'll try
> it tomorrow.

Yes, I'd suggest you file a bug on it. The NSS bug tracker is at
https://bugzilla.mozilla.org/

rob

>
> Best regards,
>
> Oliver
>
>
> gdb httpd
> GNU gdb (GDB) 7.9.1
> Copyright (C) 2015 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "arm-poky-linux-gnueabi".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see: .
> Find the GDB manual and other documentation resources online at: .
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from httpd...done.
> (gdb) run -X -e debug -k start
> Starting program: /usr/sbin/httpd -X -e debug -k start
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/libthread_db.so.1".
> [...]
> [ 2985.141330] TCP: request_sock_TCP: Possible SYN flooding on port 443. Dropping request.  Check SNMP counters.
>
> Program received signal SIGSEGV, Segmentation fault.
> ssl3_GenerateSessionTicketKeysPKCS11 (data=0x17b040) at ssl3ext.c:166
> 166     ssl3ext.c: No such file or directory.
>
> (gdb) backtrace
> #0  ssl3_GenerateSessionTicketKeysPKCS11 (data=0x17b040) at ssl3ext.c:166
> #1  0x769ac830 in PR_CallOnceWithArg (once=0x76b5e04c , func=0x76b366d0 , arg=arg@entry=0x17b040)
>     at /home/graute/5411_IBIS/yocto/build-imx6ulevk/tmp/work/cortexa7hf-vfp-neon-poky-linux-gnueabi/nspr/4.10.8-r1/nspr-4.10.8/nspr/pr/src/misc/prinit.c:804
> #2  0x76b359ac in ssl3_GetSessionTicketKeysPKCS11 (ss=ss@entry=0x17b040, aes_key=0x7effea44, aes_key@entry=0x7effea3c, mac_key=0x7effea48, mac_key@entry=0x7effea40)
>     at ssl3ext.c:197
> #3  0x76b37980 in ssl3_SendNewSessionTicket (ss=ss@entry=0x17b040) at ssl3ext.c:1132
> #4  0x76b2d5bc in ssl3_HandleFinished (hashes=, length=, b=0x18284c ")|\217\266\373f\216\206vq?\r\004\254\250\254\301\344\373\037\261}*d\252\027\022\005\035\202\240\340\065v\214\225M\036^p\002!", ss=0x17b040)
>     at ssl3con.c:11293
> #5  ssl3_HandleHandshakeMessage (ss=ss@entry=0x17b040, b=0x18284c ")|\217\266\373f\216\206vq?\r\004\254\250\254\301\344\373\037\261}*d\252\027\022\005\035\202\240\340\065v\214\225M\036^p\002!", length=)
>     at ssl3con.c:11649
> #6  0x76b2f914 in ssl3_HandleHandshake (origBuf=0xd, ss=0x17b040) at ssl3con.c:11723
> ---Type to continue, or q to quit---
> #7  ssl3_HandleRecord (ss=ss@entry=0x17b040, cText=cText@entry=0x7efff7ec, databuf=0xd, databuf@entry=0x17b2c0) at ssl3con.c:12392
> #8  0x76b30be8 in ssl3_GatherCompleteHandshake (ss=0x17b040, flags=0) at ssl3gthr.c:378
> #9  0x76b31764 in ssl_GatherRecord1stHandshake (ss=0x17b040) at sslcon.c:1213
> #10 0x76b39d28 in ssl_Do1stHandshake (ss=ss@entry=0x17b040) at sslsecur.c:109
> #11 0x76b3afc0 in ssl_SecureRecv (ss=0x17b040, buf=0x187088 "", len=8192, flags=0) at sslsecur.c:1227
> #12 0x76b3ea50 in ssl_Read (fd=, buf=0x187088, len=8192) at sslsock.c:2397
> #13 0x76b6c4e4 in nss_io_input_read (inctx=inctx@entry=0x187068, buf=buf@entry=0x187088 "", len=len@entry=0x7efff8c4)
>     at /home/graute/5411_IBIS/yocto/build-imx6ulevk/tmp/work/cortexa7hf-vfp-neon-poky-linux-gnueabi/modnss/1.0.12-r0/mod_nss-1.0.12/nss_engine_io.c:353
> #14 0x76b6d190 in nss_io_input_getline (len=0x7efff8b8, buf=0x187088 "", inctx=0x187068)
>     at /home/graute/5411_IBIS/yocto/build-imx6ulevk/tmp/work/cortexa7hf-vfp-neon-poky-linux-gnueabi/modnss/1.0.12-r0/mod_nss-1.0.12/nss_engine_io.c:460
> #15 nss_io_filter_input (f=0x189090, bb=0x18df58, mode=, block=, readbytes=0)
>     at /home/graute/5411_IBIS/yocto/build-imx6ulevk/tmp/work/cortexa7hf-vfp-neon-poky-linux-gnueabi/modnss/1.0.12-r0/mod_nss-1.0.12/nss_engine_io.c:790
> #16 0x0002d9a0 in ap_rgetline_core (s=s@entry=0x18d0d0, n=20, read=0x18d0b8,
>
> _______________________________________________
> Mod_nss-list mailing list
> Mod_nss-list at redhat.com
> https://www.redhat.com/mailman/listinfo/mod_nss-list
>

From oliver.graute at gmail.com Thu Mar 3 08:04:34 2016
From: oliver.graute at gmail.com (Oliver Graute)
Date: Thu, 3 Mar 2016 09:04:34 +0100
Subject: [Mod_nss-list] NSSSessionTickets causes some segfault in error log
In-Reply-To: <56D71547.4060504@redhat.com>
References: <56CF1ECC.4080303@redhat.com> <20160226131912.GD29619@graute-opti> <56D07029.7050202@redhat.com> <20160229082758.GB14634@graute-opti> <56D45B71.2020704@redhat.com> <20160229154255.GB16783@graute-opti> <56D5BB53.2000106@redhat.com> <20160302162339.GA5843@graute-opti> <56D71547.4060504@redhat.com>
Message-ID: <20160303080434.GA14698@graute-opti>

On 02/03/16, Rob Crittenden wrote:
> Oliver Graute wrote:
>>>
>>> Just an educated guess but looks like it is failing in a call to
>>> ssl3_GetSessionTicketKeysPKCS11() which calls:
>>>
>>>     if (PR_CallOnceWithArg(&generate_session_keys_once,
>>>                            ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS)
>>>         return SECFailure;
>>>
>>> Unfortunately the symbols are still missing from your build so it's hard
>>> to know why.
>>
>> Hello,
>>
>> after I disabled the stripping in my Yocto environment I finally got some
>> debug symbols in my gdb on the target.
>>
>> According to the gdb output (see below) the SegFault is located in:
>>
>> nss/lib/ssl/ssl3ext.c:166
>>
>>     static PRStatus
>>     ssl3_GenerateSessionTicketKeysPKCS11(void *data)
>>     {
>>         SECStatus rv;
>>         sslSocket *ss = (sslSocket *)data;
>>         SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY;
>>         SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey;
>>
>>
>> It looks to me that the access to the array goes wrong here (kt_rsa).
>> I wonder why it tries to access an RSA cert here, instead of some ECC certs.
>>
>> Should I file a bug for this? If yes, where is the right place?
>>
>> Probably a fix for me is to replace kt_rsa with kt_ecdh here. I'll try
>> it tomorrow.
>
> Yes, I'd suggest you file a bug on it. The NSS bug tracker is at
> https://bugzilla.mozilla.org/

I filed a bug for this issue here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1253175

Best regards,

Oliver

From oliver.graute at gmail.com Fri Mar 4 07:40:53 2016
From: oliver.graute at gmail.com (Oliver Graute)
Date: Fri, 4 Mar 2016 08:40:53 +0100
Subject: [Mod_nss-list] how to export some x509v3 extensions with NSSOptions +StdEnvVars
Message-ID: <20160304074053.GA27307@graute-opti>

Hello,

I'm using the following x509v3 extensions in my client certificate.
[ x509v3 ] basicConstraints = critical,CA:FALSE nsCertType = client keyUsage = digitalSignature,nonRepudiation,keyEncipherment extendedKeyUsage = clientAuth, serverAuth, emailProtection keyUsage = critical,digitalSignature subjectKeyIdentifier = hash authorityKeyIdentifier = keyid crlDistributionPoints = crlDistributionPoint0_sect 1.3.6.1.3.1.1.1 = ASN1:UTF8String:POSEUR Is it possible to export these x509v3 extensions with NSSOptions +StdEnvVars or any other NSSOption? especially I need to export the "1.3.6.1.3.1.1.1 = ASN1:UTF8String:POSEUR" in my php environment. Is it possible to configure or patch mod_nss to achive this? where is the right place to adapt the code for this? Best regards, Oliver From rcritten at redhat.com Fri Mar 4 15:21:57 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 4 Mar 2016 10:21:57 -0500 Subject: [Mod_nss-list] how to export some x509v3 extensions with NSSOptions +StdEnvVars In-Reply-To: <20160304074053.GA27307@graute-opti> References: <20160304074053.GA27307@graute-opti> Message-ID: <56D9A815.1060006@redhat.com> Oliver Graute wrote: > Hello, > > I'am using the following x509v3 extensions in my client certificate. > > [ x509v3 ] > basicConstraints = critical,CA:FALSE > nsCertType = client > keyUsage = digitalSignature,nonRepudiation,keyEncipherment > extendedKeyUsage = clientAuth, serverAuth, emailProtection > keyUsage = critical,digitalSignature > subjectKeyIdentifier = hash > authorityKeyIdentifier = keyid > crlDistributionPoints = crlDistributionPoint0_sect > 1.3.6.1.3.1.1.1 = ASN1:UTF8String:POSEUR > > Is it possible to export these x509v3 extensions with NSSOptions > +StdEnvVars or any other NSSOption? > > especially I need to export the "1.3.6.1.3.1.1.1 = > ASN1:UTF8String:POSEUR" in my php environment. > > Is it possible to configure or patch mod_nss to achive this? where is > the right place to adapt the code for this? It isn't exported today. You have a couple of options: 1. 
you should have the full cert available in PHP. You could use that to
pull out the extensions yourself assuming PHP has the tools needed to
parse x509 certs.

2. tweak nss_engine_vars.c to be able to pull out generic or specific
extensions. You'd want to cross-check with mod_ssl to see if there is
already a "standard" for how the variables would be named. This would be
much harder than #1.

I'm working on extracting a subset of SAN now but that's it.

rob

From oliver.graute at gmail.com Mon Mar 7 07:14:59 2016
From: oliver.graute at gmail.com (Oliver Graute)
Date: Mon, 7 Mar 2016 08:14:59 +0100
Subject: [Mod_nss-list] how to export some x509v3 extensions with NSSOptions +StdEnvVars
In-Reply-To: <56D9A815.1060006@redhat.com>
References: <20160304074053.GA27307@graute-opti> <56D9A815.1060006@redhat.com>
Message-ID: <20160307071459.GA19820@graute-opti>

On 04/03/16, Rob Crittenden wrote:
> Oliver Graute wrote:
> > Hello,
> >
> > I'm using the following x509v3 extensions in my client certificate.
> >
> > [ x509v3 ]
> > basicConstraints = critical,CA:FALSE
> > nsCertType = client
> > keyUsage = digitalSignature,nonRepudiation,keyEncipherment
> > extendedKeyUsage = clientAuth, serverAuth, emailProtection
> > keyUsage = critical,digitalSignature
> > subjectKeyIdentifier = hash
> > authorityKeyIdentifier = keyid
> > crlDistributionPoints = crlDistributionPoint0_sect
> > 1.3.6.1.3.1.1.1 = ASN1:UTF8String:POSEUR
> >
> > Is it possible to export these x509v3 extensions with NSSOptions
> > +StdEnvVars or any other NSSOption?
> >
> > Especially I need to export the "1.3.6.1.3.1.1.1 =
> > ASN1:UTF8String:POSEUR" in my php environment.
> >
> > Is it possible to configure or patch mod_nss to achieve this? Where is
> > the right place to adapt the code for this?
>
> It isn't exported today. You have a couple of options:
>
> 1. you should have the full cert available in PHP. You could use that to
> pull out the extensions yourself assuming PHP has the tools needed to
> parse x509 certs.

Yes, php has the tools to parse that x509 cert. openssl_x509_parse() can
do that job. But then I need to link against openssl, which I want to avoid.
Is it possible to link mod_php against nss?

> 2. tweak nss_engine_vars.c to be able to pull out generic or specific
> extensions. You'd want to cross-check with mod_ssl to see if there is
> already a "standard" for how the variables would be named. This would be
> much harder than #1.

I'll look into it.

Best regards,

Oliver

From rcritten at redhat.com Mon Mar 7 13:59:36 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 7 Mar 2016 08:59:36 -0500
Subject: [Mod_nss-list] how to export some x509v3 extensions with NSSOptions +StdEnvVars
In-Reply-To: <20160307071459.GA19820@graute-opti>
References: <20160304074053.GA27307@graute-opti> <56D9A815.1060006@redhat.com> <20160307071459.GA19820@graute-opti>
Message-ID: <56DD8948.1090505@redhat.com>

Oliver Graute wrote:
> On 04/03/16, Rob Crittenden wrote:
>> Oliver Graute wrote:
>>> Hello,
>>>
>>> I'm using the following x509v3 extensions in my client certificate.
>>>
>>> [ x509v3 ]
>>> basicConstraints = critical,CA:FALSE
>>> nsCertType = client
>>> keyUsage = digitalSignature,nonRepudiation,keyEncipherment
>>> extendedKeyUsage = clientAuth, serverAuth, emailProtection
>>> keyUsage = critical,digitalSignature
>>> subjectKeyIdentifier = hash
>>> authorityKeyIdentifier = keyid
>>> crlDistributionPoints = crlDistributionPoint0_sect
>>> 1.3.6.1.3.1.1.1 = ASN1:UTF8String:POSEUR
>>>
>>> Is it possible to export these x509v3 extensions with NSSOptions
>>> +StdEnvVars or any other NSSOption?
>>>
>>> Especially I need to export the "1.3.6.1.3.1.1.1 =
>>> ASN1:UTF8String:POSEUR" in my php environment.
>>>
>>> Is it possible to configure or patch mod_nss to achieve this? Where is
>>> the right place to adapt the code for this?
>>
>> It isn't exported today. You have a couple of options:
>>
>> 1. you should have the full cert available in PHP. You could use that to
>> pull out the extensions yourself assuming PHP has the tools needed to
>> parse x509 certs.
>
> Yes, php has the tools to parse that x509 cert. openssl_x509_parse() can
> do that job. But then I need to link against openssl, which I want to avoid.
> Is it possible to link mod_php against nss?

I don't know. If PHP has an ASN.1 parser you could parse the cert yourself
though this would probably be fairly painful.

>> 2. tweak nss_engine_vars.c to be able to pull out generic or specific
>> extensions. You'd want to cross-check with mod_ssl to see if there is
>> already a "standard" for how the variables would be named. This would be
>> much harder than #1.
>
> I'll look into it.
>
> Best regards,
>
> Oliver
>

From rcritten at redhat.com Mon Mar 7 15:32:33 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 7 Mar 2016 10:32:33 -0500
Subject: [Mod_nss-list] mod_nss 1.0.13 released
Message-ID: <56DD9F11.2060207@redhat.com>

I released mod_nss 1.0.13 this morning.

The major changes are:

* Check for Apache user owner/group read permissions of NSS database at startup
* Update default ciphers to something more modern and secure
* Check for host and netstat commands in gencert before trying to use them
* Don't ignore NSSProtocol when NSSFIPS is enabled
* Use proper shell syntax to avoid creating /0 in gencert
* Add server support for DHE ciphers
* Extract SAN from server/client certificates into env
* Fix memory leaks and other coding issues caught by clang analyzer

rob

From vcizek at suse.com Thu Mar 17 14:54:29 2016
From: vcizek at suse.com (Vitezslav Cizek)
Date: Thu, 17 Mar 2016 15:54:29 +0100
Subject: [Mod_nss-list] [PATCH] migrate.pl improvements
Message-ID: <20160317145429.GC25485@kolac.suse.cz>

Hi,
I can't log in to fedorahosted for some reason, so I can't create a
ticket there.

I'm attaching a patch for the migrate.pl script.

The changes are:
* Use a whitelist instead of a blacklist for migrated directives,
  because more of them are specific to mod_ssl than common
* Don't translate SSLCipherSuite, we support OpenSSL strings now
* Add input (-r) and output options (-w) for the configuration files,
  instead of using ssl.conf and nss.conf
* Commented lines are now recognized even if they begin with whitespace
* The script keeps nestable apache configuration block directives
* Print more verbose disclaimer
* Set NSSProtocol unconditionally

--
Vita Cizek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_nss-migrate.pl.patch
Type: text/x-patch
Size: 11813 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: From rcritten at redhat.com Thu Mar 17 15:41:57 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 17 Mar 2016 11:41:57 -0400 Subject: [Mod_nss-list] [PATCH] migrate.pl improvements In-Reply-To: <20160317145429.GC25485@kolac.suse.cz> References: <20160317145429.GC25485@kolac.suse.cz> Message-ID: <56EAD045.6010302@redhat.com> Vitezslav Cizek wrote: > Hi, > I can't log in to fedorahosted for some reason, so I can't create a > ticket there. > > I'm attaching a patch for the migrate.pl script. > > The changes are: > * Use a whitelist instead of a blacklist for migrated directives, > because more of them are specific to mod_ssl than common > * Don't translate SSLCipherSuite, we support OpenSSL strings now > * Add input (-r) and output options (-w) for the configuration files, > instead of using ssl.conf and nss.conf > * Commented lines are now recognized even if they begin with whitespace > * The script keeps nestable apache configuration block directives > * Print more verbose disclaimer > * Set NSSProtocol unconditionally Thanks for the patch! I created https://fedorahosted.org/mod_nss/ticket/25 to track this. Some comments: I think it would be best to completely drop get_ciphers and the lines that were calling it. There is a problem though. In Fedora/RHEL/CentOS there is a movement towards a system-level SSL/TLS configuration. This leaves an unusable configuration of: NSSCipherSuite PROFILE=SYSTEM NSSProxyCipherSuite PROFILE=SYSTEM This is because NSS is almost, but not quite, there when it comes to system-level config and it is going to be configured differently. The OpenSSL policy file in Fedora is /etc/crypto-policies/back-ends/openssl.config. I don't know how safe it is to slurp that in and use it. On my box it is just a cipher string. So either the system config needs to be read and the values replaced or get_ciphers needs to be updated big time. 
I'd prefer the former. Need to force a value for NSSProxyProtocol like NSSProtocol. I think SSLFIPS can be removed from the whitelist. The header written to the mod_nss output file needs to be changed because the comments are no longer omitted. regards rob From vcizek at suse.com Thu Mar 17 16:16:36 2016 From: vcizek at suse.com (Vitezslav Cizek) Date: Thu, 17 Mar 2016 17:16:36 +0100 Subject: [Mod_nss-list] [PATCH] migrate.pl improvements In-Reply-To: <20160317145429.GC25485@kolac.suse.cz> References: <20160317145429.GC25485@kolac.suse.cz> Message-ID: <20160317161636.GD25485@kolac.suse.cz> * Dne ?tvrtek 17. b?ezen 2016, 15:54:29 [CET] Vitezslav Cizek napsal: > Hi, > I can't log in to fedorahosted for some reason, so I can't create a > ticket there. > > I'm attaching a patch for the migrate.pl script. > > The changes are: > * Use a whitelist instead of a blacklist for migrated directives, > because more of them are specific to mod_ssl than common > * Don't translate SSLCipherSuite, we support OpenSSL strings now > * Add input (-r) and output options (-w) for the configuration files, > instead of using ssl.conf and nss.conf > * Commented lines are now recognized even if they begin with whitespace > * The script keeps nestable apache configuration block directives > * Print more verbose disclaimer > * Set NSSProtocol unconditionally Attaching a new patch that fixes a logical error that slipped in when moving from the blacklist approach to whitelist. -- Vita Cizek -------------- next part -------------- A non-text attachment was scrubbed... Name: mod_nss-migrate.pl.patch Type: text/x-patch Size: 12343 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: From vcizek at suse.com Fri Mar 18 14:36:15 2016 From: vcizek at suse.com (Vitezslav Cizek) Date: Fri, 18 Mar 2016 15:36:15 +0100 Subject: [Mod_nss-list] [PATCH] migrate.pl improvements In-Reply-To: <56EAD045.6010302@redhat.com> References: <20160317145429.GC25485@kolac.suse.cz> <56EAD045.6010302@redhat.com> Message-ID: <20160318143615.GA13138@kolac.suse.cz> * Dne ?tvrtek 17. b?ezen 2016, 16:41:57 [CET] Rob Crittenden napsal: > Vitezslav Cizek wrote: > >Hi, > >I can't log in to fedorahosted for some reason, so I can't create a > >ticket there. > > > >I'm attaching a patch for the migrate.pl script. > > > >The changes are: > >* Use a whitelist instead of a blacklist for migrated directives, > >because more of them are specific to mod_ssl than common > >* Don't translate SSLCipherSuite, we support OpenSSL strings now > >* Add input (-r) and output options (-w) for the configuration files, > >instead of using ssl.conf and nss.conf > >* Commented lines are now recognized even if they begin with whitespace > >* The script keeps nestable apache configuration block directives > >* Print more verbose disclaimer > >* Set NSSProtocol unconditionally > > Thanks for the patch! I created https://fedorahosted.org/mod_nss/ticket/25 > to track this. Thanks, I updated the patch in there. > Some comments: > > I think it would be best to completely drop get_ciphers and the lines that > were calling it. > > There is a problem though. I sort of expected that this step may cause some problems, that's why I left the code in, but commented it out. > In Fedora/RHEL/CentOS there is a movement towards a > system-level SSL/TLS configuration. This leaves an unusable configuration of: > > NSSCipherSuite PROFILE=SYSTEM > NSSProxyCipherSuite PROFILE=SYSTEM > > This is because NSS is almost, but not quite, there when it comes to > system-level config and it is going to be configured differently. 
> > The OpenSSL policy file in Fedora is > /etc/crypto-policies/back-ends/openssl.config. I don't know how safe it is > to slurp that in and use it. On my box it is just a cipher string. > > So either the system config needs to be read and the values replaced or > get_ciphers needs to be updated big time. I'd prefer the former. If centralized cipher settings are in place, then the migrate.pl script should definitely be aware of them. This is however Fedora/RHEL specific. I think, we can keep the cipher string on other distributions. > Need to force a value for NSSProxyProtocol like NSSProtocol. > > I think SSLFIPS can be removed from the whitelist. Done. > The header written to the mod_nss output file needs to be changed because > the comments are no longer omitted. Yes, that was an oversight. > rob -- Vita Cizek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: From rcritten at redhat.com Fri Mar 18 14:44:34 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 18 Mar 2016 10:44:34 -0400 Subject: [Mod_nss-list] [PATCH] migrate.pl improvements In-Reply-To: <20160318143615.GA13138@kolac.suse.cz> References: <20160317145429.GC25485@kolac.suse.cz> <56EAD045.6010302@redhat.com> <20160318143615.GA13138@kolac.suse.cz> Message-ID: <56EC1452.5020209@redhat.com> Vitezslav Cizek wrote: > * Dne ?tvrtek 17. b?ezen 2016, 16:41:57 [CET] Rob Crittenden napsal: >> Vitezslav Cizek wrote: >>> Hi, >>> I can't log in to fedorahosted for some reason, so I can't create a >>> ticket there. >>> >>> I'm attaching a patch for the migrate.pl script. 
>>> >>> The changes are: >>> * Use a whitelist instead of a blacklist for migrated directives, >>> because more of them are specific to mod_ssl than common >>> * Don't translate SSLCipherSuite, we support OpenSSL strings now >>> * Add input (-r) and output options (-w) for the configuration files, >>> instead of using ssl.conf and nss.conf >>> * Commented lines are now recognized even if they begin with whitespace >>> * The script keeps nestable apache configuration block directives >>> * Print more verbose disclaimer >>> * Set NSSProtocol unconditionally >> >> Thanks for the patch! I created https://fedorahosted.org/mod_nss/ticket/25 >> to track this. > > Thanks, I updated the patch in there. Ok thanks, I'll take a look. > >> Some comments: >> >> I think it would be best to completely drop get_ciphers and the lines that >> were calling it. >> >> There is a problem though. > > I sort of expected that this step may cause some problems, that's why > I left the code in, but commented it out. > >> In Fedora/RHEL/CentOS there is a movement towards a >> system-level SSL/TLS configuration. This leaves an unusable configuration of: >> >> NSSCipherSuite PROFILE=SYSTEM >> NSSProxyCipherSuite PROFILE=SYSTEM >> >> This is because NSS is almost, but not quite, there when it comes to >> system-level config and it is going to be configured differently. >> >> The OpenSSL policy file in Fedora is >> /etc/crypto-policies/back-ends/openssl.config. I don't know how safe it is >> to slurp that in and use it. On my box it is just a cipher string. >> >> So either the system config needs to be read and the values replaced or >> get_ciphers needs to be updated big time. I'd prefer the former. > > If centralized cipher settings are in place, then the migrate.pl script > should definitely be aware of them. > This is however Fedora/RHEL specific. > I think, we can keep the cipher string on other distributions. Yup. 
I think we can just look for PROFILE=SYSTEM and slurp in /etc/crypto-policies/back-ends/openssl.config. I can add this on after your patch if you'd prefer. >> Need to force a value for NSSProxyProtocol like NSSProtocol. >> >> I think SSLFIPS can be removed from the whitelist. > > Done. > >> The header written to the mod_nss output file needs to be changed because >> the comments are no longer omitted. > > Yes, that was an oversight. > >> rob > From vcizek at suse.com Fri Mar 18 20:03:39 2016 From: vcizek at suse.com (Vitezslav Cizek) Date: Fri, 18 Mar 2016 21:03:39 +0100 Subject: [Mod_nss-list] [PATCH] migrate.pl improvements In-Reply-To: <56EC1452.5020209@redhat.com> References: <20160317145429.GC25485@kolac.suse.cz> <56EAD045.6010302@redhat.com> <20160318143615.GA13138@kolac.suse.cz> <56EC1452.5020209@redhat.com> Message-ID: <20160318200339.GA23016@kolac.suse.cz> Hi Rob, * Dne P?tek 18. b?ezen 2016, 15:44:34 [CET] Rob Crittenden napsal: > > >>Thanks for the patch! I created https://fedorahosted.org/mod_nss/ticket/25 > >>to track this. > > > >Thanks, I updated the patch in there. > > Ok thanks, I'll take a look. The new patch incorporates suggestions from your first email. > >>Some comments: > >> > >>I think it would be best to completely drop get_ciphers and the lines that > >>were calling it. > >> > >>There is a problem though. > > > >I sort of expected that this step may cause some problems, that's why > >I left the code in, but commented it out. > > > >>In Fedora/RHEL/CentOS there is a movement towards a > >>system-level SSL/TLS configuration. This leaves an unusable configuration of: > >> > >>NSSCipherSuite PROFILE=SYSTEM > >>NSSProxyCipherSuite PROFILE=SYSTEM > >> > >>This is because NSS is almost, but not quite, there when it comes to > >>system-level config and it is going to be configured differently. > >> > >>The OpenSSL policy file in Fedora is > >>/etc/crypto-policies/back-ends/openssl.config. 
I don't know how safe it is > >>to slurp that in and use it. On my box it is just a cipher string. > >> > >>So either the system config needs to be read and the values replaced or > >>get_ciphers needs to be updated big time. I'd prefer the former. > > > >If centralized cipher settings are in place, then the migrate.pl script > >should definitely be aware of them. > >This is however Fedora/RHEL specific. > >I think, we can keep the cipher string on other distributions. > > Yup. I think we can just look for PROFILE=SYSTEM and slurp in > /etc/crypto-policies/back-ends/openssl.config. I can add this on after your > patch if you'd prefer. I wouldn't, feel free to modify the patch. -- Vita Cizek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: From rcritten at redhat.com Fri Mar 18 21:25:13 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 18 Mar 2016 17:25:13 -0400 Subject: [Mod_nss-list] [PATCH] migrate.pl improvements In-Reply-To: <20160318200339.GA23016@kolac.suse.cz> References: <20160317145429.GC25485@kolac.suse.cz> <56EAD045.6010302@redhat.com> <20160318143615.GA13138@kolac.suse.cz> <56EC1452.5020209@redhat.com> <20160318200339.GA23016@kolac.suse.cz> Message-ID: <56EC7239.9030303@redhat.com> Vitezslav Cizek wrote: > Hi Rob, > > * Dne P?tek 18. b?ezen 2016, 15:44:34 [CET] Rob Crittenden napsal: >> >>>> Thanks for the patch! I created https://fedorahosted.org/mod_nss/ticket/25 >>>> to track this. >>> >>> Thanks, I updated the patch in there. >> >> Ok thanks, I'll take a look. > > The new patch incorporates suggestions from your first email. > >>>> Some comments: >>>> >>>> I think it would be best to completely drop get_ciphers and the lines that >>>> were calling it. >>>> >>>> There is a problem though. >>> >>> I sort of expected that this step may cause some problems, that's why >>> I left the code in, but commented it out. 
>>> >>>> In Fedora/RHEL/CentOS there is a movement towards a >>>> system-level SSL/TLS configuration. This leaves an unusable configuration of: >>>> >>>> NSSCipherSuite PROFILE=SYSTEM >>>> NSSProxyCipherSuite PROFILE=SYSTEM >>>> >>>> This is because NSS is almost, but not quite, there when it comes to >>>> system-level config and it is going to be configured differently. >>>> >>>> The OpenSSL policy file in Fedora is >>>> /etc/crypto-policies/back-ends/openssl.config. I don't know how safe it is >>>> to slurp that in and use it. On my box it is just a cipher string. >>>> >>>> So either the system config needs to be read and the values replaced or >>>> get_ciphers needs to be updated big time. I'd prefer the former. >>> >>> If centralized cipher settings are in place, then the migrate.pl script >>> should definitely be aware of them. >>> This is however Fedora/RHEL specific. >>> I think, we can keep the cipher string on other distributions. >> >> Yup. I think we can just look for PROFILE=SYSTEM and slurp in >> /etc/crypto-policies/back-ends/openssl.config. I can add this on after your >> patch if you'd prefer. > > I wouldn't, feel free to modify the patch. > Ok. I need to remove/comment out SSLRandomSeed connect builtin too. I'm going to try to make some of the wording less platform-specific. I've been guilty of this too :-( I might convert this into a generated file so configure can set this up properly. What do you think? The alternative is distro-specific patches that change the paths. Given the infrequency that this is updated it might be preferable. 
rob From rcritten at redhat.com Fri Mar 18 22:20:46 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 18 Mar 2016 18:20:46 -0400 Subject: [Mod_nss-list] [PATCH] migrate.pl improvements In-Reply-To: <56EC7239.9030303@redhat.com> References: <20160317145429.GC25485@kolac.suse.cz> <56EAD045.6010302@redhat.com> <20160318143615.GA13138@kolac.suse.cz> <56EC1452.5020209@redhat.com> <20160318200339.GA23016@kolac.suse.cz> <56EC7239.9030303@redhat.com> Message-ID: <56EC7F3E.8000201@redhat.com> Rob Crittenden wrote: > Vitezslav Cizek wrote: >> Hi Rob, >> >> * Dne P?tek 18. b?ezen 2016, 15:44:34 [CET] Rob Crittenden napsal: >>> >>>>> Thanks for the patch! I created >>>>> https://fedorahosted.org/mod_nss/ticket/25 >>>>> to track this. >>>> >>>> Thanks, I updated the patch in there. >>> >>> Ok thanks, I'll take a look. >> >> The new patch incorporates suggestions from your first email. >> >>>>> Some comments: >>>>> >>>>> I think it would be best to completely drop get_ciphers and the >>>>> lines that >>>>> were calling it. >>>>> >>>>> There is a problem though. >>>> >>>> I sort of expected that this step may cause some problems, that's why >>>> I left the code in, but commented it out. >>>> >>>>> In Fedora/RHEL/CentOS there is a movement towards a >>>>> system-level SSL/TLS configuration. This leaves an unusable >>>>> configuration of: >>>>> >>>>> NSSCipherSuite PROFILE=SYSTEM >>>>> NSSProxyCipherSuite PROFILE=SYSTEM >>>>> >>>>> This is because NSS is almost, but not quite, there when it comes to >>>>> system-level config and it is going to be configured differently. >>>>> >>>>> The OpenSSL policy file in Fedora is >>>>> /etc/crypto-policies/back-ends/openssl.config. I don't know how >>>>> safe it is >>>>> to slurp that in and use it. On my box it is just a cipher string. >>>>> >>>>> So either the system config needs to be read and the values >>>>> replaced or >>>>> get_ciphers needs to be updated big time. I'd prefer the former. 
>>>> >>>> If centralized cipher settings are in place, then the migrate.pl script >>>> should definitely be aware of them. >>>> This is however Fedora/RHEL specific. >>>> I think, we can keep the cipher string on other distributions. >>> >>> Yup. I think we can just look for PROFILE=SYSTEM and slurp in >>> /etc/crypto-policies/back-ends/openssl.config. I can add this on >>> after your >>> patch if you'd prefer. >> >> I wouldn't, feel free to modify the patch. >> > > Ok. I need to remove/comment out SSLRandomSeed connect builtin too. > > I'm going to try to make some of the wording less platform-specific. > I've been guilty of this too :-( I might convert this into a generated > file so configure can set this up properly. What do you think? The > alternative is distro-specific patches that change the paths. Given the > infrequency that this is updated it might be preferable. Here is what I came up with. I dropped a bit of info from the summary after conversion because it was distro specific and I didn't really see the need. Why would a VirtualHost be ok in mod_ssl and not mod_nss? I also dropped get_ciphers(). It will be in git if there is ever a need to revive it. This should apply on top of your latest patch. Let me know what you think. rob -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0001-Handle-migrating-Fedora-specific-policy-cleanup-outp.patch Type: text/x-diff Size: 7692 bytes Desc: not available URL: From vcizek at suse.com Mon Mar 21 08:52:41 2016 From: vcizek at suse.com (Vitezslav Cizek) Date: Mon, 21 Mar 2016 09:52:41 +0100 Subject: [Mod_nss-list] [PATCH] migrate.pl improvements In-Reply-To: <56EC7F3E.8000201@redhat.com> References: <20160317145429.GC25485@kolac.suse.cz> <56EAD045.6010302@redhat.com> <20160318143615.GA13138@kolac.suse.cz> <56EC1452.5020209@redhat.com> <20160318200339.GA23016@kolac.suse.cz> <56EC7239.9030303@redhat.com> <56EC7F3E.8000201@redhat.com> Message-ID: <20160321085241.GA15953@kolac.suse.cz> Hi Rob, * Dne P?tek 18. b?ezen 2016, 23:20:46 [CET] Rob Crittenden napsal: > Rob Crittenden wrote: > >Vitezslav Cizek wrote: > >>Hi Rob, > >> > >>* Dne P?tek 18. b?ezen 2016, 15:44:34 [CET] Rob Crittenden napsal: > >>> > >>>>>Thanks for the patch! I created > >>>>>https://fedorahosted.org/mod_nss/ticket/25 > >>>>>to track this. > >>>> > >>>>Thanks, I updated the patch in there. > >>> > >>>Ok thanks, I'll take a look. > >> > >>The new patch incorporates suggestions from your first email. > >> > >>>>>Some comments: > >>>>> > >>>>>I think it would be best to completely drop get_ciphers and the > >>>>>lines that > >>>>>were calling it. > >>>>> > >>>>>There is a problem though. > >>>> > >>>>I sort of expected that this step may cause some problems, that's why > >>>>I left the code in, but commented it out. > >>>> > >>>>>In Fedora/RHEL/CentOS there is a movement towards a > >>>>>system-level SSL/TLS configuration. This leaves an unusable > >>>>>configuration of: > >>>>> > >>>>>NSSCipherSuite PROFILE=SYSTEM > >>>>>NSSProxyCipherSuite PROFILE=SYSTEM > >>>>> > >>>>>This is because NSS is almost, but not quite, there when it comes to > >>>>>system-level config and it is going to be configured differently. > >>>>> > >>>>>The OpenSSL policy file in Fedora is > >>>>>/etc/crypto-policies/back-ends/openssl.config. 
I don't know how > >>>>>safe it is > >>>>>to slurp that in and use it. On my box it is just a cipher string. > >>>>> > >>>>>So either the system config needs to be read and the values > >>>>>replaced or > >>>>>get_ciphers needs to be updated big time. I'd prefer the former. > >>>> > >>>>If centralized cipher settings are in place, then the migrate.pl script > >>>>should definitely be aware of them. > >>>>This is however Fedora/RHEL specific. > >>>>I think, we can keep the cipher string on other distributions. > >>> > >>>Yup. I think we can just look for PROFILE=SYSTEM and slurp in > >>>/etc/crypto-policies/back-ends/openssl.config. I can add this on > >>>after your > >>>patch if you'd prefer. > >> > >>I wouldn't, feel free to modify the patch. > >> > > > >Ok. I need to remove/comment out SSLRandomSeed connect builtin too. > > > >I'm going to try to make some of the wording less platform-specific. > >I've been guilty of this too :-( I might convert this into a generated > >file so configure can set this up properly. What do you think? The > >alternative is distro-specific patches that change the paths. Given the > >infrequency that this is updated it might be preferable. > > Here is what I came up with. > > I dropped a bit of info from the summary after conversion because it was > distro specific and I didn't really see the need. Why would a VirtualHost be > ok in mod_ssl and not mod_nss? It originated from our old patch, so, yes, it was distro specific. > I also dropped get_ciphers(). It will be in git if there is ever a need to > revive it. Ok, we have no need for it now anyway. > This should apply on top of your latest patch. Let me know what you think. The patch is good for me. -- Vita Cizek -------------- next part -------------- A non-text attachment was scrubbed... 
From lcohen at novetta.com Tue Mar 29 17:10:53 2016
From: lcohen at novetta.com (Cohen, Laurence)
Date: Tue, 29 Mar 2016 13:10:53 -0400
Subject: [Mod_nss-list] Redirect to Maintenance Page

Hi everyone,

I have what I hope is a simple question with a simple answer that I'm just overlooking. I have a need to temporarily put our application in maintenance mode, and display a static page from our web server stating that the application is temporarily unavailable.

The Web Server is Apache 2.2, and it contains Include lines for rewrite.conf and nss.conf. Here are those files respectively.

rewrite.conf

# When maintenance mode is enabled, ALL requests are redirected to the
# maintenance page, except for the page itself and the images on the page.
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{SERVER_PROTOCOL} !https
RewriteCond %{REQUEST_URI} !^/favicon.ico
RewriteCond %{REQUEST_URI} !^/dseLogo.png
RewriteCond %{REQUEST_URI} !^/maintenance.html$
RewriteRule ^/(.*)$ https://testweb01.novetta.com/maintenance.html [L,R]

nss.conf

Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
NSSPassPhraseDialog file:/etc/httpd/.password.conf
#NSSPassPhraseDialog builtin
NSSPassPhraseHelper /usr/sbin/nss_pcache
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
NSSSessionTickets off
NSSRandomSeed startup builtin
DocumentRoot "/var/www/docroot"
NSSProxyCheckPeerCN Off
NSSEngine on
NSSProxyEngine on
NSSEnforceValidCerts off
NSSRenegotiation on
NSSRequireSafeNegotiation on
NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProxyCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol TLSv1
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
NSSFIPS on
NSSOCSP off
ProxyPreserveHost On
NSSRenegBufferSize 26214400
NSSVerifyClient optional
NSSOptions +ExportCertData +StdEnvVars
ProxyPass https://testweb01.novetta.com/maintenance.html
ProxyPassReverse https://testweb01.novetta.com/maintenance.html
NSSOptions +StdEnvVars
NSSOptions +StdEnvVars
# initialize the SSL headers to a blank value to avoid http header forgeries
RequestHeader set SSL_CLIENT_CERT ""
RequestHeader set SSL_CIPHER ""
RequestHeader set SSL_SESSION_ID ""
RequestHeader set SSL_CIPHER_USEKEYSIZE ""
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_CLIENT_CERT}x %{SSL_CLIENT_S_DN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log
LogLevel info

Finally, here is the maintenance page in docroot

DoD Data Services Environment Maintenance

The Data Services Environment is temporarily unavailable while site maintenance is being performed.

What I'm getting in the error log when I try to bring this up in a browser is the following.

[Sat Mar 26 05:11:22 2016] [info] Connection to child 5 established (server testweb01.novetta.com:443, client x.x.16.58)
[Sat Mar 26 05:11:23 2016] [info] Initial (No.1) HTTPS request received for child 5 (server testweb01.novetta.com:443)
[Sat Mar 26 05:11:23 2016] [info] Requesting connection re-negotiation
[Sat Mar 26 05:11:26 2016] [info] Connection to child 0 established (server testweb01.novetta.com:443, client x.x.238.91)
[Sat Mar 26 05:11:26 2016] [info] Connection to child 3 established (server testweb01.novetta.com:443, client x.x.238.91)
[Sat Mar 26 05:11:26 2016] [info] SSL input filter read failed.
[Sat Mar 26 05:11:26 2016] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
[Sat Mar 26 05:11:26 2016] [info] Connection to child 3 closed (server testweb01.novetta.com:443, client x.x.238.91)
[Sat Mar 26 05:11:26 2016] [info] SSL library error -8172 writing data
[Sat Mar 26 05:11:26 2016] [info] SSL Library Error: -8172 Certificate is signed by an untrusted issuer
[Sat Mar 26 05:11:26 2016] [error] (20014)Internal error: proxy: pass request body failed to 10.3.238.91:443 (testweb01.novetta.com)
[Sat Mar 26 05:11:26 2016] [error] proxy: pass request body failed to x.x.238.91:443 (testweb01.novetta.com) from x.x.16.58 ()
[Sat Mar 26 05:11:26 2016] [info] Connection to child 5 closed (server...

I have tried this with :443 for the port in the nss.conf ProxyPass and ProxyPassReverse statements, but it still doesn't work. Any ideas?

Thanks,
Larry Cohen
From rcritten at redhat.com Tue Mar 29 17:22:23 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2016 13:22:23 -0400
Subject: [Mod_nss-list] Redirect to Maintenance Page
Message-ID: <56FAB9CF.8090207@redhat.com>

Cohen, Laurence wrote:
> Hi everyone,
>
> I have what I hope is a simple question with a simple answer that I'm
> just overlooking. I have a need to temporarily put our application in
> maintenance mode, and display a static page from our web server stating
> that the application is temporarily unavailable.
>
> The Web Server is Apache 2.2, and it contains Include lines for
> rewrite.conf and nss.conf.

> What I'm getting in the error log when I try to bring this up in a
> browser is the following.
>
> [Sat Mar 26 05:11:22 2016] [info] Connection to child 5 established
> (server testweb01.novetta.com:443, client x.x.16.58)
> [Sat Mar 26 05:11:23 2016] [info] Initial (No.1) HTTPS request received
> for child 5 (server testweb01.novetta.com:443)
> [Sat Mar 26 05:11:23 2016] [info] Requesting connection re-negotiation
> [Sat Mar 26 05:11:26 2016] [info] Connection to child 0 established
> (server testweb01.novetta.com:443, client x.x.238.91)
> [Sat Mar 26 05:11:26 2016] [info] Connection to child 3 established
> (server testweb01.novetta.com:443, client x.x.238.91)
> [Sat Mar 26 05:11:26 2016] [info] SSL input filter read failed.
> [Sat Mar 26 05:11:26 2016] [error] SSL Library Error: -12195 Peer does
> not recognize and trust the CA that issued your certificate
> [Sat Mar 26 05:11:26 2016] [info] Connection to child 3 closed (server
> testweb01.novetta.com:443, client x.x.238.91)
> [Sat Mar 26 05:11:26 2016] [info] SSL library error -8172 writing data
> [Sat Mar 26 05:11:26 2016] [info] SSL Library Error: -8172 Certificate
> is signed by an untrusted issuer
> [Sat Mar 26 05:11:26 2016] [error] (20014)Internal error: proxy: pass
> request body failed to 10.3.238.91:443 (testweb01.novetta.com)
> [Sat Mar 26 05:11:26 2016] [error] proxy: pass request body failed to
> x.x.238.91:443 (testweb01.novetta.com) from x.x.16.58 ()
> [Sat Mar 26 05:11:26 2016] [info] Connection to child 5 closed (server...
>
> I have tried this with :443 for the port in the nss.conf ProxyPass and
> ProxyPassReverse statements, but it still doesn't work. Any ideas?

The server cert on testweb01.novetta.com was signed by an issuer that your web server doesn't know. You'd need to add that CA to the mod_nss certificate database (and probably restart Apache).

rob

From lcohen at novetta.com Tue Mar 29 20:39:10 2016
From: lcohen at novetta.com (Cohen, Laurence)
Date: Tue, 29 Mar 2016 16:39:10 -0400
Subject: [Mod_nss-list] Redirect to Maintenance Page
In-Reply-To: <56FAB9CF.8090207@redhat.com>
References: <56FAB9CF.8090207@redhat.com>

Thank you for responding. Although this appeared to be a problem with the CA, the reason that error was appearing was because we are using a self-signed certificate. That part of it confused me too, but I realized I could ignore it when I completely removed the ProxyPass and ProxyPassReverse lines from the nss.conf file, and then got another error about /var/www/docroot being denied by rule.
I changed the directory rules to look like this:

Order allow,deny
Allow from all
AllowOverride None
Options None

Order deny,allow
Deny from all
AllowOverride None
Options None

Basically I just added the first rule above the bottom, existing rule. The bottom one was disallowing every file on our webserver to be served.

Thanks,
Larry Cohen

On Tue, Mar 29, 2016 at 1:22 PM, Rob Crittenden wrote:
> Cohen, Laurence wrote:
>
>> Hi everyone,
>>
>> I have what I hope is a simple question with a simple answer that I'm
>> just overlooking. I have a need to temporarily put our application in
>> maintenance mode, and display a static page from our web server stating
>> that the application is temporarily unavailable.
>>
>> The Web Server is Apache 2.2, and it contains Include lines for
>> rewrite.conf and nss.conf.
>
>> What I'm getting in the error log when I try to bring this up in a
>> browser is the following.
>>
>> [Sat Mar 26 05:11:22 2016] [info] Connection to child 5 established
>> (server testweb01.novetta.com:443, client x.x.16.58)
>> [Sat Mar 26 05:11:23 2016] [info] Initial (No.1) HTTPS request received
>> for child 5 (server testweb01.novetta.com:443)
>> [Sat Mar 26 05:11:23 2016] [info] Requesting connection re-negotiation
>> [Sat Mar 26 05:11:26 2016] [info] Connection to child 0 established
>> (server testweb01.novetta.com:443, client x.x.238.91)
>> [Sat Mar 26 05:11:26 2016] [info] Connection to child 3 established
>> (server testweb01.novetta.com:443, client x.x.238.91)
>> [Sat Mar 26 05:11:26 2016] [info] SSL input filter read failed.
>> [Sat Mar 26 05:11:26 2016] [error] SSL Library Error: -12195 Peer does
>> not recognize and trust the CA that issued your certificate
>> [Sat Mar 26 05:11:26 2016] [info] Connection to child 3 closed (server
>> testweb01.novetta.com:443, client x.x.238.91)
>> [Sat Mar 26 05:11:26 2016] [info] SSL library error -8172 writing data
>> [Sat Mar 26 05:11:26 2016] [info] SSL Library Error: -8172 Certificate
>> is signed by an untrusted issuer
>> [Sat Mar 26 05:11:26 2016] [error] (20014)Internal error: proxy: pass
>> request body failed to 10.3.238.91:443 (testweb01.novetta.com)
>> [Sat Mar 26 05:11:26 2016] [error] proxy: pass request body failed to
>> x.x.238.91:443 (testweb01.novetta.com) from x.x.16.58 ()
>> [Sat Mar 26 05:11:26 2016] [info] Connection to child 5 closed (server...
>>
>> I have tried this with :443 for the port in the nss.conf ProxyPass and
>> ProxyPassReverse statements, but it still doesn't work. Any ideas?
>
> The server cert on testweb01.novetta.com was signed by an issuer that
> your web server doesn't know. You'd need to add that CA to the mod_nss
> certificate database (and probably restart Apache).
>
> rob

--
Larry Cohen
System Administrator
12021 Sunset Hills Road, Suite 400
Reston, VA 20190
Email lcohen at novetta.com
Office 703-885-1064
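Rob's diagnosis, checked mechanically against the log Larry posted. This is an added example, not mod_nss code: it parses lines in the Apache 2.2 error-log format shown above, collects the server names this httpd answers on, the NSS error codes with the message text the log itself carries, and the proxy target from the "proxy: pass request body failed to host:port (name)" line, and flags the case visible in that log where the ProxyPass target is the same name the server answers on, so the request is proxied back into the same host and the certificate that fails validation is the server's own (self-signed, as Larry's follow-up says). The sample lines below are constructed to mirror the posted ones, keeping the same redaction; the function and key names are mine.

```python
"""Triage mod_nss proxy TLS failures from Apache 2.2 error-log lines.

Added example for the 'Redirect to Maintenance Page' thread; it is not
mod_nss code. The sample lines are constructed to mirror the posted log,
including its redaction, and the function names are mine.
"""
import re

# [Sat Mar 26 05:11:26 2016] [error] SSL Library Error: -8172 Certificate ...
LOG_LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
NSS_ERROR_RE = re.compile(r"SSL Library Error: (?P<code>-\d+) (?P<text>.+)$")
SERVER_RE = re.compile(r"\(server (?P<host>[^:\s]+):(?P<port>\d+)")
PROXY_FAIL_RE = re.compile(
    r"proxy: pass request body failed to (?P<host>[^:\s]+):(?P<port>\d+) "
    r"\((?P<name>[^)\s]+)\)"
)

# SEC_ERROR_UNTRUSTED_ISSUER: logged by the side that rejected a peer
# certificate, i.e. here by httpd acting as the TLS client for ProxyPass.
UNTRUSTED_ISSUER = -8172
# SSL_ERROR_UNKNOWN_CA_ALERT: logged by the side that received an
# unknown_ca alert, i.e. the TLS server whose certificate was rejected.
UNKNOWN_CA_ALERT = -12195

# Constructed sample mirroring the posted log (addresses redacted as posted).
SAMPLE_LOG = """\
[Sat Mar 26 05:11:22 2016] [info] Connection to child 5 established (server testweb01.novetta.com:443, client x.x.16.58)
[Sat Mar 26 05:11:23 2016] [info] Initial (No.1) HTTPS request received for child 5 (server testweb01.novetta.com:443)
[Sat Mar 26 05:11:23 2016] [info] Requesting connection re-negotiation
[Sat Mar 26 05:11:26 2016] [info] SSL input filter read failed.
[Sat Mar 26 05:11:26 2016] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
[Sat Mar 26 05:11:26 2016] [info] SSL library error -8172 writing data
[Sat Mar 26 05:11:26 2016] [info] SSL Library Error: -8172 Certificate is signed by an untrusted issuer
[Sat Mar 26 05:11:26 2016] [error] (20014)Internal error: proxy: pass request body failed to x.x.238.91:443 (testweb01.novetta.com)
"""


def parse_log(text):
    """Yield (level, message) for each line in Apache 2.2 error-log format."""
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if m:
            yield m.group("level"), m.group("msg")


def triage(text):
    """Summarise what the log says about a failed outbound (proxy) TLS handshake.

    Returns a dict: the server names this httpd answers on, the NSS error
    codes with the message text the log itself carries, the proxy targets
    that failed, whether this host rejected the backend certificate, and
    whether a failed proxy target is one of this host's own names (a
    ProxyPass pointing back at the same vhost).
    """
    servers, nss_errors, proxy_failures = set(), {}, []
    for _level, msg in parse_log(text):
        s = SERVER_RE.search(msg)
        if s:
            servers.add(s.group("host"))
        e = NSS_ERROR_RE.search(msg)
        if e:
            nss_errors[int(e.group("code"))] = e.group("text")
        p = PROXY_FAIL_RE.search(msg)
        if p:
            proxy_failures.append((p.group("host"), int(p.group("port")), p.group("name")))
    return {
        "servers": sorted(servers),
        "nss_errors": nss_errors,
        "proxy_failures": proxy_failures,
        "backend_cert_untrusted": UNTRUSTED_ISSUER in nss_errors,
        "self_proxy": any(name in servers for _h, _p, name in proxy_failures),
        # Client-side rejection and server-side alert in the same log is
        # consistent with a loop through the same httpd; a browser rejecting
        # the certificate would also log -12195, so self_proxy is the
        # stronger signal.
        "both_sides_logged": UNTRUSTED_ISSUER in nss_errors and UNKNOWN_CA_ALERT in nss_errors,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

If the backend really is a separate host, Rob's fix on a stock layout is to import its issuer into the database NSSCertificateDatabase points at, for example `certutil -d /etc/httpd/alias -A -n backend-ca -t "CT,," -i backend-ca.pem` (nickname and file name are placeholders), then restart httpd. When self_proxy is set, as it is for this log, there is nothing to import: the static page belongs under DocumentRoot without any ProxyPass, which is what Larry ended up doing.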