Bug 1037606

Summary: nss hangs after receiving close_notify alert from vsftpd on FTPS data connection
Product: [Fedora] Fedora Reporter: Filip Krska <fkrska>
Component: nssAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: 19CC: emaldona, eparis, fkrska, hkario, kdudka, kengert, rrelyea
Target Milestone: ---Keywords: Patch, Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nss-3.15.4-1.fc19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 918156 Environment:
Last Closed: 2014-02-03 13:33:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 918156    
Bug Blocks: 895339    

Comment 1 Filip Krska 2014-01-21 12:46:51 UTC 
Seems that with

nss-3.15.4-1.fc20.x86_64

the issue doesn't manifest any more contrary to nss-3.15.2-3.fc20.x86_64 which reproduces the issue.

Tested with curl-7.32.0-3.fc20.x86_64 on client side and vsftpd-2.2.2-11.el6_4.1.x86_64 on server side.

I haven't managed to identify the patch which causes the change in behaviour (hopefully the final fix).

Could you, please, check it and decide whether it can be backported to RHEL 6 (https://bugzilla.redhat.com/show_bug.cgi?id=918156)?
Comment 2 Kai Engert (:kaie) (inactive account) 2014-02-03 13:10:11 UTC 
Filip, it's good news that you can no longer reproduce this bug using NSS 3.15.4

It could mean that one of the recent bugfixes to upstream NSS had this positive side effect.

Questions about RHEL should be discussed in a RHEL bug.
Comment 3 Kai Engert (:kaie) (inactive account) 2014-02-03 13:10:46 UTC 
clearing needinfo
Comment 4 Kai Engert (:kaie) (inactive account) 2014-02-03 13:11:29 UTC 
Filip, because you have reported this bug can no longer be reproduced in Fedora, I'm closing this as worksforme.
Comment 5 Hubert Kario 2014-02-03 13:17:20 UTC 
Still getting -12205 (SSL_ERROR_TOKEN_INSERTION_REMOVAL) when running on Fedora 19.

curl-7.29.0-12.fc19.x86_64
nss-3.15.3.1-1.fc19.x86_64
nss-3.15.3.1-1.fc19.i686
vsftpd-3.0.2-5.fc19.x86_64
Comment 6 Kai Engert (:kaie) (inactive account) 2014-02-03 13:33:41 UTC 
(In reply to Hubert Kario from comment #5)
> Still getting -12205 (SSL_ERROR_TOKEN_INSERTION_REMOVAL) when running on
> Fedora 19.

Hubert, I believe these are two different issues related FTPS.

This one is about software being stuck, but only after the connection has completed correctly, and which has been reported as fixed with NSS 3.15.4

The one you are referring to with SSL_ERROR_TOKEN_INSERTION_REMOVAL, I believe, is a problem with broken functionality.
Comment 7 Kamil Dudka 2014-02-03 14:09:57 UTC 
Still reproducible on up2date Fedora 19:

$ rpm -q libcurl nss vsftpd
libcurl-7.29.0-12.fc19.i686
nss-3.15.3.1-1.fc19.i686
vsftpd-3.0.2-5.fc19.i686


No longer reproducible on Fedora 20:

$ rpm -q libcurl nss vsftpd
libcurl-7.32.0-4.fc20.x86_64
nss-3.15.4-1.fc20.x86_64
vsftpd-3.0.2-6.fc20.x86_64
Comment 8 Kamil Dudka 2014-02-04 15:34:42 UTC 
I tried the latest updates on Fedora 19.  curl hangs with:

nss-3.14.3-13.0.fc19.i686
nss-tools-3.14.3-13.0.fc19.i686
nss-sysinit-3.14.3-13.0.fc19.i686


... but it does not hang with:

nss-3.15.4-1.fc19.i686
nss-tools-3.15.4-1.fc19.i686
nss-sysinit-3.15.4-1.fc19.i686