Cloning as a separate bug report. While the original bug #738456 is fixed, the not yet released version of NSS is said to break applications again.
--- Additional comment from Rich Graves on 2014-09-26 18:15:19 CEST ---
This bug seems to have returned in nss-3.16.1-7.el6_5.x86_64.
--- Additional comment from Rich Graves on 2014-09-26 19:43:06 CEST ---
Yeah, I copy-pasted from the wrong window. The suspicious entry for rhel6 is
* Tue Jul 08 2014 Elio Maldonado <XXX> - 3.16.1-5
- Removed listed but unused patches detected by the rpmdiff test
- Resolves: Bug 1099619
According to the application owner here, 3.16.1-4 seems to be good, 3.16.1-7 bad. I will try to better describe "bad."
The test.php code in bug #738456 comment 18 does *not* reproduce the problem. So it's not the same bug. I will open a new bug later if needed.
--- Additional comment from Rich Graves on 2014-09-26 21:48:02 CEST ---
The verbose PHP error log looks the same as it did for this bug. We will try to create a minimal test case.
ldap_create
ldap_url_parse_ext(ldaps://ldap0.its.carleton.edu/)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap0.its.carleton.edu:636
ldap_new_socket: 19
ldap_prepare_socket: 19
ldap_connect_to_host: Trying 137.22.94.105:636
ldap_pvt_connect: fd: 19 tm: 20 async: 0
ldap_ndelay_on: 19
ldap_int_poll: fd: 19 tm: 20
ldap_is_sock_ready: 19
ldap_ndelay_off: 19
ldap_pvt_connect: 0
TLS: could not initialize moznss - error -5925:The one-time function was previously called and failed. Its error code is no longer available.
TLS: could not perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -5925:The one-time function was previously called and failed. Its error code is no longer available
TLS: can't create ssl handle.
ldap_err2string
ldap_err2string
--- Additional comment from Craig on 2014-10-01 20:29:23 CEST ---
I have run into this bug as well, our php ldap thingy suddenly stopped working, I thought it was due to other $issues, but running yum downgrade nss* has fixed it.
---> Package nss.x86_64 0:3.16.1-4.el6_5 will be a downgrade
---> Package nss.x86_64 0:3.16.1-7.el6_5 will be erased
The PHP ldap log is:
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xxxxx:389
ldap_new_socket: 24
ldap_prepare_socket: 24
ldap_connect_to_host: Trying xxxxx:389
ldap_pvt_connect: fd: 24 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x2b26380 msgid 1
wait4msg ld 0x2b26380 msgid 1 (infinite timeout)
wait4msg continue ld 0x2b26380 msgid 1 all 1
** ld 0x2b26380 Connections:
* host: xxxxx port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Oct 1 19:11:15 2014
** ld 0x2b26380 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x2b26380 request count 1 (abandoned 0)
** ld 0x2b26380 Response Queue:
Empty
ld 0x2b26380 response count 0
ldap_chkResponseList ld 0x2b26380 msgid 1 all 1
ldap_chkResponseList returns ld 0x2b26380 NULL
ldap_int_select
read1msg: ld 0x2b26380 msgid 1 all 1
read1msg: ld 0x2b26380 msgid 1 message type extended-result
read1msg: ld 0x2b26380 0 new referrals
read1msg: mark request completed, ld 0x2b26380 msgid 1
request done: ld 0x2b26380 msgid 1
res_errno: 0, res_error: <Start TLS request accepted.Server willing to negotiate SSL.>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS: error: could not initialize moznss security context - error -5925:The one-time function was previously called and failed. Its error code is no longer available
TLS: can't create ssl handle.
ldap_err2string
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
ldap_create
ldap_extended_operation_s
We need a reproducer to be able to debug this issue further. Given that we haven't received a reproducer when we last asked for one 5 months ago, I'm going to close this as CANTFIX. If additional information comes along on how this can be reproduced, we can open this issue back up.