Bug 1342332

Summary: upgrading nss to 3.24 prevents httpd from starting with "SSL Library Error: -8187 Security library: invalid argument"
Product: [Fedora] Fedora Reporter: Lonni J Friedman <netllama>
Component: nss Assignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 23 CC: baumanmo, emaldona, enrique.bonet, kdudka, kengert, netllama, ngaywood
Hardware: x86_64
OS: Linux
Last Closed: 2016-06-04 23:10:26 UTC Type: Bug

Description Lonni J Friedman 2016-06-03 02:43:25 UTC
Description of problem:
Upgrading nss packages from 3.23 to 3.24 prevents httpd(apache) from starting (when configured for SSL), with the following errors:
NSSProtocol:  SSL/TLS protocol initialization failed
SSL Library Error: -8187 Security library: invalid arguments

Downgrading back to 3.23 allows apache to start again.

Version-Release number of selected component (if applicable):
3.24

How reproducible:
100% of the time

Steps to Reproduce:
1. Configure httpd (apache) with an SSL cert
2. Verify that httpd starts up successfully
3. Upgrade all nss packages (using dnf) from 3.23 to 3.24
4. Attempt to (re)start httpd, and it will fail to start
5. Downgrade nss packages back to 3.23
6. httpd starts successfully

Actual results:
httpd fails to start

Expected results:
httpd starts successfully

Additional info:
These packages do not exhibit the bug:
nss-3.23.0-1.0.fc23.i686.rpm                  nss-softokn-freebl-3.23.0-1.0.fc23.i686.rpm
nss-3.23.0-1.0.fc23.x86_64.rpm                nss-softokn-freebl-3.23.0-1.0.fc23.x86_64.rpm
nss-devel-3.23.0-1.0.fc23.i686.rpm            nss-softokn-freebl-devel-3.23.0-1.0.fc23.i686.rpm
nss-devel-3.23.0-1.0.fc23.x86_64.rpm          nss-softokn-freebl-devel-3.23.0-1.0.fc23.x86_64.rpm
nss-pkcs11-devel-3.23.0-1.0.fc23.i686.rpm     nss-sysinit-3.23.0-1.0.fc23.x86_64.rpm
nss-pkcs11-devel-3.23.0-1.0.fc23.x86_64.rpm   nss-tools-3.23.0-1.0.fc23.x86_64.rpm
nss-softokn-3.23.0-1.0.fc23.i686.rpm          nss-util-3.23.0-1.0.fc23.i686.rpm
nss-softokn-3.23.0-1.0.fc23.x86_64.rpm        nss-util-3.23.0-1.0.fc23.x86_64.rpm
nss-softokn-devel-3.23.0-1.0.fc23.i686.rpm    nss-util-devel-3.23.0-1.0.fc23.i686.rpm
nss-softokn-devel-3.23.0-1.0.fc23.x86_64.rpm  nss-util-devel-3.23.0-1.0.fc23.x86_64.rpm

These packages reproduce the bug:
  nss.i686 3.24.0-1.1.fc23                         nss.x86_64 3.24.0-1.1.fc23
  nss-devel.x86_64 3.24.0-1.1.fc23                 nss-softokn.i686 3.24.0-1.0.fc23
  nss-softokn.x86_64 3.24.0-1.0.fc23               nss-softokn-devel.x86_64 3.24.0-1.0.fc23
  nss-softokn-freebl.i686 3.24.0-1.0.fc23          nss-softokn-freebl.x86_64 3.24.0-1.0.fc23
  nss-softokn-freebl-devel.x86_64 3.24.0-1.0.fc23  nss-sysinit.x86_64 3.24.0-1.1.fc23
  nss-tools.x86_64 3.24.0-1.1.fc23                 nss-util.i686 3.24.0-1.0.fc23
  nss-util.x86_64 3.24.0-1.0.fc23                  nss-util-devel.x86_64 3.24.0-1.0.fc23

This system is running httpd-2.4.18-1.fc23.x86_64

Comment 1 Norman Gaywood 2016-06-04 05:23:46 UTC
I'm seeing this as well. Also affects LDAP connections and so user logins fail.

Two similar systems:

tungir ~ # rpm -q nss
nss-3.23.0-1.0.fc23.x86_64
tungir ~ # ldapsearch -x -ZZZ -LLL uid=ngaywood dn
dn: uid=ngaywood,ou=People,dc=une,dc=edu,dc=au

hopper ~ # rpm -q nss
nss-3.24.0-1.1.fc23.x86_64
hopper ~ # ldapsearch -x -ZZZ -LLL uid=ngaywood dn
ldap_start_tls: Connect error (-11)

Downgrading nss also fixed my problem.

Comment 2 Norman Gaywood 2016-06-04 05:48:45 UTC
It might be fixed in nss-3.24.0-1.2.fc23

http://koji.fedoraproject.org/koji/buildinfo?buildID=770185

Changelog:
* Thu Jun 02 2016 Elio Maldonado <emaldona> - 3.24.0-1.2
- Allow application requests to disable SSL v2 to succeed
- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
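
Added example, not part of the thread and not NSS source code: a small C model of the compatibility rule the 3.24.0-1.2 changelog describes, where a request to disable a removed protocol succeeds as a no-op while a request to enable it is still rejected. All function and option names are hypothetical, and the "strict" behaviour for 3.24.0-1.1 is an assumption drawn from the -8187 error in the report.

```c
#include <stdio.h>

/* Constructed model; names are hypothetical, not the NSS API. */
#define MODEL_SUCCESS      0
#define MODEL_INVALID_ARGS (-8187) /* error number quoted in the report */

enum model_option { OPT_SSL2, OPT_TLS };

/* Assumed 3.24.0-1.1 behaviour: any request naming the removed
 * SSLv2 option fails, even one that only asks to turn it off. */
int option_set_strict(enum model_option opt, int on)
{
    (void)on;
    return opt == OPT_SSL2 ? MODEL_INVALID_ARGS : MODEL_SUCCESS;
}

/* Behaviour described by the 3.24.0-1.2 changelog: disabling the
 * removed protocol is accepted as a no-op; enabling it still fails. */
int option_set_compat(enum model_option opt, int on)
{
    if (opt == OPT_SSL2)
        return on ? MODEL_INVALID_ARGS : MODEL_SUCCESS;
    return MODEL_SUCCESS;
}

typedef int (*option_setter)(enum model_option, int);

/* A hardened application start-up: explicitly turn the legacy
 * protocol off, turn TLS on, and abort on the first error. */
int server_init(option_setter set)
{
    int rv = set(OPT_SSL2, 0);
    if (rv != MODEL_SUCCESS)
        return rv; /* start-up aborts, as httpd did in this report */
    return set(OPT_TLS, 1);
}

int main(void)
{
    printf("strict library, init: %d\n", server_init(option_set_strict));
    printf("compat library, init: %d\n", server_init(option_set_compat));
    printf("compat library, enable SSLv2: %d\n",
           option_set_compat(OPT_SSL2, 1));
    return 0;
}
```

The point for library maintainers is that applications which explicitly disable a weak protocol are doing the right thing, so removing that protocol must not turn their hardening call into a start-up failure.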

Comment 3 Norman Gaywood 2016-06-04 05:59:31 UTC
Yes, confirm that nss-3.24.0-1.2.fc23 fixes it for me:

hopper ~ # rpm -q nss
nss-3.24.0-1.1.fc23.x86_64
hopper ~ # ldapsearch -x -ZZZ -LLL uid=ngaywood dn
ldap_start_tls: Connect error (-11)

hopper ~ # dnf --enablerepo=updates-testing update nss
[snip]

hopper ~ # rpm -q nss
nss-3.24.0-1.2.fc23.x86_64

hopper ~ # ldapsearch -x -ZZZ -LLL uid=ngaywood dn
dn: uid=ngaywood,ou=People,dc=une,dc=edu,dc=au

Comment 4 Norman Gaywood 2016-06-04 06:30:59 UTC
duplicate of bug 1342158

Comment 5 Lonni J Friedman 2016-06-04 23:10:26 UTC
confirmed, fixed with "dnf --enablerepo=updates-testing update nss".  thanks @norman!

*** This bug has been marked as a duplicate of bug 1342158 ***