Bug 1404815

Summary: SEC_ERROR_NO_TOKEN error when using SSL and multiple threads
Product: Red Hat Enterprise Linux 7 Reporter: Jan Dobes <jdobes>
Component: curlAssignee: Kamil Dudka <kdudka>
Status: CLOSED ERRATA QA Contact: Karel Srot <ksrot>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: jdobes, kdudka, kengert
Target Milestone: rcKeywords: Patch
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: curl-7.29.0-39.el7 Doc Type: No Doc Update
Doc Text:
undefined
 Story Points: ---
Clone Of:
: 1413619 (view as bug list) Environment:
Last Closed: 2017-08-01 17:02:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Dobes 2016-12-14 17:44:58 UTC 
Description of problem:
When I'm using pycurl + threading modules with SSL in python, execution will crash with SEC_ERROR_NO_TOKEN error coming from libcurl.

Version-Release number of selected component (if applicable):
python-pycurl-7.19.0-19.el7.x86_64
libcurl-7.29.0-35.el7.x86_64
nss-3.21.3-2.el7_3.x86_64

How reproducible:
almost always

Steps to Reproduce:
1. Try to download multiple files in multiple threads from server requiring SSL client certificates

Actual results:
pycurl perform() calls will crash

Expected results:
works without problems

Additional info:
https://bugzilla.mozilla.org/show_bug.cgi?id=1297397
https://github.com/curl/curl/commit/3a5d5de9ef52ebe8ca2bda2165edc1b34c242e54
Comment 1 Kamil Dudka 2016-12-14 21:34:28 UTC 
(In reply to Jan Dobes from comment #0)
> Description of problem:
> When I'm using pycurl + threading modules with SSL in python, execution will
> crash with SEC_ERROR_NO_TOKEN error coming from libcurl.

Yes, this is a known bug of NSS as you have already figured out.

> How reproducible:
> almost always

It was not that easy to reproduce in my environment when I tried it recently.

> Actual results:
> pycurl perform() calls will crash

If it returns SEC_ERROR_NO_TOKEN, it is not really a crash, just a spurious failure.  A python script may crash if the exception is not handled, but that is another story.

> Additional info:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1297397

We should probably create a RHEL-7 bug for this to force NSS maintainers sponsored by Red Hat to at least have a look.  It is a bug of NSS after all.  If you have a business justification, it would also help.

> https://github.com/curl/curl/commit/3a5d5de9ef52ebe8ca2bda2165edc1b34c242e54

I am fine with including the above patch in a RHEL-7 update.  It will fix only libcurl-based applications though.
Comment 3 Kamil Dudka 2017-01-16 12:26:43 UTC 
follow-up commit upstream:

https://github.com/curl/curl/commit/25ed9ea5
Comment 4 Kai Engert (:kaie) (inactive account) 2017-01-16 14:28:42 UTC 
Kamil, is this issue limited to RHEL 7, not RHEL 6 ?
Comment 5 Kamil Dudka 2017-01-16 14:57:16 UTC 
(In reply to Kai Engert (:kaie) from comment #4)
> Kamil, is this issue limited to RHEL 7, not RHEL 6 ?

The bug in NSS source code must be in both of them but I was debugging it on RHEL-7 only.
Comment 6 Kamil Dudka 2017-01-24 12:35:51 UTC 
This bug neither blocks, nor depends on bug #1413619.  In other words, each of them can fixed without fixing the other bug first.  I am weakening the relation to See Also.
Comment 16 errata-xmlrpc 2017-08-01 17:02:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2016