Bug 446851
Summary: | Enabling FIPS mode does not work in mod_nss | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Rob Crittenden <rcritten> |
Component: | mod_nss | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 9 | CC: | maurizio.antillon |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | 1.0.7-6.fc9 | Doc Type: | Bug Fix |
Last Closed: | 2008-07-01 05:28:45 UTC | Type: | --- |
Bug Blocks: | 450349 |
Description
Rob Crittenden
2008-05-16 13:31:06 UTC
I verified this in FC-6 (similar component versions to EL 5 and CentOS 5) and F-7. Looks like the problem is in NSS itself. To prevent hammering on tokens the NSS PKCS#11 interface has a timer for logins so a new one may only take place every 'x' seconds (I didn't look up what 'x' defaults to). Since mod_nss is loaded and unloaded by Apache and we need to authenticate multiple times, basically what we're seeing is we log in ok once and subsequent logins fail because they are coming too fast, hence the certificate can't be found.

This patch provides a workaround:

Index: nss_engine_pphrase.c =================================================================== RCS file: /cvs/dirsec/mod_nss/nss_engine_pphrase.c,v retrieving revision 1.10 diff -u -r1.10 nss_engine_pphrase.c --- nss_engine_pphrase.c 22 Feb 2007 16:50:14 -0000 1.10 +++ nss_engine_pphrase.c 16 May 2008 13:34:07 -0000
@@ -62,6 +62,8 @@ { PK11SlotInfo *slot = listEntry->slot; + PK11_Logout(slot); + if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) { if (slot == PK11_GetInternalKeySlot()) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,

File bug against NSS 3.11.7 https://bugzilla.mozilla.org/show_bug.cgi?id=434043

Committed to HEAD:

Checking in nss_engine_init.c;
/cvs/dirsec/mod_nss/nss_engine_init.c,v <-- nss_engine_init.c
new revision: 1.32; previous revision: 1.31
done
Checking in nss_engine_pphrase.c;
/cvs/dirsec/mod_nss/nss_engine_pphrase.c,v <-- nss_engine_pphrase.c
new revision: 1.11; previous revision: 1.10
done

Fedora 7 changed to end-of-life (EOL) status on June 13, 2008. Fedora 7 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.

New packages still need to be made.

mod_nss-1.0.7-6.fc9 has been submitted as an update for Fedora 9

mod_nss-1.0.7-5.fc8 has been submitted as an update for Fedora 8

mod_nss-1.0.7-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

mod_nss-1.0.7-6.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

mod_nss-1.0.7-6.fc8 has been submitted as an update for Fedora 8

mod_nss-1.0.7-7.fc9 has been submitted as an update for Fedora 9

mod_nss-1.0.7-6.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

mod_nss-1.0.7-7.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

mod_nss-1.0.7-6.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
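
Review bot: the added PK11_Logout(slot) call in the @@ -62,6 +62,8 @@ hunk of nss_engine_pphrase.c carries no comment saying why the slot is logged out immediately before the PK11_NeedLogin(slot) check, and its return value is discarded. Because the description presents this as a workaround for the NSS login timer, a short comment citing the upstream report (bugzilla.mozilla.org bug 434043) would keep the call from being removed later as redundant and would mark it for removal once NSS is fixed. Consider checking the result as well and logging a failure through the ap_log_error path the surrounding code already uses, so that a slot that could not be logged out is visible in the Apache error log rather than resurfacing as a certificate that cannot be found.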