Bug 618454

Summary: mod_admserv should only clear NSS caches and shutdown if NSS is initialized
Product: [Retired] 389 Reporter: Ulf Weltman <ulf.weltman>
Component: AdminAssignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE QA Contact: Viktor Ashirov <vashirov>
Severity: medium Docs Contact:
Priority: urgent    
Version: 1.2.6CC: amsharma, sblume
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-07 17:12:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 434915, 576869    
Attachments:
Description Flags
fix proposal none

Description Ulf Weltman 2010-07-26 23:54:02 UTC 
mod_admserv attempts to clear SSL cache without checking if NSS has been initialized which causes an assertion to fail in NSS.

#0  0xc000000000325890:0 in kill+0x30 () from /usr/lib/hpux64/libc.so.1
#1  0xc00000000024a1d0:0 in raise+0x30 () from /usr/lib/hpux64/libc.so.1
#2  0xc0000000002e6f90:0 in abort+0x190 () from /usr/lib/hpux64/libc.so.1
#3  0xc000000000b01520:0 in PR_Assert+0xd0 () from /opt/dirsrv/lib/libnspr4.so
#4  0xc000000000ffb750:0 in initSessionCacheLocksLazily+0x100 ()
   from /opt/dirsrv/lib/libssl3.so
#5  0xc000000000b24e80:0 in PR_CallOnce+0xb0 ()
   from /opt/dirsrv/lib/libnspr4.so
#6  0xc000000000ffb850:0 in ssl_InitSessionCacheLocks+0xa0 ()
   from /opt/dirsrv/lib/libssl3.so
#7  0xc000000000ffb940:0 in lock_cache+0x30 () from /opt/dirsrv/lib/libssl3.so
#8  0xc000000000ffd260:0 in SSL_ClearSessionCache+0x20 ()
   from /opt/dirsrv/lib/libssl3.so
#9  0xc00000000094b200:0 in mod_admserv_unload+0x30 ()
   from /opt/dirsrv/lib/modules/mod_admserv.so
#10 0xc000000000762e50:0 in apr_pool_clear () at memory/unix/apr_pools.c:2063
#11 0x4000000000058320:0 in main () at main.c:695
Comment 1 Ulf Weltman 2010-07-26 23:56:02 UTC 
Created attachment 434568 [details]
fix proposal
Comment 2 Rich Megginson 2010-10-01 20:27:45 UTC 
This may be the same as https://bugzilla.redhat.com/show_bug.cgi?id=555296
Comment 3 Rich Megginson 2010-10-20 20:45:23 UTC 
commit 24fd9c4c1af99b2a3c067b633c26c76bf672fb31
Author: Rich Megginson <rmeggins>
Date:   Wed Oct 20 11:14:24 2010 -0600
    Branch: master
    Fix Description: Check NSS_IsInitialized before clearing caches.  We also do
    an NSS_Shutdown here - with the new NSS fips mode, you cannot load the
    softoken after a fork unless you have first shutdown NSS - Apache loads and
    unloads its modules several times during the startup phase, so we have to
    make sure we completely shutdown NSS when the module is unloaded so that we
    can load it again and start the NSS engine when the module is re-loaded.
    Finally, change ldap_unbind_ext_s to just ldap_unbind_ext - ldap_unbind is
    always asynchronous.
    This should also fix https://bugzilla.redhat.com/show_bug.cgi?id=555296
    Platforms tested: RHEL5 x86_64, Fedora 14 x86_64
    Flag Day: no
Comment 4 Rich Megginson 2010-10-20 20:54:32 UTC 
*** Bug 555296 has been marked as a duplicate of this bug. ***
Comment 5 Amita Sharma 2011-05-05 12:23:30 UTC 
[root@rheltest etc]# /usr/lib64/dirsrv/modules/mod_admserv.so
Segmentation fault (core dumped)

[05/May/2011:16:01:45 +051800] - slapd shutting down - signaling operation threads
[05/May/2011:16:01:45 +051800] - slapd shutting down - closing down internal subsystems and plugins
[05/May/2011:16:01:45 +051800] - Waiting for 4 database threads to stop
[05/May/2011:16:01:46 +051800] - All database threads now stopped
[05/May/2011:16:01:46 +051800] - slapd stopped.
[05/May/2011:16:01:53 +051800] - 389-Directory/1.2.8.3 B2011.123.1759 starting up
[05/May/2011:16:01:53 +051800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
                                                                                                                                           271,1         Bot

Please guide with steps.
Comment 6 Rich Megginson 2011-05-05 14:36:04 UTC 
(In reply to comment #5)
> [root@rheltest etc]# /usr/lib64/dirsrv/modules/mod_admserv.so
> Segmentation fault (core dumped)

Running a shared library directly is not supported.

> 
> [05/May/2011:16:01:45 +051800] - slapd shutting down - signaling operation
> threads
> [05/May/2011:16:01:45 +051800] - slapd shutting down - closing down internal
> subsystems and plugins
> [05/May/2011:16:01:45 +051800] - Waiting for 4 database threads to stop
> [05/May/2011:16:01:46 +051800] - All database threads now stopped
> [05/May/2011:16:01:46 +051800] - slapd stopped.
> [05/May/2011:16:01:53 +051800] - 389-Directory/1.2.8.3 B2011.123.1759 starting
> up
> [05/May/2011:16:01:53 +051800] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
>                                                                                
>                                                            271,1         Bot
> 
> Please guide with steps.

Confirm that you can start, stop, restart, and connect to the admin server using the web interface and the console.  Then, configure admin server to use TLS/SSL and try all of the above again.  The crash usually happens during admin server startup or shutdown.
Comment 7 Amita Sharma 2011-05-10 11:48:40 UTC 
When I tried to stop the admin server from the Java Console, it promted back with the below message:
Once the Admin Server is stopped, it can not be started remotly from the console.
Are you sure you want to stop the server? Yes/ No
Clicked yes - Server stopped successfully

then executed /etc/init.d/dirsrv-admin start

then, Configured SSL for Admin-Server
[root@testvm admin-serv]# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Admin-Cert                                                   u,u,u
CA certificate                                               CT,, 

Stopped the Admin server from Java Console

[root@testvm admin-serv]# /etc/init.d/dirsrv-admin status
dirsrv-admin is stopped

Started from Command line

[root@testvm admin-serv]# /etc/init.d/dirsrv-admin start
Starting dirsrv-admin: 
                                                           [  OK  ]
[root@testvm admin-serv]# 

I did not face any server crash here. Hence marking the bug as VERIFIED.