Bug 677700
Summary: | Lack of interlock between nss processes to pcache causes httpd failure | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Martin Poole <mpoole> | |
Component: | mod_nss | Assignee: | Rob Crittenden <rcritten> | |
Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> | |
Severity: | high | Docs Contact: | ||
Priority: | high | |||
Version: | 6.0 | CC: | benl, dpal, jgalipea, kchamart, shaines | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | mod_nss-1.0.8-11.el6 | Doc Type: | Bug Fix | |
Doc Text: |
During the Apache HTTP Server startup, a race condition could prevent one or more child processes from receiving the token PIN, rendering such processes unable to use SSL. With this update, the race condition no longer occurs, and all child processes of the Apache HTTP Server can enable SSL as expected.
|
Story Points: | --- | |
Clone Of: | 677698 | |||
: | 677701 (view as bug list) | Environment: | ||
Last Closed: | 2011-05-19 14:15:08 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 677698 | |||
Bug Blocks: | 677701 |
Description
Martin Poole
2011-02-15 16:00:46 UTC
*** Bug 678681 has been marked as a duplicate of this bug. *** I had some problems reliably reproducing the error. I ended up doing this: # while [ true ]; do service httpd restart; sleep 5; done And in another window: tail -f /var/log/httpd/error_log | grep 70007 With the patch in place I let this run an hour and never saw an occurrence. I also ran this to ensure all the children initialized properly: # /usr/lib64/nss/unsupported-tools/strsclnt -p 8443 -d /etc/httpd/alias -P 90 test.example.com -c 10000 -t 100 There were no errors about SSL being disabled in the error log. Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: During the Apache HTTP Server startup, a race condition could prevent one or more child processes from receiving the token PIN, rendering such processes unable to use SSL. With this update, the race condition no longer occurs, and all child processes of the Apache HTTP Server can enable SSL as expected. when I run the never ending while loop for httpd restart for a while, I notice these in the httpd/error_log .. can these be ignored? ---------------------------------------------- [Mon Apr 25 00:36:48 2011] [warn] mod_wsgi: Runtime using Python/2.6.6. [Mon Apr 25 00:36:48 2011] [notice] Apache/2.2.15 (Unix) DAV/2 mod_nss/2.2.15 NSS/3.12.9.0 mod_ssl/2.2.15 OpenSSL/1.0.0-fips mod_wsgi/3.2 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations [Mon Apr 25 00:36:53 2011] [error] Exception KeyError: KeyError(139642094028768,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored [Mon Apr 25 00:36:53 2011] [error] Exception KeyError: KeyError(139642094028768,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored [Mon Apr 25 00:36:53 2011] [error] Exception KeyError: KeyError(139642094028768,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored [Mon Apr 25 00:36:53 2011] [error] Exception KeyError: KeyError(139642094028768,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored [Mon Apr 25 00:36:53 2011] [error] Exception KeyError: KeyError(139642094028768,) in <module 'threading' from '/usr/lib64/python2.6/threading.pyc'> ignored ---------------------------------------------- Probably, those aren't being generated by mod_nss directly in any case. Do you have a mod_wsgi application defined? This is a fairly stock RHEL 6.1. No other apps are defined. Ok, in any case these are python errors so probably unrelated to mod_nss. Ok, I ignored the above errors. Other than that, I noticed no errors in the httpd error_log. As an aside, I tried this: 1. Placed this directive -- 'NSSFIPS on' in /etc/httpd/conf.d/nss.conf 2. Set a password for mod_nss dbs in -- /etc/httpd/alias/ # certutil -W /etc/httpd/alias/ 3. service httpd restart Result: ================================================================== [root@shark alias]# service httpd restart Stopping httpd: [ OK ] Starting httpd: Please enter password for "NSS FIPS 140-2 Certificate DB" token: [ OK ] ================================================================== [root@shark alias]# tail /var/log/httpd/error_log [Fri Apr 29 01:33:22 2011] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Fri Apr 29 01:33:22 2011] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Fri Apr 29 01:33:22 2011] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Fri Apr 29 01:33:22 2011] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Fri Apr 29 01:33:22 2011] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Fri Apr 29 01:33:22 2011] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Fri Apr 29 01:33:22 2011] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Fri Apr 29 01:33:22 2011] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [Fri Apr 29 01:33:22 2011] [warn] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling. [Fri Apr 29 01:33:22 2011] [warn] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling. [root@shark alias]# ================================================================== Also ran 'strsclnt' tool as mentioned by Rob. ################################################## [root@shark alias]# /usr/lib64/nss/unsupported-tools/strsclnt -p 8443 -d /etc/httpd/alias -P 90 shark.lab.eng.pnq.redhat.com -c 10000 -t 100 strsclnt: -- SSL: Server Certificate Validated. . . . strsclnt: -- SSL: Server Certificate Validated. strsclnt: -- SSL: Server Certificate Validated. strsclnt: 1000 cache hits; 9000 cache misses, 0 cache not reusable 0 stateless resumes ################################################## Rob, does this makes sense? Rob confirmed the above is correct on IRC (#secinterop) Turning it to VERIFIED. Version info: =================================== [root@shark ~]# rpm -q mod_nss mod_nss-1.0.8-12.el6.x86_64 [root@shark ~]# =================================== An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0735.html |