Description of problem:
Upgrading nss packages from 3.23 to 3.24 prevents httpd (apache) from starting (when configured for SSL), with the following errors:

    NSSProtocol: SSL/TLS protocol initialization failed
    SSL Library Error: -8187 Security library: invalid arguments

Downgrading back to 3.23 allows apache to start again.

Version-Release number of selected component (if applicable):
3.24

How reproducible:
100% of the time

Steps to Reproduce:
1. Configure httpd (apache) with an SSL cert
2. Verify that httpd starts up successfully
3. Upgrade all nss packages (using dnf) from 3.23 to 3.24
4. Attempt to (re)start httpd, and it will fail to start
5. Downgrade nss packages back to 3.23
6. httpd starts successfully

Actual results:
httpd fails to start

Expected results:
httpd starts successfully

Additional info:
These packages do not exhibit the bug:

    nss-3.23.0-1.0.fc23.i686.rpm
    nss-softokn-freebl-3.23.0-1.0.fc23.i686.rpm
    nss-3.23.0-1.0.fc23.x86_64.rpm
    nss-softokn-freebl-3.23.0-1.0.fc23.x86_64.rpm
    nss-devel-3.23.0-1.0.fc23.i686.rpm
    nss-softokn-freebl-devel-3.23.0-1.0.fc23.i686.rpm
    nss-devel-3.23.0-1.0.fc23.x86_64.rpm
    nss-softokn-freebl-devel-3.23.0-1.0.fc23.x86_64.rpm
    nss-pkcs11-devel-3.23.0-1.0.fc23.i686.rpm
    nss-sysinit-3.23.0-1.0.fc23.x86_64.rpm
    nss-pkcs11-devel-3.23.0-1.0.fc23.x86_64.rpm
    nss-tools-3.23.0-1.0.fc23.x86_64.rpm
    nss-softokn-3.23.0-1.0.fc23.i686.rpm
    nss-util-3.23.0-1.0.fc23.i686.rpm
    nss-softokn-3.23.0-1.0.fc23.x86_64.rpm
    nss-util-3.23.0-1.0.fc23.x86_64.rpm
    nss-softokn-devel-3.23.0-1.0.fc23.i686.rpm
    nss-util-devel-3.23.0-1.0.fc23.i686.rpm
    nss-softokn-devel-3.23.0-1.0.fc23.x86_64.rpm
    nss-util-devel-3.23.0-1.0.fc23.x86_64.rpm

These packages reproduce the bug:

    nss.i686                          3.24.0-1.1.fc23
    nss.x86_64                        3.24.0-1.1.fc23
    nss-devel.x86_64                  3.24.0-1.1.fc23
    nss-softokn.i686                  3.24.0-1.0.fc23
    nss-softokn.x86_64                3.24.0-1.0.fc23
    nss-softokn-devel.x86_64          3.24.0-1.0.fc23
    nss-softokn-freebl.i686           3.24.0-1.0.fc23
    nss-softokn-freebl.x86_64         3.24.0-1.0.fc23
    nss-softokn-freebl-devel.x86_64   3.24.0-1.0.fc23
    nss-sysinit.x86_64                3.24.0-1.1.fc23
    nss-tools.x86_64                  3.24.0-1.1.fc23
    nss-util.i686                     3.24.0-1.0.fc23
    nss-util.x86_64                   3.24.0-1.0.fc23
    nss-util-devel.x86_64             3.24.0-1.0.fc23

This system is running httpd-2.4.18-1.fc23.x86_64

I'm seeing this as well. Also affects LDAP connections and so user logins fail. Two similar systems:

    tungir ~ # rpm -q nss
    nss-3.23.0-1.0.fc23.x86_64
    tungir ~ # ldapsearch -x -ZZZ -LLL uid=ngaywood dn
    dn: uid=ngaywood,ou=People,dc=une,dc=edu,dc=au

    hopper ~ # rpm -q nss
    nss-3.24.0-1.1.fc23.x86_64
    hopper ~ # ldapsearch -x -ZZZ -LLL uid=ngaywood dn
    ldap_start_tls: Connect error (-11)

Downgrading nss also fixed my problem.

It might be fixed in nss-3.24.0-1.2.fc23
http://koji.fedoraproject.org/koji/buildinfo?buildID=770185

Changelog
* Thu Jun 02 2016 Elio Maldonado <emaldona> - 3.24.0-1.2
- Allow application requests to disable SSL v2 to succeed
- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails

Yes, confirm that nss-3.24.0-1.2.fc23 fixes it for me:

    hopper ~ # rpm -q nss
    nss-3.24.0-1.1.fc23.x86_64
    hopper ~ # ldapsearch -x -ZZZ -LLL uid=ngaywood dn
    ldap_start_tls: Connect error (-11)
    hopper ~ # dnf --enablerepo=updates-testing update nss
    [snip]
    hopper ~ # rpm -q nss
    nss-3.24.0-1.2.fc23.x86_64
    hopper ~ # ldapsearch -x -ZZZ -LLL uid=ngaywood dn
    dn: uid=ngaywood,ou=People,dc=une,dc=edu,dc=au

duplicate of bug 1342158

confirmed, fixed with "dnf --enablerepo=updates-testing update nss". thanks @norman!

*** This bug has been marked as a duplicate of bug 1342158 ***