Bug 1342332 - upgrading nss to 3.24 prevents httpd from starting with "SSL Library Error: -8187 Security library: invalid argument"
Status: CLOSED DUPLICATE of bug 1342158
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: 23
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Elio Maldonado Batiz
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-06-03 02:43 UTC by Lonni J Friedman
Modified: 2016-06-04 23:10 UTC
Last Closed: 2016-06-04 23:10:26 UTC
Type: Bug


Links
System: Red Hat Bugzilla
ID: 1342158
Private: 0
Priority: unspecified
Status: CLOSED
Summary: nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
Last Updated: 2021-02-22 00:41:40 UTC

Description Lonni J Friedman 2016-06-03 02:43:25 UTC
Description of problem:
Upgrading nss packages from 3.23 to 3.24 prevents httpd(apache) from starting (when configured for SSL), with the following errors:
NSSProtocol:  SSL/TLS protocol initialization failed
SSL Library Error: -8187 Security library: invalid arguments

Downgrading back to 3.23 allows apache to start again.

Version-Release number of selected component (if applicable):
3.24

How reproducible:
100% of the time

Steps to Reproduce:
1. Configure httpd (apache) with an SSL cert
2. Verify that httpd starts up successfully
3. Upgrade all nss packages (using dnf) from 3.23 to 3.24
4. Attempt to (re)start httpd, and it will fail to start
5. Downgrade nss packages back to 3.23
6. httpd starts successfully

Actual results:
httpd fails to start

Expected results:
httpd starts successfully

Additional info:
These packages do not exhibit the bug:
nss-3.23.0-1.0.fc23.i686.rpm                  nss-softokn-freebl-3.23.0-1.0.fc23.i686.rpm
nss-3.23.0-1.0.fc23.x86_64.rpm                nss-softokn-freebl-3.23.0-1.0.fc23.x86_64.rpm
nss-devel-3.23.0-1.0.fc23.i686.rpm            nss-softokn-freebl-devel-3.23.0-1.0.fc23.i686.rpm
nss-devel-3.23.0-1.0.fc23.x86_64.rpm          nss-softokn-freebl-devel-3.23.0-1.0.fc23.x86_64.rpm
nss-pkcs11-devel-3.23.0-1.0.fc23.i686.rpm     nss-sysinit-3.23.0-1.0.fc23.x86_64.rpm
nss-pkcs11-devel-3.23.0-1.0.fc23.x86_64.rpm   nss-tools-3.23.0-1.0.fc23.x86_64.rpm
nss-softokn-3.23.0-1.0.fc23.i686.rpm          nss-util-3.23.0-1.0.fc23.i686.rpm
nss-softokn-3.23.0-1.0.fc23.x86_64.rpm        nss-util-3.23.0-1.0.fc23.x86_64.rpm
nss-softokn-devel-3.23.0-1.0.fc23.i686.rpm    nss-util-devel-3.23.0-1.0.fc23.i686.rpm
nss-softokn-devel-3.23.0-1.0.fc23.x86_64.rpm  nss-util-devel-3.23.0-1.0.fc23.x86_64.rpm

These packages reproduce the bug:
  nss.i686 3.24.0-1.1.fc23                                                nss.x86_64 3.24.0-1.1.fc23                                       
  nss-devel.x86_64 3.24.0-1.1.fc23                                        nss-softokn.i686 3.24.0-1.0.fc23                                 
  nss-softokn.x86_64 3.24.0-1.0.fc23                                      nss-softokn-devel.x86_64 3.24.0-1.0.fc23                         
  nss-softokn-freebl.i686 3.24.0-1.0.fc23                                 nss-softokn-freebl.x86_64 3.24.0-1.0.fc23                        
  nss-softokn-freebl-devel.x86_64 3.24.0-1.0.fc23                         nss-sysinit.x86_64 3.24.0-1.1.fc23                               
  nss-tools.x86_64 3.24.0-1.1.fc23                                        nss-util.i686 3.24.0-1.0.fc23                                    
  nss-util.x86_64 3.24.0-1.0.fc23                                         nss-util-devel.x86_64 3.24.0-1.0.fc23

This system is running httpd-2.4.18-1.fc23.x86_64

Comment 1 Norman Gaywood 2016-06-04 05:23:46 UTC
I'm seeing this as well. Also affects LDAP connections and so user logins fail.

Two similar systems:

tungir ~ # rpm -q nss
nss-3.23.0-1.0.fc23.x86_64
tungir ~ # ldapsearch -x -ZZZ -LLL uid=ngaywood dn
dn: uid=ngaywood,ou=People,dc=une,dc=edu,dc=au

hopper ~ # rpm -q nss
nss-3.24.0-1.1.fc23.x86_64
hopper ~ # ldapsearch -x -ZZZ -LLL uid=ngaywood dn
ldap_start_tls: Connect error (-11)

Downgrading nss also fixed my problem.

Comment 2 Norman Gaywood 2016-06-04 05:48:45 UTC
It might be fixed in nss-3.24.0-1.2.fc23

http://koji.fedoraproject.org/koji/buildinfo?buildID=770185

Changelog:
* Thu Jun 02 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-1.2
- Allow application requests to disable SSL v2 to succeed
- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails

Comment 3 Norman Gaywood 2016-06-04 05:59:31 UTC
Yes, confirm that nss-3.24.0-1.2.fc23 fixes it for me:

hopper ~ # rpm -q nss
nss-3.24.0-1.1.fc23.x86_64
hopper ~ # ldapsearch -x -ZZZ -LLL uid=ngaywood dn
ldap_start_tls: Connect error (-11)

hopper ~ # dnf --enablerepo=updates-testing update nss
[snip]

hopper ~ # rpm -q nss
nss-3.24.0-1.2.fc23.x86_64

hopper ~ # ldapsearch -x -ZZZ -LLL uid=ngaywood dn
dn: uid=ngaywood,ou=People,dc=une,dc=edu,dc=au

Comment 4 Norman Gaywood 2016-06-04 06:30:59 UTC
duplicate of bug 1342158

Comment 5 Lonni J Friedman 2016-06-04 23:10:26 UTC
confirmed, fixed with "dnf --enablerepo=updates-testing update nss".  thanks @norman!

*** This bug has been marked as a duplicate of bug 1342158 ***

