Description of problem:
mod_nss continues to start up even with an invalid protocol parameter for NSSProtocol. For example:

NSSProtocol +TLSv1.2

The above would render the error message below and then mod_nss would continue to start up, supporting all protocols (sslv3->tlsv1.2).

[Wed Oct 26 17:31:34.561906 2016] [:warn] [pid 2085] NSSProtocol: Unknown protocol '+tlsv1.2' not supported

Version-Release number of selected component (if applicable):
mod_nss-1.0.11-6.el7.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. yum install httpd mod_nss
2. sed -i 's/^NSSProtocol.*/NSSProtocol +TLSv1.2/' /etc/httpd/conf.d/nss.conf
3. systemctl restart httpd
4. openssl s_client -connect localhost:8443 -ssl3

Actual results:
All protocols are supported

Expected results:
mod_nss would halt startup of httpd if there is an invalid protocol.
Verified using mod_nss version :: mod_nss-1.0.14-10.el7.x86_64

[root@ipaserver01 ~]# sed -i 's/^NSSProtocol.*/NSSProtocol +TLSv1.2/' /etc/httpd/conf.d/nss.conf
[root@ipaserver01 ~]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@ipaserver01 ~]# tail -1 /var/log/httpd/error_log
[Fri May 26 07:43:24.891331 2017] [:warn] [pid 16254] NSSProtocol: Unknown protocol '+tlsv1.2' not supported
[root@ipaserver01 ~]# rpm -qa mod_nss httpd
mod_nss-1.0.14-10.el7.x86_64
httpd-2.4.6-67.el7.x86_64

Marking BZ as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2009
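Added example, not part of the bug report and not mod_nss code: a pre-restart lint that flags unknown NSSProtocol tokens, so a typo like the one above is caught even on a build that only logs a warning and keeps every protocol enabled. The function names and the accepted-token list (SSLv3, TLSv1, TLSv1.0, TLSv1.1, TLSv1.2, All, case-insensitive, comma-separated) are assumptions; adjust the list to the mod_nss version in use.

```shell
#!/bin/sh
# Assumed allow-list of NSSProtocol tokens; not taken from the bug report.
NSS_OK_TOKENS="sslv3 tlsv1 tlsv1.0 tlsv1.1 tlsv1.2 all"

# Print "line:token" for every NSSProtocol token that is not in the allow-list.
unknown_nssprotocol_tokens() {
    awk -v oklist="$NSS_OK_TOKENS" '
        BEGIN { n = split(oklist, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ { next }                      # skip commented-out directives
        tolower($1) == "nssprotocol" {
            list = ""
            for (i = 2; i <= NF; i++) list = list $i   # tolerate "a, b" spacing
            n = split(list, tok, ",")
            if (n == 0) { print NR ":(empty)"; next }
            for (i = 1; i <= n; i++)
                if (!(tolower(tok[i]) in ok)) print NR ":" tok[i]
        }' "$1"
}

# Return 0 if the file is clean, 1 if any token is unknown, 2 if unreadable.
check_nssprotocol() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 2
    fi
    bad=$(unknown_nssprotocol_tokens "$conf")
    if [ -n "$bad" ]; then
        echo "$conf: unknown NSSProtocol token(s): $bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample input reproducing step 2 of the report.
sample=$(mktemp)
printf 'NSSProtocol +TLSv1.2\n' > "$sample"
check_nssprotocol "$sample" || echo "lint failed: do not restart httpd"
rm -f "$sample"
```

In practice, run check_nssprotocol against /etc/httpd/conf.d/nss.conf and restart httpd only when it returns 0.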