Bug 444348 - mod_nss fails to process any request
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: mod_nss
Version: rawhide
Hardware: All Linux
Priority: urgent Severity: urgent
Assigned To: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-04-27 11:17 EDT by Rob Crittenden
Modified: 2008-05-01 08:52 EDT
Doc Type: Bug Fix
Last Closed: 2008-05-01 08:52:15 EDT

Attachments
initial progress (20.65 KB, patch)
2008-04-27 12:19 EDT, Rob Crittenden
Proposed final patch (20.41 KB, patch)
2008-04-28 09:29 EDT, Rob Crittenden
final patch (21.49 KB, patch)
2008-04-28 12:29 EDT, Rob Crittenden

Description Rob Crittenden 2008-04-27 11:17:35 EDT
Description of problem:

Every request to mod_nss fails with the error:
[Fri Apr 25 17:48:09 2008] [error] SSL Library Error: -12215 MD5 digest function failed

Version-Release number of selected component (if applicable):

mod_nss-1.0.7-3.fc9
nss-3.11.99.5-2.fc9
Comment 1 Rob Crittenden 2008-04-27 11:19:55 EDT
The NSS team tells me that I need to make sure I do an NSS_Shutdown and Init in
each new fork(). It is a newly enforced provision in the NSS softokn but has
long been a requirement of PKCS#11 (new init required after a fork). Hardware
tokens would already be requiring this.
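
The fork rule described in Comment 1, as an added example that is not part of the original bug report and is not NSS or mod_nss code: a constructed toy token that records the PID that initialized it and refuses use from any other process, so a prefork worker only succeeds after its own shutdown and init. The `tok_*` functions and `worker_result` are hypothetical names, and the PID check is an assumption used to model the enforcement, not the softoken implementation.

```c
/* Added example: constructed toy token, not NSS or mod_nss code. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* PID that initialized the token; 0 means "not initialized". */
static pid_t init_pid = 0;

/* Hypothetical token API. Assumption: the token is bound to one process. */
int tok_init(void)     { init_pid = getpid(); return 0; }
int tok_shutdown(void) { init_pid = 0; return 0; }

/* Any operation from a process that did not run tok_init() is refused. */
int tok_digest(const char *s, unsigned *out) {
    unsigned h = 5381;
    if (init_pid != getpid())
        return -1;                 /* state was inherited across fork() */
    while (*s)
        h = h * 33 + (unsigned char)*s++;
    *out = h;
    return 0;
}

/* Fork one worker, as a prefork server does. Returns the worker's exit
 * code: 0 = digest succeeded, 1 = digest refused, 2 = re-init failed. */
int worker_result(int reinit_in_child) {
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        unsigned h;
        if (reinit_in_child && (tok_shutdown() != 0 || tok_init() != 0))
            _exit(2);
        _exit(tok_digest("request", &h) == 0 ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    tok_init();                    /* parent initializes once at startup */
    printf("child without re-init: %d\n", worker_result(0));
    printf("child with re-init:    %d\n", worker_result(1));
    return tok_shutdown();
}
```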
Comment 2 Rob Crittenden 2008-04-27 12:19:50 EDT
Created attachment 303918 [details]
initial progress

I'm attaching my initial progress in case anyone else wants to look at this.

I have the server basically working using both the threaded and forked mpm but
have one error in each.

On the forked side every time a child exits NSS_Shutdown() is failing. If the
SSL cache is not enabled then it will shut down just fine. Still investigating
this. To see this error you need to either set MaxRequestsPerChild lower or run
ab: ab -f TLS1 -n 5000 -c 40 https://localhost/

On the threaded side an NSS_Shutdown() error is thrown in nss_init_ModuleKill()
because we really don't need to call it there. I've left it there for now.
Comment 3 Rob Crittenden 2008-04-28 09:29:55 EDT
Created attachment 303971 [details]
Proposed final patch

This patch works well for me with both threaded and forked mpms and doesn't
leak memory as far as I can tell.

I used the NSS strsclnt tool on it to check for leaks and general crashy-ness
and it looks ok.
Comment 4 Rob Crittenden 2008-04-28 12:29:40 EDT
Created attachment 304004 [details]
final patch

This is the final patch that was committed.

I needed to change the way init was done a little so that we could exit
gracefully if an NSS call failed (and prevent an ugly loop).

I also updated the .spec to change the location of libnssckbi.so from
/usr/lib[64] to /lib/[64].

And since NSS_Initialize() needs to be called after root has dropped privs,
Apache needs to be able to read the NSS cert and key databases, so I added a
%post script to ensure that the apache group has read access. This will fix new
and updated installations.
Comment 5 W. Michael Petullo 2008-05-01 05:22:27 EDT
I just tried httpd-2.2.8-3.ppc. This version seems to fix this problem on
PowerPC. Bug #439829 documents a similar problem fixed in another package.
