Bug 618454 - mod_admserv should only clear NSS caches and shutdown if NSS is initialized
Summary: mod_admserv should only clear NSS caches and shutdown if NSS is initialized
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Admin
Version: 1.2.6
Hardware: All
OS: All
urgent
medium
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
: 555296 (view as bug list)
Depends On:
Blocks: 434915 389_1.2.7
TreeView+ depends on / blocked
 
Reported: 2010-07-26 23:54 UTC by Ulf Weltman
Modified: 2015-12-07 17:12 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 17:12:03 UTC


Attachments (Terms of Use)
fix proposal (1000 bytes, patch)
2010-07-26 23:56 UTC, Ulf Weltman
no flags Details | Diff

Description Ulf Weltman 2010-07-26 23:54:02 UTC
mod_admserv attempts to clear SSL cache without checking if NSS has been initialized which causes an assertion to fail in NSS.

#0  0xc000000000325890:0 in kill+0x30 () from /usr/lib/hpux64/libc.so.1
#1  0xc00000000024a1d0:0 in raise+0x30 () from /usr/lib/hpux64/libc.so.1
#2  0xc0000000002e6f90:0 in abort+0x190 () from /usr/lib/hpux64/libc.so.1
#3  0xc000000000b01520:0 in PR_Assert+0xd0 () from /opt/dirsrv/lib/libnspr4.so
#4  0xc000000000ffb750:0 in initSessionCacheLocksLazily+0x100 ()
   from /opt/dirsrv/lib/libssl3.so
#5  0xc000000000b24e80:0 in PR_CallOnce+0xb0 ()
   from /opt/dirsrv/lib/libnspr4.so
#6  0xc000000000ffb850:0 in ssl_InitSessionCacheLocks+0xa0 ()
   from /opt/dirsrv/lib/libssl3.so
#7  0xc000000000ffb940:0 in lock_cache+0x30 () from /opt/dirsrv/lib/libssl3.so
#8  0xc000000000ffd260:0 in SSL_ClearSessionCache+0x20 ()
   from /opt/dirsrv/lib/libssl3.so
#9  0xc00000000094b200:0 in mod_admserv_unload+0x30 ()
   from /opt/dirsrv/lib/modules/mod_admserv.so
#10 0xc000000000762e50:0 in apr_pool_clear () at memory/unix/apr_pools.c:2063
#11 0x4000000000058320:0 in main () at main.c:695

Comment 1 Ulf Weltman 2010-07-26 23:56:02 UTC
Created attachment 434568 [details]
fix proposal

Comment 2 Rich Megginson 2010-10-01 20:27:45 UTC
This may be the same as https://bugzilla.redhat.com/show_bug.cgi?id=555296

Comment 3 Rich Megginson 2010-10-20 20:45:23 UTC
commit 24fd9c4c1af99b2a3c067b633c26c76bf672fb31
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Wed Oct 20 11:14:24 2010 -0600
    Branch: master
    Fix Description: Check NSS_IsInitialized before clearing caches.  We also do
    an NSS_Shutdown here - with the new NSS fips mode, you cannot load the
    softoken after a fork unless you have first shutdown NSS - Apache loads and
    unloads its modules several times during the startup phase, so we have to
    make sure we completely shutdown NSS when the module is unloaded so that we
    can load it again and start the NSS engine when the module is re-loaded.
    Finally, change ldap_unbind_ext_s to just ldap_unbind_ext - ldap_unbind is
    always asynchronous.
    This should also fix https://bugzilla.redhat.com/show_bug.cgi?id=555296
    Platforms tested: RHEL5 x86_64, Fedora 14 x86_64
    Flag Day: no

Comment 4 Rich Megginson 2010-10-20 20:54:32 UTC
*** Bug 555296 has been marked as a duplicate of this bug. ***

Comment 5 Amita Sharma 2011-05-05 12:23:30 UTC
[root@rheltest etc]# /usr/lib64/dirsrv/modules/mod_admserv.so
Segmentation fault (core dumped)

[05/May/2011:16:01:45 +051800] - slapd shutting down - signaling operation threads
[05/May/2011:16:01:45 +051800] - slapd shutting down - closing down internal subsystems and plugins
[05/May/2011:16:01:45 +051800] - Waiting for 4 database threads to stop
[05/May/2011:16:01:46 +051800] - All database threads now stopped
[05/May/2011:16:01:46 +051800] - slapd stopped.
[05/May/2011:16:01:53 +051800] - 389-Directory/1.2.8.3 B2011.123.1759 starting up
[05/May/2011:16:01:53 +051800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
                                                                                                                                           271,1         Bot

Please guide with steps.

Comment 6 Rich Megginson 2011-05-05 14:36:04 UTC
(In reply to comment #5)
> [root@rheltest etc]# /usr/lib64/dirsrv/modules/mod_admserv.so
> Segmentation fault (core dumped)

Running a shared library directly is not supported.

> 
> [05/May/2011:16:01:45 +051800] - slapd shutting down - signaling operation
> threads
> [05/May/2011:16:01:45 +051800] - slapd shutting down - closing down internal
> subsystems and plugins
> [05/May/2011:16:01:45 +051800] - Waiting for 4 database threads to stop
> [05/May/2011:16:01:46 +051800] - All database threads now stopped
> [05/May/2011:16:01:46 +051800] - slapd stopped.
> [05/May/2011:16:01:53 +051800] - 389-Directory/1.2.8.3 B2011.123.1759 starting
> up
> [05/May/2011:16:01:53 +051800] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
>                                                                                
>                                                            271,1         Bot
> 
> Please guide with steps.

Confirm that you can start, stop, restart, and connect to the admin server using the web interface and the console.  Then, configure admin server to use TLS/SSL and try all of the above again.  The crash usually happens during admin server startup or shutdown.

Comment 7 Amita Sharma 2011-05-10 11:48:40 UTC
When I tried to stop the admin server from the Java Console, it promted back with the below message:
Once the Admin Server is stopped, it can not be started remotly from the console.
Are you sure you want to stop the server? Yes/ No
Clicked yes - Server stopped successfully

then executed /etc/init.d/dirsrv-admin start

then, Configured SSL for Admin-Server
[root@testvm admin-serv]# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Admin-Cert                                                   u,u,u
CA certificate                                               CT,, 

Stopped the Admin server from Java Console

[root@testvm admin-serv]# /etc/init.d/dirsrv-admin status
dirsrv-admin is stopped

Started from Command line

[root@testvm admin-serv]# /etc/init.d/dirsrv-admin start
Starting dirsrv-admin: 
                                                           [  OK  ]
[root@testvm admin-serv]# 

I did not face any server crash here. Hence marking the bug as VERIFIED.


Note You need to log in before you can comment on or make changes to this bug.