[Nut-upsuser] SSL only working in DEBUG mode

Emilien Kia kiae.dev at gmail.com
Fri Mar 20 15:40:12 UTC 2015


Some clarifications:

We are not alone; some projects had a similar problem:
http://bugs.bitlbee.org/bitlbee/ticket/785
And the problem is really coming from NSS initialization. Discussion about
the issue here: http://osdir.com/ml/mozilla.crypto/2002-08/msg00016.html

There is a workaround to use NSS with fork, but it is more about setting a flag to
share some resources (primarily sockets); one must still (re)initialize the NSS
library in all children.

AFAIK, the reason we initialize the NSS library before changing user and forking is to
be able to access and read certificates and keys which are readable only by
root and should not be readable in userland. This behavior exists because
it was the behavior used with OpenSSL. Modifying this behavior
implies modifying the key/certificate storage and access rights policy.

Emilien


2015-03-20 15:12 GMT+01:00 Emilien Kia <kiae.dev at gmail.com>:

> Hello all,
>
> With a really fast lookup, I think it is probably a problem of NSS
> initialization (key loading...) .
> As the problem occurs only when upsd is forked and as NSS is initialized (
> https://github.com/networkupstools/nut/blob/master/server/upsd.c#L1008) before
> upsd daemonizes (
> https://github.com/networkupstools/nut/blob/master/server/upsd.c#L1035),
> I suspect NSS is not fork-safe.
>
> I intend to look more deeply.
>
> Best regards,
>
> Emilien
>
>
> 2015-03-13 13:30 GMT+01:00 Charles Lepple <clepple at gmail.com>:
>
>> On Mar 12, 2015, at 11:55 PM, Melkor Lord <melkor.lord at gmail.com> wrote:
>>
>> >
>> > On Mon, Mar 2, 2015 at 2:39 AM, Charles Lepple <clepple at gmail.com>
>> wrote:
>> >
>> > > I thought start-stop-daemon was involved because it closes
>> stdin/stdout file
>> > > descriptors after exec()'ing the daemon. I tried "--no-close" option
>> to no
>> > > avail. After that, I validated the init script working fine with
>> > > UPSD_OPTIONS="-D" in /etc/nut/nut.conf.
>> >
>> > Not strictly the same as closing the file descriptors, but I tried the
>> > following:
>> >
>> >   /sbin/upsd -D >/dev/null 2>&1 < /dev/null
>> >
>> > And it still worked. So I need to recompile with debugging symbols -
>> > the Ubuntu packages did not have them.
>> >
>> > Sorry to bug you again with this issue but is there any improvement on
>> the matter?
>>
>> No, not yet.
>>
>> Recompiling with debugging symbols did not reveal anything new. We have
>> reached out to the engineer who wrote the NSS code for NUT.
>>
>> --
>> Charles Lepple
>> clepple at gmail
>>
>>
>>
>>
>> _______________________________________________
>> Nut-upsuser mailing list
>> Nut-upsuser at lists.alioth.debian.org
>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/nut-upsuser
>>
>
>
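The ordering Emilien describes in the first message above (key material that is only readable as root, a library whose state is tied to the process that initialized it, and a daemon that changes user and forks), as an added example. This is not NUT's or NSS's code: the library here is a hypothetical stand-in (ex_lib_*) that, like a library that is not fork-safe, only works in the process that initialized it, and the key bytes, the uid/gid 65534 and the helper names are constructed for illustration. It shows that key bytes read into memory while privileged survive both the privilege drop and the fork, while library state does not, so a child must detect the stale state (by comparing pids) and re-initialize before use.

```c
/* Added example, not from NUT or NSS. Demonstrates: read root-only key
 * material while privileged, drop privileges, fork, and re-initialize a
 * non-fork-safe library in the child before using it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical stand-in library: its state is only valid in the process
 * that called ex_lib_init(), mimicking state that does not survive fork(). */
static pid_t ex_lib_owner = 0;

static int ex_lib_init(void) { ex_lib_owner = getpid(); return 0; }

/* 0 if this process initialized the library, -1 if the state is stale. */
static int ex_lib_use(void) { return ex_lib_owner == getpid() ? 0 : -1; }

/* Child-side guard: state inherited from the parent is re-initialized. */
static int ex_lib_ensure_init(void) {
    if (ex_lib_owner != getpid()) return ex_lib_init();
    return 0;
}

/* Key material kept in memory; in a daemon this would be the bytes of a
 * key file that only root may read. Sample bytes are constructed. */
struct keymat { unsigned char data[32]; size_t len; };

static int load_key_privileged(struct keymat *k) {
    memset(k->data, 0x42, sizeof k->data);   /* constructed stand-in for a key file */
    k->len = sizeof k->data;
    return 0;
}

/* Drop to an unprivileged uid/gid; a no-op when already unprivileged. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 0;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Load key -> init library in parent -> drop privileges -> fork.
 * Returns 0 when the child could use the library and still had the key,
 * -1 when the child hit stale library state, -2 on setup failure.
 * reinit_in_child selects whether the child re-initializes first. */
static int run_forked(int reinit_in_child) {
    struct keymat k;
    if (load_key_privileged(&k) != 0) return -2;
    if (ex_lib_init() != 0) return -2;               /* parent-side init */
    if (drop_privileges(65534, 65534) != 0) return -2;  /* 65534: assumed "nobody" */
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        /* Key bytes are inherited intact across the privilege drop and fork. */
        if (k.len != sizeof k.data || k.data[0] != 0x42) _exit(2);
        int rc = 0;
        if (reinit_in_child) rc = ex_lib_ensure_init();
        if (rc == 0) rc = ex_lib_use();
        _exit(rc == 0 ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -2;
    if (!WIFEXITED(status)) return -2;
    switch (WEXITSTATUS(status)) {
    case 0:  return 0;
    case 1:  return -1;
    default: return -2;
    }
}

int main(void) {
    printf("child uses parent-initialized state: %d\n", run_forked(0));
    printf("child re-initializes before use:     %d\n", run_forked(1));
    return 0;
}
```

The pid comparison in ex_lib_ensure_init is the same fork-detection idea some crypto libraries use internally; the point for a daemon like upsd is that the privileged read of the key files and the library's per-process initialization are separate steps and need not happen in the same process.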

