View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0012937||CentOS-7||nss||public||2017-03-09 15:41||2017-03-23 22:46|
|Target Version||Fixed in Version|
|Summary||0012937: nss upgrade crashes php processes which curl with ssl|
|Description||On a system running one of these kernels:|
The NSS package released yesterday (nss-3.28.2-1.6.el7_3.x86_64) causes SSL errors on systems that haven't rebooted with newer kernels.
|Steps To Reproduce||Test program in a web accessible directory:|
$ cat /var/www/apps/www/test2.php
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://www.google.com");
$result = curl_exec($ch);
$ curl -k -v https://localhost/test2.php
* About to connect() to localhost port 443 (#0)
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=wsgdev01.its.carleton.edu,OU=Web Services Group,O=Carleton College,STREET=1 North College St.,L=Northfield,ST=MN,postalCode=55057,C=US
* start date: Oct 19 00:00:00 2016 GMT
* expire date: Oct 19 23:59:59 2019 GMT
* common name: wsgdev01.its.carleton.edu
* issuer: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US
> GET /test2.php HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost
> Accept: */*
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server
$ php -v
Cannot load Xdebug - extension already loaded
PHP 5.6.30 (cli) (built: Jan 19 2017 10:06:57)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
with Xdebug v2.5.0, Copyright (c) 2002-2016, by Derick Rethans
|Additional Information||I rebooted one system with an older kernel, and it loaded with 3.10.0-514.10.2.el7.x86_64|
and the issue went away, without downgrading the nss packages.
|Tags||No tags attached.|
|I thought I tried restarting httpd first, and it didn't work. Revisiting this approach after our production service was fixed, a full httpd restart resolves the issue following nss updates, too.|
PHP supplied with CentOS 7 is PHP 5.4.16, not PHP 5.6.30.
Did you compile PHP yourself? Or 3rd party PHP.rpm?
If you just "reload"ed the httpd, it may not pick up the updated *.so
and may behave weirdly. You needed, as you wrote, a full restart.
Maybe old *.so were lurking in the memory.
[SOLVED] I had the same problem after yum-cron updated my system yesterday. TrevorH from the forum suggested an apache reboot, which fixed the problem. For details, see https://www.centos.org/forums/viewtopic.php?f=47&t=61677&p=260112#p260112
Maybe it's a bug that a reboot is needed, but at least there is a workaround to the basic problem WITHOUT downgrading.
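
The comments above point to httpd still having the pre-update libraries mapped until a full restart. One way to check for that after a package update is to look for executable shared-object mappings marked "(deleted)" in /proc/<pid>/maps. This is an added example, not part of the original report or comments; the function names and the sample maps lines are constructed for illustration.

```python
"""List processes that still map shared libraries that were replaced on disk."""
import os
import re

# /proc/<pid>/maps fields: address perms offset dev inode pathname
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s+(.*)$")
DELETED = " (deleted)"

def stale_libraries(maps_text, name_filter=""):
    """Return sorted paths of executable .so mappings whose file was unlinked."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or "x" not in m.group(1) or not m.group(2).endswith(DELETED):
            continue
        path = m.group(2)[:-len(DELETED)]
        # Keep only shared objects (libfoo.so, libfoo.so.1.2); skips SysV shm etc.
        if re.search(r"\.so(\.[0-9.]+)?$", path) and name_filter in os.path.basename(path):
            stale.add(path)
    return sorted(stale)

def scan(proc_root="/proc", name_filter=""):
    """Map pid -> (command name, stale libraries) for every readable process."""
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "maps")) as f:
                libs = stale_libraries(f.read(), name_filter)
            with open(os.path.join(proc_root, pid, "comm")) as f:
                comm = f.read().strip()
        except OSError:  # process exited, or we may not read its entries
            continue
        if libs:
            report[int(pid)] = (comm, libs)
    return report

# Constructed sample: an httpd worker after an update replaced libnss3.so
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c12f000 r-xp 00000000 fd:00 393231 /usr/lib64/libnss3.so (deleted)
7f3a1c12f000-7f3a1c32e000 ---p 0012f000 fd:00 393231 /usr/lib64/libnss3.so (deleted)
7f3a1d000000-7f3a1d067000 r-xp 00000000 fd:00 393377 /usr/lib64/libcurl.so.4.3.0
7f3a1e000000-7f3a1e001000 rw-s 00000000 00:04 32769 /SYSV00000000 (deleted)
"""

if __name__ == "__main__":
    for pid, (comm, libs) in sorted(scan(name_filter="nss").items()):
        print(f"{pid} {comm}: restart needed, still maps {', '.join(libs)}")
```

Run it as root so that other users' /proc entries are readable; any process it lists is still running code from the old library files.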