2017-12-12 10:08 UTC

ID: 0012937
Project: CentOS-7
Category: nss
View Status: public
Last Update: 2017-03-23 22:46
Platform: CentOS7
OS: CentOS7
OS Version: 3.10.0-514.6.1.e
Product Version: 7.3.1611
Target Version:
Fixed in Version:
Summary: 0012937: nss upgrade crashes php processes which curl with ssl
Description: On a system running one of these kernels:

The NSS package released yesterday (nss-3.28.2-1.6.el7_3.x86_64) causes SSL errors on systems that haven't rebooted with newer kernels.
Steps To Reproduce: Test program in a web accessible directory:
$ cat /var/www/apps/www/test2.php
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://www.google.com");
$result = curl_exec($ch);

$ curl -k -v https://localhost/test2.php
* About to connect() to localhost port 443 (#0)
* Trying
* Connected to localhost ( port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=wsgdev01.its.carleton.edu,OU=Web Services Group,O=Carleton College,STREET=1 North College St.,L=Northfield,ST=MN,postalCode=55057,C=US
* start date: Oct 19 00:00:00 2016 GMT
* expire date: Oct 19 23:59:59 2019 GMT
* common name: wsgdev01.its.carleton.edu
* issuer: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US
> GET /test2.php HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost
> Accept: */*
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server

$ php -v
Cannot load Xdebug - extension already loaded
PHP 5.6.30 (cli) (built: Jan 19 2017 10:06:57)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Xdebug v2.5.0, Copyright (c) 2002-2016, by Derick Rethans
Additional Information: I rebooted one system with an older kernel, and it loaded with 3.10.0-514.10.2.el7.x86_64
and the issue went away, without downgrading the nss packages.

laupow (reporter)

I thought I tried restarting httpd first, and it didn't work. Revisiting this approach after our production service was fixed, a full httpd restart resolves the issue following nss updates, too.


kabe (reporter)

PHP supplied with CentOS 7 is PHP 5.4.16, not PHP 5.6.30.
Did you compile PHP yourself? Or 3rd party PHP.rpm?

If you just "reload"ed the httpd, it may not pick up the updated *.so
and may behave weirdly. You needed, as you wrote, a full restart.
Maybe old *.so were lurking in memory.


EdIcon (reporter)

[SOLVED] I had the same problem after yum-cron updated my system yesterday. TrevorH from the forum suggested an apache reboot, which fixed the problem. For details, see https://www.centos.org/forums/viewtopic.php?f=47&t=61677&p=260112#p260112

Maybe it's a bug that a reboot is needed, but at least there is a workaround to the basic problem WITHOUT downgrading.
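
The notes above suggest that httpd kept the pre-update NSS libraries mapped until it was fully restarted. On Linux a mapped file whose on-disk copy has been replaced is listed in /proc/<pid>/maps with a "(deleted)" suffix, so that condition can be checked directly. The script below is an added example, not part of the original report; the function names, the sample maps text and the library name pattern are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes still mapping a shared library whose on-disk
# file was replaced after the process started (e.g. by a package update).

# stale_libs [REGEX]: read /proc/<pid>/maps-format text on stdin and print
# each distinct *.so path marked "(deleted)"; REGEX (ERE) narrows the paths.
stale_libs() {
    awk -v pat="${1:-.}" '
        $NF == "(deleted)" && $(NF-1) ~ /\.so(\.[0-9.]+)?$/ && $(NF-1) ~ pat {
            if (!seen[$(NF-1)]++) print $(NF-1)
        }'
}

# scan_proc [REGEX]: print "pid<TAB>command<TAB>library" for every live
# process with a stale mapping. Run as root to see other users' processes.
scan_proc() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        libs=$(stale_libs "$1" < "$maps" 2>/dev/null) || continue
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || comm='?'
        printf '%s\n' "$libs" | while IFS= read -r lib; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Constructed sample of one process's maps file (not taken from the report).
sample_maps() {
    cat <<'EOF'
7f1c2a000000-7f1c2a12d000 r-xp 00000000 fd:00 1311 /usr/lib64/libnss3.so (deleted)
7f1c2a12d000-7f1c2a32c000 ---p 0012d000 fd:00 1311 /usr/lib64/libnss3.so (deleted)
7f1c2b000000-7f1c2b04f000 r-xp 00000000 fd:00 1312 /usr/lib64/libssl3.so (deleted)
7f1c2c000000-7f1c2c066000 r-xp 00000000 fd:00 2201 /usr/lib64/libcurl.so.4.3.0
7f1c2d000000-7f1c2d001000 rw-s 00000000 00:04 9001 /dev/zero (deleted)
7ffd3e5d2000-7ffd3e5f3000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Demo on the constructed sample; on a live host run instead:
#   scan_proc 'lib(nss|ssl|smime|softokn|nspr)'
sample_maps | stale_libs 'lib(nss|ssl)'
```

Any httpd process listed by scan_proc after an nss update is still executing the old library code and needs a full restart, not a reload, to pick up the new files.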

Issue History
Date Modified Username Field Change
2017-03-09 15:41 laupow New Issue
2017-03-09 16:02 laupow Note Added: 0028811
2017-03-10 04:21 kabe Note Added: 0028820
2017-03-10 12:29 EdIcon Note Added: 0028823