View Issue Details

IDProjectCategoryView StatusLast Update
0012937CentOS-7nsspublic2017-03-23 22:46
Status newResolutionopen 
PlatformCentOS7OSCentOS7OS Version3.10.0-514.6.1.e
Product Version7.3.1611 
Target VersionFixed in Version 
Summary0012937: nss upgrade crashes php processes which curl with ssl
DescriptionOn a system running one of these kernels:

The NSS package released yesterday (nss-3.28.2-1.6.el7_3.x86_64) causes SSL errors on systems that haven't rebooted with newer kernels.
Steps To ReproduceTest program in a web accessible directory:
$ cat /var/www/apps/www/test2.php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "");
$result = curl_exec($ch);

$ curl -k -v https://localhost/test2.php
* About to connect() to localhost port 443 (#0)
* Trying
* Connected to localhost ( port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject:,OU=Web Services Group,O=Carleton College,STREET=1 North College St.,L=Northfield,ST=MN,postalCode=55057,C=US
* start date: Oct 19 00:00:00 2016 GMT
* expire date: Oct 19 23:59:59 2019 GMT
* common name:
* issuer: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US
> GET /test2.php HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost
> Accept: */*
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server

$ php -v
Cannot load Xdebug - extension already loaded
PHP 5.6.30 (cli) (built: Jan 19 2017 10:06:57)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Xdebug v2.5.0, Copyright (c) 2002-2016, by Derick Rethans
Additional InformationI rebooted one system with an older kernel, and it loaded with 3.10.0-514.10.2.el7.x86_64
and the issue went away, without downgrading the nss packages.
TagsNo tags attached.




2017-03-09 16:02

reporter   ~0028811

I thought I tried restarting httpd first, and it didn't work. Revisiting this approach after our production service was fixed, a full httpd restart resolves the issue following nss updates, too.


2017-03-10 04:21

reporter   ~0028820

PHP supplied with CentOS 7 is PHP 5.4.16, not PHP 5.6.30 .
Did you compile PHP yourself? Or 3rd party PHP.rpm?

If you just "reload"ed the httpd, it may won't pick wo the updated *.so
and may behave weird. You needed, as you wrote, full restart.
Maybe old *.so were lurking in the memory.


2017-03-10 12:29

reporter   ~0028823

[SOLVED] I had the same problem after yum-cron updated my system yesterday. TrevorH from the forum suggested an apache reboot, which fixed the problem. For details, see

Maybe it's a bug that a reboot is needed, but at least there is a workaround to the basic problem WITHOUT downgrading.

Issue History

Date Modified Username Field Change
2017-03-09 15:41 laupow New Issue
2017-03-09 16:02 laupow Note Added: 0028811
2017-03-10 04:21 kabe Note Added: 0028820
2017-03-10 12:29 EdIcon Note Added: 0028823