Followup-For: Bug #643948 Package: libgcrypt11 Version: 1.5.3-2 On Thu, 2013-05-23 at 20:34 +0200, Arthur de Jong wrote: > Today, for the first time I ran into this problem on my own system. From > the logs:
Again a crash today, from syslog: Nov 30 19:05:09 sorbet nslcd[2307]: version 0.9.1 starting Nov 30 19:05:14 sorbet nslcd[2307]: accepting connections Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt notice: state transition Power-On => Fatal-Error Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt error: invalid state transition Fatal-Error => Fatal-Error Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt terminated the application Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt error: invalid state transition Fatal-Error => Fatal-Error Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt terminated the application Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt error: fatal error in file visibility.c, line 1283, function gcry_create_nonce: called in non-operational state I can't find many more avenues to investigate this, except digging through the code. I would appreciate a few pointers though. So far my system doesn't seem to be in FIPS mode (I certainly didn't consciously configured it that way): $ cat /proc/sys/crypto/fips_enabled 0 $ cat /etc/gcrypt/fips_enabled cat: /etc/gcrypt/fips_enabled: No such file or directory $ grep -r GCRYCTL_FORCE_FIPS_MODE nss-pam-ldapd openldap [nothing] The nslcd process is multi-threaded so there could be a case where multiple threads are started and are initialising gnutls and in turn gcrypt and some race condition is happening. For this I could add some code, as a workaround, to nslcd that would initialise gcrypt before going multi-threaded (however, that would probably cause problems for libldap that probably want to do the same). The difficult bit is that this is not easy to reproduce. This seems to happen once every few months at most and so far only during boot. The only similar issue I could find was this (also without resolution): http://jira.freeswitch.org/browse/FS-3438 Any input on how to move forward with this, test workarounds, gather more information or make this easier to reproduce is appreciated. Thanks, Versions of relevant packages: ii libc6 2.17-97 ii libgssapi-krb5-2 1.11.3+dfsg-3 ii libldap-2.4-2 2.4.31-1+nmu2+b1 ii libgcrypt11 1.5.3-2 ii libgnutls26 2.12.23-8 ii libsasl2-2 2.1.25.dfsg1-17 ii libgpg-error0 1.12-0.2 ii multiarch-support 2.17-97 -- -- arthur - adej...@debian.org - http://people.debian.org/~adejong --
signature.asc
Description: This is a digitally signed message part
