Thanks for your reply Kaspar, please see my comments inline.
On 01/16/2011 12:16 PM, Kaspar Brand wrote:
> On 14.01.2011 10:24, Bernhard Thalmayr wrote:
>> the 'client' is the OpenSSO web-agent (a lib) used by Apache httpd.
>
> Just to be sure: we're talking of this code here, right?

yes

> http://sources.forgerock.org/browse/openam/trunk/opensso/products/webagents/am/source/connection.cpp?r=HEAD&content=true
>
> Maybe Bob or Nelson can spot a problem when skimming over that code...?
>
> I have another question/thought, however: what version of Apache httpd

Apache httpd 2.2.17

> and what MPM are you using?

Worker MPM is used, but is configured to start multiple processes (default)

> Is it possible that the
> Connection::initialized boolean might not be shared among the httpd
> processes, resulting in multiple (concurrent) NSS initializations?

Would this be a problem? The Agent code has always worked this way for
multi-process servers.

> Also, are "CertDir" and "dbPrefix" set in your configuration?

They are not set.

> If not,
> Connection::initialize() would call NSS_NoDB_Init, which isn't intended
> for SSL operations, from what I understand
> (http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1234224).

Hmm, if this is true then the Agent code should exit and should not call
'NSS_NoDB_Init'. However, how could 911 handshakes be made if this holds
true?

Thanks,
Bernhard

> Kaspar
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
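
Added example (not part of the thread and not the agent's code): a small C program illustrating the question above about whether a flag like Connection::initialized is shared among forked server processes. The names initialize_once and count_child_inits are hypothetical, the flag is assumed to be an ordinary process-local static, and no NSS call is made; the program only counts how often the guarded setup would run.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Stand-in for Connection::initialized (assumed: a plain static flag). */
static int initialized = 0;

/* Stand-in for Connection::initialize(): returns 1 if this call performed
 * the one-time setup (where the library init call would sit), else 0. */
static int initialize_once(void) {
    if (initialized) return 0;
    initialized = 1;
    return 1;
}

/* Fork nprocs children; each calls initialize_once() and reports through a
 * pipe whether it ran the setup. If init_in_parent is non-zero, the parent
 * runs the setup before forking. Returns the number of children that ran
 * the setup themselves, or -1 on error. */
int count_child_inits(int nprocs, int init_in_parent) {
    int fds[2], total = 0;
    char did;
    initialized = 0;                     /* start like a fresh server start */
    if (pipe(fds) != 0) return -1;
    if (init_in_parent) initialize_once();
    for (int i = 0; i < nprocs; i++) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) {                  /* child: private copy of the flag */
            did = (char)initialize_once();
            if (write(fds[1], &did, 1) != 1) _exit(1);
            _exit(0);
        }
    }
    close(fds[1]);
    while (read(fds[0], &did, 1) == 1) total += did;
    close(fds[0]);
    while (wait(NULL) > 0) {}
    return total;
}

int main(void) {
    int after = count_child_inits(4, 0), before = count_child_inits(4, 1);
    printf("flag first set in the children:   %d setups\n", after);
    printf("flag set in parent before fork(): %d setups\n", before);
    return 0;
}
```

When the flag is first set after fork(), every process sees its own copy and runs the setup once; the example does not answer whether that is a problem for NSS, which is the open question in the thread.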