On 17.01.2011 13:38, Bernhard Thalmayr wrote:
> Apache httpd 2.2.17
>
>> and what MPM are you using?
>
> Worker MPM is used, but is configured to start multiple processes (default)
>
> Is it possible that the
>> Connection::initialized boolean might not be shared among the httpd
>> processes, resulting in multiple (concurrent) NSS initializations?
>
> Would this be a problem? The Agent code has always worked this way for
> multi-process servers.

Not sure. But when you say "has always worked this way for multi-process servers", does this mean it worked with previous Apache httpd versions? Did you also try with the prefork MPM (which is the default for the CentOS-bundled version of httpd)?

>> Also, are "CertDir" and "dbPrefix" set in your configuration?
>
> They are not set.
>
> If not,
>> Connection::initialize() would call NSS_NoDB_Init, which isn't intended
>> for SSL operations, from what I understand
>> (http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1234224).
>
>
> Hmm if this is true then the Agent code should exit and should not call
> 'NSS_NoDB_Init'. However how could 911 handshakes be made if this holds
> true?

Well, unless I'm completely misreading the following code, Connection::initialize will proceed with NSS_NoDB_Init if certDir is not set:

>     if (certDir.length() != 0) {
>         Log::log(Log::ALL_MODULES, Log::LOG_DEBUG,
>                  "Connection::initialize() "
>                  "calling NSS_Initialize() with directory = \"%s\" and "
>                  "prefix = \"%s\"", certDir.c_str(), dbPrefix.c_str());
>         nssMethodName = "NSS_Initialize";
>         secStatus = NSS_Initialize(certDir.c_str(), dbPrefix.c_str(),
>                                    dbPrefix.c_str(), "secmod.db",
>                                    NSS_INIT_READONLY|NSS_INIT_FORCEOPEN);
>     } else {
>         Log::log(Log::ALL_MODULES, Log::LOG_DEBUG,
>                  "Connection::initialize() "
>                  "CertDir and dbPrefix EMPTY -- Calling NSS_NoDB_Init");
>         nssMethodName = "NSS_NoDB_Init";
>         secStatus = NSS_NoDB_Init(NULL);
>     }

Kaspar
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
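The question in this message, whether an `initialized` boolean is shared among httpd worker processes, can be checked in isolation. The following is an added example, not code from the Agent or from either poster: it forks workers around a process-local guard flag and counts how many of them run the initialization themselves. The names `initialize_once` and `count_child_inits` are hypothetical, and no NSS function is called.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for a Connection::initialized style flag: ordinary process memory. */
static bool initialized = false;

/* Hypothetical guard: returns 1 if this call performed the init, else 0.
 * A real agent would call NSS_Initialize() or NSS_NoDB_Init() at this point. */
static int initialize_once(void) {
    if (initialized) return 0;
    initialized = true;
    return 1;
}

/* Fork `workers` children, as a multi-process MPM does, and count how many
 * children performed the initialization themselves. With init_in_parent set,
 * the parent initializes before forking. Returns -1 on error. */
int count_child_inits(int workers, bool init_in_parent) {
    int fds[2], total = 0;
    char did;
    initialized = false;
    if (init_in_parent) initialize_once();
    if (pipe(fds) != 0) return -1;
    for (int i = 0; i < workers; i++) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) {                 /* child: private copy of the flag */
            did = (char)initialize_once();
            if (write(fds[1], &did, 1) != 1) _exit(1);
            _exit(0);
        }
    }
    close(fds[1]);
    while (read(fds[0], &did, 1) == 1) total += did;  /* one byte per child */
    close(fds[0]);
    while (wait(NULL) > 0) {}
    return total;
}

int main(void) {
    printf("init after fork:  %d child inits\n", count_child_inits(4, false));
    printf("init before fork: %d child inits\n", count_child_inits(4, true));
    return 0;
}
```

When the guard is first reached after the fork, every worker process initializes once; when the parent initializes first, the children inherit a flag that is already set and skip the call.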