Some clarifications:
we are not alone; some projects have had a similar problem:
http://bugs.bitlbee.org/bitlbee/ticket/785
And the problem is really coming from NSS initialization. Discussion about
the issue here: http://osdir.com/ml/mozilla.crypto/2002-08/msg00016.html
There is a workaround to use NSS with fork, but it is more setting a flag to
share some resources (primarily sockets), but one must (re)initialize the NSS
library on all children.
AFAIK, why we initialize the NSS library before becoming user and forking is to
be able to access and read certificates and keys which are readable only by
root and should not be readable in userland. The behavior is like this because
it was the behavior used when using OpenSSL. Modifying this behavior
implies modifying the key/certificate storage and access rights policy.
Emilien
2015-03-20 15:12 GMT+01:00 Emilien Kia <kiae.dev at gmail.com>:
> Hello all,
>
> With a really quick look, I think it is probably a problem of NSS
> initialization (key loading...).
> As the problem occurs only when upsd is forked, and as NSS is initialized
> (https://github.com/networkupstools/nut/blob/master/server/upsd.c#L1008)
> before upsd daemonizes
> (https://github.com/networkupstools/nut/blob/master/server/upsd.c#L1035),
> I suspect NSS to not be fork-safe.
>
> I intend to look more deeply.
>
> Best regards,
>
> Emilien
>
>
> 2015-03-13 13:30 GMT+01:00 Charles Lepple <clepple at gmail.com>:
>
>> On Mar 12, 2015, at 11:55 PM, Melkor Lord <melkor.lord at gmail.com> wrote:
>>
>> >
>> > On Mon, Mar 2, 2015 at 2:39 AM, Charles Lepple <clepple at gmail.com> wrote:
>> >
>> > > I thought start-stop-daemon was involved because it closes stdin/stdout file
>> > > descriptors after exec()'ing the daemon. I tried "--no-close" option to no
>> > > avail. After that, I validated the init script working fine with
>> > > UPSD_OPTIONS="-D" in /etc/nut/nut.conf.
>> >
>> > Not strictly the same as closing the file descriptors, but I tried the
>> > following:
>> >
>> > /sbin/upsd -D >/dev/null 2>&1 < /dev/null
>> >
>> > And it still worked. So I need to recompile with debugging symbols -
>> > the Ubuntu packages did not have them.
>> >
>> > Sorry to bug you again with this issue but is there any improvement on
>> > the matter?
>>
>> No, not yet.
>>
>> Recompiling with debugging symbols did not reveal anything new. We have
>> reached out to the engineer who wrote the NSS code for NUT.
>>
>> --
>> Charles Lepple
>> clepple at gmail
>
>
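
The ordering problem discussed in this thread, as an added example that is not part of the original messages and is neither NUT nor NSS code: a toy library whose state is bound to the process that initialized it stands in for NSS. The names `toy_init`, `toy_handshake`, `init_then_fork` and `fork_then_reinit` are hypothetical, and the pid check is an assumption used only to model a library that is not fork-safe.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy stand-in for a crypto library that is not fork-safe: its state is
 * bound to the process that initialized it. These are NOT NSS functions. */
static pid_t lib_owner = 0;

static void toy_init(void) { lib_owner = getpid(); }

/* 0 on success, -1 when the library was initialized by another process. */
static int toy_handshake(void) { return lib_owner == getpid() ? 0 : -1; }

/* Fork as a daemon would, optionally re-initialize in the child, and report
 * whether the child's handshake worked: 1 = ok, 0 = failed, -1 = fork/wait error. */
static int child_handshake_ok(int reinit_in_child)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {                       /* child: the daemonized server */
        if (reinit_in_child)
            toy_init();                   /* workaround: init again after fork */
        _exit(toy_handshake() == 0 ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Order described in the thread: initialize first, fork afterwards. */
int init_then_fork(void) { toy_init(); return child_handshake_ok(0); }

/* Workaround order: the parent's init is inherited, the child initializes again. */
int fork_then_reinit(void) { toy_init(); return child_handshake_ok(1); }

int main(void)
{
    printf("init before fork, no re-init: child ok = %d\n", init_then_fork());
    printf("init before fork, re-init in child: child ok = %d\n", fork_then_reinit());
    return 0;
}
```

A child that re-initializes after the privilege drop can only open what the unprivileged user can read, which is the key and certificate access policy question raised in the message above.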