NSS vs OpenSSL
Mark Williams
markhw at vt.edu
Sat Apr 22 00:22:53 CEST 2017
I'm working on a new FRS-3.0.13 config, and started getting errors from raddebug along the lines of "TLS: could not shutdown NSS…". I remembered seeing some comments in the config files which suggested NSS resulted in fiery explosions and potential loss of limbs. A quick Google search on the error messages turned up a few forum posts mentioning the exact messages I was getting, and even a link to some wiki commentary about the problem (and more mention of bad juju).
http://wiki.freeradius.org/modules/Rlm_ldap#errors-with-ldap-over-tls-connections
Printing the shared library dependencies revealed the following:
$ ldd /usr/lib64/libldap* | grep ssl
libssl3.so => /lib64/libssl3.so (0x00007fefd95ea000)
libssl3.so => /lib64/libssl3.so (0x00007f2df88bb000)
libssl3.so => /lib64/libssl3.so (0x00007f3192055000)
libssl3.so => /lib64/libssl3.so (0x00007fd99a617000)
libssl3.so => /lib64/libssl3.so (0x00007f8bb0703000)
libssl3.so => /lib64/libssl3.so (0x00007fb6b917c000)
$ ldd /usr/lib64/libssl3.so
linux-vdso.so.1 => (0x00007fff3abf6000)
libnss3.so => /lib64/libnss3.so (0x00007f25c5a5b000)
--> libnssutil3.so => /lib64/libnssutil3.so (0x00007f25c582e000)
libplc4.so => /lib64/libplc4.so (0x00007f25c5629000)
libplds4.so => /lib64/libplds4.so (0x00007f25c5425000)
libnspr4.so => /lib64/libnspr4.so (0x00007f25c51e6000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f25c4fca000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f25c4dc6000)
libc.so.6 => /lib64/libc.so.6 (0x00007f25c4a04000)
libz.so.1 => /lib64/libz.so.1 (0x00007f25c47ee000)
librt.so.1 => /lib64/librt.so.1 (0x00007f25c45e6000)
/lib64/ld-linux-x86-64.so.2 (0x00007f25c5fd0000)
I could set lifetimes and timeouts for the ldap connections to zero, but that doesn't really solve the problem. I'm still mastering the Linux environment, but I imagine that I could install libldap from source, compile it to use OpenSSL, give it a new prefix, and then have FR use that library without conflicting with the rest of the system? Am I on the correct path here? Has anyone here done something like this?
=======================
Mark Williams
markhw at vt.edu (2A83CAC8)
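The ldd check in the post, turned into a small script, as an added example that is not part of the original message or of FreeRADIUS itself. It classifies a shared library's TLS stack from its `ldd` output (NSS links libssl3.so and libnss3.so, OpenSSL links libssl.so.N and libcrypto.so.N), so the same test can be repeated on a rebuilt libldap before pointing FreeRADIUS at it. The function names, the /usr/lib64/libldap* glob and the two sample ldd outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the post or from the FreeRADIUS project.
# Classify which TLS stack a shared library was linked against by reading
# `ldd` output: NSS appears as libssl3.so / libnss3.so, OpenSSL as
# libssl.so.N / libcrypto.so.N. The sample ldd outputs below are constructed.

# classify_tls_backend: reads ldd output on stdin, prints nss|openssl|both|none
classify_tls_backend() {
    nss=0
    ossl=0
    while IFS= read -r line; do
        case "$line" in
            *libssl3.so*|*libnss3.so*)   nss=1 ;;
            *libssl.so*|*libcrypto.so*)  ossl=1 ;;
        esac
    done
    if [ "$nss" -eq 1 ] && [ "$ossl" -eq 1 ]; then
        echo both
    elif [ "$nss" -eq 1 ]; then
        echo nss
    elif [ "$ossl" -eq 1 ]; then
        echo openssl
    else
        echo none
    fi
}

# check_library: run ldd on a real file and classify it (prints none if ldd fails)
check_library() {
    ldd "$1" 2>/dev/null | classify_tls_backend
}

# Constructed sample: an NSS-linked libldap, modelled on the output in the post.
SAMPLE_NSS='	linux-vdso.so.1 =>  (0x00007fff3abf6000)
	libssl3.so => /lib64/libssl3.so (0x00007f25c5a5b000)
	libnss3.so => /lib64/libnss3.so (0x00007f25c582e000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f25c4a04000)'

# Constructed sample: an OpenSSL-linked libldap.
SAMPLE_OPENSSL='	linux-vdso.so.1 =>  (0x00007ffd1c3f0000)
	libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007f1a2b000000)
	libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x00007f1a2ac00000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1a2a800000)'

# Report on the libldap copies present on this host, if any. The glob path is
# an assumption; adjust it for your distribution (or for the new prefix of a
# rebuilt libldap).
for lib in /usr/lib64/libldap*.so*; do
    [ -e "$lib" ] || continue
    printf '%s: %s\n' "$lib" "$(check_library "$lib")"
done
```

A result of `nss` for the system libldap is the situation described in the post; a result of `both` after a rebuild means the new library still pulls NSS in through some transitive dependency and would not remove the conflict.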