|Summary:||net/chrony Not working with NSS|
|Product:||Ports & Packages||Reporter:||OlivierW <olivierw1+bugzilla-freebsd>|
|Component:||Individual Port(s)||Assignee:||freebsd-ports-bugs (Nobody) <ports-bugs>|
|Severity:||Affects Only Me||CC:||freebsd, jcfyecrayz, nbari, yonas|
Description OlivierW 2017-11-24 12:23:56 UTC
Hello,

A few weeks ago I had Chrony, installed from base, working without any problem. For a few days now, it doesn't even start, and the problem may come from NSS enabled by default (cf. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217691 ).

At boot time, in /var/log/messages I have this error:

"(chronyd), uid 849: exited on signal 6"

Here are some commands causing problems:

# chronyd -d
2017-11-24T12:06:37Z chronyd version 3.1 starting (+CMDMON +NTP +REFCLOCK -RTC +PRIVDROP -SCFILTER +SECHASH -SIGND +ASYNCDNS +IPV6 -DEBUG)
Assertion failed: (MD5_hash >= 0), function UTI_IPToRefid, file util.c, line 373.
Abandon

# chronyc keygen 73 SHA1 256
Unknown hash function SHA1

# chronyc keygen 73 MD5 256
Unknown hash function MD5

Now, I have just compiled Chrony without NSS and it starts and works fine. I just can't use the hash functions but I don't need them.

Best Regards,
Olivier
Comment 1 Yonas Yanfa 2017-11-24 17:38:35 UTC
@John Hein Do you know what might be causing this issue for Olivier?
Comment 2 OlivierW 2017-11-24 18:12:09 UTC
Looks like the same errors: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217615

But in my case, I need IPv6 and no crypto. Maybe there is a strange incompatibility between the two. I'll try to rebuild the other way: enabling NSS and disabling IPv6 for testing.
Comment 3 OlivierW 2017-11-24 20:55:32 UTC
Just tested with NSS and without IPv6, the chrony daemon does start and works. But the commands mentioned in my first post still don't work:

"# chronyc keygen 73 SHA1 256
Unknown hash function SHA1"

Maybe some dependencies are missing for NSS to work properly?
Comment 4 OlivierW 2017-11-24 21:10:07 UTC
Well, I don't know why "chronyc keygen 73 SHA1 256" doesn't work, but for now I'd like chronyd to work and I may have found something.

The error comes from: https://github.com/mlichvar/chrony/blob/c9f50fc686d93b982cb0ef72b9e140114fccf53b/util.c#L372

MD5_hash = HSH_GetHashId("MD5");
assert(MD5_hash >= 0);

And I found in NSS 3.14 release note: "Support for certificate signatures using the MD5 hash algorithm is now disabled by default.": https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.14_release_notes

I'll search how to enable MD5 in NSS and see if that solves the problem. I'll report back later.
Comment 5 OlivierW 2017-11-24 22:05:11 UTC
I've added "NSS_HASH_ALG_SUPPORT=+MD5" in NSS' Makefile (with the other variables in "MAKE_ENV="), but it didn't solve the problem :-(

I don't know what to search. I'll go back to disabling NSS as I don't need it.
Comment 6 nbari 2018-05-06 11:56:53 UTC
I am having the same issue but when using time.google.com as the servers:

2018-05-06T11:51:41Z chronyd version 3.1 starting (+CMDMON +NTP +REFCLOCK -RTC +PRIVDROP -SCFILTER +SECHASH -SIGND +ASYNCDNS +IPV6 -DEBUG)
2018-05-06T11:51:41Z Frequency 0.090 +/- 0.037 ppm read from /var/db/chrony/drift
Assertion failed: (MD5_hash >= 0), function UTI_IPToRefid, file util.c, line 373.
Abort

with this conf:

server time.google.com
user chronyd
driftfile /var/db/chrony/drift
dumponexit
dumpdir /var/db/chrony
pidfile /var/run/chronyd.pid
stratumweight 0
makestep 1.0 3
logchange 0.5
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
allow
Comment 7 nbari 2018-05-06 12:15:33 UTC
Disabling IPV6 or NSS helps to start chronyd, but having both is not possible.
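Why disabling either IPv6 or NSS avoids the abort, as an added example (not chrony's code and not part of the thread): per RFC 5905 an IPv4 source's reference ID is the address itself, while an IPv6 source's is the first four octets of the MD5 hash of the address, so only the IPv6 path needs the hash lookup. `get_hash`, `ip_to_refid`, `startup_check` and the backend sets are hypothetical names modelling that lookup with an error return in place of the assert; the addresses are constructed.

```python
import hashlib
import ipaddress


class HashUnavailable(Exception):
    """The crypto backend does not provide the requested hash."""


def get_hash(name, backend_algorithms):
    # Counterpart of the HSH_GetHashId() lookup quoted in comment 4: a missing
    # algorithm is reported to the caller instead of tripping an assert().
    if name not in backend_algorithms:
        raise HashUnavailable(name)
    return lambda data: hashlib.new(name, data).digest()


def ip_to_refid(addr, backend_algorithms):
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        # IPv4: the 32-bit address is the reference ID, no hash involved.
        return int(ip)
    # IPv6: first four octets of MD5(address), so MD5 must be available.
    md5 = get_hash("md5", backend_algorithms)
    return int.from_bytes(md5(ip.packed)[:4], "big")


def startup_check(sources, backend_algorithms):
    """Return (refids, errors) so a daemon can log and exit cleanly."""
    refids, errors = {}, []
    for addr in sources:
        try:
            refids[addr] = ip_to_refid(addr, backend_algorithms)
        except HashUnavailable as exc:
            errors.append(f"{addr}: backend lacks {exc}, cannot derive IPv6 refid")
    return refids, errors


# Constructed inputs: documentation-range addresses and two model backends.
# The empty set models the build in this report, where both the MD5 and the
# SHA1 lookups came back as unknown.
SOURCES = ["192.0.2.1", "2001:db8::1"]
BACKEND_WITHOUT_HASHES = set()
BACKEND_WITH_MD5 = {"md5", "sha1"}

if __name__ == "__main__":
    for backend in (BACKEND_WITHOUT_HASHES, BACKEND_WITH_MD5):
        refids, errors = startup_check(SOURCES, backend)
        print({a: f"{r:#010x}" for a, r in refids.items()}, errors)
```

With the hash-less backend only the IPv6 source is rejected, which matches the observation that the same build starts once IPv6 is disabled.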
Comment 8 commit-hook 2018-05-09 03:02:35 UTC
A commit references this bug:

Author: tobik
Date: Wed May 9 03:01:59 UTC 2018
New revision: 469426
URL: https://svnweb.freebsd.org/changeset/ports/469426

Log:
net/chrony: Update to 3.3

- Add explicit DOCS, EXAMPLES options
- Replace %%PREFIX%% in sample files
- Make sure chronyc is really linked with libedit from ports
- Add support for security/nettle and use it by default since chrony crashes on startup when built with NSS.

PR: 227779, 223840
Submitted by: email@example.com
Approved by: maintainer

Changes:
head/net/chrony/Makefile
head/net/chrony/distinfo
Comment 9 commit-hook 2020-04-05 21:27:04 UTC
A commit references this bug:

Author: mandree
Date: Sun Apr 5 21:20:12 UTC 2020
New revision: 530840
URL: https://svnweb.freebsd.org/changeset/ports/530840

Log:
net/chrony: make NETTLE build robust, improve rc script, re-enable NSS

Changes by Colin T.:
* Always require pkgconfig instead of only requiring it for NSS, because otherwise chrony does not link reliably to nettle.
* Add pidfile to rc.d script to stop it from complaining when stopping chronyd.
* Document chronyd_* options in rc.d script.

Changes by Matthias Andree:
* Move USES line up to please portlint.
* Add HTMLDOCS option, to build and install HTML docs. IMPLIES DOCS. Needs textproc/asciidoctor (rubygem) as build requisite.
* Turn CRYPTLIB into a _RADIO to choose at most one from NSS + NETTLE.
* Under WITH_DEBUG, add --enable-debug to CONFIGURE_ARGS.
* Remove @ (silent) from Makefile commands.
* Remove NSS_BROKEN, chrony 3.5 appears to work with NSS.

Updates .

PR: 244534
PR: 242510
PR: 223840
Submitted by: Colin T. <firstname.lastname@example.org>
Reported by: Matt Smith <email@example.com>
Approved by: maintainer timeout (firstname.lastname@example.org, 36 days)

Changes:
head/net/chrony/Makefile
head/net/chrony/files/chronyd.in
head/net/chrony/pkg-plist