Bug 223840

Summary: net/chrony Not working with NSS
Product: Ports & Packages Reporter: OlivierW <olivierw1+bugzilla-freebsd>
Component: Individual Port(s)Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED    
Severity: Affects Only Me CC: freebsd, jcfyecrayz, nbari, yonas
Priority: --- Flags: bugzilla: maintainer-feedback? (yonas)
Version: Latest   
Hardware: Any   
OS: Any   

Description OlivierW 2017-11-24 12:23:56 UTC 
Hello,

A few weeks ago I had Chrony, installed from base, working without any problem.
Since a few days, it doesn't even start, and the problem may comes from NSS enabled by default (cf. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217691 ).

At boot time, in /var/log/messages I have this error:
"(chronyd), uid 849: exited on signal 6"


Here are some commands causing problems:

# chronyd -d
2017-11-24T12:06:37Z chronyd version 3.1 starting (+CMDMON +NTP +REFCLOCK -RTC +PRIVDROP -SCFILTER +SECHASH -SIGND +ASYNCDNS +IPV6 -DEBUG)
Assertion failed: (MD5_hash >= 0), function UTI_IPToRefid, file util.c, line 373.
Abandon

# chronyc keygen 73 SHA1 256
Unknown hash function SHA1

# chronyc keygen 73 MD5 256
Unknown hash function MD5


Now, I have just compiled Chrony without NSS and it starts and works fine. I just can't use the hash functions but I don't need them.

Best Regards,
Olivier
Comment 1 Yonas Yanfa 2017-11-24 17:38:35 UTC 
@John Hein Do you know what might be causing this issue for Olivier?
Comment 2 OlivierW 2017-11-24 18:12:09 UTC 
Looks like the same errors: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217615

But in my case, I need IPv6 and no crypto. Maybe there is a strange incompatibility between the two.
I'll try to rebuild the other way: enabling NSS and disabling IPv6 for testing.
Comment 3 OlivierW 2017-11-24 20:55:32 UTC 
Just tested with NSS and without IPv6, the chrony daemon does start and works.
But the commands mentionned in my first post still doesn't work:

"# chronyc keygen 73 SHA1 256
Unknown hash function SHA1"

Maybe some dependencies are missing for NSS to work properly?
Comment 4 OlivierW 2017-11-24 21:10:07 UTC 
Well, I don't know why "chronyc keygen 73 SHA1 256" doesn't work, but for now I'd like chronyd to work and I may have found something.


The error comes from: https://github.com/mlichvar/chrony/blob/c9f50fc686d93b982cb0ef72b9e140114fccf53b/util.c#L372
        MD5_hash = HSH_GetHashId("MD5");
        assert(MD5_hash >= 0);

And I found in NSS 3.14 release note: "Support for certificate signatures using the MD5 hash algorithm is now disabled by default.": https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.14_release_notes

I'll search how to enable MD5 in NSS and see if that solves the problem. I'll report back later.
Comment 5 OlivierW 2017-11-24 22:05:11 UTC 
I've added "NSS_HASH_ALG_SUPPORT=+MD5" in NSS' Makefile (with the others variables in "MAKE_ENV="), but it didn't solve the problem :-(

I don't know what to search. I'll go back to disable NSS as I don't need it.
Comment 6 nbari 2018-05-06 11:56:53 UTC 
I am having the same issue but when using time.google.com as the servers:


2018-05-06T11:51:41Z chronyd version 3.1 starting (+CMDMON +NTP +REFCLOCK -RTC +PRIVDROP -SCFILTER +SECHASH -SIGND +ASYNCDNS +IPV6 -DEBUG)
2018-05-06T11:51:41Z Frequency 0.090 +/- 0.037 ppm read from /var/db/chrony/drift
Assertion failed: (MD5_hash >= 0), function UTI_IPToRefid, file util.c, line 373.
Abort

with this conf:

server time.google.com
user chronyd
driftfile /var/db/chrony/drift
dumponexit
dumpdir /var/db/chrony
pidfile /var/run/chronyd.pid
stratumweight 0
makestep 1.0 3
logchange 0.5
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
allow
Comment 7 nbari 2018-05-06 12:15:33 UTC 
disabling IPV6 or NSS helps to start chronyd, but having both is not posible
Comment 8 commit-hook freebsd_committer freebsd_triage 2018-05-09 03:02:35 UTC 
A commit references this bug:

Author: tobik
Date: Wed May  9 03:01:59 UTC 2018
New revision: 469426
URL: https://svnweb.freebsd.org/changeset/ports/469426

Log:
  net/chrony: Update to 3.3

  - Add explicit DOCS, EXAMPLES options
  - Replace %%PREFIX%% in sample files
  - Make sure chronyc is really linked with libedit from ports
  - Add support for security/nettle and use it by default since chrony crashes
    on startup when built with NSS. [1]

  PR:		227779, 223840 [1]
  Submitted by:	takefu@airport.fm
  Approved by:	maintainer

Changes:
  head/net/chrony/Makefile
  head/net/chrony/distinfo
Comment 9 commit-hook freebsd_committer freebsd_triage 2020-04-05 21:27:04 UTC 
A commit references this bug:

Author: mandree
Date: Sun Apr  5 21:20:12 UTC 2020
New revision: 530840
URL: https://svnweb.freebsd.org/changeset/ports/530840

Log:
  net/chrony: make NETTLE build robust, improve rc script, re-enable NSS

  Changes by Colin T.:
  * Always require pkgconfig instead of only requiring it for NSS,
    because otherwise chrony does not link reliably to nettle. [1]
  * Add pidfile to rc.d script to stop it from complaining when
    stopping chronyd. [1]
  * Document chronyd_* options in rc.d script. [1]

  Changes by Matthias Andree:
  * Move USES line up to please portlint.
  * Add HTMLDOCS option, to build and install HTML docs. IMPLIES DOCS.
    Needs textproc/asciidoctor (rubygem) as build requisite.
  * Turn CRYPTLIB into a _RADIO to choose at most one from NSS + NETTLE.
  * Under WITH_DEBUG, add --enable-debug to CONFIGURE_ARGS.
  * Remove @ (silent) from Makefile commands.
  * Remove NSS_BROKEN, chrony 3.5 appears to work with NSS. Updates [3].

  PR:		244534 [1]
  PR:		242510 [2]
  PR:		223840 [3]
  Submitted by:	Colin T. <bugzilla@nulldir.e4ward.com> [1]
  Reported by:	Matt Smith <freebsd@xtaz.uk> [2]
  Approved by:	maintainer timeout (yonas@fizk.net, 36 days)

Changes:
  head/net/chrony/Makefile
  head/net/chrony/files/chronyd.in
  head/net/chrony/pkg-plist