• Industry Solutions
    • Managed Service Providers
    • Enterprise Solutions
    • Developers & Startups
    • Healthcare
    • Trading and Financial
      • Chicago Managed Trading Servers
      • Trading and Financial Colocation: Chicago & New Jersey
    • IBM AS/400 and iSeries Users
  • Support
    • Register
    • View Tickets
    • Submit a Ticket
    • Knowledgebase
    • News
  • Steadfast Blog
  • Steadfast Podcasts
  • Contact Us
Home
  • Call Us
  • Call | 888.281.9449
  • Login
  • Search

This form logs you into your management portal account. To access your help desk account, click here and use the form to the right of the news.

  • Cloud Hosting
    • Cloud Hosting
    • Private Cloud
    • Hybrid Cloud
    • Public Cloud
    • Cloud Storage
      • Secure File Share
      • Wasabi Cloud Storage
    • Virtual Data Center Platform
  • Managed Hosting
    • Bare Metal Dedicated Servers
      • Deep Learning GPU Dedicated Servers
      • Linux Dedicated Servers
      • Windows Dedicated Servers
    • Virtual Private Servers
    • Data Center Colocation
      • Managed Colocation
      • Chicago: 350 E Cermak
      • Chicago: 725 S Wells
      • Edison, New Jersey
    • Security & Compliance
      • Managed Firewall
      • SSL VPN
      • DDoS Protection
      • Email Security
  • Backup & Disaster Recovery
    • Backup
    • Disaster Recovery
    • Veeam Backup & Replication
    • Veeam Cloud Connect
    • Wasabi Cloud Storage
  • Why Steadfast
    • Why Steadfast?
    • About Steadfast
      • Our History
      • News and Press
    • Data Centers & Network
      • Our Data Centers
      • Our Network
      • Network Test
      • Peering Policy
    • Customer Stories
    • Service Level Agreement
  • Industry Solutions
    • Managed Service Providers
    • Enterprise Solutions
    • Developers & Startups
    • Healthcare
    • Trading and Financial
      • Chicago Managed Trading Servers
      • Trading and Financial Colocation: Chicago & New Jersey
    • IBM AS/400 and iSeries Users
  • Support
    • Register
    • View Tickets
    • Submit a Ticket
    • Knowledgebase
    • News
  • Steadfast Blog
  • Steadfast Podcasts
  • Contact Us
Close
  • Support Home
  • Register
  • Submit a Ticket
  • Knowledgebase
  • News
 Login Subscribe

Log into the help desk to manage support tickets.

Lost password

Subscribe to general maintenance announcements and advisories.


 
 Knowledgebase
39Steadfast Cloud Platform 3Full Management 38Dedicated Servers & Colocation 4Control Panels 19Other
Search
Knowledgebase: Dedicated Servers & Colocation
CentOS 6 Illegal Instruction TLS Bug
Posted by Kevin Stange, Last modified by Josh Simmons on 14 September 2021 09:02 AM

*****Warning: CentOS 6 is now EOL. As CentOS 6 will no longer receive security and other important updates, it is highly recommended that you upgrade to an actively supported operating system*****

Starting with CentOS 6.8, a newly introduced update to NSS causes certain applications to be unable to connect via TLS using GCM ciphers on virtual machines. This article describes the technical problem and how to apply the solution.

Symptoms and Detection

This issue affects virtual machines in very specific cases.  It can be reproduced with a very simple connection test:

# curl https://google.com --ciphers ecdhe_rsa_aes_128_gcm_sha_256
Illegal instruction (core dumped)

This will cause other applications to crash with similar error messages when they attempt to connect to a TLS server or serve a TLS client using any GCM cipher. You can verify that the issue is caused by misdetected hardware capabilities, by repeating the same command with NSS_DISABLE_HW_GCM=1 set:

# NSS_DISABLE_HW_GCM=1 curl https://google.com --ciphers ecdhe_rsa_aes_128_gcm_sha_256
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

If you use another cipher, there's no problem:

# curl https://google.com --ciphers ecdhe_rsa_aes_128_cbc_sha_256
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

Solution

Red Hat and CentOS fixed this issue in NSS Softokn version 3.14.3-23.3.el6_8.  To apply this fix on a system that is experiencing the bug, try the following command:

NSS_DISABLE_HW_GCM=1 yum -y update nss-softokn nss-softokn-freebl

References

This issue has been reported and discussed in a number of places.

  • Original Chromium Report
  • Mozilla Bug Report Containing Patch
  • Red Hat Bug Report
  • CentOS Bug Report
  • Red Hat Errata Release
(3 vote(s))
Helpful
Not helpful
Comments (0)

I consent to allow Steadfast to process my data and agree to the Acceptable Use and Privacy Policies

  • 312.602.2689
  • ColoHouse Sales
  • Facebook
  • Twitter
  • YouTube
  • LinkedIn

Services

  • Cloud Hosting
  • Managed Hosting
  • Backup & Disaster Recovery

Solutions By Industry

  • Enterprise Solutions
  • Trading & Financial
  • Healthcare
  • Developers & Startups
© 2023 Steadfast
  • Log In
  • Site Map
  • Legal Info & Privacy Policy