Bug 1342158
| Field | Value |
|---|---|
| Summary | nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails |
| Product | Fedora |
| Component | nss |
| Version | 24 |
| Status | CLOSED ERRATA |
| Reporter | thierry bordaz <tbordaz> |
| Assignee | Elio Maldonado Batiz <emaldona> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | abokovoy, amessina, awilliam, ehaukjaer, emaldona, kdudka, kengert, kevin, netllama, ngaywood, robatino, sgallagh, terjeros, thomas, umar |
| Severity | unspecified |
| Priority | unspecified |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | nss-3.24.0-1.2.fc24, nss-3.24.0-1.2.fc23 nss-3.24.0-1.2.fc24 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2016-06-05 02:54:56 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1342720 |
Description
thierry bordaz
2016-06-02 14:47:49 UTC
DS upstream ticket is https://fedorahosted.org/389/ticket/48866. DS tries to disable sslv2 but the access fails and so initialization of LDAPS drops.

See upstream bug. I think upstream should continue to return success from the options set API when you attempt to disable SSL v2. I hope there will be a patch soon.

Proposed as a Blocker and Freeze Exception for 24-final by Fedora user sgallagh using the blocker tracking app because:

Beta Criterion: "The core functional requirements for all Featured Server Roles must be met, without any workarounds being necessary."

The "Domain Controller" role cannot be deployed if the offending 'nss' package is present on the system.

(In reply to Kai Engert (:kaie) from comment #2)
> See upstream bug. I think upstream should continue to return success from
> the options set API when you attempt to disable SSL v2. I hope there will be
> a patch soon.

Thanks. I think your suggestion on the upstream bug is a sound one. We need to fix nss prior to updating F24, F23, and F22 repositories.

24 is at this point frozen, so there is no possibility the offending nss will go stable unless it itself fixes a blocker or FE bug, which I don't believe it does. So I'd be +1 on this if it were in stable, but as it's in u-t and can't get out, I'm -1.

Firefox 47 requires version 24. httpd server does not start with version 24 unless one removes the /etc/httpd/conf.d/nss.conf file.

The NSS 3.24 package for Fedora could locally carry an upstream patch. It should be a simple patch. If this is urgent, and nobody else is quicker, then I can try to help later today with making the patch.

Upstream patch ready and reviewed, available here:
https://bug1277569.bmoattachments.org/attachment.cgi?id=8759229

Before applying to Fedora, you might want to wait for upstream CI tests to finish, to see if the patch is good.

At least a one-line fix on top is required:
https://bug1277569.bmoattachments.org/attachment.cgi?id=8759238

Created attachment 1164233 [details]
Kai's upstream commits merged and adapted for fedora

Merged https://bug1277569.bmoattachments.org/attachment.cgi?id=8759229 and https://bug1277569.bmoattachments.org/attachment.cgi?id=8759238 and adapted them to the nss-3.24.0 sources as we have them in fedora.

Koji build http://koji.fedoraproject.org/koji/buildinfo?buildID=770185 resolved the issue for FreeIPA.

(In reply to Anthony Messina from comment #11)
> Koji build http://koji.fedoraproject.org/koji/buildinfo?buildID=770185
> resolved the issue for FreeIPA.

The nss-3.24.0-1.2.fc23 Koji build (http://koji.fedoraproject.org/koji/buildinfo?buildID=770185) does resolve the FreeIPA issue at least on x86_64, however, anyone using ldapsearch or PHP's ldap tools on another machine running a previous version of NSS will have their connections hang (after entering the password):

    ldap_start_tls: Connect error (-11)
            additional info: Start TLS request accepted.Server willing to negotiate SSL.
    Enter LDAP Password:

It seems that all systems must be upgraded to the nss-3.24.0-1.2 builds to avoid these failures.

After I upgraded my webserver machine to nss-3.24.0-1.2.fc23, my Apache/PHP ldap operations over TLS no longer failed.

nss-3.24.0-1.2.fc24 nss-softokn-3.24.0-1.0.fc24 nss-util-3.24.0-1.0.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fa807cca6f

nss-3.24.0-1.2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-db48cd10e9

nss-3.24.0-1.2.fc24, nss-softokn-3.24.0-1.0.fc24, nss-util-3.24.0-1.0.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fa807cca6f

Tests of freeipa are successful with nss-3.24.0-1.2.fc24.x86_64

Test on F23 - Freeipa 4.3.1 - DS 1.3.5.4.1

- Freeipa already installed; upgrade nss-3.23 -> nss-3.24.0-1.2.fc24.x86_64; restart DS instance --> nss is correctly initialized, LDAPS working (636)
- Freeipa full install with nss-3.24.0-1.2.fc24.x86_64; installation completes successfully; restart DS instance --> nss is correctly initialized, LDAPS working (636)

nss-3.24.0-1.2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-db48cd10e9

I'm -1 blocker, -1 FE on this (unless some other blocker forces it to be pulled in). This can be addressed with an update and the broken code isn't in the stable branch yet.

Also, I'm very concerned about comment 12. Does it only fail for other versions of 3.24.0 that don't have this fix, or is it literally every version of NSS prior? If it's the latter, this isn't an acceptable fix.

(In reply to Stephen Gallagher from comment #19)
> Also, I'm very concerned about comment 12. Does it only fail for other
> versions of 3.24.0 that don't have this fix, or is it literally every
> version of NSS prior. If it's the latter, this isn't an acceptable fix.

Upstream version 3.24 is the first and only NSS release that contains the bug. All prior versions still supported SSL v2, and didn't fail on the attempt to disable it. With version 3.24, SSL v2 was completely removed, resulting in the new failure when attempting to disable SSL v2. The fix we're backporting from (unreleased) NSS 3.25 ensures that API calls to disable SSL v2 will report success.

Kai: OK, so if I'm reading that right, comment 12 just means that anyone who picked up nss-3.24.0-1.1 will need to be upgraded together (which is a small number, since it never got out of testing, right?) but anyone going straight from 3.23 to 3.24.0-1.2 (or mixing the two) won't have issues.

Oh, hmm... a quick check of Koji says that F23 *did* get the interim change. Which is unfortunate, but I don't think it's fixable.

-1 blocker given it never went into f24 stable. Either the fixed version or 3.25 can be pushed in updates.

(In reply to Stephen Gallagher from comment #19)
> I'm -1 blocker, -1 FE on this (unless some other blocker forces it to be
> pulled in). This can be addressed with an update and the broken code isn't
> in the stable branch yet.
>
> Also, I'm very concerned about comment 12. Does it only fail for other
> versions of 3.24.0 that don't have this fix, or is it literally every
> version of NSS prior. If it's the latter, this isn't an acceptable fix.

My comments in comment 12 are only related to F23. Unfortunately, nss-3.24.0-1.1.fc23 was pushed to F23 stable which is how I encountered the FreeIPA issue. Once I saw the Koji build for nss-3.24.0-1.2.fc23, I installed it on my FreeIPA machines which resolved the issue with FreeIPA not starting. That is when I found that my other machines were unable to do ldapsearch or use Apache/PHP to complete ldap operations against my FreeIPA instances -- they were all still at nss-3.24.0-1.1.fc23. Once I upgraded the rest of my machines to nss-3.24.0-1.2.fc23, things are working properly again.
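The mechanism Kai Engert describes above (SSL v2 code removed in NSS 3.24, so the option-set call that disables it started failing, and the 3.25 change makes that call report success) together with the 389 DS LDAPS initialization failure from the description, as a self-contained C model added here by the editor. It is not NSS or 389 DS code: the `model_nss` struct, the `model_SSL_OptionSetDefault` / `model_SSL_OptionGetDefault` functions, the three `nss_3_*` builds and the `defensive_ldaps_init` caller are all assumptions of the model; only the option numbers and the `SECStatus` values are taken from NSS's public headers. The hardened caller is one caller-side mitigation for this class of failure: it tolerates a failed disable only when the library confirms the protocol is off, and still aborts if TLS cannot be enabled.

```c
#include <stdbool.h>
#include <stdio.h>

/* The enum values mirror NSS's public headers (seccomon.h, ssl.h) so the model
 * reads like real NSS calls; everything else is a self-contained model of the
 * behaviour described in this bug, not NSS or 389 DS code. */
typedef enum { SECFailure = -1, SECSuccess = 0 } SECStatus;
enum { SSL_ENABLE_SSL2 = 7, SSL_ENABLE_SSL3 = 8, SSL_ENABLE_TLS = 9 };

/* Modelled library: which behaviour the installed NSS has, plus the current
 * value of the three protocol toggles. */
typedef struct {
    bool ssl2_removed;   /* true for 3.24 and later: the SSL v2 code is gone */
    bool disable_is_ok;  /* true with the 3.25 fix (Fedora's -1.2 backport) */
    bool ssl2, ssl3, tls;
} model_nss;

/* Model of SSL_OptionSetDefault(), with the three behaviours from the thread:
 *  - up to 3.23:      SSL v2 exists, toggling it succeeds;
 *  - 3.24:            SSL v2 is removed, any request for it fails;
 *  - 3.25 / backport: enabling still fails, disabling reports success. */
SECStatus model_SSL_OptionSetDefault(model_nss *nss, int option, bool on)
{
    switch (option) {
    case SSL_ENABLE_SSL2:
        if (!nss->ssl2_removed) { nss->ssl2 = on; return SECSuccess; }
        if (on) return SECFailure;               /* cannot enable removed code */
        return nss->disable_is_ok ? SECSuccess : SECFailure;
    case SSL_ENABLE_SSL3: nss->ssl3 = on; return SECSuccess;
    case SSL_ENABLE_TLS:  nss->tls = on;  return SECSuccess;
    default:              return SECFailure;     /* unknown option */
    }
}

/* Model of SSL_OptionGetDefault(); a removed protocol reads as off (model
 * assumption, chosen so the hardened caller below can verify its state). */
SECStatus model_SSL_OptionGetDefault(const model_nss *nss, int option, bool *on)
{
    switch (option) {
    case SSL_ENABLE_SSL2: *on = !nss->ssl2_removed && nss->ssl2; return SECSuccess;
    case SSL_ENABLE_SSL3: *on = nss->ssl3; return SECSuccess;
    case SSL_ENABLE_TLS:  *on = nss->tls;  return SECSuccess;
    default:              return SECFailure;
    }
}

/* Caller pattern that broke: any option-set failure aborts LDAPS init, so the
 * listener never comes up against unpatched 3.24. */
bool strict_ldaps_init(model_nss *nss)
{
    return model_SSL_OptionSetDefault(nss, SSL_ENABLE_SSL2, false) == SECSuccess
        && model_SSL_OptionSetDefault(nss, SSL_ENABLE_SSL3, false) == SECSuccess
        && model_SSL_OptionSetDefault(nss, SSL_ENABLE_TLS, true) == SECSuccess;
}

/* Hardened caller: a failure while *disabling* a protocol is tolerated only if
 * the library confirms the protocol is off; failing to enable TLS, or a
 * protocol that stays on, is still fatal. */
static bool disable_protocol(model_nss *nss, int option)
{
    bool on = true;
    if (model_SSL_OptionSetDefault(nss, option, false) == SECSuccess) return true;
    if (model_SSL_OptionGetDefault(nss, option, &on) != SECSuccess) return false;
    return !on;   /* "disable" failed but nothing is enabled: acceptable */
}

bool defensive_ldaps_init(model_nss *nss)
{
    return disable_protocol(nss, SSL_ENABLE_SSL2)
        && disable_protocol(nss, SSL_ENABLE_SSL3)
        && model_SSL_OptionSetDefault(nss, SSL_ENABLE_TLS, true) == SECSuccess;
}

/* Modelled builds; each starts with every protocol the library still has on. */
model_nss nss_3_23(void)           { model_nss n = { false, false, true,  true, true }; return n; }
model_nss nss_3_24_unpatched(void) { model_nss n = { true,  false, false, true, true }; return n; }
model_nss nss_3_24_fixed(void)     { model_nss n = { true,  true,  false, true, true }; return n; }

/* Run one caller against one build; true if LDAPS init completed with SSL v2
 * and SSL v3 off and TLS on. */
bool init_ok(bool defensive, model_nss build)
{
    bool ok = defensive ? defensive_ldaps_init(&build) : strict_ldaps_init(&build);
    bool s2 = true, s3 = true, t = false;
    model_SSL_OptionGetDefault(&build, SSL_ENABLE_SSL2, &s2);
    model_SSL_OptionGetDefault(&build, SSL_ENABLE_SSL3, &s3);
    model_SSL_OptionGetDefault(&build, SSL_ENABLE_TLS, &t);
    return ok && !s2 && !s3 && t;
}

/* True if the build refuses a request to turn SSL v2 back on. */
bool enable_ssl2_rejected(model_nss build)
{
    return model_SSL_OptionSetDefault(&build, SSL_ENABLE_SSL2, true) == SECFailure;
}

int main(void)
{
    const char *names[] = { "3.23", "3.24 unpatched", "3.24 with fix" };
    model_nss builds[] = { nss_3_23(), nss_3_24_unpatched(), nss_3_24_fixed() };
    for (int i = 0; i < 3; i++)
        printf("%-15s strict init: %-4s  defensive init: %s\n", names[i],
               init_ok(false, builds[i]) ? "ok" : "FAIL",
               init_ok(true, builds[i]) ? "ok" : "FAIL");
    return 0;
}
```

Run stand-alone, the table shows the strict caller failing only against the unpatched 3.24 model, which is the outage described in this bug; the defensive caller succeeds against all three while still refusing to run with a protocol that cannot be turned off or with TLS disabled. Both models also reject an attempt to re-enable SSL v2 once the code is gone, which is the behaviour the 3.25 change keeps.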
The F24 update has been edited, so there's now zero possibility of the affected build reaching stable, so I'm un-proposing this as an F24 blocker. The fact that it reached stable for F23 is unfortunate but nothing to do with the F24 blocker process.

*** Bug 1342734 has been marked as a duplicate of this bug. ***

*** Bug 1342332 has been marked as a duplicate of this bug. ***

nss-3.24.0-1.2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

*** Bug 1341981 has been marked as a duplicate of this bug. ***

nss-3.24.0-1.2.fc24, nss-softokn-3.24.0-1.0.fc24, nss-util-3.24.0-1.0.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

*** Bug 1342745 has been marked as a duplicate of this bug. ***