Bug 1342158 - nss-3.24 no longer supports SSL v2; installation of IPA fails because nss init fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: 24
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Elio Maldonado Batiz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1341981 1342332 1342734 1342745
Depends On:
Blocks: 1342720
 
Reported: 2016-06-02 14:47 UTC by thierry bordaz
Modified: 2020-09-13 21:45 UTC (History)
CC: 15 users

Fixed In Version: nss-3.24.0-1.2.fc24, nss-3.24.0-1.2.fc23
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-05 02:54:56 UTC
Type: Bug
Embargoed:


Attachments
Kai's upstream commits merged and adapted for fedora (3.26 KB, patch)
2016-06-02 21:22 UTC, Elio Maldonado Batiz


Links
GitHub 389ds/389-ds-base issue 1926 (closed): DS fails to start secure port with nss-3.24
Mozilla Foundation bug 1277569 (RESOLVED): For compatibility reasons, application attempts to disable the SSL v2 protocol should continue to work.
Red Hat Bugzilla 1033024

Internal Links: 1033024 1342332

Description thierry bordaz 2016-06-02 14:47:49 UTC
Description of problem:

 Installation of freeipa-server enables LDAPS (port 636), but on restart there is a failure to initialize nss and the server does not listen on LDAPS

[02/Jun/2016:16:12:32.480224437 +0200] SSL alert: Security Initialization: Failed to disable SSLv2 on the imported socket (Netscape Portable Runtime error -8187 - security library: invalid arguments.)
[02/Jun/2016:16:12:32.485622120 +0200] ERROR: SSL2 Initialization Failed.  Disabling SSL2.

DS LDAPS does not work, so IPA is not working

It works with nss-3.23


Version-Release number of selected component (if applicable):
nss-3.24.0-1.1.fc24.x86_64


How reproducible:
On F24, update nss to install nss 3.24
Install freeipa-server.
The failure is in the PKI component, which tries to access DS through LDAPS, which has been disabled because of the nss init failure.



Actual results:
freeipa install fails
netstat -ntulp | grep 636 --> no result

Expected results:
freeipa install should succeed
netstat -ntulp | grep 636 --> should show the ns-slapd process

Additional info:

Comment 1 thierry bordaz 2016-06-02 14:49:50 UTC
DS upstream ticket is https://fedorahosted.org/389/ticket/48866.
DS tries to disable SSLv2, but the access fails and so the initialization of LDAPS is dropped

Comment 2 Kai Engert (:kaie) (inactive account) 2016-06-02 14:54:47 UTC
See upstream bug. I think upstream should continue to return success from the options set API when you attempt to disable SSL v2. I hope there will be a patch soon.

Comment 3 Fedora Blocker Bugs Application 2016-06-02 14:57:44 UTC
Proposed as a Blocker and Freeze Exception for 24-final by Fedora user sgallagh using the blocker tracking app because:

 Beta Criterion:
"The core functional requirements for all Featured Server Roles must be met, without any workarounds being necessary."

The "Domain Controller" role cannot be deployed if the offending 'nss' package is present on the system.

Comment 4 Alexander Bokovoy 2016-06-02 15:01:28 UTC
(In reply to Kai Engert (:kaie) from comment #2)
> See upstream bug. I think upstream should continue to return success from
> the options set API when you attempt to disable SSL v2. I hope there will be
> a patch soon.

Thanks. I think your suggestion on the upstream bug is a sound one. 
We need to fix nss prior to updating F24, F23, and F22 repositories.

Comment 5 Adam Williamson 2016-06-02 15:34:37 UTC
24 is at this point frozen, so there is no possibility the offending nss will go stable unless it itself fixes a blocker or FE bug, which I don't believe it does. So I'd be +1 on this if it were in stable, but as it's in u-t and can't get out, I'm -1.

Comment 6 Sammy 2016-06-02 15:50:20 UTC
Firefox 47 requires version 24. httpd server does not start with version 24
unless one removes /etc/httpd/conf.d/nss.conf file.

Comment 7 Kai Engert (:kaie) (inactive account) 2016-06-02 16:17:15 UTC
The NSS 3.24 package for Fedora could locally carry an upstream patch. It should be a simple patch. If this is urgent, and nobody else is quicker, then I can try to help later today with making the patch.

Comment 8 Kai Engert (:kaie) (inactive account) 2016-06-02 17:22:48 UTC
Upstream patch ready and reviewed, available here:

Before applying to Fedora, you might want to wait for upstream CI tests to finish, to see if the patch is good.

https://bug1277569.bmoattachments.org/attachment.cgi?id=8759229

Comment 9 Kai Engert (:kaie) (inactive account) 2016-06-02 17:39:28 UTC
At least a one-line fix on top is required:
https://bug1277569.bmoattachments.org/attachment.cgi?id=8759238

Comment 10 Elio Maldonado Batiz 2016-06-02 21:22:26 UTC
Created attachment 1164233 [details]
Kai's upstream commits merged and adapted for fedora

Merged https://bug1277569.bmoattachments.org/attachment.cgi?id=8759229
and https://bug1277569.bmoattachments.org/attachment.cgi?id=8759238
and adapted them to the nss-3.24.0 sources as we have them in fedora.

Comment 11 Anthony Messina 2016-06-03 00:38:01 UTC
Koji build http://koji.fedoraproject.org/koji/buildinfo?buildID=770185 resolved the issue for FreeIPA.

Comment 12 Anthony Messina 2016-06-03 01:42:39 UTC
(In reply to Anthony Messina from comment #11)
> Koji build http://koji.fedoraproject.org/koji/buildinfo?buildID=770185
> resolved the issue for FreeIPA.

The nss-3.24.0-1.2.fc23 Koji build (http://koji.fedoraproject.org/koji/buildinfo?buildID=770185) does resolve the FreeIPA issue at least on x86_64, however, anyone using ldapsearch or PHP's ldap tools on another machine running a previous version of NSS will have their connections hang (after entering the password):

ldap_start_tls: Connect error (-11)
    additional info: Start TLS request accepted.Server willing to negotiate SSL.
Enter LDAP Password:

It seems that all systems must be upgraded to the nss-3.24.0-1.2 builds to avoid these failures.  After I upgrade my webserver machine to nss-3.24.0-1.2.fc23, my Apache/PHP ldap operations over TLS no longer failed.

Comment 13 Fedora Update System 2016-06-03 02:39:39 UTC
nss-3.24.0-1.2.fc24 nss-softokn-3.24.0-1.0.fc24 nss-util-3.24.0-1.0.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fa807cca6f

Comment 14 Fedora Update System 2016-06-03 02:39:50 UTC
nss-3.24.0-1.2.fc24 nss-softokn-3.24.0-1.0.fc24 nss-util-3.24.0-1.0.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fa807cca6f

Comment 15 Fedora Update System 2016-06-03 02:49:08 UTC
nss-3.24.0-1.2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-db48cd10e9

Comment 16 Fedora Update System 2016-06-03 09:28:01 UTC
nss-3.24.0-1.2.fc24, nss-softokn-3.24.0-1.0.fc24, nss-util-3.24.0-1.0.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fa807cca6f

Comment 17 thierry bordaz 2016-06-03 09:54:37 UTC
Tests of freeipa are successful with nss-3.24.0-1.2.fc24.x86_64

Test on F23 - Freeipa 4.3.1 - DS 1.3.5.4.1

Freeipa already installed
upgrade nss-3.23->nss-3.24.0-1.2.fc24.x86_64
restart DS instance
--> nss is correctly initialized, LDAPS working (636)

Freeipa full install
with nss-3.24.0-1.2.fc24.x86_64
Installation complete successfully
restart DS instance
--> nss is correctly initialized, LDAPS working (636)

Comment 18 Fedora Update System 2016-06-03 16:27:03 UTC
nss-3.24.0-1.2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-db48cd10e9

Comment 19 Stephen Gallagher 2016-06-03 20:01:24 UTC
I'm -1 blocker, -1 FE on this (unless some other blocker forces it to be pulled in). This can be addressed with an update and the broken code isn't in the stable branch yet.

Also, I'm very concerned about comment 12. Does it only fail for other versions of 3.24.0 that don't have this fix, or is it literally every version of NSS prior. If it's the latter, this isn't an acceptable fix.

Comment 20 Kai Engert (:kaie) (inactive account) 2016-06-03 20:10:16 UTC
(In reply to Stephen Gallagher from comment #19)
> Also, I'm very concerned about comment 12. Does it only fail for other
> versions of 3.24.0 that don't have this fix, or is it literally every
> version of NSS prior. If it's the latter, this isn't an acceptable fix.

Upstream version 3.24 is the first and only NSS release that contains the bug.

All prior versions still supported SSL v2, and didn't fail on the attempt to disable it.

With version 3.24, SSL v2 was completely removed, resulting in the new failure when attempting to disable SSL v2.

The fix we're backporting from (unreleased) NSS 3.25 ensures that API calls to disable SSL v2 report success.
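
The contract change described in comment 20 (and the failure mode in the description), as an added example that is not part of this bug, of NSS, or of 389-ds: a small C model of SSL_OptionSet() for SSL_ENABLE_SSL2 before and after the fix, driven by a caller in the style of ns-slapd's security initialization. Every identifier with the _model suffix, the enum values and the error-code constant are assumptions made for illustration; only the NSPR error number -8187 comes from the log in the description.

```c
#include <stdio.h>

/* Added example, not NSS or 389-ds source code: a model of the return-code
 * contract SSL_OptionSet() had for SSL_ENABLE_SSL2 in NSS 3.24 and after the
 * fix discussed in this bug. Identifiers with the _model suffix, the enum
 * values and the error constant are assumptions made for illustration. */

typedef enum { SECSuccess = 0, SECFailure = -1 } SECStatus;

#define SEC_ERROR_INVALID_ARGS_MODEL (-8187)  /* NSPR error seen in the DS log */

enum { SSL_ENABLE_SSL2_MODEL, SSL_ENABLE_SSL3_MODEL, SSL_ENABLE_TLS_MODEL };

static int last_error_model;
static int PR_GetError_model(void) { return last_error_model; }

/* NSS 3.24 behaviour (modeled): the SSL v2 implementation was removed, so
 * every SSL_OptionSet() for SSL_ENABLE_SSL2 is rejected with
 * SEC_ERROR_INVALID_ARGS, including the attempt to switch it off. */
static SECStatus ssl_option_set_324_model(int option, int on)
{
    (void)on;
    if (option == SSL_ENABLE_SSL2_MODEL) {
        last_error_model = SEC_ERROR_INVALID_ARGS_MODEL;
        return SECFailure;
    }
    return SECSuccess;
}

/* Post-fix behaviour (modeled): disabling a protocol that no longer exists
 * is a harmless no-op and reports success; enabling it still fails. */
static SECStatus ssl_option_set_fixed_model(int option, int on)
{
    if (option == SSL_ENABLE_SSL2_MODEL && on) {
        last_error_model = SEC_ERROR_INVALID_ARGS_MODEL;
        return SECFailure;
    }
    return SECSuccess;
}

typedef SECStatus (*option_set_fn)(int option, int on);

/* Caller in the style of ns-slapd's security initialization: turn off SSL v2
 * and SSL v3 on the listening socket and enable TLS, treating any failure as
 * fatal, which is what leaves port 636 closed. Returns 0 on success, or -1
 * with an explanatory message. */
static int ds_security_init_model(option_set_fn set, const char **msg)
{
    if (set(SSL_ENABLE_SSL2_MODEL, 0) != SECSuccess) {
        *msg = "Failed to disable SSLv2 on the imported socket";
        return -1;
    }
    if (set(SSL_ENABLE_SSL3_MODEL, 0) != SECSuccess) {
        *msg = "Failed to disable SSLv3 on the imported socket";
        return -1;
    }
    if (set(SSL_ENABLE_TLS_MODEL, 1) != SECSuccess) {
        *msg = "Failed to enable TLS on the imported socket";
        return -1;
    }
    *msg = "LDAPS initialized";
    return 0;
}

/* Convenience wrapper that returns only the status code. */
static int ds_init_rc_model(option_set_fn set)
{
    const char *msg;
    return ds_security_init_model(set, &msg);
}

int main(void)
{
    const char *msg;
    int rc;

    rc = ds_security_init_model(ssl_option_set_324_model, &msg);
    printf("NSS 3.24 model: rc=%d, %s", rc, msg);
    if (rc != 0)
        printf(" (NSPR error %d)", PR_GetError_model());
    printf("\n");

    rc = ds_security_init_model(ssl_option_set_fixed_model, &msg);
    printf("fixed model:    rc=%d, %s\n", rc, msg);
    return 0;
}
```

The model only captures the return-code contract; the real change is the upstream patch attached to Mozilla bug 1277569 and merged into the Fedora nss-3.24.0-1.2 builds. The point it makes is the one Kai raises: a library that removes an insecure protocol should still accept a caller's request to disable it, otherwise every hardened caller that defensively turns SSL v2 off breaks on upgrade.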

Comment 21 Stephen Gallagher 2016-06-03 20:16:59 UTC
Kai: OK, so if I'm reading that right, comment 12 just means that anyone who picked up nss-3.24.0-1.1 will need to be upgraded together (which is a small number, since it never got out of testing, right?) but anyone going straight from 3.23 to 3.24.0-1.2 (or mixing the two) won't have issues.

Oh, hmm... a quick check of Koji says that F23 *did* get the interim change. Which is unfortunate, but I don't think it's fixable.

Comment 22 Kevin Fenzi 2016-06-03 21:49:27 UTC
-1 blocker given it never went into f24 stable. Either the fixed version or 3.25 can be pushed in updates.

Comment 23 Anthony Messina 2016-06-03 22:08:44 UTC
(In reply to Stephen Gallagher from comment #19)
> I'm -1 blocker, -1 FE on this (unless some other blocker forces it to be
> pulled in). This can be addressed with an update and the broken code isn't
> in the stable branch yet.
> 
> Also, I'm very concerned about comment 12. Does it only fail for other
> versions of 3.24.0 that don't have this fix, or is it literally every
> version of NSS prior. If it's the latter, this isn't an acceptable fix.

My comments in comment 12 are only related to F23.  Unfortunately, nss-3.24.0-1.1.fc23 was pushed to F23 stable which is how I encountered the FreeIPA issue.  Once I saw the Koji build for nss-3.24.0-1.2.fc23, I installed it on my FreeIPA machines which resolved the issue with FreeIPA not starting.

That is when I found that my other machines were unable to do ldapsearch or use Apache/PHP to complete ldap operations against my FreeIPA instances -- they were all still at nss-3.24.0-1.1.fc23.  Once I upgraded the rest of my machines to nss-3.24.0-1.2.fc23, things are working properly again.

Comment 24 Adam Williamson 2016-06-03 22:37:01 UTC
The F24 update has been edited, so there's now zero possibility of the affected build reaching stable, so I'm un-proposing this as an F24 blocker. The fact that it reached stable for F23 is unfortunate but nothing to do with the F24 blocker process.

Comment 25 Jerry James 2016-06-04 20:57:15 UTC
*** Bug 1342734 has been marked as a duplicate of this bug. ***

Comment 26 Lonni J Friedman 2016-06-04 23:10:26 UTC
*** Bug 1342332 has been marked as a duplicate of this bug. ***

Comment 27 Fedora Update System 2016-06-05 02:54:51 UTC
nss-3.24.0-1.2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 28 Kai Engert (:kaie) (inactive account) 2016-06-14 17:06:35 UTC
*** Bug 1341981 has been marked as a duplicate of this bug. ***

Comment 29 Fedora Update System 2016-06-18 18:55:15 UTC
nss-3.24.0-1.2.fc24, nss-softokn-3.24.0-1.0.fc24, nss-util-3.24.0-1.0.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 30 Elio Maldonado Batiz 2016-07-11 20:49:30 UTC
*** Bug 1342745 has been marked as a duplicate of this bug. ***
