#48760 NSS -- switching to the sql db
Closed: wontfix 3 years ago Opened 6 years ago by nhosoi.

389-ds-base and 389-admin are using the old format of cert db.
NSS recommends to switch to the sql format having the shared DB feature.


We'll need to update documentation too: I believe that there are environment variables and commandline options that need to change with this.

IE

{{{
export NSS_DEFAULT_DB_TYPE=sql
certutil -L -d /tmp/nss
}}}

vs

{{{
certutil -L -d sql:/tmp/nss
}}}

Replying to [comment:2 firstyear]:

We'll need to update documentation too: I believe that there are environment variables and commandline options that need to change with this.
[...]
Yes, that's right. Thanks for pointing it out, William.

Metadata Update from @firstyear:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.6 backlog

5 years ago

Metadata Update from @mreynolds:
- Custom field component reset (from Security - SSL)
- Issue close_status updated to: None
- Issue set to the milestone: 1.3.7 backlog (was: 1.3.6 backlog)

5 years ago

In Fedora 27 NSS is switching over to SQL, so this needs to get into 1.3.7.

Metadata Update from @mreynolds:
- Issue set to the milestone: 1.3.7.0 (was: 1.3.7 backlog)

4 years ago

@mreynolds I have been running this for a while in test envs, and this made it work for me https://pagure.io/389-ds-base/issue/49041

It looks like @nhosoi patch has been lost to the sands of pagure though :(

It's not lost. If you delete 'files/' from the url, it opens:
https://pagure.io/389-ds-base/issue/raw/27db7f791946ab3c099b02d54afc6626111d248b96655d2e3585bf13eb8506a5-0001-Ticket-48760-NSS-switching-to-the-sql-db.patch

I filed a ticket with fedora-infra to fix these links: https://pagure.io/fedora-infrastructure/issue/6091
I'm not sure if a new release was deployed, but looks like we still has this issue.

Okay. Thanks for finding that @vashirov . If @nhosoi doesn't mind, I'll tweak this patch and get it into a committable state.

Metadata Update from @firstyear:
- Issue assigned to firstyear (was: nhosoi)

4 years ago

The second part to this would be enabling SQL by default, I assume for 1.4.x. We also need to turn on nss extract pem by default too ....

Metadata Update from @mreynolds:
- Custom field component adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1485370

4 years ago

For 1.3.7 we need to handle SQL && non-SQL db's.

It looks like this already works.

{root@ldapkdc 14:47} /opt/dirsrv/etc/dirsrv/slapd-localhost I0> ls -al
total 296
drwxr-xr-x. 3 dirsrv dirsrv   212 Sep  5 14:47 .
drwxr-xr-x. 6 root   root      82 Sep  5 14:13 ..
-rw-------. 1 dirsrv dirsrv 28672 Sep  5 14:46 cert9.db
-rw-r--r--. 1 dirsrv dirsrv  1676 Sep  5 11:08 certmap.conf
-rw-------. 1 dirsrv dirsrv 66195 Sep  5 14:47 dse.ldif
-rw-------. 1 dirsrv dirsrv 65505 Sep  5 14:47 dse.ldif.bak
-rw-------. 1 dirsrv dirsrv 69284 Sep  5 14:47 dse.ldif.startOK
-rw-------. 1 dirsrv dirsrv 36864 Sep  5 14:46 key4.db
-rw-r--r--. 1 dirsrv root      90 Sep  5 11:11 pin.txt
-rw-------. 1 dirsrv dirsrv   567 Sep  5 14:47 pkcs11.txt
-rw-r--r--. 1 dirsrv root      64 Sep  5 11:11 pwdfile.txt
drwxr-xr-x. 2 dirsrv dirsrv    25 Sep  5 14:47 schema
-rw-r--r--. 1 dirsrv dirsrv 15142 Sep  5 11:08 slapd-collations.conf
dsctl localhost start
NOTICE: Starting instance with ASAN options
This is probably not what you want. Please contact support.
ASAN options will be copied from your environment
[05/Sep/2017:14:47:40.697868851 +1000] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[05/Sep/2017:14:47:40.716368597 +1000] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[05/Sep/2017:14:47:40.734611441 +1000] - INFO - Security Initialization - SSL info:     TLS_AES_128_GCM_SHA256: enabled
[05/Sep/2017:14:47:40.748797439 +1000] - INFO - Security Initialization - SSL info:     TLS_CHACHA20_POLY1305_SHA256: enabled
[05/Sep/2017:14:47:40.761643240 +1000] - INFO - Security Initialization - SSL info:     TLS_AES_256_GCM_SHA384: enabled
[05/Sep/2017:14:47:40.774092434 +1000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[05/Sep/2017:14:47:40.792556312 +1000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[05/Sep/2017:14:47:40.811485627 +1000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[05/Sep/2017:14:47:40.827630120 +1000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[05/Sep/2017:14:47:40.840205173 +1000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[05/Sep/2017:14:47:40.852789796 +1000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[05/Sep/2017:14:47:40.868609337 +1000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[05/Sep/2017:14:47:40.887122450 +1000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[05/Sep/2017:14:47:40.905222368 +1000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[05/Sep/2017:14:47:40.917509977 +1000] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[05/Sep/2017:14:47:40.929811940 +1000] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[05/Sep/2017:14:47:40.944601068 +1000] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[05/Sep/2017:14:47:40.962488384 +1000] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[05/Sep/2017:14:47:40.980224641 +1000] - INFO - Security Initialization - SSL info:     TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[05/Sep/2017:14:47:40.994482510 +1000] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[05/Sep/2017:14:47:41.007129897 +1000] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[05/Sep/2017:14:47:41.019209383 +1000] - INFO - Security Initialization - SSL info:     TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[05/Sep/2017:14:47:41.037344150 +1000] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[05/Sep/2017:14:47:41.055768062 +1000] - INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[05/Sep/2017:14:47:41.072560272 +1000] - INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[05/Sep/2017:14:47:41.084650838 +1000] - INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[05/Sep/2017:14:47:41.097369749 +1000] - INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[05/Sep/2017:14:47:41.113579621 +1000] - INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[05/Sep/2017:14:47:41.144161953 +1000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
{root@ldapkdc 14:47} /opt/dirsrv/etc/dirsrv/slapd-localhost I0> openssl s_client -connect localhost:636 -showcerts
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
-----BEGIN CERTIFICATE-----
MIICpTCCAY2gAwIBAgIFAKsNPSYwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAxMJ
bG9jYWxob3N0MB4XDTE3MDkwNTA0NDYzNFoXDTE3MTIwNTA0NDYzNFowFDESMBAG
A1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
vAzmRJpNiv3VcNRcH7p94fniQhdFlPORxCLVA0eBx6DWE/oMycP9+EX5vZEHFo8X
Y86zEVhQPdcYIiHEkyQNt2wxhVuN40xi866nnmTPCoSDaoW6FQ+JFsqtH+GfkyVS
LqxWwMTbv4QsuKbF8NWnuB4UqRKx/aIxbdpvqgrsL4fbykTNWoiJNo8oxk7xUbUZ
FqfZU7XEVKl1JQ0IA2nJHxc0YAFr7LVV1iiFd/4TFci6Xf37XsfiM2J81mZRp4n8
HTTHY/D58Mqvra83MvSMnfFx/dP3Z64vwZdWWv0uf1iHV9rd+mYpGYhJpkdO0jxa
O7DFghrMFk0cpLPmdVZH3QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCMpQG4D6PG
ChzfpqEuwu8YCtJhLHcye41bir9QJTIH+U/osGV99aQSsYpr0nKXo76A7SOx0x8D
e3YlXq4ByBkOJztNtvGnvqkDZH/iYzrh8QBH89YLLQL8RIqrxxAqEtyCeLUnfNfH
9hH2U95VErwlZDI1771skvgGKlhVeMIzI/ft8/3dI0su5MfW1VSWhMkFHhoPaJoz
HoPx33wD0QuXlCcFHH2lcZIIMailWDxcYWawMSX1QckNSKXkZnqrFqI7XnpGmea/
6g+9ij0TwkgSNiBUJM7PwmEwoGAtnxCP7B2ayggaX77xhUTy/9ryOAaeS9QffNFt
AjKbjp/wtwQP
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Client Certificate Types: RSA sign, ECDSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:0x04+0x08:0x05+0x08:0x06+0x08:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1180 bytes and written 359 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 6C5E558205C623A9E874401100779944524DB02FCFB3C1AF7DB5691555CF520E
    Session-ID-ctx: 
    Master-Key: C57C617966C9F320173B76EDD4C4105A80EAB0797D5C5931A955F32D9A239015B34A651F31C86776DC4BACD680296486
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1504586883
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---
^C
{root@ldapkdc 14:48} /opt/dirsrv/etc/dirsrv/slapd-localhost I0> certutil -L -d . -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:ab:0d:3d:26
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=localhost"
        Validity:
            Not Before: Tue Sep 05 04:46:34 2017
            Not After : Tue Dec 05 04:46:34 2017
        Subject: "CN=localhost"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    bc:0c:e6:44:9a:4d:8a:fd:d5:70:d4:5c:1f:ba:7d:e1:
                    f9:e2:42:17:45:94:f3:91:c4:22:d5:03:47:81:c7:a0:
                    d6:13:fa:0c:c9:c3:fd:f8:45:f9:bd:91:07:16:8f:17:
                    63:ce:b3:11:58:50:3d:d7:18:22:21:c4:93:24:0d:b7:
                    6c:31:85:5b:8d:e3:4c:62:f3:ae:a7:9e:64:cf:0a:84:
                    83:6a:85:ba:15:0f:89:16:ca:ad:1f:e1:9f:93:25:52:
                    2e:ac:56:c0:c4:db:bf:84:2c:b8:a6:c5:f0:d5:a7:b8:
                    1e:14:a9:12:b1:fd:a2:31:6d:da:6f:aa:0a:ec:2f:87:
                    db:ca:44:cd:5a:88:89:36:8f:28:c6:4e:f1:51:b5:19:
                    16:a7:d9:53:b5:c4:54:a9:75:25:0d:08:03:69:c9:1f:
                    17:34:60:01:6b:ec:b5:55:d6:28:85:77:fe:13:15:c8:
                    ba:5d:fd:fb:5e:c7:e2:33:62:7c:d6:66:51:a7:89:fc:
                    1d:34:c7:63:f0:f9:f0:ca:af:ad:af:37:32:f4:8c:9d:
                    f1:71:fd:d3:f7:67:ae:2f:c1:97:56:5a:fd:2e:7f:58:
                    87:57:da:dd:fa:66:29:19:88:49:a6:47:4e:d2:3c:5a:
                    3b:b0:c5:82:1a:cc:16:4d:1c:a4:b3:e6:75:56:47:dd
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        8c:a5:01:b8:0f:a3:c6:0a:1c:df:a6:a1:2e:c2:ef:18:
        0a:d2:61:2c:77:32:7b:8d:5b:8a:bf:50:25:32:07:f9:
        4f:e8:b0:65:7d:f5:a4:12:b1:8a:6b:d2:72:97:a3:be:
        80:ed:23:b1:d3:1f:03:7b:76:25:5e:ae:01:c8:19:0e:
        27:3b:4d:b6:f1:a7:be:a9:03:64:7f:e2:63:3a:e1:f1:
        00:47:f3:d6:0b:2d:02:fc:44:8a:ab:c7:10:2a:12:dc:
        82:78:b5:27:7c:d7:c7:f6:11:f6:53:de:55:12:bc:25:
        64:32:35:ef:bd:6c:92:f8:06:2a:58:55:78:c2:33:23:
        f7:ed:f3:fd:dd:23:4b:2e:e4:c7:d6:d5:54:96:84:c9:
        05:1e:1a:0f:68:9a:33:1e:83:f1:df:7c:03:d1:0b:97:
        94:27:05:1c:7d:a5:71:92:08:31:a8:a5:58:3c:5c:61:
        66:b0:31:25:f5:41:c9:0d:48:a5:e4:66:7a:ab:16:a2:
        3b:5e:7a:46:99:e6:bf:ea:0f:bd:8a:3d:13:c2:48:12:
        36:20:54:24:ce:cf:c2:61:30:a0:60:2d:9f:10:8f:ec:
        1d:9a:ca:08:1a:5f:be:f1:85:44:f2:ff:da:f2:38:06:
        9e:4b:d4:1f:7c:d1:6d:02:32:9b:8e:9f:f0:b7:04:0f
    Fingerprint (SHA-256):
        88:CC:46:2A:31:2E:1C:CB:E4:55:A2:3E:CC:63:01:6F:EE:8B:70:85:9E:53:92:12:77:0F:8B:81:31:34:4A:79
    Fingerprint (SHA1):
        BA:22:8D:57:79:01:1B:D5:68:31:27:51:A6:83:9B:6C:29:C1:9D:41

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
        Email Flags:
            User
        Object Signing Flags:
            User

Metadata Update from @firstyear:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

So when NSS make sql the default everything will "just work" from our side :)

BTW, looks like sql as the default was deferred to F28:
https://meetbot.fedoraproject.org/fedora-meeting/2017-08-11/fesco.2017-08-11-16.01.log.html
But it's good that we have it working already :)

From rcrit:

"You might want to consider allowing a prefix in the NSS db path to avoid
requiring an environment variable but otherwise that's great news!"

Noriko's original patch also mentions this:

15 This patch tries these 2 cases.
16 1) #define ENABLE_SQL_PREFIX 1
17 This enables generating "sql:/path/to/certdir".
18 2) / #define ENABLE_SQL_PREFIX 1 /
19 This depends upon the NSS_DEFAULT_DB_TYPE="sql" and use the ordinary
20 path to access the cert db.

I don't think this should be closed out yet.

Metadata Update from @mreynolds:
- Issue status updated to: Open (was: Closed)

4 years ago

That's to override the "current" default scheme.

If NSS swap the scheme to SQL by default, then everything should "just work" as I understand it. That's why I was happy to close this ....

It would be good to test with a build of NSS that uses SQL by default then to validate the assertion?

That's to override the "current" default scheme.
If NSS swap the scheme to SQL by default, then everything should "just work" as I understand it. That's why I was happy to close this ....
It would be good to test with a build of NSS that uses SQL by default then to validate the assertion?

I just don't want any surprises when the switch finally happens. As long DS can handle both DB and SQL seamlessly then I'm happy.

Apparently, there is a case where this does not work :) I will investigate. See https://bugzilla.redhat.com/show_bug.cgi?id=1485370

It could be nss version related as I always tested on fedora, never EL. I suspect in the case we don't have key3.db, we need to check key4.db and then preix sql: to the url.

However, I would have expected NSS lib to do this. Investigation needed.

This is working, closing ticket

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1820

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

2 years ago

Login to comment on this ticket.

Metadata