#49650 lib389 enable_tls doesn't work on F28
Closed: wontfix 5 years ago Opened 5 years ago by spichugi.

In lib389 we have the method inst.enable_tls(). It creates certificates and sets up the server for TLS communication. It works on F27 built from the master branch and doesn't work on F28.

It fails with the following message while trying to bind to the server after the restart (and after the setup):

ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (invalid CA certificate)'}

I am still investigating but it looks like we have an issue with client-side authentication (because of the changes between F27 and F28).

F27 logs - https://fedorapeople.org/~spichugi/ssl_pass.log
F28 logs - https://fedorapeople.org/~spichugi/ssl_fail.log


Together with @mhonek we've found the source of the failure. It happens because on F28 openssl fails to verify the certificate.

We should create the CA with an appropriate flag. It can be done by setting the X.509 V3 Certificate Type Extension in the certificate to the 'certSigning' value.
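The verify failure quoted in the description and the root cause named in this comment can be reproduced outside lib389 with the openssl command-line tool. The script below is an added example, not lib389 code and not the fix that was committed for this ticket: it builds two self-signed CAs, one carrying no CA marking at all and one carrying basicConstraints CA:TRUE plus keyUsage keyCertSign (the OpenSSL-side equivalent of the certificate-signing flag the comment describes), issues a server certificate from each, and runs the same path validation libssl performs on the client side. It assumes an openssl CLI (1.1.x or 3.x) on PATH; the subject names, hostname and extension profile names are constructed for the example.

```shell
#!/bin/sh
# Added example (not lib389 code): show OpenSSL rejecting a chain whose issuing
# CA lacks CA extensions ("invalid CA certificate", X509_V_ERR_INVALID_CA), and
# accepting the same chain once the CA carries basicConstraints + keyCertSign.
# Assumes: the openssl CLI on PATH. All names below are constructed.

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extension profiles. "no_ca" mimics a CA certificate created without any CA
# marking (no basicConstraints, no keyUsage, no nsCertType), which is what
# OpenSSL refuses to treat as an issuer. "good_ca" is a proper signing CA.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[no_ca]
subjectKeyIdentifier = hash
[good_ca]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.test
EOF

# build_chain <profile>: self-signed CA using the named extension profile,
# then a server certificate issued by that CA. Files land in $WORK/<profile>/.
build_chain() {
    mkdir -p "$WORK/$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1/ca.key" -out "$WORK/$1/ca.pem" \
        -subj "/CN=Example Test CA ($1)" \
        -config "$WORK/ext.cnf" -extensions "$1" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1/server.key" -out "$WORK/$1/server.csr" \
        -subj "/CN=ldap.example.test" \
        -config "$WORK/ext.cnf" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -set_serial 1 \
        -in "$WORK/$1/server.csr" -CA "$WORK/$1/ca.pem" -CAkey "$WORK/$1/ca.key" \
        -out "$WORK/$1/server.pem" \
        -extfile "$WORK/ext.cnf" -extensions server >/dev/null 2>&1 || return 1
}

# verify_chain <profile>: validate server.pem against ca.pem exactly as a TLS
# client trusting that CA would. Prints "OK" or the verify error text
# (e.g. "invalid CA certificate"); always returns 0 so callers can compare.
verify_chain() {
    out="$(openssl verify -CAfile "$WORK/$1/ca.pem" "$WORK/$1/server.pem" 2>&1)" \
        && { echo OK; return 0; }
    # openssl prints "error <n> at <depth> depth lookup: <reason>"; keep <reason>.
    echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
    return 0
}

for profile in no_ca good_ca; do
    build_chain "$profile" || { echo "could not build $profile chain" >&2; exit 1; }
    printf '%-8s -> %s\n' "$profile" "$(verify_chain "$profile")"
done
```

Running it prints `no_ca -> invalid CA certificate` and `good_ca -> OK`: the server certificate is identical in both runs, so the only thing the verifier objects to is the issuer's missing CA extensions. This is the same X509_V_ERR_INVALID_CA verdict that surfaces through python-ldap as the SERVER_DOWN error above, and the check to run when debugging a freshly generated CA is simply `openssl verify -CAfile ca.pem server.pem` before touching the server configuration.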

Metadata Update from @spichugi:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None

5 years ago

Metadata Update from @spichugi:
- Custom field reviewstatus adjusted to review (was: None)

5 years ago

commit d214765
Author: Matúš Honěk mhonek@redhat.com
Date: Wed Apr 25 18:50:11 2018 +0200

Metadata Update from @spichugi:
- Custom field reviewstatus adjusted to ack (was: review)

5 years ago

Metadata Update from @spichugi:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2709

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

3 years ago
