#7810 [F28] Require NSS with fix for p11-kit issue.
Closed: fixed 2 years ago Opened 2 years ago by cheimes.

Issue

On Fedora 28 NSS 3.40 and 3.41 enable p11-kit proxy. The PKCS#11 proxy loads all PKCS#11 providers including the default SoftHSM2 token. F28's OpenLDAP is patched to use Mozilla NSS. Because the SoftHSM2 token is protected, the OpenLDAP function tlsmc_extract_cacerts() blocks because it is waiting for a PIN.

Workaround for Travis CI: Delete the p11-kit policy and regenerate crypto policy:

rm -f /etc/crypto-policies/local.d/nss-p11-kit.config && update-crypto-policies

OpenLDAP debug output:

ldap_url_parse_ext(ldap://master.ipa.test:389/)
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/dirsrv/slapd-IPA-TEST'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/dirsrv/slapd-IPA-TEST'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/dirsrv/slapd-IPA-TEST` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_convert: WARN: will try to create PEM dir.
tlsmc_prepare_dir: INFO: preparing PEM directory `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_prepare_dir: INFO: creating a subdirectory `cacerts'.
tlsmc_prepare_dir: INFO: successfully created PEM directory structure.
   ***NSS 3.40 BLOCKS HERE***
tlsmc_extract_cacerts: INFO: found cert nick=`Server-Cert', _not_ a trusted CA, skipping.
tlsmc_extract_cacerts: INFO: found cert nick=`Self-Signed-CA', a trusted CA.

Steps to Reproduce

See Travis CI

Actual behavior

Test installations on Travis CI block

Expected behavior

No errors

Version/Release/Distribution

nss-3.40.1-1.0.fc28.x86_64

Additional info:

Daiki is working on nss-3.41.0-2.fc28, https://koji.fedoraproject.org/koji/taskinfo?taskID=31441102 . Once the build is available, we can drop the workaround and require the latest build of NSS instead.
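The following is an added shell example, not FreeIPA's own code: it applies the Travis CI workaround above and the approach named by the later commits in this ticket ("Globally disable softhsm2 in p11-kit-proxy" and "Restore SELinux context for p11-kit config overrides") in an idempotent way. It assumes p11-kit's "disable-in:" module option, the Fedora file name softhsm2.module and library name libsofthsm2.so, and takes an optional root prefix so the functions can be exercised against a scratch directory.

```sh
#!/bin/sh
# Added example (not FreeIPA's own code).  Both functions take an optional
# root prefix so they can be exercised against a scratch directory.

# Workaround from the ticket: remove the NSS p11-kit crypto-policy override
# and regenerate the policy so NSS stops loading p11-kit-proxy.
# Returns 0 if the override was present and removed, 1 if it was already absent.
disable_nss_p11kit_policy() {
    root="${1:-}"
    cfg="$root/etc/crypto-policies/local.d/nss-p11-kit.config"
    [ -e "$cfg" ] || return 1
    rm -f "$cfg"
    # Only regenerate on a real system; a scratch root has no policy tool.
    if [ -z "$root" ] && command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies
    fi
}

# Approach of the later fix ("Globally disable softhsm2 in p11-kit-proxy"):
# a file in /etc/pkcs11/modules/ with the same basename as the packaged
# module config overrides it, and "disable-in: p11-kit-proxy" keeps the
# PIN-protected SoftHSM2 token out of the proxy while leaving it usable by
# programs that load SoftHSM2 directly.  Assumption: Fedora's file name
# softhsm2.module and library name libsofthsm2.so.
write_softhsm2_override() {
    root="${1:-}"
    dir="$root/etc/pkcs11/modules"
    mkdir -p "$dir"
    cat > "$dir/softhsm2.module" <<'EOF'
# Override: keep SoftHSM2 out of p11-kit-proxy (see freeipa ticket 7810)
module: libsofthsm2.so
disable-in: p11-kit-proxy
EOF
    # "Restore SELinux context for p11-kit config overrides": a file written
    # by a script can carry the wrong label; restorecon fixes it when present.
    if [ -z "$root" ] && command -v restorecon >/dev/null 2>&1; then
        restorecon "$dir/softhsm2.module"
    fi
}

# Check: is SoftHSM2 disabled in p11-kit-proxy under this root?
softhsm2_disabled_in_proxy() {
    f="${1:-}/etc/pkcs11/modules/softhsm2.module"
    [ -r "$f" ] && grep -Eq '^[[:space:]]*disable-in:.*p11-kit-proxy' "$f"
}
```

Run the functions without a root argument on the affected host; with a scratch root they only create and inspect files, which is how the check helper can be used to confirm a host is no longer exposed before starting OpenLDAP-based tools.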


Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2679
- Issue priority set to: critical

2 years ago

master:

  • a9f34c7 Disable nss-p11-kit crypto policy for tests

ipa-4-7:

  • ee4c0f0 Disable nss-p11-kit crypto policy for tests

master:

  • d710734 Require 3.41.0-3 on Fedora 28

ipa-4-7:

  • 224e2c4 Require 3.41.0-3 on Fedora 28

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

ipa-4-7:

  • 487ab52 Fix installation when CA subject DN has escapes

master:

  • 74e0908 Globally disable softhsm2 in p11-kit-proxy

ipa-4-7:

  • ae5831b Globally disable softhsm2 in p11-kit-proxy

master:

  • 8f969a5 Restore SELinux context for p11-kit config overrides

ipa-4-8:

  • fd0386f Restore SELinux context for p11-kit config overrides

ipa-4-7:

  • e16099a Restore SELinux context for p11-kit config overrides
