| Summary: | Adding a CA into blacklist doesn't remove it from extracted/pem/tls-ca-bundled.pem | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nikos Mavrogiannopoulos <nmavrogi> |
| Component: | p11-kit | Assignee: | Stef Walter <stefw> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 20 | CC: | jorton, kengert, mclasen, pwouters, stefw, tmraz |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | p11-kit-0.20.2-1.fc20 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-01-16 07:04:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
Nikos Mavrogiannopoulos
2013-12-12 15:02:14 UTC
I think the right place to fix this issue is in p11-kit-trust, as it decides which certificates get produced in the "extracted" list. Confirming on Fedora 20. Regression. Patches available upstream for testing. https://bugs.freedesktop.org/show_bug.cgi?id=73558 I cannot verify the fix. If I use p11-kit from the compiled directory I get: p11-kit: couldn't run trust tool: No such file or directory If I install in /usr/local and run the Steps above I see no difference than the version of p11-kit in F20. Hmm, I think you would need to build with at least the following configure options: ./configure --prefix=/usr --with-trust-paths=/etc/pki/ca-trust/source:/usr/share/pki/ca-trust-source But I've added more integration tests which verify this, so I guess I'll just go ahead and release p11-kit 0.20.2 (ie: without these patches) # yum reinstall p11-kit-trust # make installcheck ... sh ./test-extract 1..2 ok 1 test_extract test-extract: blacklist-test.pem contains test_A4R794lRVSwCVinsUsvXDCctIF3lzBdsa1U2lZZQv2Daz4FGiDcA not ok 2 test_blacklist (and with these patches) # make install # make installcheck ... sh ./test-extract 1..2 ok 1 test_extract ok 2 test_blacklist It works for me. p11-kit-0.20.2-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/p11-kit-0.20.2-1.fc20 (In reply to Nikos Mavrogiannopoulos from comment #7) > It works for me. Thanks! I've done a fedora update. Kai and Nikos, if you are able to test it and give it positive feedback (if it works) then we can get this fix out to people. Nikos above problem description is a good test case. Package p11-kit-0.20.2-1.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing p11-kit-0.20.2-1.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-0832/p11-kit-0.20.2-1.fc20 then log in and leave karma (feedback). p11-kit-0.20.2-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. |