Bug 1241172
Summary: | Certificate verification fails with multiple https urls [el7/nss] | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | rhbug | |
Component: | nss | Assignee: | nss-nspr-maint <nss-nspr-maint> | |
Status: | CLOSED ERRATA | QA Contact: | Hubert Kario <hkario> | |
Severity: | high | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 7.1 | CC: | alexander.naumann, apmukher, aurelien, ben.r.xiao, bugzilla, d.bz-redhat, desintegr, d.fedora, dossow, emaldona, FlorianFranzen, fredrik, g.d0b3rm4n, hkario, hlx98007, igeorgex, james.hogarth, jbnance, karli.sjoberg, kdudka, kengert, marek, mdsreg_rhbz, me, michal.bruncko, mpoole, mtolson, nkinder, redhatbugs, red-hat-bugzilla, redhat-bugzilla, redhat, robert.scheck, ville, wvoyek, xrobau | |
Target Milestone: | rc | Keywords: | Patch | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | nss-3.21.0-13.el7 | Doc Type: | Bug Fix | |
Doc Text: | | Story Points: | --- | |
Clone Of: | ||||
: | 1260678 | Environment: | ||
Last Closed: | 2016-11-04 03:55:40 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1104597 | |||
Bug Blocks: | 1260678, 1269660 | |||
Description
rhbug
2015-07-08 16:09:56 UTC
This looks like bug #1104597 (nss bug), will have a look tomorrow.

Also seeing this on Fedora 22 with up-to-date standard php and curl packages.

(In reply to Kamil Dudka from comment #1)
> This looks like bug #1104597 (nss bug), will have a look tomorrow.

Confirmed. Attachment #902122 fixes the bug. Flipping the component to nss.

I've heard rumours this also affects RHEL6, so we might require a backport as well then.

A patch for this bug (attachment #902122) was proposed more than a year ago. Could you please have a look at that?
There is a workaround for curl suggested by Mozilla upstream: https://github.com/bagder/curl/commit/958d2ffb

New incoming curl package in testing repo seems to fix this issue.

(In reply to Stefan Neufeind from comment #5)
> I've heard rumours this also affects RHEL6, so we might require a backport
> as well then.

I can confirm this for CentOS 6.7. Any ETA on backport?

Best Regards
Karli Sjöberg

Confirmed still an issue in the latest 7, but this ticket appears to say that it's fixed.

nss-3.19.1-19.el7_2.x86_64

(In reply to xrobau from comment #12)
> but this ticket appears to say that it's fixed.

Nobody says this bug has been fixed in RHEL-7.

This will be fixed upstream, probably in NSS 3.23

Elio, could you please pick up the upstream patch, and carry it downstream, for the next possible NSS build for RHEL 7.3?

Hi, is there any information on progress fixing this issue in RHEL?

I'm currently in the middle of packaging the owncloud 8.1.6 update for EPEL7 and this bug is causing issues with the owncloud appstore usage in testing.

The issue at discussion in the oC community is:

https://github.com/owncloud/core/issues/16255

Investigation led to this PHP bug:

https://bugs.php.net/bug.php?id=67639

Which then of course led to identifying this as the NSS bug root causing it.

(In reply to James Hogarth from comment #17)
> Investigation led to this PHP bug:
>
> https://bugs.php.net/bug.php?id=67639
>
> Which then of course led to identifying this as the NSS bug root causing it.

The above example uses libcurl, which is going to have a workaround for this bug of NSS. See bug #1269855, which is already in ON_QA. I will not speak for this NSS bug itself though...

Thanks for the pointer to that, Kamil.

Are you aware if this is due to be an update within EL7.2 or will need to wait for the EL7.3 milestone?

I'd be extremely grateful if you could verify on your test rig the code at the php bug, which uses libcurl of course so should behave with the curl patch discussed.

Owncloud uses guzzlehttp for its requests, which ultimately uses the phpcurl libraries, so in principle should be fixed by that without needing to correct the underlying NSS issue.

(In reply to James Hogarth from comment #19)
> Are you aware if this is due to be an update within EL7.2 or will need to
> wait for the EL7.3 milestone?

I am not aware of any fix going out sooner than RHEL-7.3. Feel free to escalate the issue via Product Support if the fix is important for your business.

> I'd be extremely grateful if you could verify on your test rig the code at
> the php bug, which uses libcurl of course so should behave with the curl
> patch discussed.

You can try the patch that was applied on upstream (lib)curl:

https://github.com/curl/curl/commit/958d2ffb

There is also a Fedora sibling of the bug that contains more info on the topic: bug #1104597

Cross-filed case 01637758 on the Red Hat customer portal to get this moved on, given there was no visible progress (to us as a customer) for nearly one year now.

Concur, it's a bug, it should be fixed, and it's been ignored for 7.1 and 7.2 8-\

It's my understanding that the issue will be fixed on curl side, see bug 1269855. The release of it is scheduled for 7.3.0. The curl-side-fix was released for RHEL-6 in the 6.8.0 release, see bug 1269660.

Yes, the curl fix is ready to be released in RHEL-7.3. But please do not use it as an excuse for not releasing or postponing the NSS fix. Applications using NSS for TLS directly will be affected by this bug even after the update of curl.

The NSS fix is a one-line patch (attachment #902122), submitted for review 2 years ago, with no known downsides so far. I see no valid reason for not including the fix in the RHEL-7.3 update of NSS.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2335.html