Bug 1364993
| Field | Value |
|---|---|
| Summary | MS-KKDCP with TLS SNI requires HTTP Host header |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Abhijeet Kasurde <akasurde> |
| Component | krb5 |
| Assignee | Robbie Harwood <rharwood> |
| Status | CLOSED ERRATA |
| QA Contact | Kaleem <ksiddiqu> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 7.3 |
| CC | cheimes, dpal, ksiddiqu, pkis |
| Target Milestone | rc |
| Keywords | Regression, TestBlocker |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| URL | https://github.com/krb5/krb5/pull/507 |
| Whiteboard | |
| Fixed In Version | krb5-1.14.1-24.el7 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1365027 1365028 1365029 1365030 (view as bug list) |
| Environment | |
| Last Closed | 2016-11-03 20:26:17 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1365027 |
| Bug Blocks | |
| Attachments | |
Description
Abhijeet Kasurde
2016-08-08 10:30:22 UTC
I submitted a patch with TLS SNI support in https://github.com/krb5/krb5/commit/4b6045adb7a044cd7ddc3987da2f26bf8a5281fe. Back then I did not notice the problem because I tested against a mod_nss version without TLS SNI support. I was neither aware that mod_nss did not support SNI yet, nor that Apache requires an HTTP Host header for TLS requests with SNI. I have submitted a patch to MIT KRB5: https://github.com/krb5/krb5/pull/507. The patch also adds the port number to the Host header so that name-based and port-based virtual hosting work with MS-KKDCP requests.

Created attachment 1189253 [details]
Remove TLS SNI from MIT KRB5

The patch reverts https://github.com/tiran/krb5/commit/2d66309ef78aeff8df78c81a9d32c1a7e4857f63 and removes the call to SSL_set_tlsext_host_name(). Without the function call the Kerberos client no longer sends a TLS SNI extension in the TLS/SSL handshake for MS-KKDCP. This removes the root cause of the issue. The alternative patch is simpler and less risky than https://github.com/krb5/krb5/pull/507 because it just removes some code and doesn't introduce new code. We don't lose any functionality: without the HTTP Host header, TLS SNI is broken anyway.

PS: Attachment 1189253 [details] is a workaround until PR 507 has been reviewed and landed upstream.
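The two comments above describe three client behaviours: SNI with no Host header (the regression), SNI with a `host:port` Host header (PR 507), and no SNI at all (the attached workaround). The following Python is an added example, not code from krb5, PR 507 or Apache's mod_ssl: it builds the MS-KKDCP POST each way and runs a small check that emulates the rule Apache applies on an SNI connection (the Host header's host part must equal the SNI name; the port is ignored). The proxy URL, the HTTP/1.0 request layout and the placeholder message body are assumptions for illustration; the missing-Host verdict reuses the httpd error_log line quoted later in this bug.

```python
"""Added example, not code from krb5, PR 507 or mod_ssl: build an MS-KKDCP
POST whose Host header (host:port) matches the TLS SNI name, and emulate the
server-side SNI/Host consistency rule that made the original client fail."""
from urllib.parse import urlsplit

# Constructed placeholder for the DER-encoded KDC-PROXY-MESSAGE body; a real
# client puts the ASN.1 encoding of the wrapped AS-REQ/TGS-REQ here.
SAMPLE_BODY = b"\x30\x0a\xa0\x08\x04\x06KDCREQ"


def kkdcp_target(url):
    """Return (sni_name, host_header_value, path) for a KDC proxy URL.

    The port is always appended, as the fix described above does, so that
    both name-based and port-based virtual hosts select the right site.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("MS-KKDCP needs an https:// URL with a host name")
    port = parts.port or 443
    return parts.hostname, f"{parts.hostname}:{port}", parts.path or "/"


def build_kkdcp_request(url, body, send_host=True, send_sni=True):
    """Return (sni_name_or_None, raw_request_bytes).

    send_host=False reproduces the broken client (SNI but no Host header);
    send_sni=False reproduces the attached workaround (no SNI at all).
    """
    sni, host_value, path = kkdcp_target(url)
    # HTTP/1.0 is an assumption; it is the grammar that lets a client omit
    # Host entirely, which is why the server has to enforce the match itself.
    lines = [f"POST {path} HTTP/1.0"]
    if send_host:
        lines.append(f"Host: {host_value}")
    lines += ["Content-Type: application/kerberos",
              f"Content-Length: {len(body)}"]
    head = "\r\n".join(lines) + "\r\n\r\n"
    return (sni if send_sni else None), head.encode("ascii") + body


def split_host_port(host_value):
    """Split a Host header value into (host, port_or_None), handling [IPv6]."""
    if host_value.startswith("["):
        end = host_value.find("]")
        return host_value[: end + 1], (host_value[end + 2:] or None)
    host, sep, port = host_value.rpartition(":")
    return (host, port) if sep else (host_value, None)


def parse_headers(request):
    """Return a lower-cased {name: value} dict from the request head."""
    head, _, _ = request.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("ascii", "replace").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_sni_host(sni_name, request):
    """Emulated server rule: on an SNI connection the request must carry a
    Host header whose host part equals the SNI name (case-insensitive, port
    ignored).  Returns (accepted, reason)."""
    if sni_name is None:
        return True, "no SNI on this connection; nothing to compare"
    host_value = parse_headers(request).get("host")
    if host_value is None:
        return False, (f"Hostname {sni_name} provided via SNI, "
                       "but no hostname provided in HTTP request")
    host, _ = split_host_port(host_value)
    if host.lower() != sni_name.lower():
        return False, f"SNI name {sni_name} and Host header {host} differ"
    return True, "Host header matches SNI name"


if __name__ == "__main__":
    url = "https://kdc.example.com:8443/KdcProxy"  # assumed proxy URL
    cases = [("fixed client", {}),
             ("broken client", {"send_host": False}),
             ("SNI-less workaround", {"send_host": False, "send_sni": False})]
    for label, kw in cases:
        sni, req = build_kkdcp_request(url, SAMPLE_BODY, **kw)
        print(f"{label}: {check_sni_host(sni, req)}")
```

Running it prints an acceptance for the fixed client and for the SNI-less workaround, and the "no hostname provided in HTTP request" rejection for the broken client; swapping the SNI name for a different host shows the second failure mode, a Host/SNI mismatch, which the port suffix does not trigger because the check strips it first.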
Patrick and I have confirmed that my patch https://github.com/krb5/krb5/pull/507 solves the issue on Fedora 24. A scratch build is available on koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=15189064

Thanks Christian!

Verified using IPA version :: ipa-server-4.4.0-7.el7.x86_64

There are no messages like 'Hostname <HOSTNAME> provided via SNI, but no hostname provided in HTTP request' in /var/log/httpd/error_log

Attaching console.log. Marking BZ as verified.

Created attachment 1190030 [details]
console.log

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2591.html