Bug 1610998
| Field | Value |
|---|---|
| Summary | libcurl/curl >= 7.29.0-47 breaks yum update functionality on EC2 RHEL instances (401 unauthorized) |
| Product | Red Hat Enterprise Linux 7 |
| Component | nss-pem |
| Version | 7.6 |
| Hardware | x86_64 |
| OS | Unspecified |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | urgent |
| Reporter | Derek Whatley <dwhatley> |
| Assignee | Kamil Dudka <kdudka> |
| QA Contact | Pavlina Bartikova <pbartiko> |
| CC | andrey.zykov, dwhatley, fsumsal, jboutaud, jmatthew, jmontleo, kdudka, pbartiko, rhack, szidek, wabouham |
| Target Milestone | rc |
| Keywords | Regression |
| Fixed In Version | nss-pem-1.0.3-5.el7 |
| Doc Type | No Doc Update |
| Type | Bug |
| Last Closed | 2018-10-30 10:40:37 UTC |
| Bug Blocks | 1510247 |

Description
Derek Whatley
2018-08-01 20:40:27 UTC
Thank you for analyzing the problem and finding the cause!

I am pretty sure this is caused by the fix for bug #1510247. My guess is that it prematurely removes a key object shared by multiple connections.

The fix for bug #1510247 revealed multiple hidden bugs in nss-pem. The scenario where nss-pem breaks is the following:

1. load client cert #1 and the corresponding private key
2. unload private key only (because client cert is referred by session cache)
3. load client cert #2 and the corresponding private key
4. attempt to reuse cert #1 and reload the corresponding private key
5. PK11_FindPrivateKeyFromCert() fails in the SelectClientCert() callback

Step 2 did not exist until bug #1510247 was fixed. The actual breakage happens in step 4 because the reused certificate still refers to the originally loaded private key, which has been removed in step 2. In order to fix this, the reference needs to be updated while reusing the certificate object such that it refers to the private key that is going to be loaded by the subsequent call to PK11_CreateManagedGenericObject().

Created attachment 1473033: proposed fix

upstream commits:
https://github.com/kdudka/nss-pem/commit/1d51c233
https://github.com/kdudka/nss-pem/commit/e85b6f90
https://github.com/kdudka/nss-pem/commit/5e6d9ce0
https://github.com/kdudka/nss-pem/commit/0eafa24f
https://github.com/kdudka/nss-pem/commit/e14465a1

Tested with RHEL-7.6_HVM_BETA-20180814-x86_64-0-Access2-GP2 (ami-011349ad9596eb082) AMI, eu-west-1 region. I had an instance with nss-pem-1.0.3-4.el7.x86_64. When I attached RH repositories from subscription manager, yum repolist ended with the [Errno 14] HTTPS Error 401 - Unauthorized error. After updating to nss-pem-1.0.3-5.el7.x86_64, yum repolist ended without any errors.

Moving bug to VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3157
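
A simplified model of the five-step scenario described in the comments above, added here as an illustration: it is not nss-pem code, and the object store, the handle scheme, the file names and every function name are assumptions. It shows why a reused certificate that keeps its old key reference fails the key lookup, and how re-pointing the reference on reuse makes the lookup succeed.

```c
#include <stdio.h>
#include <string.h>

/* Toy object store; every name here is hypothetical, not nss-pem code. */
enum kind { FREE = 0, CERT, KEY };
struct obj { enum kind kind; int handle, key_handle; char file[24]; };
static struct obj store[8]; static int next_handle;

static struct obj *find_file(enum kind k, const char *file) {
    for (int i = 0; i < 8; i++)
        if (store[i].kind == k && strcmp(store[i].file, file) == 0)
            return &store[i];
    return NULL;
}

static struct obj *add_obj(enum kind k, const char *file) {
    struct obj *o = find_file(FREE, "");   /* zeroed slots are free */
    if (!o) return NULL;
    o->kind = k; o->handle = ++next_handle; /* handles are never reused */
    snprintf(o->file, sizeof o->file, "%s", file);
    return o;
}
/* Load a client cert and its key; a cert already in the store is reused. */
static struct obj *load_pair(const char *cert, const char *key, int fixed) {
    struct obj *c = find_file(CERT, cert), *k = add_obj(KEY, key);
    int reused = (c != NULL);
    if (!reused) c = add_obj(CERT, cert);
    if (!c || !k) return NULL;
    if (!reused || fixed) c->key_handle = k->handle;  /* fix: re-point reused cert */
    return c;
}
/* Stand-in for the step 5 lookup: 1 if the cert's key object still exists. */
static int key_found(const struct obj *c) {
    for (int i = 0; i < 8; i++)
        if (store[i].kind == KEY && store[i].handle == c->key_handle) return 1;
    return 0;
}
/* Steps 1-5 of the scenario; returns the lookup result for cert #1. */
static int run_scenario(int fixed) {
    memset(store, 0, sizeof store); next_handle = 0;
    load_pair("cert1.pem", "key1.pem", fixed);                  /* step 1 */
    memset(find_file(KEY, "key1.pem"), 0, sizeof(struct obj));  /* step 2: key only */
    load_pair("cert2.pem", "key2.pem", fixed);                  /* step 3 */
    struct obj *c1 = load_pair("cert1.pem", "key1.pem", fixed); /* step 4 */
    return c1 ? key_found(c1) : -1;                             /* step 5 */
}
int main(void) {
    return printf("unfixed=%d fixed=%d\n", run_scenario(0), run_scenario(1)) < 0;
}
```
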