Bug 1854959
Summary: | ca-profile-add with Netscape extensions nsCertSSLClient and nsCertEmail in the profile gets stuck in processing | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Pritam Singh <prisingh> |
Component: | pki-core | Assignee: | Alex Scheel <ascheel> |
Status: | CLOSED ERRATA | QA Contact: | PKI QE <bugzilla-pkiqe> |
Severity: | unspecified | | |
Priority: | unspecified | | |
Version: | 8.3 | CC: | aakkiang, ascheel, skhandel |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | 8.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Fixed In Version: | jss-4.7.0-1.module+el8.3.0+7355+c59bcbd9.x86_64 | Doc Type: | If docs needed, set a value |
Last Closed: | 2020-11-04 03:15:45 UTC | Type: | Bug |
Bug Blocks: | 1842946 | | |

Comment 3
Alex Scheel
2020-07-27 12:30:22 UTC
Tested on:

[root@pki1 ~]# rpm -qa | grep jss
tomcatjss-7.5.0-1.module+el8.3.0+7355+c59bcbd9.noarch
jss-4.7.0-1.module+el8.3.0+7355+c59bcbd9.x86_64
[root@pki1 ~]# rpm -qa | grep pki-ca
pki-ca-10.9.0-0.7.module+el8.3.0+7364+90640274.noarch

Test Procedure: https://bugzilla.redhat.com/show_bug.cgi?id=1854959#c0

Result: Now the custom profile with enabled Netscape extension is getting added successfully and the issue has resolved.

Cool, thanks! This was fixed in the following commits for future reference:

commit 30162370f1e6302e5425a044067632b0a7c22bbd
Author: Alexander Scheel <ascheel>
Date:   Mon Jul 6 17:02:27 2020 -0400

    Update JSSSocketChannel to handle BUFFER_UNDERFLOW

    Signed-off-by: Alexander Scheel <ascheel>

commit 5ef4c22cdd83a09cca44df3389bc0b99ede1bb93
Author: Alexander Scheel <ascheel>
Date:   Mon Jul 6 16:38:48 2020 -0400

    Detect and report buffer underflow status

    This fixes an issue with large POST requests and Tomcat looping. Tomcat is expecting unwrap() to produce data, but NSS won't produce any data until it has the entire packet and can validate the message signatures. This means we need to report the status back to Tomcat, so it can add more data to the buffer (occasionally, increasing the size of the buffer when necessary).

    Occasionally this will report a false-positive: if we get an alert or a protocol-level message after the handshake (such as a re-key event or a post-handshake auth event in TLSv1.3), we'll report the status as BUFFER_UNDERFLOW. However, this should largely be fine unless our caller gets stuck querying more data from the socket.

    In the worst case, it'll trigger a premature close notification (and corresponding wrap call). However, from our testing, this appears to be safe.

    Signed-off-by: Alexander Scheel <ascheel>

Tested on:

[root@apollo test_dir]# rpm -qi pki-ca
Name         : pki-ca
Version      : 10.9.1
Release      : 1.module+el8.3.0+7594+3661a26e
Architecture : noarch
Install Date : Fri 07 Aug 2020 05:45:52 AM EDT
Group        : Unspecified
Size         : 2696306
License      : GPLv2 and LGPLv2
Signature    : RSA/SHA256, Thu 06 Aug 2020 05:10:06 PM EDT, Key ID 199e2f91fd431d51
Source RPM   : pki-core-10.9.1-1.module+el8.3.0+7594+3661a26e.src.rpm
Build Date   : Thu 06 Aug 2020 03:46:30 PM EDT
Build Host   : arm64-033.build.eng.bos.redhat.com
Relocations  : (not relocatable)
Packager     : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor       : Red Hat, Inc.
URL          : http://www.dogtagpki.org/

Proof of concept: Successful pipeline - https://gitlab.cee.redhat.com/idm/pki-pytest-ansible/-/jobs/1941531

It's working as expected in the pipeline. Hence, Marking this Bugzilla verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4847
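
The unwrap()/caller contract described in the second commit message above, as an added Python model (not JSS or Tomcat code). It shows why a request that spans several socket reads stalls the caller when a partial record is answered with OK instead of BUFFER_UNDERFLOW. All function names, the 16384-byte record size, the 1460-byte segment size and the spin limit are assumptions of the model, and payloads are left unencrypted.

```python
import struct

OK, BUFFER_UNDERFLOW = "OK", "BUFFER_UNDERFLOW"
HEADER_LEN = 5  # TLS record header: content type (1) + version (2) + length (2)

def make_record(payload: bytes) -> bytes:
    """Constructed sample record: application_data (23), TLS 1.2 version bytes."""
    return struct.pack("!BHH", 23, 0x0303, len(payload)) + payload

def sample_stream(body: bytes, record_size=16384, segment=1460):
    """Constructed input: body split into records, then into socket-read-sized chunks."""
    wire = b"".join(make_record(body[i:i + record_size])
                    for i in range(0, len(body), record_size))
    return [wire[i:i + segment] for i in range(0, len(wire), segment)]

def unwrap(buf: bytearray, report_underflow: bool = True):
    """Model engine: returns (status, bytes_consumed, plaintext).

    Nothing is released until a whole record is buffered, mirroring the
    commit message's point that NSS needs the entire packet to validate it.
    """
    if len(buf) >= HEADER_LEN:
        (length,) = struct.unpack("!H", buf[3:5])
        end = HEADER_LEN + length
        if len(buf) >= end:
            return OK, end, bytes(buf[HEADER_LEN:end])
    # Partial record: the fixed engine reports it; the old one says OK with no data.
    return (BUFFER_UNDERFLOW if report_underflow else OK), 0, b""

def read_all(chunks, report_underflow=True, max_spins=100):
    """Caller in Tomcat's role: returns (plaintext, stalled)."""
    buf, out = bytearray(), bytearray()
    for chunk in chunks:
        buf += chunk              # one socket read appended to the network buffer
        spins = 0
        while buf:                # keep unwrapping while undecoded bytes remain
            status, consumed, data = unwrap(buf, report_underflow)
            if status == BUFFER_UNDERFLOW:
                break             # return to the socket for the rest of the record
            del buf[:consumed]
            out += data
            spins = spins + 1 if consumed == 0 else 0
            if spins >= max_spins:
                return bytes(out), True   # OK status, no progress: caller is looping
    return bytes(out), False

if __name__ == "__main__":
    body = b"A" * 40000           # constructed stand-in for a large POST body
    print(read_all(sample_stream(body), report_underflow=True)[1])   # False
    print(read_all(sample_stream(body), report_underflow=False)[1])  # True
```

A body that fits in a single socket read completes in both modes, which is consistent with the commit message tying the loop to large POST requests.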