Bug 1873235
| Summary: | pki ca-user-cert-add with secure port failed with 'SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT' | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Pritam Singh <prisingh> |
| Component: | pki-core | Assignee: | Alex Scheel <ascheel> |
| Status: | CLOSED ERRATA | QA Contact: | PKI QE <bugzilla-pkiqe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.3 | CC: | aakkiang, ascheel, lmiksik, mharmsen, ovasik, rhcs-maint, sveerank |
| Target Milestone: | rc | Keywords: | TestBlocker |
| Target Release: | 8.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-04 03:15:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:4847
To clarify, there are two issues here:

1. PKI ships with the TLS range bounded to TLSv1.2 by default in the CLI tools; the server supports TLSv1.3.

   There is a workaround here. Set:

   SSL_STREAM_VERSION_MAX="TLS_1_3"

   in /usr/share/pki/etc/pki.conf

2. Once using the above workaround, we encounter another issue:

   ```
   Caused by: javax.net.ssl.SSLHandshakeException: Error duing SSL.ForceHandshake() :: SSL_ERROR_BAD_CERT_DOMAIN (-12276)
           at org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl.updateHandshakeState(JSSEngineReferenceImpl.java:856)
           at org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl.unwrap(JSSEngineReferenceImpl.java:1037)
           at org.mozilla.jss.ssl.javax.JSSSocketChannel.read(JSSSocketChannel.java:272)
           ... 28 more
   ```

   This is because we use the default NSS cert authentication callback, but the Java APIs (and Apache CloseableHttpClient) don't know how to set the hostname for NSS; SSLSocket doesn't expose a standard way of sharing the hostname with Java. We'd need to fix this as well if any of this is to work.

In conversation with relyea, he suggests hooking BadCertHandler to override this.
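The workaround in issue 1 above (raising SSL_STREAM_VERSION_MAX in pki.conf) is a one-line config edit, but on a fleet it is worth applying idempotently and confirming the result rather than appending duplicate assignments. The shell snippet below is an added example, not code from the bug report or from the pki-core project: the function names, the constructed sample config and the temporary file are assumptions for illustration. It only addresses the TLS version bound; the SSL_ERROR_BAD_CERT_DOMAIN hostname-verification problem in issue 2 is a code change in JSS/PKI and no config edit resolves it.

```shell
#!/bin/sh
# Added example (not part of the bug report): read and idempotently set
# SSL_STREAM_VERSION_MAX in a pki.conf-style shell-variable file.
# Function names are constructed for this example; the real file on a
# RHEL 8 PKI host is /usr/share/pki/etc/pki.conf (pass it as "$1").

# Print the current SSL_STREAM_VERSION_MAX value (quotes stripped), taking
# the last assignment if several exist, or "unset" if there is none.
pki_tls_max_get() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*SSL_STREAM_VERSION_MAX=//p' "$conf" \
          | tail -n 1 | tr -d '"')
    if [ -z "$val" ]; then
        echo unset
    else
        echo "$val"
    fi
}

# Set SSL_STREAM_VERSION_MAX="<version>" (default TLS_1_3, the value the
# bug comment gives). An existing assignment is rewritten in place so the
# file never accumulates duplicates; otherwise one line is appended.
# The edit goes through a temp file so it works with both GNU and BSD sed.
pki_tls_max_set() {
    conf="$1"
    ver="${2:-TLS_1_3}"
    if grep -q '^[[:space:]]*SSL_STREAM_VERSION_MAX=' "$conf"; then
        sed "s/^[[:space:]]*SSL_STREAM_VERSION_MAX=.*/SSL_STREAM_VERSION_MAX=\"$ver\"/" \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'SSL_STREAM_VERSION_MAX="%s"\n' "$ver" >> "$conf"
    fi
}

# Stand-alone demo on a constructed config (not the real pki.conf):
# starts from the shipped TLS_1_2 bound and raises it to TLS_1_3.
if [ "${PKI_TLS_DEMO:-0}" = "1" ]; then
    demo=$(mktemp)
    printf 'SSL_STREAM_VERSION_MIN="TLS_1_0"\nSSL_STREAM_VERSION_MAX="TLS_1_2"\n' > "$demo"
    echo "before: $(pki_tls_max_get "$demo")"
    pki_tls_max_set "$demo" TLS_1_3
    echo "after:  $(pki_tls_max_get "$demo")"
    rm -f "$demo"
fi
```

Run with `PKI_TLS_DEMO=1 sh script.sh` to see the before/after on the constructed file; against a real host, call `pki_tls_max_set /usr/share/pki/etc/pki.conf` and re-run the CLI command that failed.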