Bug 1892216
Summary: | openjdk z-stream broke freeipa installation | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Michele Baldessari <michele> | |
Component: | java-1.8.0-openjdk | Assignee: | Andrew John Hughes <ahughes> | |
Status: | CLOSED ERRATA | QA Contact: | OpenJDK QA <java-qa> | |
Severity: | urgent | Docs Contact: | ||
Priority: | urgent | |||
Version: | 8.2 | CC: | abokovoy, abroy, ahughes, aph, arajendr, bbhavsar, cww, dchen, dciabrin, edewata, elicohen, fcami, ferryw, igarcia, jpazdziora, jvanek, ldelouw, lkuchlan, lmiccini, mbalao, mmillson, neugens, nweinber, orion, pmorey, rcritten, rom, sgehwolf, suwu, tmihinto, tscherf, xdong | |
Target Milestone: | rc | Keywords: | Regression, ZStream | |
Target Release: | 8.0 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | java-1.8.0-openjdk-1.8.0.272.b10-6.el8 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1893757 1893758 1904098 1960547 (view as bug list) | Environment: | ||
Last Closed: | 2021-05-18 15:31:11 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1895060 | |||
Bug Blocks: | 1893757, 1893758, 1960547 |
Description
Michele Baldessari
2020-10-28 08:25:59 UTC
The fix should really be in openjdk. We've seen this multiple times in Fedora as well. *** Bug 1892515 has been marked as a duplicate of this bug. *** *** Bug 1892555 has been marked as a duplicate of this bug. *** Downgrading on CentOS8 doesn't work. It produces an error: lowest version already installed, cannot downgrade it Is there some reason why this solution would work on RHEL, but not on CentOS? (In reply to Andrew John Hughes from comment #43) > > > > I don't quite understand. Is it a bug in OpenJDK or FreeIPA? > > > > It's both :-) > > The initial bug is in FreeIPA. It claims to implement the type > RSAPrivateKey, but it only returns null for the only method of that type, > getPrivateExponent(). Just to correct: there are two bugs: one in OpenJDK, one in JSS library used by Dogtag. Neither requires changes in FreeIPA itself -- Dogtag is FreeIPA's dependency but FreeIPA itself doesn't use JSS. Right. In testing, the client is requesting: "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha224, ecdsa_sha1, rsa_sha224, rsa_pkcs1_sha1, dsa_sha224, dsa_sha1, dsa_sha256, dsa_sha384, dsa_sha512] The first ones are inapplicable because an RSA key is being used ("sslserver private or public key is not of EC algorithm"). So it tries rsa_pss_pss_sha256. With the JSS bug, this crashes. If the JSS bug is fixed, the key is rejected by rsa_pss_pss_sha256 but OpenJDK does not try any of the others. With the OpenJDK bug fixed, rsa_pkcs1_sha256 will be used. *** Bug 1895677 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (java-1.8.0-openjdk bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1795 The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days |