Bug 2149064

Summary: sscg should not generate dhparams.pem unless requested
Product: Red Hat Enterprise Linux 9 Reporter: Stephen Gallagher <sgallagh>
Component: sscgAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: icesalov
Severity: low Docs Contact:
Priority: unspecified    
Version: 9.1CC: csaggin, icesalov, jorton, michele, ppitonak, rhel-cs-infra-services-qe
Target Milestone: rcKeywords: AutoVerified, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sscg-3.0.0-7.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2143206 Environment:
Last Closed: 2023-05-09 07:45:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2143206    
Bug Blocks:    

Description Stephen Gallagher 2022-11-28 17:53:54 UTC 
+++ This bug was initially created as a clone of Bug #2143206 +++

Description of problem:
sscg started generating "dhparams.pem" in 8.7/9.1 and I think this is arguably a regression

It looks like it is breaking the httpd containers because the cwd isn't writable when sscg is invoked 

https://github.com/sclorg/httpd-container/issues/171#issuecomment-1315446275

even outside of the containers it is creating a "/dhparams.pem" which wasn't requested. For typical use-cases apps should use the OpenSSL builtin dhparams anyway.

Version-Release number of selected component (if applicable):
sscg-3.0.0-5.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. dnf install mod_ssl
2. systemctl start httpd-init

Actual results:
/dhparams.pem exists

Expected results:
no /dhparams.pem should be created

Additional info:

--- Additional comment from Stephen Gallagher on 2022-11-16 19:37:21 UTC ---

That's easy enough to change, but I'm concerned that altering it at this point might break consumers that are relying on the current behavior. How do you feel about it if I write the file "opportunistically". If the file can be opened for writing, do so. If not, skip it (rather than treating it as an error)?

--- Additional comment from Stephen Gallagher on 2022-11-16 20:32:55 UTC ---

I have a proposed patch at https://github.com/sgallagher/sscg/pull/62 which behaves as follows:

== Scenario 1 ==
User calls `sscg` without specifying `--dhparams-file`.

SSCG will attempt to write out the default location of `./dhparams.pem`. If it cannot do so, it will log it and continue on.


== Scenario 2 ==
User calls `sscg --dhparams-file /some/path`.

SSCG will attempt to write out the parameters to `/some/path`. If it cannot do so, it will throw an error and return nonzero.

--- Additional comment from Joe Orton on 2022-11-17 08:45:01 UTC ---

Make sense to me, thanks Stephen!

--- Additional comment from Joe Orton on 2022-11-23 17:08:56 UTC ---

It looks like we can workaround the new behaviour in the container scripts which will likely be the fastest way to ship fixes. PR here for review upstream: https://github.com/sclorg/httpd-container/pull/172

I think it's right to fix the sscg behaviour as suggested in comment 2 though.

--- Additional comment from Stephen Gallagher on 2022-11-28 15:01:33 UTC ---

I have a patch ready for sscg, I just haven't had a chance to land it yet and get it built for 8.8 yet. I'll do that today or tomorrow as time permits.
Comment 18 errata-xmlrpc 2023-05-09 07:45:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sscg bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2309