Bug 742506

Summary: Please backport localizable error codes for NSS
Product: Red Hat Enterprise Linux 6
Reporter: Stephen Gallagher <sgallagh>
Component: nss
Assignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.1
CC: dpal, rmeggins, rrelyea
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-24 22:25:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Stephen Gallagher 2011-09-30 11:33:47 UTC
Description of problem:
Many customers have certificate issues when using the System Security Services Daemon. However, the debug logs are of no use because the openldap libraries do not return useful error messages explaining the cause of the failure.

This is in turn caused by the mozilla-nss libraries not returning these messages to openldap. (Note: this should be viewed as a regression in SSSD and openldap because the openldap libraries that used openssl for crypto reported this information in a useful way).

Without this information, it is very difficult for customers to identify where their problems are located.

Version-Release number of selected component (if applicable):
nss-3.12.10-11.el6

How reproducible:
Every time

Steps to Reproduce:
1. Configure SSSD to talk to an LDAP server with a server certificate issued by a private CA (that is not in the standard CA list).
2. Attempt to use SSSD over a secure channel (ldaps or ldap_id_use_start_tls = true)
3. The debug logs will report that an error occurred, whose message is "unknown".

Actual results:
"Unknown" error message in the logs

Expected results:
The logs should identify that the error was caused by an invalid certificate chain.

Additional info:
As mentioned above, this worked properly until openldap converted to mozilla-nss.

Related upstream ticket for openldap: http://www.openldap.org/its/index.cgi/Incoming?id=6789
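The mechanism behind this report, as an added illustration that is not code from NSS, NSPR, openldap or SSSD: NSPR looks error codes up in tables that a library must install (PR_ErrorInstallTable / PR_ErrorToString), and a code with no installed table comes back as "Unknown". The program below reduces that pattern to a self-contained form so both states can be run side by side. The sample table is constructed for the example; the codes follow the secerr.h layout (SEC_ERROR_BASE = -8192) as an assumption, and the message strings are placeholders rather than NSS's own wording.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not NSS/NSPR/openldap/SSSD code. It models the
 * error-table pattern behind PR_ErrorInstallTable / PR_ErrorToString so the
 * two situations in the report can be compared: no table installed (every
 * code comes back "Unknown") versus a table installed (the code maps to a
 * symbolic name and a message). Codes below follow NSS's secerr.h layout
 * (SEC_ERROR_BASE = -8192) as an assumption; messages are placeholders. */

typedef struct {
    int code;
    const char *name;
    const char *message;
} err_entry;

typedef struct {
    const char *table_name;
    const err_entry *entries;
    int count;
} err_table;

#define MAX_TABLES 4
static const err_table *installed[MAX_TABLES];
static int ninstalled = 0;

/* Constructed sample table (code values assumed from secerr.h). */
static const err_entry sec_entries[] = {
    { -8192 + 10, "SEC_ERROR_BAD_SIGNATURE",       "Peer certificate has an invalid signature." },
    { -8192 + 11, "SEC_ERROR_EXPIRED_CERTIFICATE", "Peer certificate has expired." },
    { -8192 + 13, "SEC_ERROR_UNKNOWN_ISSUER",      "Peer certificate issuer is not recognized." },
    { -8192 + 20, "SEC_ERROR_UNTRUSTED_ISSUER",    "Peer certificate issuer is not trusted." },
};
static const err_table sec_table = { "secerr", sec_entries, 4 };

/* Register a table; returns 0 on success, -1 when the slots are exhausted.
 * This is the step a library has to perform at init time for its codes to
 * become printable at all. */
int install_error_table(const err_table *t)
{
    if (ninstalled >= MAX_TABLES)
        return -1;
    installed[ninstalled++] = t;
    return 0;
}

/* Forget all tables; used to reproduce the "no strings available" state. */
void reset_error_tables(void)
{
    ninstalled = 0;
}

static const err_entry *lookup(int code)
{
    for (int i = 0; i < ninstalled; i++)
        for (int j = 0; j < installed[i]->count; j++)
            if (installed[i]->entries[j].code == code)
                return &installed[i]->entries[j];
    return NULL;
}

/* Symbolic name for a code, or NULL when no installed table knows it. */
const char *error_to_name(int code)
{
    const err_entry *e = lookup(code);
    return e ? e->name : NULL;
}

/* Message for a code. Without a matching table the caller only ever sees
 * "Unknown", which is what the SSSD/openldap logs in this bug show. */
const char *error_to_string(int code)
{
    const err_entry *e = lookup(code);
    return e ? e->message : "Unknown";
}

int main(void)
{
    int code = -8179; /* SEC_ERROR_UNKNOWN_ISSUER: issuing CA not in the trust store */

    printf("before tables are installed: %d -> %s\n", code, error_to_string(code));
    install_error_table(&sec_table);
    printf("after tables are installed:  %d -> %s (%s)\n",
           code, error_to_name(code), error_to_string(code));
    return 0;
}
```

The operational remedy for the reproducer itself is unchanged: the private CA has to be trusted by the certificate database the NSS-linked openldap reads. What the string lookup adds is the ability to tell that case apart from, say, an expired server certificate, instead of seeing "Unknown" for both.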

Comment 2 Stephen Gallagher 2011-09-30 12:03:05 UTC
*** Bug 736866 has been marked as a duplicate of this bug. ***

Comment 3 Elio Maldonado Batiz 2011-09-30 16:38:31 UTC
It would actually be a lot easier and risk-free to rebase to NSS 3.13.

Comment 4 Rich Megginson 2011-09-30 19:26:15 UTC
Will be fixed automatically once we upgrade to a version of NSS that has the fix for https://bugzilla.mozilla.org/show_bug.cgi?id=172051

Comment 5 RHEL Program Management 2011-10-07 16:01:42 UTC
Since RHEL 6.2 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 6 Elio Maldonado Batiz 2012-10-24 22:25:58 UTC
This bug should be closed as we updated to upstream nss-3.13, which is the release that added the support for localizable error strings. That update occurred at the start of the year.