Description of problem:
Installation of freeipa-server enables LDAPS (port 636), but on restart there is a failure to initialize nss and it does not listen on LDAPS:

[02/Jun/2016:16:12:32.480224437 +0200] SSL alert: Security Initialization: Failed to disable SSLv2 on the imported socket (Netscape Portable Runtime error -8187 - security library: invalid arguments.)
[02/Jun/2016:16:12:32.485622120 +0200] ERROR: SSL2 Initialization Failed. Disabling SSL2.

DS LDAPS does not work, so IPA is not working.
It works with nss-3.23.

Version-Release number of selected component (if applicable):
nss-3.24.0-1.1.fc24.x86_64

How reproducible:
On F24, update nss to install nss 3.24.
Install freeipa-server.
The failure is in the PKI component that tries to access through LDAPS, which has been disabled because of the nss init failure.

Actual results:
freeipa install fails
netstat -ntulp | grep 636 --> no result

Expected results:
freeipa install should succeed
netstat -ntulp | grep 636 --> should show the ns-slapd process

Additional info:
DS upstream ticket is https://fedorahosted.org/389/ticket/48866. DS tries to disable sslv2 but the access fails and so initialization of LDAPS drops
See upstream bug. I think upstream should continue to return success from the options set API when you attempt to disable SSL v2. I hope there will be a patch soon.
Proposed as a Blocker and Freeze Exception for 24-final by Fedora user sgallagh using the blocker tracking app because: Beta Criterion: "The core functional requirements for all Featured Server Roles must be met, without any workarounds being necessary." The "Domain Controller" role cannot be deployed if the offending 'nss' package is present on the system.
(In reply to Kai Engert (:kaie) from comment #2)
> See upstream bug. I think upstream should continue to return success from
> the options set API when you attempt to disable SSL v2. I hope there will be
> a patch soon.

Thanks. I think your suggestion on the upstream bug is a sound one. We need to fix nss prior to updating F24, F23, and F22 repositories.
24 is at this point frozen, so there is no possibility the offending nss will go stable unless it itself fixes a blocker or FE bug, which I don't believe it does. So I'd be +1 on this if it were in stable, but as it's in u-t and can't get out, I'm -1.
Firefox 47 requires version 24. httpd server does not start with version 24 unless one removes /etc/httpd/conf.d/nss.conf file.
The NSS 3.24 package for Fedora could locally carry an upstream patch. It should be a simple patch. If this is urgent, and nobody else is quicker, then I can try to help later today with making the patch.
Upstream patch ready and reviewed, available here: https://bug1277569.bmoattachments.org/attachment.cgi?id=8759229

Before applying to Fedora, you might want to wait for upstream CI tests to finish, to see if the patch is good.
At least a one-line fix on top is required: https://bug1277569.bmoattachments.org/attachment.cgi?id=8759238
Created attachment 1164233 [details]
Kai's upstream commits merged and adapted for fedora

Merged https://bug1277569.bmoattachments.org/attachment.cgi?id=8759229 and https://bug1277569.bmoattachments.org/attachment.cgi?id=8759238 and adapted them to the nss-3.24.0 sources as we have them in fedora.
Koji build http://koji.fedoraproject.org/koji/buildinfo?buildID=770185 resolved the issue for FreeIPA.
(In reply to Anthony Messina from comment #11)
> Koji build http://koji.fedoraproject.org/koji/buildinfo?buildID=770185
> resolved the issue for FreeIPA.

The nss-3.24.0-1.2.fc23 Koji build (http://koji.fedoraproject.org/koji/buildinfo?buildID=770185) does resolve the FreeIPA issue at least on x86_64, however, anyone using ldapsearch or PHP's ldap tools on another machine running a previous version of NSS will have their connections hang (after entering the password):

ldap_start_tls: Connect error (-11)
	additional info: Start TLS request accepted.Server willing to negotiate SSL.
Enter LDAP Password:

It seems that all systems must be upgraded to the nss-3.24.0-1.2 builds to avoid these failures. After I upgraded my webserver machine to nss-3.24.0-1.2.fc23, my Apache/PHP ldap operations over TLS no longer failed.
nss-3.24.0-1.2.fc24 nss-softokn-3.24.0-1.0.fc24 nss-util-3.24.0-1.0.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fa807cca6f
nss-3.24.0-1.2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-db48cd10e9
nss-3.24.0-1.2.fc24, nss-softokn-3.24.0-1.0.fc24, nss-util-3.24.0-1.0.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fa807cca6f
Tests of freeipa are successful with nss-3.24.0-1.2.fc24.x86_64

Test on F23 - Freeipa 4.3.1 - DS 1.3.5.4.1

Freeipa already installed:
upgrade nss-3.23 -> nss-3.24.0-1.2.fc24.x86_64
restart DS instance --> nss is correctly initialized, LDAPS working (636)

Freeipa full install with nss-3.24.0-1.2.fc24.x86_64:
Installation completes successfully
restart DS instance --> nss is correctly initialized, LDAPS working (636)
nss-3.24.0-1.2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-db48cd10e9
I'm -1 blocker, -1 FE on this (unless some other blocker forces it to be pulled in). This can be addressed with an update and the broken code isn't in the stable branch yet.

Also, I'm very concerned about comment 12. Does it only fail for other versions of 3.24.0 that don't have this fix, or is it literally every version of NSS prior? If it's the latter, this isn't an acceptable fix.
(In reply to Stephen Gallagher from comment #19)
> Also, I'm very concerned about comment 12. Does it only fail for other
> versions of 3.24.0 that don't have this fix, or is it literally every
> version of NSS prior. If it's the latter, this isn't an acceptable fix.

Upstream version 3.24 is the first and only NSS release that contains the bug. All prior versions still supported SSL v2, and didn't fail on the attempt to disable it. With version 3.24, SSL v2 was completely removed, resulting in the new failure when attempting to disable SSL v2. The fix we're backporting from (unreleased) NSS 3.25 ensures that API calls to disable SSL v2 will report success.
Kai: OK, so if I'm reading that right, comment 12 just means that anyone who picked up nss-3.24.0-1.1 will need to be upgraded together (which is a small number, since it never got out of testing, right?) but anyone going straight from 3.23 to 3.24.0-1.2 (or mixing the two) won't have issues. Oh, hmm... a quick check of Koji says that F23 *did* get the interim change. Which is unfortunate, but I don't think it's fixable.
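An added diagnostic, not part of this bug thread and not code from NSS, 389-ds or Fedora: it recognises the errors-log signature quoted in the description (NSPR error -8187, which is SEC_ERROR_INVALID_ARGS) and classifies an installed nss build using only the version facts stated in this thread (3.24.0-1.1 broken, 3.24.0-1.2 carries the backport, 3.23 and 3.25 unaffected). The rpm version comparison is a simplified reimplementation, the sample log lines are copied from the report, and the function names are my own.

```python
import re

# Errors-log signature quoted in this bug: NSS init aborts when disabling SSLv2 fails
# with NSPR error -8187 (SEC_ERROR_INVALID_ARGS, "security library: invalid arguments").
SSLV2_FAIL_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] SSL alert: Security Initialization: "
                           r"Failed to disable SSLv2 .*?error (?P<err>-\d+)")

def ldaps_init_failure(log_lines):
    """Return the NSPR error code from the SSLv2-disable failure line, or None."""
    for line in log_lines:
        m = SSLV2_FAIL_RE.match(line)
        if m:
            return int(m.group("err"))
    return None

def _segments(s):
    return re.findall(r"\d+|[A-Za-z]+", s)  # rpm compares digit/alpha runs separately

def rpm_vercmp(a, b):
    """Simplified rpmvercmp (no tilde/caret handling): returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts after an alpha one
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

# nss-<version>-<release>[.fcNN][.arch]; hypothetical helper, not an rpm API.
NSS_NVR_RE = re.compile(r"^nss-(?P<ver>[\d.]+)-(?P<rel>[\w.]+?)(?:\.fc\d+)?(?:\.\w+)?$")

def nss_build_affected(nvr):
    """True only for upstream 3.24.0 builds without the backport (Fedora release < 1.2)."""
    m = NSS_NVR_RE.match(nvr)
    if not m:
        raise ValueError("not an nss NVR: " + nvr)
    if rpm_vercmp(m.group("ver"), "3.24.0") != 0:
        return False  # 3.23 still disables SSLv2 fine; 3.25 carries the fix
    return rpm_vercmp(m.group("rel"), "1.2") < 0

# Sample errors-log lines, copied from the description of this bug.
SAMPLE_LOG = [
    "[02/Jun/2016:16:12:32.480224437 +0200] SSL alert: Security Initialization: Failed to disable SSLv2 on the imported socket (Netscape Portable Runtime error -8187 - security library: invalid arguments.)",
    "[02/Jun/2016:16:12:32.485622120 +0200] ERROR: SSL2 Initialization Failed. Disabling SSL2.",
]
```

Run it against /var/log/dirsrv/slapd-<instance>/errors and the output of rpm -q nss to confirm both the failure and whether the host still carries the broken build.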
-1 blocker given it never went into f24 stable. Either the fixed version or 3.25 can be pushed in updates.
(In reply to Stephen Gallagher from comment #19)
> I'm -1 blocker, -1 FE on this (unless some other blocker forces it to be
> pulled in). This can be addressed with an update and the broken code isn't
> in the stable branch yet.
>
> Also, I'm very concerned about comment 12. Does it only fail for other
> versions of 3.24.0 that don't have this fix, or is it literally every
> version of NSS prior. If it's the latter, this isn't an acceptable fix.

My comments in comment 12 are only related to F23. Unfortunately, nss-3.24.0-1.1.fc23 was pushed to F23 stable, which is how I encountered the FreeIPA issue. Once I saw the Koji build for nss-3.24.0-1.2.fc23, I installed it on my FreeIPA machines, which resolved the issue with FreeIPA not starting. That is when I found that my other machines were unable to do ldapsearch or use Apache/PHP to complete ldap operations against my FreeIPA instances -- they were all still at nss-3.24.0-1.1.fc23. Once I upgraded the rest of my machines to nss-3.24.0-1.2.fc23, things were working properly again.
The F24 update has been edited, so there's now zero possibility of the affected build reaching stable, so I'm un-proposing this as an F24 blocker. The fact that it reached stable for F23 is unfortunate but nothing to do with the F24 blocker process.
*** Bug 1342734 has been marked as a duplicate of this bug. ***
*** Bug 1342332 has been marked as a duplicate of this bug. ***
nss-3.24.0-1.2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 1341981 has been marked as a duplicate of this bug. ***
nss-3.24.0-1.2.fc24, nss-softokn-3.24.0-1.0.fc24, nss-util-3.24.0-1.0.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 1342745 has been marked as a duplicate of this bug. ***