Bug 1854959 - ca-profile-add with Netscape extensions nsCertSSLClient and nsCertEmail in the profile gets stuck in processing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Alex Scheel
QA Contact: PKI QE
URL:
Whiteboard:
Depends On:
Blocks: 1842946
Reported: 2020-07-08 13:40 UTC by Pritam Singh
Modified: 2020-11-04 03:16 UTC (History)

Fixed In Version: jss-4.7.0-1.module+el8.3.0+7355+c59bcbd9.x86_64
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 03:15:45 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Comment 3 Alex Scheel 2020-07-27 12:30:22 UTC
Hey Pritam, have you had a chance to re-test this? Thanks!

Comment 4 Pritam Singh 2020-07-28 12:30:14 UTC
Tested on:

[root@pki1 ~]# rpm -qa | grep jss
tomcatjss-7.5.0-1.module+el8.3.0+7355+c59bcbd9.noarch
jss-4.7.0-1.module+el8.3.0+7355+c59bcbd9.x86_64

[root@pki1 ~]# rpm -qa | grep pki-ca
pki-ca-10.9.0-0.7.module+el8.3.0+7364+90640274.noarch

Test Procedure:
https://bugzilla.redhat.com/show_bug.cgi?id=1854959#c0

Result:
Now the custom profile with the Netscape extension enabled is getting added successfully and the issue is resolved.

Comment 5 Alex Scheel 2020-07-28 12:45:01 UTC
Cool, thanks!

This was fixed in the following commits for future reference:

commit 30162370f1e6302e5425a044067632b0a7c22bbd
Author: Alexander Scheel <ascheel>
Date:   Mon Jul 6 17:02:27 2020 -0400

    Update JSSSocketChannel to handle BUFFER_UNDERFLOW
    
    Signed-off-by: Alexander Scheel <ascheel>

commit 5ef4c22cdd83a09cca44df3389bc0b99ede1bb93
Author: Alexander Scheel <ascheel>
Date:   Mon Jul 6 16:38:48 2020 -0400

    Detect and report buffer underflow status
    
    This fixes an issue with large POST requests and Tomcat looping. Tomcat
    is expecting unwrap() to produce data, but NSS won't produce any data
    until it has the entire packet and can validate the message signatures.
    This means we need to report the status back to Tomcat, so it can add
    more data to the buffer (occasionally, increasing the size of the buffer
    when necessary).
    
    Occasionally this will report a false-positive: if we get an alert or a
    protocol-level message after the handshake (such as a re-key event or a
    post-handshake auth event in TLSv1.3), we'll report the status as
    BUFFER_UNDERFLOW. However, this should largely be fine unless our caller
    gets stuck querying more data from the socket. In the worst case, it'll
    trigger a premature close notification (and corresponding wrap call).
    
    However, from our testing, this appears to be safe.
    
    Signed-off-by: Alexander Scheel <ascheel>
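
As an added illustration of the status handling the second commit message describes (not code from JSS or Tomcat): a toy unwrap() that, like NSS, produces nothing until a complete record is buffered, and a caller that answers BUFFER_UNDERFLOW by adding data and growing its buffer. The class and method names, the toy record parsing without decryption, and the sample bytes are assumptions constructed for this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Added illustration, not JSS or Tomcat code; every name here is hypothetical.
public class UnderflowDemo {
    enum Status { OK, BUFFER_UNDERFLOW }
    static final int HEADER = 5; // TLS record header: type(1) version(2) length(2)

    // Toy unwrap(): produces payload only once a whole record is buffered.
    // A real engine would also decrypt and authenticate the record here.
    static Status unwrap(ByteBuffer net, ByteBuffer app) {
        if (net.remaining() < HEADER) return Status.BUFFER_UNDERFLOW;
        int p = net.position();
        int len = ((net.get(p + 3) & 0xff) << 8) | (net.get(p + 4) & 0xff);
        if (net.remaining() < HEADER + len) return Status.BUFFER_UNDERFLOW;
        net.position(p + HEADER);
        for (int i = 0; i < len; i++) app.put(net.get());
        return Status.OK;
    }

    // Caller: on BUFFER_UNDERFLOW append more wire bytes, growing the buffer
    // when needed, then retry. Without that status it would spin on no data.
    static String readRecord(byte[] wire, int chunk) {
        ByteBuffer net = ByteBuffer.allocate(8); // deliberately small
        ByteBuffer app = ByteBuffer.allocate(wire.length);
        int off = 0;
        net.flip(); // read mode, nothing buffered yet
        while (unwrap(net, app) == Status.BUFFER_UNDERFLOW) {
            if (off == wire.length) throw new IllegalStateException("EOF inside record");
            net.compact(); // write mode, unread bytes kept
            int n = Math.min(chunk, wire.length - off);
            if (net.remaining() < n) { // not enough room: move to a larger buffer
                ByteBuffer bigger = ByteBuffer.allocate(net.capacity() * 2 + n);
                net.flip();
                bigger.put(net);
                net = bigger;
            }
            net.put(wire, off, n);
            off += n;
            net.flip();
        }
        app.flip();
        return StandardCharsets.US_ASCII.decode(app).toString();
    }

    public static void main(String[] args) {
        // Constructed sample: one application-data record delivered 7 bytes at a time.
        byte[] body = "constructed POST body, larger than one read".getBytes(StandardCharsets.US_ASCII);
        ByteBuffer wire = ByteBuffer.allocate(HEADER + body.length);
        wire.put((byte) 0x17).put((byte) 3).put((byte) 3).putShort((short) body.length).put(body);
        System.out.println(readRecord(wire.array(), 7));
    }
}
```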

Comment 8 Pritam Singh 2020-08-07 12:33:31 UTC
Tested on:

[root@apollo test_dir]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.9.1
Release     : 1.module+el8.3.0+7594+3661a26e
Architecture: noarch
Install Date: Fri 07 Aug 2020 05:45:52 AM EDT
Group       : Unspecified
Size        : 2696306
License     : GPLv2 and LGPLv2
Signature   : RSA/SHA256, Thu 06 Aug 2020 05:10:06 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.9.1-1.module+el8.3.0+7594+3661a26e.src.rpm
Build Date  : Thu 06 Aug 2020 03:46:30 PM EDT
Build Host  : arm64-033.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.dogtagpki.org/

Proof of concept:
Successful pipeline -
https://gitlab.cee.redhat.com/idm/pki-pytest-ansible/-/jobs/1941531

It's working as expected in the pipeline.
Hence, marking this Bugzilla verified.

Comment 11 errata-xmlrpc 2020-11-04 03:15:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4847

