Bug 1916594 - Regression in `X509_verify_cert` in openssl 1.1.1i
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: 33
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Sahana Prasad
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1929208
Reported: 2021-01-15 08:25 UTC by Florence Blanc-Renaud
Modified: 2021-03-08 18:58 UTC

Fixed In Version: openssl-1.1.1i-3.fc33
Clone Of:
: 1929208 (view as bug list)
Environment:
Last Closed: 2021-03-08 18:58:05 UTC
Type: Bug
Embargoed:
fedora-admin-xmlrpc: mirror+


Description Florence Blanc-Renaud 2021-01-15 08:25:51 UTC
Description of problem:
Fedora rawhide, 33 and 32 are now shipping openssl 1.1.1i that contains a regression in X509_verify_cert. The regression causes verification of a self-signed certificate to fail, and that prevents WebUI authentication in FreeIPA (see freeipa issue https://pagure.io/freeipa/issue/8632).

The regression has already been reported upstream as https://github.com/openssl/openssl/issues/13739 and a fix is available upstream (PR https://github.com/openssl/openssl/pull/13749 merged in commit https://github.com/openssl/openssl/commit/76ed0c0ad119569f6e6f6c96b27b76d3b110413b).

FreeIPA now needs the fix in Fedora rawhide, 33 and 32.

Version-Release number of selected component (if applicable):
openssl-1.1.1i-1.fc34 / openssl-1.1.1i-1.fc33 / openssl-1.1.1i-1.fc32 

How reproducible:
Always

Steps to Reproduce:
1. configure a freeipa server CA-less with the --no-pkinit option
2. log in to the webui https://host.ipa.test/ipa/ui

Actual results:
the login fails

Expected results:
login should be successful

Comment 1 Sahana Prasad 2021-01-15 18:09:53 UTC
I will update the Fedora builds shortly.

