Fedora Account System
Red Hat Associate
Red Hat Customer
Description of problem: Fedora rawhide, 33 and 32 are now shipping openssl 1.1.1i that contains a regression in X509_verify_cert. The regression causes verification of a self-signed certificate to fail, and that prevents WebUI authentication in FreeIPA (see freeipa issue https://pagure.io/freeipa/issue/8632). The regression has already been reported upstream as https://github.com/openssl/openssl/issues/13739 and a fix is available upstream (PR https://github.com/openssl/openssl/pull/13749 merged in commit https://github.com/openssl/openssl/commit/76ed0c0ad119569f6e6f6c96b27b76d3b110413b). FreeIPA now needs the fix in Fedora rawhide, 33 and 32. Version-Release number of selected component (if applicable): openssl-1.1.1i-1.fc34 / openssl-1.1.1i-1.fc33 / openssl-1.1.1i-1.fc32 How reproducible: Always Steps to Reproduce: 1. configure a freeipa server CA less with --no-pkinit option 2. login to webui https://host.ipa.test/ipa/ui Actual results: the login fails Expected results: login should be successful
I will update the Fedora builds shortly.