Description of problem: ESC can communicate with TPS over SSL for operations such as the Format and Enroll token operations. We have found a case where the TPS's certificate expired and had to be renewed. In this case, ESC can have trouble communicating with TPS for these operations. As of now, there is a workaround involving the manipulation of the user's profile data. The goal is to have ESC take care of this situation automatically without user interaction.
*** Bug 479335 has been marked as a duplicate of this bug. ***
Created attachment 348593: Proposed fix for this issue. This fix involved allowing the user to set security exceptions much like in Firefox. Also, the separate HTTP library that contacts the TPS to perform token operations has been given a Bad Cert handler that can recognize previously created exceptions.
attachment (id=348593) +mharmsen

CAVEATS:

In "src/app/xpcom/rhCoolKey.cpp":

CHANGE:
    if(!certCBLock) { PR_DestroyLock(certCBLock); }
TO:
    if(certCBLock) { PR_DestroyLock(certCBLock); }

MOVE this "err" initialization code above the "err" switches:
    // Retrieve callback data from NssHttpClient
    // Caller cleans up this data
    BadCertData *data = (BadCertData *) arg;
    data->error = err = PORT_GetError();

REMOVE unused variable "PRNetAddr addr;"

Add LOG messages on "false" cases.
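The two comments above describe a Bad Cert handler that recognizes previously created security exceptions and reads the failure with PORT_GetError(). The block below is an added illustration of the exception store such a handler would consult; it is not ESC/CoolKey code and not the attached patch. The error names, host name, port and fingerprint strings are placeholders (a real NSS handler would take the error code from PORT_GetError() and the fingerprint from the peer certificate), and the policy of binding an exception to the exact leaf certificate, so that a renewed TPS certificate needs a fresh confirmation rather than inheriting the old exception, is this example's choice, not something the page states about ESC.

```c
/*
 * Illustrative certificate-exception store for an SSL bad-cert callback.
 * Added example, not ESC/CoolKey code. Error names are placeholders for
 * the NSS codes a real handler would read with PORT_GetError().
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

typedef enum {
    ERR_EXPIRED_CERT,
    ERR_NOT_YET_VALID,
    ERR_UNKNOWN_ISSUER,
    ERR_UNTRUSTED_ISSUER,
    ERR_BAD_DOMAIN,
    ERR_REVOKED
} BadCertError;

/* Classes of failure a user may accept, in the style of Firefox overrides. */
enum {
    OVR_UNTRUSTED = 1u << 0,   /* issuer unknown or not trusted */
    OVR_MISMATCH  = 1u << 1,   /* subject does not match the host */
    OVR_TIME      = 1u << 2    /* expired or not yet valid */
};

typedef struct {
    char host[64];
    int port;
    char sha256_hex[65];       /* fingerprint of the exact leaf cert accepted */
    unsigned bits;             /* error classes accepted for that cert */
} CertException;

typedef struct {
    CertException items[8];
    size_t count;
} ExceptionStore;

/* Map an error to an override class; 0 means "never overridable". */
static unsigned classify(BadCertError err)
{
    switch (err) {
    case ERR_EXPIRED_CERT:
    case ERR_NOT_YET_VALID:    return OVR_TIME;
    case ERR_UNKNOWN_ISSUER:
    case ERR_UNTRUSTED_ISSUER: return OVR_UNTRUSTED;
    case ERR_BAD_DOMAIN:       return OVR_MISMATCH;
    case ERR_REVOKED:          return 0;   /* revocation is not a user-acceptable risk */
    }
    return 0;
}

/* Host, port and fingerprint must all match; hex compare is case-insensitive. */
static CertException *find_exception(ExceptionStore *s, const char *host,
                                     int port, const char *sha256_hex)
{
    for (size_t i = 0; i < s->count; i++) {
        CertException *e = &s->items[i];
        if (e->port == port && strcasecmp(e->host, host) == 0 &&
            strcasecmp(e->sha256_hex, sha256_hex) == 0)
            return e;
    }
    return NULL;
}

/* Decision the bad-cert callback returns: 1 = accept the connection, 0 = fail it. */
int bad_cert_override(ExceptionStore *s, const char *host, int port,
                      const char *leaf_sha256_hex, BadCertError err)
{
    unsigned cls = classify(err);
    if (cls == 0)
        return 0;
    CertException *e = find_exception(s, host, port, leaf_sha256_hex);
    if (e == NULL)
        return 0;                      /* unknown cert (e.g. just renewed): prompt the user */
    return (e->bits & cls) == cls;     /* stored exception must cover this error class */
}

/* Record the user's decision after a prompt. Refuses non-overridable errors,
 * merges into an existing entry for the same cert. Returns 1 on success. */
int remember_exception(ExceptionStore *s, const char *host, int port,
                       const char *leaf_sha256_hex, BadCertError err)
{
    unsigned cls = classify(err);
    if (cls == 0)
        return 0;
    CertException *e = find_exception(s, host, port, leaf_sha256_hex);
    if (e != NULL) {
        e->bits |= cls;
        return 1;
    }
    if (s->count >= sizeof s->items / sizeof s->items[0])
        return 0;
    e = &s->items[s->count++];
    snprintf(e->host, sizeof e->host, "%s", host);
    e->port = port;
    snprintf(e->sha256_hex, sizeof e->sha256_hex, "%s", leaf_sha256_hex);
    e->bits = cls;
    return 1;
}
```

The point to check in any such handler is what the exception is keyed on: an entry keyed only on host and port would silently accept whatever certificate the TPS presents after renewal, so the fingerprint is part of the key and an error class the user never saw (a host mismatch on a cert accepted only for an unknown issuer) is still refused.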
Suggested changes done: cvs -d :ext:jmagne.redhat.com/cvs/dirsec commit -m "Bugzilla# 479722 ESC to TPS SSL communication problem with renewed TPS cert." cvs trace lost. Fixed in the next build of ESC.
Verified. With the renewed TPS server cert, able to enroll/format tokens.