Bug 479722 - ESC to TPS SSL communication problem with renewed TPS cert
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: ESC
Version: 1.0
Hardware: All
OS: All
Priority: high
Severity: medium
Assigned To: Jack Magne
QA Contact: Chandrasekar Kannan
Duplicates: 479335
Depends On: 496410
Blocks: 443788
Reported: 2009-01-12 12:48 EST by Jack Magne
Modified: 2015-01-04 18:35 EST

Doc Type: Bug Fix
Last Closed: 2009-07-22 19:30:59 EDT


Attachments
Proposed fix for this issue. (14.09 KB, patch) 2009-06-18 22:58 EDT, Jack Magne

Description Jack Magne 2009-01-12 12:48:31 EST
Description of problem:

ESC can communicate with TPS over SSL for operations such as the Format and Enroll token operations. 

We have found a case where the TPS's certificate expired and had to be renewed. In this case, ESC can have trouble communicating with TPS for these operations.

As of now, there is a workaround involving the manipulation of the user's profile data.

The goal is to have ESC take care of this situation automatically without user interaction.
Comment 1 Jack Magne 2009-05-09 14:39:24 EDT
*** Bug 479335 has been marked as a duplicate of this bug. ***
Comment 2 Jack Magne 2009-06-18 22:58:43 EDT
Created attachment 348593 [details]
Proposed fix for this issue.

This fix involved allowing the user to set security exceptions much like in Firefox. Also, the separate HTTP library that contacts the TPS to perform token operations has been given a Bad Cert handler that can recognize previously created exceptions.
Comment 3 Matthew Harmsen 2009-06-19 15:34:57 EDT
attachment (id=348593) +mharmsen

CAVEATS:

In "src/app/xpcom/rhCoolKey.cpp":

CHANGE:  if(!certCBLock) {
             PR_DestroyLock(certCBLock);
         }

TO:      if(certCBLock) {
             PR_DestroyLock(certCBLock);
         }


MOVE this "err" initialization code above the "err" switches:

    // Retrieve callback data from NssHttpClient
    // Caller cleans up this data
    BadCertData *data = (BadCertData *) arg;
    data->error = err = PORT_GetError();

REMOVE unused variable "PRNetAddr addr;"

Add LOG messages on "false" cases.
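The fix discussed in the two comments above adds a bad-cert handler to the HTTP client that talks to the TPS (Token Processing System) and lets the user record a security exception the way Firefox does. The following is an added example, not ESC's or Dogtag's code, that models that handler in plain C so it runs without NSS: `SECStatus`, the `BadCertData` struct and the error codes are stand-ins for the NSS/NSPR definitions, the error is passed in as a parameter rather than read with `PORT_GetError()`, and the host name, port, fingerprints and numeric error values are constructed for the demonstration. It follows the reviewer's point of recording the error before the switch, and it shows the check a practitioner wants here: an exception is keyed on the exact certificate fingerprint, so a renewed TPS cert does not silently inherit the exception granted to the old one.

```c
/*
 * Added example (not ESC code): a bad-cert handler that honours stored
 * security exceptions. NSS/NSPR types and error codes are stand-ins so the
 * file compiles without NSS; values below are constructed for the demo.
 */
#include <stdio.h>
#include <string.h>

typedef enum { SECFailure = -1, SECSuccess = 0 } SECStatus;

/* Assumed stand-ins for the NSS SEC_ERROR_* / SSL_ERROR_* codes a TPS
 * connection may fail with; the numbers are illustrative only. */
enum {
    ERR_UNKNOWN_ISSUER  = -8179,
    ERR_BAD_CERT_DOMAIN = -12276,
    ERR_EXPIRED_CERT    = -8181
};

/* One user-confirmed exception: which host, which exact certificate
 * (hex fingerprint) and which error the user agreed to override. */
typedef struct {
    char host[64];
    int  port;
    char fingerprint[65];
    int  error;
} CertException;

typedef struct {
    CertException items[16];
    int count;
} ExceptionStore;

/* Mirrors the BadCertData the reviewer refers to: the handler records the
 * error so the caller can tell the user why the connection was refused. */
typedef struct {
    int         error;
    const char *host;
    int         port;
    const char *fingerprint;  /* fingerprint of the cert the server presented */
} BadCertData;

int add_exception(ExceptionStore *s, const char *host, int port,
                  const char *fingerprint, int error)
{
    if (s->count >= (int)(sizeof s->items / sizeof s->items[0]))
        return 0;
    CertException *e = &s->items[s->count++];
    snprintf(e->host, sizeof e->host, "%s", host);
    e->port = port;
    snprintf(e->fingerprint, sizeof e->fingerprint, "%s", fingerprint);
    e->error = error;
    return 1;
}

/* An exception only covers the identical certificate: a renewed TPS cert
 * has a new fingerprint, so the user has to confirm it again. */
static int has_exception(const ExceptionStore *s, const BadCertData *d)
{
    for (int i = 0; i < s->count; i++) {
        const CertException *e = &s->items[i];
        if (e->port == d->port && e->error == d->error &&
            strcmp(e->host, d->host) == 0 &&
            strcmp(e->fingerprint, d->fingerprint) == 0)
            return 1;
    }
    return 0;
}

/* Shape of an SSL bad-cert callback: the error is stored in the caller's
 * BadCertData first, then the switch decides whether it is overridable. */
SECStatus bad_cert_handler(void *arg, const ExceptionStore *store, int err)
{
    BadCertData *data = (BadCertData *)arg;
    data->error = err;               /* record before any early return */

    switch (err) {
    case ERR_UNKNOWN_ISSUER:
    case ERR_BAD_CERT_DOMAIN:
    case ERR_EXPIRED_CERT:
        if (has_exception(store, data))
            return SECSuccess;
        fprintf(stderr, "no exception for %s:%d (error %d)\n",
                data->host, data->port, err);
        return SECFailure;
    default:
        /* Anything else (e.g. a bad signature) is never overridable. */
        fprintf(stderr, "non-overridable error %d\n", err);
        return SECFailure;
    }
}

/* Walks the renewal scenario; returns 1 when every expectation holds. */
int run_scenario(void)
{
    ExceptionStore store = {0};                       /* constructed */
    add_exception(&store, "tps.example.test", 7889, "old-fp", ERR_UNKNOWN_ISSUER);

    BadCertData old_cert = {0, "tps.example.test", 7889, "old-fp"};
    BadCertData new_cert = {0, "tps.example.test", 7889, "new-fp"};

    int ok = bad_cert_handler(&old_cert, &store, ERR_UNKNOWN_ISSUER) == SECSuccess;
    ok = ok && bad_cert_handler(&new_cert, &store, ERR_UNKNOWN_ISSUER) == SECFailure;
    ok = ok && new_cert.error == ERR_UNKNOWN_ISSUER;  /* error still reported */
    ok = ok && bad_cert_handler(&old_cert, &store, -8000) == SECFailure;
    return ok;
}

int main(void)
{
    printf("renewal scenario %s\n", run_scenario() ? "behaves as expected" : "FAILED");
    return 0;
}
```

In the real ESC handler the error comes from `PORT_GetError()` inside the callback, which is why the reviewer asks for that read to happen before the switch: a branch that returns early would otherwise leave `data->error` unset for the caller that has to prompt the user.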
Comment 4 Jack Magne 2009-06-19 17:13:19 EDT
Suggested changes done:

cvs -d :ext:jmagne@cvs.fedora.redhat.com/cvs/dirsec  commit -m "Bugzilla#
479722 ESC to TPS SSL communication problem with renewed TPS cert."

cvs trace lost.

Fixed in the next build of ESC.
Comment 5 Asha Akkiangady 2009-07-07 22:02:03 EDT
Verified.

With the renewed TPS server cert, able to enroll/format tokens.
