Bug 742506 - Please backport localizable error codes for NSS
Summary: Please backport localizable error codes for NSS
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Elio Maldonado Batiz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-09-30 11:33 UTC by Stephen Gallagher
Modified: 2012-10-24 22:25 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-10-24 22:25:58 UTC
Target Upstream Version:


Attachments: none

Links:
Mozilla Foundation 172051
Description Stephen Gallagher 2011-09-30 11:33:47 UTC
Description of problem:
Many customers have certificate issues when using the System Security Services Daemon. However, the debug logs are of no use because the openldap libraries do not return useful error messages explaining the cause of the failure.

This is in turn caused by the mozilla-nss libraries not returning these messages to openldap. (Note: this should be viewed as a regression in SSSD and openldap because the openldap libraries that used openssl for crypto reported this information in a useful way).

Without this information, it is very difficult for customers to identify where their problems are located.

Version-Release number of selected component (if applicable):
nss-3.12.10-11.el6

How reproducible:
Every time

Steps to Reproduce:
1. Configure SSSD to talk to an LDAP server with a server certificate issued by a private CA (that is not in the standard CA list).
2. Attempt to use SSSD over a secure channel (ldaps or ldap_id_use_start_tls = true)
3. The debug logs will report that an error occurred, whose message is "unknown".
Actual results:
"Unknown" error message in the logs

Expected results:
The logs should identify that the error was caused by an invalid certificate chain.

Additional info:
As mentioned above, this worked properly until openldap converted to mozilla-nss.

Related upstream ticket for openldap: http://www.openldap.org/its/index.cgi/Incoming?id=6789

Comment 2 Stephen Gallagher 2011-09-30 12:03:05 UTC
*** Bug 736866 has been marked as a duplicate of this bug. ***

Comment 3 Elio Maldonado Batiz 2011-09-30 16:38:31 UTC
It would actually be a lot easier and risk-free to rebase to NSS 3.13.

Comment 4 Rich Megginson 2011-09-30 19:26:15 UTC
Will be fixed automatically once we upgrade to a version of NSS that has the fix for https://bugzilla.mozilla.org/show_bug.cgi?id=172051

Comment 5 RHEL Program Management 2011-10-07 16:01:42 UTC
Since RHEL 6.2 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker.

Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

Comment 6 Elio Maldonado Batiz 2012-10-24 22:25:58 UTC
This bug should be closed as we updated to upstream nss-3.13, which is the release that added the support for localizable error strings. That update occurred at the start of the year.
