Created attachment 550420 [details]
strace of PKI CA server process during the sslget request

Description of problem:
When installing FreeIPA, the installer uses 'sslget' to communicate with PKI CA. As can be seen in the attached strace logs, the server sends out the full response to the sslget client (9906 bytes) but the client receives only 5 bytes of the encrypted stream. Both server and client are running on the same machine.

Version-Release number of selected component (if applicable):
nss 3.13.1-9

How reproducible:
always

Steps to Reproduce:
1. Install freeipa-server from updates-testing (2.1.4-3)
2. Attempt to install FreeIPA. Installation will fail and show the command that failed
3. Run that command separately to verify the issue
4. Notice that the only symbol 'received' is 'H'

Actual results:
/usr/bin/sslget -v -n ipa-ca-agent -p Test1234 -d /tmp/tmp-VkkNUN/ -r /ca/agent/ca/profileReview?requestId=7 vm-047:9443
GET /ca/agent/ca/profileReview?requestId=7 HTTP/1.0
port: 9443
addr='vm-047.idm.lab.bos.redhat.com' family='2'
Subject: CN=vm-047.idm.lab.bos.redhat.com,O=IPA.LOCAL
Issuer : CN=Certificate Authority,O=IPA.LOCAL
Called mygetclientauthdata - nickname = ipa-ca-agent
mygetclientauthdata - cert = 11a47c0
mygetclientauthdata - privkey = 11e95e0
PR_Write wrote 55 bytes from bigBuf
bytes: [GET /ca/agent/ca/profileReview?requestId=7 HTTP/1.0
]
do_writes shutting down send socket
do_writes exiting with (failure = 0)
bulk cipher AES-256, 256 secret key bits, 256 key bits, status: 1
connection 1 read 1 bytes (1 total).
these bytes read:
H
exit after not enough bytes read in first read with error 0:

Expected results:
sslget prints returned XML form from PKI CA

Additional info:
Created attachment 550421 [details]
strace of sslget process during the sslget request

Also a strace of the sslget process.
https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c126
Kamil, with NSS_SSL_CBC_RANDOM_IV=0 in pki-cad execution environments it goes through. Please suggest how the issue should be fixed.
Simply speaking, you need to repeat the call of read() more times and concatenate the blocks given until you get all you expect to get from the socket. My first patch for curl's test-suite looked like this: http://curl.haxx.se/mail/lib-2011-12/0291.html I do not know FreeIPA enough to suggest a more specific solution for this bug.
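The read loop that comment 4 describes, as an added example in C (it is neither the sslget patch nor any code from this bug). A local socket pair stands in for the TLS connection, a constructed response stands in for the CA's XML form, and the peer delivers the first byte on its own, the way NSS's CBC random-IV record splitting does on the wire, so one read() sees only "H" while the loop collects everything up to EOF.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed stand-in for the XML form PKI CA returns (not a real response). */
const char kResponse[] =
    "HTTP/1.0 200 OK\r\nContent-Type: text/xml\r\n\r\n<xml>ok</xml>";

/* The loop from comment 4: keep calling read() and append each fragment at
 * offset 'have' until the peer closes. Returns total bytes read, -1 on error. */
ssize_t read_until_eof(int fd, char *buf, size_t cap, size_t have)
{
    while (have < cap) {
        ssize_t n = read(fd, buf + have, cap - have);
        if (n < 0) return -1;
        if (n == 0) break;                  /* EOF: response is complete */
        have += (size_t)n;
    }
    return (ssize_t)have;
}

/* Drive a local socket pair the way the split records arrive: one byte first,
 * then the remainder, then the server closes its send side. *first receives
 * what a single read() saw; the return value is what the loop collected. */
ssize_t split_response_demo(char *buf, size_t cap, ssize_t *first)
{
    int sv[2];                              /* sv[0] = client, sv[1] = server */
    size_t len = strlen(kResponse);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    /* First record carries only "H": a single read() sees 1 byte, which is
     * where the original doIO() gave up ("not enough bytes read"). */
    if (write(sv[1], kResponse, 1) != 1) return -1;
    *first = read(sv[0], buf, cap);
    /* Remaining bytes, then shutdown so the client eventually sees EOF. */
    if (write(sv[1], kResponse + 1, len - 1) != (ssize_t)(len - 1)) return -1;
    shutdown(sv[1], SHUT_WR);
    /* Resume from the bytes already received and drain to EOF. */
    ssize_t total = read_until_eof(sv[0], buf, cap, *first > 0 ? (size_t)*first : 0);
    close(sv[1]); close(sv[0]);
    return total;
}

int main(void)
{
    char buf[256]; ssize_t first = 0;
    ssize_t total = split_response_demo(buf, sizeof buf, &first);
    printf("single read: %zd byte(s); loop: %zd byte(s)\n", first, total);
    return total == (ssize_t)strlen(kResponse) ? 0 : 1;
}
```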
That's a utility from pki-native-tools. As both solutions outlined in comment 3 and comment 4 are on the Dogtag side, I'd suggest moving the bug to the PKI team.
Moving to pki-native-tools after discussing a bit with Ade Lee.
In Fedora, the 'pki-native-tools' component is now part of 'pki-core'.
Created attachment 551068 [details]
pki-vakwetu-0005-1-BZ-771357-sslget-does-not-work-after-FEDORA-2011-174.patch
Committed to trunk.

commit d5a1c6dfcbe1b1ab7ffe711996f970f1c410b919
Author: Ade Lee <alee>
Date:   Wed Jan 4 00:08:03 2012 -0500

    BZ 771357 - sslget does not work after FEDORA-2011-17400 update, breaking FreeIPA install

    Modified sslget doIO() function to be able to handle small reads.
Committed to dogtag 9 branch:

commit 8ebf890b913ffbf4cb40c09ebc9e229989303095
Author: Ade Lee <alee>
Date:   Wed Jan 4 00:08:03 2012 -0500

    BZ 771357 - sslget does not work after FEDORA-2011-17400 update, breaking FreeIPA install

    Modified sslget doIO() function to be able to handle small reads.
DOGTAG_9_BRANCH: (SVN)

# cd pki
# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       base/native-tools/src/sslget/sslget.c
# svn commit
Sending        base/native-tools/src/sslget/sslget.c
Transmitting file data .
Committed revision 2356.
dogtag-pki-9.0.0-9.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/dogtag-pki-9.0.0-9.fc15
dogtag-pki-9.0.0-9.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/dogtag-pki-9.0.0-9.fc16
Package dogtag-pki-9.0.0-9.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing dogtag-pki-9.0.0-9.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0273/dogtag-pki-9.0.0-9.fc16
then log in and leave karma (feedback).
dogtag-pki-9.0.0-9.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
dogtag-pki-9.0.0-9.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.