Bug 771357 - sslget does not work after FEDORA-2011-17400 update, breaking FreeIPA install
Summary: sslget does not work after FEDORA-2011-17400 update, breaking FreeIPA install
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pki-core
Version: 16
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 771790 771797
 
Reported: 2012-01-03 13:50 UTC by Alexander Bokovoy
Modified: 2012-01-19 01:40 UTC
CC: 10 users

Fixed In Version: dogtag-pki-9.0.0-9.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 771790 771797
Environment:
Last Closed: 2012-01-19 01:27:03 UTC


Attachments
strace of PKI CA server process during the sslget request (337.77 KB, text/x-log), 2012-01-03 13:50 UTC, Alexander Bokovoy
strace of sslget process during the sslget request (255.63 KB, text/x-log), 2012-01-03 13:51 UTC, Alexander Bokovoy
pki-vakwetu-0005-1-BZ-771357-sslget-does-not-work-after-FEDORA-2011-174.patch (3.18 KB, patch), 2012-01-06 03:51 UTC, Ade Lee

Description Alexander Bokovoy 2012-01-03 13:50:28 UTC
Created attachment 550420
strace of PKI CA server process during the sslget request

Description of problem:
When installing FreeIPA, the installer uses 'sslget' to communicate with the PKI CA. As can be seen in the attached strace logs, the server sends out the full response to the sslget client (9906 bytes) but the client receives only 5 bytes of the encrypted stream.

Both server and client are running on the same machine.

Version-Release number of selected component (if applicable):
nss 3.13.1-9

How reproducible:
always

Steps to Reproduce:
1. Install freeipa-server from updates-testing (2.1.4-3)
2. attempt to install FreeIPA. Installation will fail and show the command that failed
3. Run that command separately to verify the issue
4. Notice that the only symbol 'received' is 'H'

Actual results:
/usr/bin/sslget -v -n ipa-ca-agent -p Test1234 -d /tmp/tmp-VkkNUN/ -r /ca/agent/ca/profileReview?requestId=7 vm-047:9443
GET /ca/agent/ca/profileReview?requestId=7 HTTP/1.0

port: 9443
addr='vm-047.idm.lab.bos.redhat.com'
family='2'
Subject: CN=vm-047.idm.lab.bos.redhat.com,O=IPA.LOCAL
Issuer : CN=Certificate Authority,O=IPA.LOCAL
Called mygetclientauthdata - nickname = ipa-ca-agent
   mygetclientauthdata - cert = 11a47c0
   mygetclientauthdata - privkey = 11e95e0
PR_Write wrote 55 bytes from bigBuf
bytes: [GET /ca/agent/ca/profileReview?requestId=7 HTTP/1.0

]
do_writes shutting down send socket
do_writes exiting with (failure = 0)
bulk cipher AES-256, 256 secret key bits, 256 key bits, status: 1
connection 1 read 1 bytes (1 total).
these bytes read:
Hexit after not enough bytes read in first read with error 0:

Expected results:
sslget prints returned XML form from PKI CA

Additional info:

Comment 1 Alexander Bokovoy 2012-01-03 13:51:39 UTC
Created attachment 550421
strace of sslget process during the sslget request

Also a strace of the sslget process.

Comment 3 Alexander Bokovoy 2012-01-03 14:14:54 UTC
Kamil, with NSS_SSL_CBC_RANDOM_IV=0 in the pki-cad execution environment it goes through.

Please suggest how the issue should be fixed.

Comment 4 Kamil Dudka 2012-01-03 14:27:49 UTC
Simply speaking, you need to repeat the call of read() more times and concatenate the blocks given until you get all you expect to get from the socket.  My first patch for curl's test-suite looked like this:

http://curl.haxx.se/mail/lib-2011-12/0291.html

I do not know FreeIPA enough to suggest a more specific solution for this bug.
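
The read loop Kamil describes, as an added example that is not part of this bug report or of the sslget source. The NSS 3.13.1 update sends the first byte of CBC-encrypted application data in its own record (the CBC random IV countermeasure), so the first read can legitimately return one byte; a client that treats that as the whole answer sees only "H". The reader callback and the sample response below are constructed stand-ins for the NSS socket and the CA's reply, not real sslget code.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Reader callback with read(2)/PR_Read semantics: >0 bytes, 0 on EOF, <0 on error. */
typedef ssize_t (*read_fn)(void *ctx, void *buf, size_t len);

/* Constructed stand-in for the TLS socket: the first call yields a single byte
 * (the lone "H" from the bug), later calls hand over the rest of the response. */
struct split_src { const char *data; size_t len; size_t pos; int calls; };

static ssize_t split_read(void *ctx, void *buf, size_t len)
{
    struct split_src *s = ctx;
    size_t n = s->len - s->pos;
    if (n == 0) return 0;                 /* EOF: peer shut down its send side */
    if (s->calls++ == 0) n = 1;           /* first record carries one byte only */
    if (n > len) n = len;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (ssize_t)n;
}

/* The broken pattern: a single read, treated as the complete response. */
ssize_t read_once(read_fn rd, void *ctx, char *buf, size_t cap)
{
    return rd(ctx, buf, cap);
}

/* The fix: keep reading and appending until EOF, an error, or a full buffer. */
ssize_t read_all(read_fn rd, void *ctx, char *buf, size_t cap)
{
    size_t total = 0;
    while (total < cap) {
        ssize_t n = rd(ctx, buf + total, cap - total);
        if (n < 0) return -1;             /* real socket error */
        if (n == 0) break;                /* EOF: response complete */
        total += (size_t)n;
    }
    return (ssize_t)total;
}

/* Constructed sample reply; the real one is the CA's XML form (9906 bytes in the bug). */
const char sample_response[] = "HTTP/1.0 200 OK\r\n\r\n<xml>ok</xml>";
```

A caller that needs a bounded response should still cap the buffer (as read_all does) rather than reading until EOF into unbounded memory.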

Comment 5 Alexander Bokovoy 2012-01-03 14:38:05 UTC
That's a utility from pki-native-tools. As both solutions outlined in comment 3 and comment 4 are on the Dogtag side, I'd suggest moving the bug to the PKI team.

Comment 6 Alexander Bokovoy 2012-01-03 16:00:02 UTC
moving to pki-native-tools after discussing a bit with Ade Lee.

Comment 7 Matthew Harmsen 2012-01-05 00:23:50 UTC
In Fedora, the 'pki-native-tools' component is now part of 'pki-core'.

Comment 8 Ade Lee 2012-01-06 03:51:57 UTC
Created attachment 551068
pki-vakwetu-0005-1-BZ-771357-sslget-does-not-work-after-FEDORA-2011-174.patch

Comment 9 Ade Lee 2012-01-06 03:52:59 UTC
Committed to trunk.

commit d5a1c6dfcbe1b1ab7ffe711996f970f1c410b919
Author: Ade Lee <alee@redhat.com>
Date:   Wed Jan 4 00:08:03 2012 -0500

    BZ 771357 - sslget does not work after FEDORA-2011-17400 update,
    breaking FreeIPA install
    
    Modified sslget doIO() function to be able to handle small reads.

Comment 10 Ade Lee 2012-01-06 03:57:34 UTC
Committed to dogtag 9 branch:

commit 8ebf890b913ffbf4cb40c09ebc9e229989303095
Author: Ade Lee <alee@redhat.com>
Date:   Wed Jan 4 00:08:03 2012 -0500

    BZ 771357 - sslget does not work after FEDORA-2011-17400 update, breaking FreeIPA install
    
    Modified sslget doIO() function to be able to handle small reads.

Comment 12 Matthew Harmsen 2012-01-06 04:23:44 UTC
DOGTAG_9_BRANCH: (SVN)

# cd pki

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       base/native-tools/src/sslget/sslget.c

# svn commit
Sending        base/native-tools/src/sslget/sslget.c
Transmitting file data .
Committed revision 2356.

Comment 13 Fedora Update System 2012-01-07 04:11:27 UTC
dogtag-pki-9.0.0-9.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/dogtag-pki-9.0.0-9.fc15

Comment 14 Fedora Update System 2012-01-07 04:17:54 UTC
dogtag-pki-9.0.0-9.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/dogtag-pki-9.0.0-9.fc16

Comment 15 Fedora Update System 2012-01-11 06:00:06 UTC
Package dogtag-pki-9.0.0-9.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing dogtag-pki-9.0.0-9.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0273/dogtag-pki-9.0.0-9.fc16
then log in and leave karma (feedback).

Comment 16 Fedora Update System 2012-01-19 01:27:03 UTC
dogtag-pki-9.0.0-9.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2012-01-19 01:40:24 UTC
dogtag-pki-9.0.0-9.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
