On to, 29 syys 2016, Martin Babinsky wrote:
Hi list,

today I noticed the following exceptions in my VMs when installing/using FreeIPA:

"""
# ipa ping
exception in SSLSocket.handshake_callback
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line 258, in handshake_callback
   channel = sock.get_ssl_channel_info()
nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.
--------------------------------------------
IPA server version 4.4.90. API version 2.215
--------------------------------------------
"""

This was caused by python-nss-1.0.0-2.fc24.x86_64 which was pushed to updates-testing. Reverting the package to previous versions fixed the problem.
python-nss-1.0.0-1.fc25 (note fc25) works fine. There is no 1.0.0-2.fc25
which is a packaging bug, but that's should not be bringing any
difference as the tarball (1.0.0) is the same and no additional patches
were applied.

Also, we didn't have any changes between 4.4.1 and git master that could
have affected ipapython/nsslib.py other than 
0f88f8fe889ae4801fc8d5ece1ad51c5246718ac,
which is this chunk of changes:

diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 1573de9..f9f64c1 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -234,7 +234,7 @@ class NSSConnection(httplib.HTTPConnection,
NSSAddressFamilyFallback):
        self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
        try:
            self.sock.set_ssl_version_range(self.tls_version_min, 
self.tls_version_max)
-        except NSPRError as e:
+        except NSPRError:
            root_logger.error('Failed to set TLS range to %s, %s' % 
(self.tls_version_min, self.tls_version_max))
            raise
        self.sock.set_ssl_option(ssl_require_safe_negotiation, False)

e.g. nothing that is relevant to the trace you provided.


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to