On 29.09.2016 10:14, Alexander Bokovoy wrote:
On to, 29 syys 2016, Martin Babinsky wrote:
Hi list,

today I noticed the following exceptions in my VMs when installing/using FreeIPA:

# ipa ping
exception in SSLSocket.handshake_callback
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line 258, in handshake_callback
   channel = sock.get_ssl_channel_info()
nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.
IPA server version 4.4.90. API version 2.215

This was caused by python-nss-1.0.0-2.fc24.x86_64 which was pushed to updates-testing. Reverting the package to previous versions fixed the problem.
python-nss-1.0.0-1.fc25 (note fc25) works fine. There is no 1.0.0-2.fc25
which is a packaging bug, but that's should not be bringing any
difference as the tarball (1.0.0) is the same and no additional patches
were applied.

Also, we didn't have any changes between 4.4.1 and git master that could
have affected ipapython/nsslib.py other than 0f88f8fe889ae4801fc8d5ece1ad51c5246718ac,
which is this chunk of changes:

diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 1573de9..f9f64c1 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -234,7 +234,7 @@ class NSSConnection(httplib.HTTPConnection,
        self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
self.sock.set_ssl_version_range(self.tls_version_min, self.tls_version_max)
-        except NSPRError as e:
+        except NSPRError:
root_logger.error('Failed to set TLS range to %s, %s' % (self.tls_version_min, self.tls_version_max))
        self.sock.set_ssl_option(ssl_require_safe_negotiation, False)

e.g. nothing that is relevant to the trace you provided.

Sorry I cannot reproduce it as well

[root@vm-058-017 ~]# ipa ping
IPA server version 4.4.90. API version 2.215

[root@vm-058-017 ~]# dnf upgrade python-nss ...
Running transaction
  Upgrading   : python-nss-1.0.0-2.fc24.x86_64 1/4
  Upgrading   : python3-nss-1.0.0-2.fc24.x86_64 2/4
  Cleanup     : python3-nss-1.0.0-beta1.2.fc24.1.x86_64 3/4
  Cleanup     : python-nss-1.0.0-beta1.2.fc24.1.x86_64 4/4
  Verifying   : python3-nss-1.0.0-2.fc24.x86_64 1/4
  Verifying   : python-nss-1.0.0-2.fc24.x86_64 2/4
  Verifying   : python-nss-1.0.0-beta1.2.fc24.1.x86_64 3/4
  Verifying   : python3-nss-1.0.0-beta1.2.fc24.1.x86_64

[root@vm-058-017 ~]# ipa ping
IPA server version 4.4.90. API version 2.215

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to