On 09/29/2016 04:14 AM, Alexander Bokovoy wrote:
On Thu, 29 Sep 2016, Martin Babinsky wrote:
Hi list,

today I noticed the following exceptions in my VMs when
installing/using FreeIPA:

# ipa ping
exception in SSLSocket.handshake_callback
Traceback (most recent call last):
 File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line
258, in handshake_callback
   channel = sock.get_ssl_channel_info()
nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) security library:
invalid arguments.
IPA server version 4.4.90. API version 2.215

This was caused by python-nss-1.0.0-2.fc24.x86_64 which was pushed to
updates-testing. Reverting the package to previous versions fixed the
python-nss-1.0.0-1.fc25 (note fc25) works fine. There is no 1.0.0-2.fc25
which is a packaging bug, but that should not be bringing any
difference as the tarball (1.0.0) is the same and no additional patches
were applied.

Alexander is correct, there were no changes between the f24 and f25 versions. Martin Basti added later he could not reproduce the problem either. So I'm not sure what is going on, but let's keep an eye on it. At the moment I don't think it's a regression in python-nss, but who knows.

As for whether python-nss-1.0.0-2.fc24 vs python-nss-1.0.0-1.fc25 is a packaging bug, my understanding is that it is permissible for distributions to have independent release numbers. Yes, if you upgraded from f24 to f25 at this moment it wouldn't update the f25 version, but in this case it's OK because the difference between the 1 and 2 releases is only in the spec file, which removed an unused reference to a patch. However, I'll push an update to f25 to keep things consistent.

Also, we didn't have any changes between 4.4.1 and git master that could
have affected ipapython/nsslib.py other than
which is this chunk of changes:

diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 1573de9..f9f64c1 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -234,7 +234,7 @@ class NSSConnection(httplib.HTTPConnection,
        self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
-        except NSPRError as e:
+        except NSPRError:
            root_logger.error('Failed to set TLS range to %s, %s' %
(self.tls_version_min, self.tls_version_max))
        self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
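Review bot: The `except NSPRError:` handler logs only the configured `tls_version_min` and `tls_version_max`, and with the exception variable removed the NSPR error itself never reaches the log, so a rejected TLS range cannot be told apart from any other failure in that try block. Rather than dropping the unused name, consider keeping `as e` and appending it to the `root_logger.error` message. The message is also built eagerly with `%`; passing the values as logger arguments would be the more usual form. The visible lines show execution continuing to `set_ssl_option(ssl_require_safe_negotiation, False)` after the error is logged, so it is worth confirming that carrying on with whatever version range the socket already had is the intended behaviour when the requested range cannot be applied.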

e.g. nothing that is relevant to the trace you provided.

