> My memory is a bit fuzzy on this but IIRC there were issues with TLS
> 1.3 and java (or JSS) in this release. I thought that 1.3 was
> disabled by default, apparently not.

Thanks. I guess we ran into
<https://bz.apache.org/bugzilla/show_bug.cgi?id=62975> and the IPA api
hasn't enabled
<https://docs.python.org/3/library/ssl.html#ssl.SSLContext.post_handshake_auth>
(which was backported to Python 3.6 despite what the documentation says,
per <https://bugs.python.org/issue34670#msg327932>). But I've not delved
in to the code to confirm whether this is the case.

> If there is no SSLProtocol line then Apache will use the default
> crypto policy, which is apparently 1.2 and 1.3. I suspect the
> subtraction doesn't work because there is no explicit policy to
> subtract from and since there is an SSLProtocol the fallback to
> default policy isn't triggered. You could open a bug against Apache
> on that but it might be impossible or very difficult to implement
> because the crypto policy is opaque.

I'll deal with explicitly enabling TLSv1.2 for now. :)

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

On Wed, 2020-03-18 at 08:50 -0400, Rob Crittenden wrote:
> Sam Morris via FreeIPA-users wrote:
> > I noticed that one of my FreeIPA servers is missing the Vault tab in
> > the web UI.
> > 
> > I've got a workaround but it seems a bit fishy and I wondered if
> > someone else could suggest a better fix.
> > 
> > The server in question is the only one that runs CentOS 8 (ipa-server
> > 4.8.0-13.module_el8.1.0+265+e1e65be4). My other servers are running
> > CentOS 7 and work fine.
> > 
> > The command 'ipa vaultconfig-show' fails when run against the bad
> > server with:
> > 
> > [admin@client ~]$ ipa -vv vaultconfig-show
> > [...]
> > ipa: INFO: Request: {
> >     "id": 0,
> >     "method": "vaultconfig_show/1",
> >     "params": [
> >         [],
> >         {
> >             "version": "2.233"
> >         }
> >     ]
> > }
> > ipa: INFO: Response: {
> >     "error": {
> >         "code": 903,
> >         "data": {},
> >         "message": "an internal error has occurred",
> >         "name": "InternalError"
> >     },
> >     "id": 0,
> >     "principal": "[email protected]",
> >     "result": null,
> >     "version": "4.8.0"
> > }
> > ipa: ERROR: an internal error has occurred
> > 
> > The corresponding httpd logs on the server (192.0.2.1 is my client, the
> > server is [2001:db8::1]) contain:
> > 
> > ==> /var/log/httpd/access_log <==
> > 192.0.2.1 - [email protected] [18/Mar/2020:08:31:50 +0000] "POST /ipa/json HTTP/1.1" 200 210
> > 
> > ==> /var/log/httpd/error_log <==
> > [Wed Mar 18 08:31:51.760354 2020] [:warn] [pid 22279:tid 139671875061504] [client 192.0.2.1:62546] failed to set perms (3140) on file (/run/ipa/ccaches/[email protected])!, referer: https://ipa2.ipa.example.com/ipa/xml
> > [Wed Mar 18 08:31:51.807084 2020] [wsgi:error] [pid 22274:tid 139672253028096] [remote 192.0.2.1:62546] ipa: INFO: [jsonserver_session] [email protected]: ping(): SUCCESS
> > 
> > ==> /var/log/httpd/access_log <==
> > 192.0.2.1 - [email protected] [18/Mar/2020:08:31:51 +0000] "POST /ipa/session/json HTTP/1.1" 200 276
> > 
> > ==> /var/log/httpd/error_log <==
> > [Wed Mar 18 08:31:51.917275 2020] [:warn] [pid 22279:tid 139671891846912] [client 192.0.2.1:62546] failed to set perms (3140) on file (/run/ipa/ccaches/[email protected])!, referer: https://ipa2.ipa.example.com/ipa/xml
> > 
> > ==> /var/log/httpd/access_log <==
> > 2001:db8::1 - - [18/Mar/2020:08:31:52 +0000] "GET /pki/rest/info HTTP/1.1" 404 211
> > 
> > ==> /var/log/httpd/error_log <==
> > [Wed Mar 18 08:31:52.582003 2020] [ssl:error] [pid 23219:tid 139671598266112] [client 2001:db8::1:44620] AH: verify client post handshake
> > [Wed Mar 18 08:31:52.582101 2020] [ssl:error] [pid 23219:tid 139671598266112] [client 2001:db8::1:44620] AH10158: cannot perform post-handshake authentication
> > [Wed Mar 18 08:31:52.582207 2020] [ssl:error] [pid 23219:tid 139671598266112] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
> > 
> > ==> /var/log/httpd/access_log <==
> > 2001:db8::1 - - [18/Mar/2020:08:31:52 +0000] "GET /kra/rest/config/cert/transport HTTP/1.1" 403 298
> > 
> > ==> /var/log/httpd/error_log <==
> > [Wed Mar 18 08:31:52.586053 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] ipa: ERROR: non-public: HTTPError: 403 Client Error: Forbidden for url: https://ipa2.ipa.example.com:443/kra/rest/config/cert/transport
> > [Wed Mar 18 08:31:52.586100 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] Traceback (most recent call last):
> > [Wed Mar 18 08:31:52.586106 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 429, in handler
> > [Wed Mar 18 08:31:52.586112 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     json = exc_val.response.json()
> > [Wed Mar 18 08:31:52.586116 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/requests/models.py", line 897, in json
> > [Wed Mar 18 08:31:52.586121 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     return complexjson.loads(self.text, **kwargs)
> > [Wed Mar 18 08:31:52.586127 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib64/python3.6/json/__init__.py", line 354, in loads
> > [Wed Mar 18 08:31:52.586133 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     return _default_decoder.decode(s)
> > [Wed Mar 18 08:31:52.586137 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib64/python3.6/json/decoder.py", line 339, in decode
> > [Wed Mar 18 08:31:52.586142 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     obj, end = self.raw_decode(s, idx=_w(s, 0).end())
> > [Wed Mar 18 08:31:52.586146 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib64/python3.6/json/decoder.py", line 357, in raw_decode
> > [Wed Mar 18 08:31:52.586151 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     raise JSONDecodeError("Expecting value", s, err.value) from None
> > [Wed Mar 18 08:31:52.586156 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
> > [Wed Mar 18 08:31:52.586160 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] 
> > [Wed Mar 18 08:31:52.586165 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] During handling of the above exception, another exception occurred:
> > [Wed Mar 18 08:31:52.586169 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] 
> > [Wed Mar 18 08:31:52.586174 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] Traceback (most recent call last):
> > [Wed Mar 18 08:31:52.586179 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute
> > [Wed Mar 18 08:31:52.586184 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     result = command(*args, **options)
> > [Wed Mar 18 08:31:52.586189 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 450, in __call__
> > [Wed Mar 18 08:31:52.586194 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     return self.__do_call(*args, **options)
> > [Wed Mar 18 08:31:52.586199 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 478, in __do_call
> > [Wed Mar 18 08:31:52.586204 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     ret = self.run(*args, **options)
> > [Wed Mar 18 08:31:52.586209 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 800, in run
> > [Wed Mar 18 08:31:52.586214 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     return self.execute(*args, **options)
> > [Wed Mar 18 08:31:52.586252 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/vault.py", line 1003, in execute
> > [Wed Mar 18 08:31:52.586258 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     transport_cert = kra_client.system_certs.get_transport_cert()
> > [Wed Mar 18 08:31:52.586263 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 434, in handler
> > [Wed Mar 18 08:31:52.586267 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     six.reraise(exc_type, exc_val, exc_tb)
> > [Wed Mar 18 08:31:52.586272 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
> > [Wed Mar 18 08:31:52.586277 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     raise value
> > [Wed Mar 18 08:31:52.586281 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
> > [Wed Mar 18 08:31:52.586286 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     return fn_call(inst, *args, **kwargs)
> > [Wed Mar 18 08:31:52.586290 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/pki/systemcert.py", line 54, in get_transport_cert
> > [Wed Mar 18 08:31:52.586295 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     response = self.connection.get(url, self.headers)
> > [Wed Mar 18 08:31:52.586300 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/pki/client.py", line 46, in wrapper
> > [Wed Mar 18 08:31:52.586305 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     return func(self, *args, **kwargs)
> > [Wed Mar 18 08:31:52.586309 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/pki/client.py", line 165, in get
> > [Wed Mar 18 08:31:52.586314 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     r.raise_for_status()
> > [Wed Mar 18 08:31:52.586319 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]   File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
> > [Wed Mar 18 08:31:52.586324 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]     raise HTTPError(http_error_msg, response=self)
> > [Wed Mar 18 08:31:52.586330 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://ipa2.ipa.example.com:443/kra/rest/config/cert/transport
> > [Wed Mar 18 08:31:52.586340 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] 
> > [Wed Mar 18 08:31:52.586647 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] ipa: INFO: [jsonserver_session] [email protected]: vaultconfig_show/1(version='2.235'): InternalError
> > 
> > ==> /var/log/httpd/access_log <==
> > 192.0.2.1 - [email protected] [18/Mar/2020:08:31:51 +0000] "POST /ipa/session/json HTTP/1.1" 200 173
> > 
> > It looks like the ipa api server requests
> > /kra/rest/config/cert/transport, which httpd normally proxies through
> > to tomcat; but there's something about the request that causes mod_ssl
> > to reject it ("cannot perform post-handshake authentication").
> > 
> > Unauthenticated requests to that URL work fine:
> > 
> > # curl -s https://ipa2.ipa.example.com/kra/rest/config/cert/transport | head -n1
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?><CertData xmlns:ns2="http://www.w3.org/2005/Atom" id="0xb"><Encoded>-----BEGIN CERTIFICATE-----
> > 
> > If I reconfigure httpd with "SSLProtocol +TLSv1.2 -TLSv1.3" then the
> > problem goes away. As far as I know, the default in RHEL 8 is to _not_
> > include an SSLProtocol line so that the system-wide crypto-policies(5)
> > will be used. Hence this feels like the wrong solution to me.
> > 
> > Interestingly, "SSLProtocol -TLSv1.3" causes httpd to fail to start
> > with "AH02231: No SSL protocols available [hint: SSLProtocol]"... even
> > though (testing with sslyze), no SSLProtocol directive leaves only
> > TLSv1.2 and TLSv1.3 enabled...
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
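The "SSL_verify_client_post_handshake:extension not received" line in the httpd log above is the server side of a TLS 1.3 rule: a server may only send a CertificateRequest after the handshake if the client advertised the post_handshake_auth extension (RFC 8446 section 4.2, code point 49) in its ClientHello, and Python's ssl module only does that when `SSLContext.post_handshake_auth` is set before the handshake. The script below is an added example written for this thread; it is not code from FreeIPA, Dogtag, Apache or the poster. It captures the ClientHello that a Python client would send, entirely offline via memory BIOs, and reports whether extension 49 is present, so you can see the difference between the default context (which is what the thread suggests the IPA-to-KRA client used) and one with PHA enabled. The hostname is a placeholder used only for SNI; no connection is made.

```python
"""Show, offline, whether a Python TLS client advertises post-handshake
authentication (PHA) in its ClientHello.

Added example for this thread; not FreeIPA, Dogtag or Apache code. It
drives an OpenSSL client handshake through in-memory BIOs, captures the
ClientHello Python's ssl module would send, and checks for the
post_handshake_auth extension (RFC 8446 section 4.2, type 49). Without
it a server cannot issue a post-handshake CertificateRequest, which is
what SSL_verify_client_post_handshake complained about in the httpd log.
"""
import ssl
import struct

# Extension code points from the RFC 8446 section 4.2 registry table.
EXT_SERVER_NAME = 0
EXT_SUPPORTED_VERSIONS = 43
EXT_POST_HANDSHAKE_AUTH = 49

# Placeholder name used only for SNI (assumption); nothing is connected to.
ASSUMED_HOSTNAME = "ipa2.ipa.example.com"


def build_client_context(enable_pha, cap_at_tls12=False):
    """Client context covering the two ways out of the thread's problem:
    opt the client in to PHA, or cap it at TLS 1.2 so the server uses
    renegotiation instead of PHA for per-location client-cert auth."""
    ctx = ssl.create_default_context()
    if cap_at_tls12:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Must be set before the handshake; this is what makes OpenSSL add
    # extension 49 to the ClientHello.
    ctx.post_handshake_auth = enable_pha
    return ctx


def capture_client_hello(ctx, server_hostname=ASSUMED_HOSTNAME):
    """Run the first step of a client handshake against memory BIOs and
    return the raw TLS record the client wrote, i.e. its ClientHello."""
    incoming = ssl.MemoryBIO()
    outgoing = ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_side=False,
                          server_hostname=server_hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        # Expected: the ClientHello is written and the client now waits for
        # a ServerHello that this offline demo never supplies.
        pass
    return outgoing.read()


def client_hello_extensions(record):
    """Parse a TLS record carrying a ClientHello (RFC 8446 section 4.1.2
    layout) and return {extension_type: extension_data}."""
    content_type, _legacy_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 1:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                           # legacy_version, random
    pos += 1 + hello[pos]                                  # legacy_session_id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + hello[pos]                                  # legacy_compression_methods
    total = int.from_bytes(hello[pos:pos + 2], "big")      # extensions length
    pos += 2
    end = pos + total
    extensions = {}
    while pos < end:
        ext_type, elen = struct.unpack("!HH", hello[pos:pos + 4])
        extensions[ext_type] = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return extensions


def pha_advertised(enable_pha, cap_at_tls12=False):
    """True if the ClientHello for this configuration carries extension 49."""
    ctx = build_client_context(enable_pha, cap_at_tls12)
    exts = client_hello_extensions(capture_client_hello(ctx))
    return EXT_POST_HANDSHAKE_AUTH in exts


if __name__ == "__main__":
    cases = [
        ("default context (no PHA opt-in)", dict(enable_pha=False)),
        ("post_handshake_auth=True", dict(enable_pha=True)),
        ("post_handshake_auth=True, capped at TLS 1.2",
         dict(enable_pha=True, cap_at_tls12=True)),
    ]
    for label, kwargs in cases:
        state = "present" if pha_advertised(**kwargs) else "absent"
        print("%-45s PHA extension %s" % (label, state))
```

The first two rows are the point of the thread: the same Python client, with and without `post_handshake_auth`, differs only in whether extension 49 is on the wire, and that single bit decides whether mod_ssl can satisfy a per-location `SSLVerifyClient` on a TLS 1.3 connection or logs AH10158 and returns 403. The third row shows what the client itself offers when it is capped at TLS 1.2, which is the client-side counterpart of the server-side SSLProtocol workaround in the thread; fixing the client is the narrower change, since it keeps TLS 1.3 for every other consumer of that httpd instance.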
