Re: ssl/libssl certificate validation broken?
On 22 Oct 22:59, Daniel Jakots wrote:
> On Thu, 22 Oct 2020 21:49:20 -0500, "Rafael Possamai" wrote:
>
> > >Hi Bob, it was in the middle of the night and I got quite kinda stressed because all services depending on our ldap proxy stopped working after the upgrade and it took me a while to figure the problem out.
> >
> > Perhaps this is unsolicited advice, but maybe you can setup a test system first, perform major upgrade on it to make sure everything works. If so, then do it in production.
>
> Even better, try -current a few weeks before release (a possible hint is -beta). This way you can get any encountered bug fixed in time for -release. Your prod but also everyone else will benefit from it.
>
> Cheers,
> Daniel

That's very good advice. I have for most services a very similar setup at home (even with ldap). I always run -current at my workstations - one workstation is updated more or less daily and if that works I upgrade the 2nd one (important for ports too). At home I regularly install snapshots (~ every 2nd week) - because before I implement something at work I usually try and test that also at home - often with "cutting edge" features.

When upgrading at work I always upgrade dev first. And all infrastructure critical services are "carped" so even when upgrading prod then node by node***.

But exactly in this ssl case this failed for me with this bug. At home I use letsencrypt certs so that means ssl used /etc/ssl/cert.pem. The same for my dev landscape where I stored the L2 ca also in /etc/ssl/cert.pem (without remembering that I did that once). So unfortunately dev and prod were not 100% identical :(

But lesson learned. I did already tons of automation (salt/git) so I will focus more on that again (when I have the time ...).

***Also the latest bug in carp load balancing couldn't be properly detected in this way because in a mixed setup 6.7/6.8 it worked :/

-- 
wq: ~uw
Re: ssl/libssl certificate validation broken?
On 22 Oct 21:49, Rafael Possamai wrote:
> >Hi Bob, it was in the middle of the night and I got quite kinda stressed because all services depending on our ldap proxy stopped working after the upgrade and it took me a while to figure the problem out.
>
> Perhaps this is unsolicited advice, but maybe you can setup a test system first, perform major upgrade on it to make sure everything works. If so, then do it in production.

That's very good advice and I have such a setup. But unfortunately exactly in this case this didn't work because in my dev/test landscape I have other ssl certs (different domain name) which were stored in /etc/ssl/cert.pem :/

-- 
wq: ~uw
Re: ssl/libssl certificate validation broken?
Daniel Jakots wrote:
> On Thu, 22 Oct 2020 21:49:20 -0500, "Rafael Possamai" wrote:
>
> > >Hi Bob, it was in the middle of the night and I got quite kinda stressed because all services depending on our ldap proxy stopped working after the upgrade and it took me a while to figure the problem out.
> >
> > Perhaps this is unsolicited advice, but maybe you can setup a test system first, perform major upgrade on it to make sure everything works. If so, then do it in production.
>
> Even better, try -current a few weeks before release (a possible hint is -beta). This way you can get any encountered bug fixed in time for -release. Your prod but also everyone else will benefit from it.

It's very good advice. I can't speak for Bob, but I've been unable to sleep during this outage.
Re: ssl/libssl certificate validation broken?
On Thu, 22 Oct 2020 21:49:20 -0500, "Rafael Possamai" wrote:
> >Hi Bob, it was in the middle of the night and I got quite kinda stressed because all services depending on our ldap proxy stopped working after the upgrade and it took me a while to figure the problem out.
>
> Perhaps this is unsolicited advice, but maybe you can setup a test system first, perform major upgrade on it to make sure everything works. If so, then do it in production.

Even better, try -current a few weeks before release (a possible hint is -beta). This way you can get any encountered bug fixed in time for -release. Your prod but also everyone else will benefit from it.

Cheers,
Daniel
Re: ssl/libssl certificate validation broken?
>Hi Bob, it was in the middle of the night and I got quite kinda stressed because all services depending on our ldap proxy stopped working after the upgrade and it took me a while to figure the problem out.

Perhaps this is unsolicited advice, but maybe you can setup a test system first, perform major upgrade on it to make sure everything works. If so, then do it in production.
Re: ssl/libssl certificate validation broken?
On 20 Oct 20:21, Bob Beck wrote:
> On 20 Oct 21:01, Uwe Werler wrote:
> > Hi folks,
> >
> > before opening a bug report I'll ask here because I want to make sure that I have not missed something.
>
> You should probably submit a real bug report instead of jumping to conclusions on misc@

Hi Bob, it was in the middle of the night and I got quite kinda stressed because all services depending on our ldap proxy stopped working after the upgrade and it took me a while to figure the problem out. But as in 99.9% of the cases I wanted to be sure that the problem sits not between screen and keyboard because I missed or misconfigured something. Will open a proper bug report now.

> > With the upgrade to 6.8 my cert validation seems to be broken because the hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl certhash". That worked for all my machines until 6.7 but broke with 6.8. Adding the ca certs to /etc/ssl/cert.pem works.
> >
> > Did I miss something? I guess something changed during k2k20 in "certificate chain validation in libcrypto"?
> >
> > Thanks and with kind regards.
> >
> > Uwe
> >
> ...
> >Mmh, it seems to me that libssl is broken. After the upgrade to 6.8 my openldap proxies were screwed too. I configured explicitly
> >
> >olcTLSCACertificatePath: /etc/ssl/certs
> >
> >But that broke so I had to change to:
>
> "Broke".. how?

The certificate chain can't be verified anymore so ldap connections (server - server and client - server) can't be established anymore.

> >olcTLSCACertificateFile: /etc/ssl/cert.pem
> >
> >... and I had to change also /etc/openldap/ldap.conf from:
> >
> >TLS_CACERTDIR /etc/ssl/certs
> >
> >to
> >
> >TLS_CACERT /etc/ssl/cert.pem
> >
> >to keep syncrepl running.
>
> You are a little bit thin on details here. The changes in the validator should not affect the loading of your certificates.

slapd acts as an ldap client for syncreplication to work and is therefore configured via /etc/openldap/ldap.conf. But because the validation stopped working syncrepl also stopped working.

> Are you using openldap from packages or something else?

Yes, always from ports.

> So please pass on some details and perhaps a succinct way to reproduce and include the error messages you see. Probably as a real bug report instead of misc discussions.

Yes, I open now a bug report.

mbk Uwe
Re: ssl/libssl certificate validation broken?
On 20 Oct 21:01, Uwe Werler wrote:
> Hi folks,
>
> before opening a bug report I'll ask here because I want to make sure that I have not missed something.
>
> With the upgrade to 6.8 my cert validation seems to be broken because the hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl certhash". That worked for all my machines until 6.7 but broke with 6.8. Adding the ca certs to /etc/ssl/cert.pem works.
>
> Did I miss something? I guess something changed during k2k20 in "certificate chain validation in libcrypto"?
>
> Thanks and with kind regards.
>
> Uwe

Mmh, it seems to me that libssl is broken. After the upgrade to 6.8 my openldap proxies were screwed too. I configured explicitly

olcTLSCACertificatePath: /etc/ssl/certs

But that broke so I had to change to:

olcTLSCACertificateFile: /etc/ssl/cert.pem

... and I had to change also /etc/openldap/ldap.conf from:

TLS_CACERTDIR /etc/ssl/certs

to

TLS_CACERT /etc/ssl/cert.pem

to keep syncrepl running.

-- 
wq: ~uw
Re: ssl/libssl certificate validation broken?
On 20 Oct 21:01, Uwe Werler wrote:
> Hi folks,
>
> before opening a bug report I'll ask here because I want to make sure that I have not missed something.

You should probably submit a real bug report instead of jumping to conclusions on misc@

> With the upgrade to 6.8 my cert validation seems to be broken because the hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl certhash". That worked for all my machines until 6.7 but broke with 6.8. Adding the ca certs to /etc/ssl/cert.pem works.
>
> Did I miss something? I guess something changed during k2k20 in "certificate chain validation in libcrypto"?
>
> Thanks and with kind regards.
>
> Uwe
> ...
>Mmh, it seems to me that libssl is broken. After the upgrade to 6.8 my openldap proxies were screwed too. I configured explicitly
>
>olcTLSCACertificatePath: /etc/ssl/certs
>
>But that broke so I had to change to:

"Broke".. how?

>olcTLSCACertificateFile: /etc/ssl/cert.pem
>
>... and I had to change also /etc/openldap/ldap.conf from:
>
>TLS_CACERTDIR /etc/ssl/certs
>
>to
>
>TLS_CACERT /etc/ssl/cert.pem
>
>to keep syncrepl running.

You are a little bit thin on details here. The changes in the validator should not affect the loading of your certificates.

Are you using openldap from packages or something else?

So please pass on some details and perhaps a succinct way to reproduce and include the error messages you see. Probably as a real bug report instead of misc discussions.
ssl/libssl certificate validation broken?
Hi folks,

before opening a bug report I'll ask here because I want to make sure that I have not missed something.

With the upgrade to 6.8 my cert validation seems to be broken because the hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl certhash". That worked for all my machines until 6.7 but broke with 6.8. Adding the ca certs to /etc/ssl/cert.pem works.

Did I miss something? I guess something changed during k2k20 in "certificate chain validation in libcrypto"?

Thanks and with kind regards.

Uwe
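The kind of minimal reproducer Bob asks for, as an added example that is not part of the thread and not OpenBSD's or OpenLDAP's code: it builds a throwaway two-level CA (an "L1" root and an "L2" intermediate, as in the original post) plus a leaf, then runs chain validation against the two trust-store layouts the thread contrasts, a hashed directory like /etc/ssl/certs (the layout "openssl certhash" produces) and a single bundle like /etc/ssl/cert.pem (the layout Uwe's olcTLSCACertificateFile / TLS_CACERT change in his follow-up switches to). It assumes an openssl binary (LibreSSL or OpenSSL); the CA names, the hostname ldap.example.test and every path are constructed, and the hashed directory is built by hand so the script does not depend on certhash versus c_rehash.

```shell
#!/bin/sh
# Added example, not code from the thread: compare chain validation against a
# certhash-style hashed directory and against a single CA bundle. Everything
# is constructed and lives under $WORK (a scratch directory by default).
set -eu

WORK=${WORK:-$(mktemp -d)}
mkdir -p "$WORK"
WORK=$(cd "$WORK" && pwd)   # absolute, so the hash symlinks below resolve

# Minimal openssl config; the [dn] placeholder keeps "req" quiet, -subj overrides it.
cat >"$WORK/ext.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.test
EOF

# mkcert NAME CN ISSUER EXTSECTION: EC key plus cert; ISSUER "self" means a
# self-signed root, otherwise the cert is signed by $WORK/ISSUER.{pem,key}.
mkcert() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  if [ "$3" = self ]; then
    openssl req -x509 -new -key "$WORK/$1.key" -subj "/CN=$2" -days 2 \
      -config "$WORK/ext.cnf" -extensions "$4" -out "$WORK/$1.pem"
  else
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" \
      -config "$WORK/ext.cnf" -out "$WORK/$1.csr"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 2 -extfile "$WORK/ext.cnf" -extensions "$4" \
      -out "$WORK/$1.pem"
  fi
}

# hashdir DIR CA...: what "openssl certhash" (LibreSSL) or "c_rehash" (OpenSSL)
# do, done by hand so this runs on either: one <subject_hash>.N link per CA,
# which is the name libcrypto's -CApath lookup searches for an issuer.
hashdir() {
  dir=$1; shift
  mkdir -p "$dir"
  for ca in "$@"; do
    h=$(openssl x509 -noout -subject_hash -in "$ca")
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done   # bump N on a hash collision
    ln -s "$ca" "$dir/$h.$n"
  done
}

# Both return openssl verify's exit status; only the trust store differs.
verify_capath() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }
verify_cafile() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

build_demo() {
  mkcert root  "Demo L1 Root CA"    self  v3_ca
  mkcert inter "Demo L2 Issuing CA" root  v3_ca
  mkcert leaf  "ldap.example.test"  inter v3_leaf
  hashdir "$WORK/certs"        "$WORK/root.pem" "$WORK/inter.pem"  # L1 + L2, hashed
  hashdir "$WORK/certs-l2only" "$WORK/inter.pem"                   # L2 only, no anchor
  mkdir -p "$WORK/unhashed"                                        # same CAs, not hashed
  cp "$WORK/root.pem" "$WORK/inter.pem" "$WORK/unhashed/"
  cat "$WORK/root.pem" "$WORK/inter.pem" >"$WORK/cert.pem"         # bundle form
}

report() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }

build_demo
report verify_capath "$WORK/certs"        "$WORK/leaf.pem"   # expected: ok
report verify_cafile "$WORK/cert.pem"     "$WORK/leaf.pem"   # expected: ok
report verify_capath "$WORK/certs-l2only" "$WORK/leaf.pem"   # expected: FAIL (root missing)
report verify_capath "$WORK/unhashed"     "$WORK/leaf.pem"   # expected: FAIL (names not hashed)
```

Run on a 6.7 box and a 6.8 box, the first two lines isolate the question in the thread: if -CApath fails while -CAfile passes on one release only, the change is in libcrypto's hashed-directory lookup and slapd is just the first consumer to notice. The two deliberate failures are the ordinary misconfigurations that produce the same symptom (directory never re-hashed after adding a CA, or only the intermediate present so there is no trust anchor) and are worth ruling out before filing the bug report.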