[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-17 Thread Karl Grindley
I don't know of a great way to test this without pulling apart p11_child, or using it as part of a pre-flight check somehow during the package update. The problem here is you'd need a PKI cert to test that preflight. As a failsafe, a dialog during upgrade with a preflight check of

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-17 Thread Karl Grindley
I've opened this as a new bug here. https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1919563 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1905790 Title: Make SSSD in 20.04 using OpenSSL and

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-17 Thread Treviño
Karl, the script (https://github.com/3v1n0/nss-database-pem-exporter) can definitely be adjusted to handle that; it was meant to be simple, as this requirement wasn't considered. Any help is appreciated though.

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-17 Thread Karl Grindley
This change has created a denial of service configuration bug for an untold number of smart card configured (and smart card required) systems. p11_child requires the OpenSSL PEM full cert chain to function. The NSSDB version does not. So for folks that have configured the minimum in the

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-01 Thread Mathew Hodson
** No longer affects: ca-certificates (Ubuntu Focal)
** No longer affects: ca-certificates (Ubuntu)
** Bug watch removed: github.com/SSSD/sssd/issues #1041
   https://github.com/SSSD/sssd/issues/1041

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-01 Thread Treviño
Ah, and of course the SSSD pem file is properly populated:

$ sudo openssl crl2pkcs7 -nocrl -certfile /etc/sssd/pki/sssd_auth_ca_db.pem | openssl pkcs7 -print_certs -noout | grep subject | wc -l
421

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-01 Thread Treviño
Thanks Valters for your verification! It's always better when someone that didn't commit the fix can help with it. I've also done further verification to ensure that the migration happens as expected, so my sssd.conf was:

[sssd]
enable_files_domain = True
services = pam
certificate_verification

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-01 Thread Launchpad Bug Tracker
This bug was fixed in the package sssd - 2.2.3-3ubuntu0.4

---
sssd (2.2.3-3ubuntu0.4) focal; urgency=medium

  [ Marco Trevisan ]
  * debian/control:
    - Add missing (test) dependencies as per libcrypto usage (LP: #1905790)
    - Update Maintainer to Ubuntu devs
  * debian/rules:

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-02-27 Thread Valters Jansons
LP appears to have stripped spaces from the `grep` command. There was filtering on output to reduce verbosity. Instead of what is seen in previous comment:

# p11-kit list-modules | grep -Eve '^ '

The actual executed verification command there is:

# p11-kit list-modules | grep -Eve '^ {5}'

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-02-27 Thread Valters Jansons
Performing verification on Focal (20.04) as described in test steps. Local test system has a 4th generation Yubikey attached. The Yubikey is a smartcard reader with an integrated card. There's a certificate on card, issued from internal non-default CA.

#
# Install `p11-kit` for test case use.

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-02-19 Thread Robie Basak
Hello Marco, or anyone else affected, Accepted sssd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/2.2.3-3ubuntu0.4 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-02-18 Thread Sergio Durigan Junior
OK, new package (with the same version) uploaded now, which addresses the comments made by Robie. Let me know what you think. Thanks!

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-02-18 Thread Treviño
Ok, I was quite sure that CERT_LIST_HEAD was already guarding us from NULL pointers (as in many NSS places I didn't see the check) but it's not the case [1], so thanks!

[1] https://searchfox.org/mozilla-central/source/security/nss/lib/certdb/certt.h#361

Re: [Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-02-18 Thread Sergio Durigan Junior
On Thursday, February 18 2021, Robie Basak wrote:

>> +    certs = CERT_CreateSubjectCertList (NULL, handle,
> >derSubject,
>
> Doesn't this need a return value test? AFAICT,
> CERT_CreateSubjectCertList might return NULL, and CERTLIST_HEAD (certs)
> will unconditionally look up a member?

There's a

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-02-18 Thread Robie Basak
> +    certs = CERT_CreateSubjectCertList (NULL, handle, >derSubject,

Doesn't this need a return value test? AFAICT, CERT_CreateSubjectCertList might return NULL, and CERTLIST_HEAD (certs) will unconditionally look up a member? There's a second instance of this pattern in

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-01-12 Thread Sergio Durigan Junior
** Changed in: sssd (Ubuntu Focal)
     Assignee: Sergio Durigan Junior (sergiodj) => Marco Trevisan (Treviño) (3v1n0)

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-15 Thread Treviño
** Description changed:

  [ Impact ]

  SSSD supports in 20.04 two security backends: NSS and OpenSSL (speaking in past tense as upstream dropped NSS support completely). Those two backends are used for various generic crypto features (so they are interchangeable), but also for the

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-15 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~3v1n0/ubuntu/+source/sssd/+git/sssd/+merge/395411

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-15 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~3v1n0/ubuntu/+source/sssd/+git/sssd/+merge/395410

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Christian Ehrhardt 
+1 to Timo to not go for "system nssdb" for the cause of this case here. Also system-wide-trust would be bug 1647285 and is quite a different scope.

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Timo Aaltonen
re: system nssdb; let's not go there anymore, Fedora already moved to openssl system-wide

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Treviño
** Description changed:

  [ Impact ]

  SSSD supports in 20.04 two security backends: NSS and OpenSSL (speaking in past tense as upstream dropped NSS support completely). Those two backends are used for various generic crypto features (so they are interchangeable), but also for the

Re: [Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Treviño
> This does raise a question as to why we don't provide a system nssdb.
> I think we should. I wonder if libnss or libnss3-tools could ship
> ca-certificates hook to provide a system nssdb certificate store.

I don't think it makes much sense at this point as most of the tools that were depending

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Dimitri John Ledkov
Actually, I don't see sssd at all using TLS connections, does it? It seems that to perform ldaps connections, it uses libldap from openldap which in turn uses GnuTLS. And any and all TLS LDAPS options are simply passed through to the libldap. Inspecting all sssd binary packages I can see that

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Dimitri John Ledkov
If we want to change the main sssd backend from nss to openssl, imho it would be prudent enough to use http://manpages.ubuntu.com/manpages/hirsute/en/man3/SSL_set_security_level.3ssl.html APIs to set_security_level to 1.

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Dimitri John Ledkov
This does raise a question as to why we don't provide a system nssdb. I think we should. I wonder if libnss or libnss3-tools could ship ca-certificates hook to provide a system nssdb certificate store. If we are changing backends, and certs were provided for the nss backend, imho we should

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Dimitri John Ledkov
** Also affects: ca-certificates (Ubuntu)
   Importance: Undecided
       Status: New

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-01 Thread Treviño
** Tags added: patch

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-01 Thread Treviño
** Description changed:

  [ Impact ]

  SSSD supports in 20.04 two security backends: NSS and OpenSSL (speaking in past tense as upstream dropped NSS support completely). Those two backends are used for various generic crypto features (so they are interchangeable), but also for the