[Freeipa-devel] python-nss-1.0.0-2.fc24.x86_64 from updates-testing breaks FreeIPA client API
Martin Basti
mbasti at redhat.com
Thu Sep 29 10:23:41 UTC 2016
On 29.09.2016 10:14, Alexander Bokovoy wrote:
> On to, 29 syys 2016, Martin Babinsky wrote:
>> Hi list,
>>
>> today I noticed the following exceptions in my VMs when
>> installing/using FreeIPA:
>>
>> """
>> # ipa ping
>> exception in SSLSocket.handshake_callback
>> Traceback (most recent call last):
>> File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line
>> 258, in handshake_callback
>> channel = sock.get_ssl_channel_info()
>> nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) security library:
>> invalid arguments.
>> --------------------------------------------
>> IPA server version 4.4.90. API version 2.215
>> --------------------------------------------
>> """
>>
>> This was caused by python-nss-1.0.0-2.fc24.x86_64 which was pushed to
>> updates-testing. Reverting the package to previous versions fixed the
>> problem.
> python-nss-1.0.0-1.fc25 (note fc25) works fine. There is no 1.0.0-2.fc25
> which is a packaging bug, but that's should not be bringing any
> difference as the tarball (1.0.0) is the same and no additional patches
> were applied.
>
> Also, we didn't have any changes between 4.4.1 and git master that could
> have affected ipapython/nsslib.py other than
> 0f88f8fe889ae4801fc8d5ece1ad51c5246718ac,
> which is this chunk of changes:
>
> diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
> index 1573de9..f9f64c1 100644
> --- a/ipapython/nsslib.py
> +++ b/ipapython/nsslib.py
> @@ -234,7 +234,7 @@ class NSSConnection(httplib.HTTPConnection,
> NSSAddressFamilyFallback):
> self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
> try:
> self.sock.set_ssl_version_range(self.tls_version_min,
> self.tls_version_max)
> - except NSPRError as e:
> + except NSPRError:
> root_logger.error('Failed to set TLS range to %s, %s' %
> (self.tls_version_min, self.tls_version_max))
> raise
> self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
>
> e.g. nothing that is relevant to the trace you provided.
>
>
Sorry I cannot reproduce it as well
[root at vm-058-017 ~]# ipa ping
--------------------------------------------
IPA server version 4.4.90. API version 2.215
--------------------------------------------
[root at vm-058-017 ~]# dnf upgrade python-nss ...
Running transaction
Upgrading : python-nss-1.0.0-2.fc24.x86_64 1/4
Upgrading : python3-nss-1.0.0-2.fc24.x86_64 2/4
Cleanup : python3-nss-1.0.0-beta1.2.fc24.1.x86_64 3/4
Cleanup : python-nss-1.0.0-beta1.2.fc24.1.x86_64 4/4
Verifying : python3-nss-1.0.0-2.fc24.x86_64 1/4
Verifying : python-nss-1.0.0-2.fc24.x86_64 2/4
Verifying : python-nss-1.0.0-beta1.2.fc24.1.x86_64 3/4
Verifying : python3-nss-1.0.0-beta1.2.fc24.1.x86_64
[root at vm-058-017 ~]# ipa ping
--------------------------------------------
IPA server version 4.4.90. API version 2.215
--------------------------------------------
More information about the Freeipa-devel
mailing list