[389-devel] Re: Urgent review: 49041 ssl fails to start on f24
William Brown wrote:
> Any advice would be greatly appreciated...
>>> My curiosity is only around how William found this bug in the first
>>> place and what makes it so urgent.
>> Ok. Thanks, Rob! Yes, I'm curious, too. :)
>
> Please see
>
> https://fedorahosted.org/389/ticket/49041#comment:3
>
> The issue is *clearly* a DS behavioural bug where we do NOT detect the
> presence of the sqlite formatted DB correctly. We then incorrectly
> create invalid BDB files, and it "masks" the SQL format from the server
> start up.
>
> As a result, after a server restart your certificates "vanish" and SSL
> fails to start. (They are still in key4/cert9, but key3/cert8 are broken
> and used preferentially).
>
> That's why it's urgent ;)

I still don't get it but I'll move the discussion to the ticket.

rob
___
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
[389-devel] Re: Urgent review: 49041 ssl fails to start on f24
>>> Any advice would be greatly appreciated...
>> My curiosity is only around how William found this bug in the first
>> place and what makes it so urgent.
> Ok. Thanks, Rob! Yes, I'm curious, too. :)

Please see

https://fedorahosted.org/389/ticket/49041#comment:3

The issue is *clearly* a DS behavioural bug where we do NOT detect the
presence of the sqlite formatted DB correctly. We then incorrectly
create invalid BDB files, and it "masks" the SQL format from the server
start up.

As a result, after a server restart your certificates "vanish" and SSL
fails to start. (They are still in key4/cert9, but key3/cert8 are broken
and used preferentially).

That's why it's urgent ;)

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane
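The failure William describes above comes down to which pair of NSS database files a directory holds: cert8.db/key3.db (the legacy dbm/BDB pair) or cert9.db/key4.db (the sqlite pair), and what happens when both are present. The following is an added example, not code from this thread or from 389-ds: a POSIX shell check that classifies the directory and derives the `sql:` or `dbm:` prefix that NSS tools such as certutil accept in `-d`. It refuses a directory holding both pairs, since that is the state in which the stale legacy pair hides the sqlite one. The file names and the two prefixes are real NSS conventions; the choice to default an empty directory to `sql:` is this example's own, and the demo directories are constructed with empty files standing in for real databases.

```shell
#!/bin/sh
# Added example, not part of the 389-ds thread or code base.
# Assumes the NSS file names cert8.db/key3.db (dbm) and cert9.db/key4.db (sqlite)
# and the "sql:"/"dbm:" directory prefixes understood by certutil -d.

# Print one of: none, dbm, sql, mixed
nss_db_format() {
    dir=$1
    have_dbm=0
    have_sql=0
    # A format counts as present if either file of its pair exists.
    if [ -e "$dir/cert8.db" ] || [ -e "$dir/key3.db" ]; then have_dbm=1; fi
    if [ -e "$dir/cert9.db" ] || [ -e "$dir/key4.db" ]; then have_sql=1; fi
    case "$have_dbm$have_sql" in
        00) echo none ;;
        10) echo dbm ;;
        01) echo sql ;;
        11) echo mixed ;;
    esac
}

# Print the certutil -d argument for the directory, or fail on a mixed directory.
# In the mixed case the thread reports that the legacy pair is opened
# preferentially and the certificates in the sqlite pair "vanish".
nss_db_prefix() {
    dir=$1
    fmt=$(nss_db_format "$dir")
    case "$fmt" in
        sql)   echo "sql:$dir" ;;
        dbm)   echo "dbm:$dir" ;;
        none)  echo "sql:$dir" ;;   # this example's choice: new databases in sqlite format
        mixed)
            echo "error: $dir holds both cert8.db/key3.db and cert9.db/key4.db;" \
                 "move the stale pair aside before starting the server" >&2
            return 1 ;;
    esac
}

# Demonstration on constructed directories; empty files stand in for databases.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/old" "$tmp/new" "$tmp/both"
    : > "$tmp/old/cert8.db";  : > "$tmp/old/key3.db"
    : > "$tmp/new/cert9.db";  : > "$tmp/new/key4.db"
    : > "$tmp/both/cert8.db"; : > "$tmp/both/key3.db"
    : > "$tmp/both/cert9.db"; : > "$tmp/both/key4.db"
    for d in old new both; do
        printf '%s: format=%s prefix=%s\n' "$d" \
            "$(nss_db_format "$tmp/$d")" \
            "$(nss_db_prefix "$tmp/$d" 2>/dev/null || echo REFUSED)"
    done
    rm -rf "$tmp"
}

demo
```

Run against a real instance directory (for example the `certdir` of a 389-ds instance) before a restart; a `mixed` result is the condition to investigate, and the prefix output can be passed straight to `certutil -d` so the tool opens the pair you intend rather than whichever it prefers by default.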
[389-devel] Re: Urgent review: 49041 ssl fails to start on f24
On 11/17/2016 12:25 PM, Rob Crittenden wrote:
> Noriko Hosoi wrote:
>> On 11/17/2016 11:22 AM, Rob Crittenden wrote:
>>> Noriko Hosoi wrote:
>>>> On 11/17/2016 06:36 AM, Rob Crittenden wrote:
>>>>> William Brown wrote:
>>>>>> https://fedorahosted.org/389/ticket/49041
>>>>>>
>>>>>> https://fedorahosted.org/389/attachment/ticket/49041/0001-Ticket-49041-SSL-fails-to-start-due-to-NSS-db-versio.patch
>>>>>>
>>>>>> I think this should be reviewed urgently and backported. This can cause
>>>>>> SSL to fail to start on F24 and higher without explanation.
>>>>> key4.db and cert9.db are the sqlite databases. Does 389-ds support
>>>>> specifying sql:/path/to/database/dir?
>>>>>
>>>>> rob
>>>> We have a plan to switch [1] but when we discussed in the team, we
>>>> concluded it was not urgent. I don't think NSS stops supporting the old
>>>> BDB format very soon?
>> Hi Rob, I'm also not sure if we should migrate to sqlite format or not.
>> And if we do when we should... When I worked on it 8 months ago, it was
>> deferred since it was not urgent. :)
>>> My question revolves around how likely this is to happen to make it
>>> urgent. If 389-ds doesn't support sqlite databases then how are
>>> key4/cert9 files going to end up being created?
>> The current version does not support sqlite format (as William reported).
>> Once we apply the patch in [1], it generates sqlite format cert db's.
>> (Test case is also attached.)
>>> Or is sqlite now the default format for the NSS utilities so merely using
>>> certutil would generate them?
>> In terms of the upgrade, NSS provides the method, doesn't it? Like once
>> opening the old format by, e.g., certutil with some option, it
>> automatically updates the format? Then, we could rename the files to the
>> new names? I guess we should prepare an upgrade script to do the task
>> which is executed in the rpm -U? Any advice would be greatly
>> appreciated...
> My curiosity is only around how William found this bug in the first
> place and what makes it so urgent.

Ok. Thanks, Rob! Yes, I'm curious, too. :)

--noriko

> rob
[389-devel] Re: Urgent review: 49041 ssl fails to start on f24
On 11/17/2016 11:22 AM, Rob Crittenden wrote:
> Noriko Hosoi wrote:
>> On 11/17/2016 06:36 AM, Rob Crittenden wrote:
>>> William Brown wrote:
>>>> https://fedorahosted.org/389/ticket/49041
>>>>
>>>> https://fedorahosted.org/389/attachment/ticket/49041/0001-Ticket-49041-SSL-fails-to-start-due-to-NSS-db-versio.patch
>>>>
>>>> I think this should be reviewed urgently and backported. This can cause
>>>> SSL to fail to start on F24 and higher without explanation.
>>> key4.db and cert9.db are the sqlite databases. Does 389-ds support
>>> specifying sql:/path/to/database/dir?
>>>
>>> rob
>> We have a plan to switch [1] but when we discussed in the team, we
>> concluded it was not urgent. I don't think NSS stops supporting the old
>> BDB format very soon?

Hi Rob, I'm also not sure if we should migrate to sqlite format or not.
And if we do when we should... When I worked on it 8 months ago, it was
deferred since it was not urgent. :)

> My question revolves around how likely this is to happen to make it
> urgent. If 389-ds doesn't support sqlite databases then how are
> key4/cert9 files going to end up being created?

The current version does not support sqlite format (as William reported).
Once we apply the patch in [1], it generates sqlite format cert db's.
(Test case is also attached.)

> Or is sqlite now the default format for the NSS utilities so merely using
> certutil would generate them?

In terms of the upgrade, NSS provides the method, doesn't it? Like once
opening the old format by, e.g., certutil with some option, it
automatically updates the format? Then, we could rename the files to the
new names? I guess we should prepare an upgrade script to do the task
which is executed in the rpm -U? Any advice would be greatly
appreciated...

Thanks!
--noriko

> rob
[389-devel] Re: Urgent review: 49041 ssl fails to start on f24
Noriko Hosoi wrote:
> On 11/17/2016 06:36 AM, Rob Crittenden wrote:
>> William Brown wrote:
>>> https://fedorahosted.org/389/ticket/49041
>>>
>>> https://fedorahosted.org/389/attachment/ticket/49041/0001-Ticket-49041-SSL-fails-to-start-due-to-NSS-db-versio.patch
>>>
>>> I think this should be reviewed urgently and backported. This can cause
>>> SSL to fail to start on F24 and higher without explanation.
>> key4.db and cert9.db are the sqlite databases. Does 389-ds support
>> specifying sql:/path/to/database/dir?
>>
>> rob
>
> We have a plan to switch [1] but when we discussed in the team, we
> concluded it was not urgent. I don't think NSS stops supporting the old
> BDB format very soon?

My question revolves around how likely this is to happen to make it
urgent. If 389-ds doesn't support sqlite databases then how are
key4/cert9 files going to end up being created?

Or is sqlite now the default format for the NSS utilities so merely using
certutil would generate them?

rob
[389-devel] Re: Urgent review: 49041 ssl fails to start on f24
On 11/17/2016 06:36 AM, Rob Crittenden wrote:
> William Brown wrote:
>> https://fedorahosted.org/389/ticket/49041
>>
>> https://fedorahosted.org/389/attachment/ticket/49041/0001-Ticket-49041-SSL-fails-to-start-due-to-NSS-db-versio.patch
>>
>> I think this should be reviewed urgently and backported. This can cause
>> SSL to fail to start on F24 and higher without explanation.
> key4.db and cert9.db are the sqlite databases. Does 389-ds support
> specifying sql:/path/to/database/dir?
>
> rob

We have a plan to switch [1] but when we discussed in the team, we
concluded it was not urgent. I don't think NSS stops supporting the old
BDB format very soon?

[1] - https://fedorahosted.org/389/ticket/48760

Thanks,
--noriko
[389-devel] Re: Urgent review: 49041 ssl fails to start on f24
William Brown wrote:
> https://fedorahosted.org/389/ticket/49041
>
> https://fedorahosted.org/389/attachment/ticket/49041/0001-Ticket-49041-SSL-fails-to-start-due-to-NSS-db-versio.patch
>
> I think this should be reviewed urgently and backported. This can cause
> SSL to fail to start on F24 and higher without explanation.

key4.db and cert9.db are the sqlite databases. Does 389-ds support
specifying sql:/path/to/database/dir?

rob