[SSSD] Re: [PATCHES] p11: add no_verification option
On Mon, Sep 19, 2016 at 12:06:23PM +0200, Jakub Hrozek wrote:
> The backport was trivial, I'm just waiting for sssd-1-13 CI results.

CI: http://sssd-ci.duckdns.org/logs/job/53/56/summary.html

* sssd-1-13:
  * b76a0026a115a8a0362b1693404830fa3c68418b
  * 6e0e5c73873990ef2d3069fff178323718d5bed4
  * 40963b7d11bae39dfb94fb6d0233eb2e216de03e

___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] Re: [PATCHES] p11: add no_verification option
On Mon, Sep 19, 2016 at 11:48:54AM +0200, Sumit Bose wrote:
> On Mon, Sep 19, 2016 at 10:14:57AM +0200, Jakub Hrozek wrote:
> > On Thu, Jun 09, 2016 at 12:00:06PM +0200, Lukas Slebodnik wrote:
> > > On (07/06/16 15:13), Jakub Hrozek wrote:
> > > > On Tue, Jun 07, 2016 at 03:11:49PM +0200, Sumit Bose wrote:
> > > > > On Tue, Jun 07, 2016 at 02:42:56PM +0200, Jakub Hrozek wrote:
> > > > > > On Mon, May 30, 2016 at 04:32:20PM +0200, Sumit Bose wrote:
> > > > > > > > oops, yes I guess this would be a good idea. I'll send a new patch.
> > > > > > >
> > > > > > > new version attached.
> > > > > > >
> > > > > > > bye,
> > > > > > > Sumit
> > > > > >
> > > > > > One last question, do we want to add the ocsp_default_responder and
> > > > > > ocsp_default_responder_signing_cert options to configAPI?
> > > > >
> > > > > No, because I think the configAPI is currently not capable of this
> > > > > because both are only allowed options to certificate_verification as
> > > > > e.g. no_ocsp or no_verification.
> > > >
> > > > OK, makes sense.
> > > >
> > > > Thank you, ACK.
> > > master:
> > > * 53ef8f81b60929a6c866efdd133627e7d7d61705
> > > * aa35995ef056aa8ae052a47c62c6750b7adf065e
> > > * 875c90d531e6869a92da4b515db729ffce7c4244
> > >
> > > LS
> >
> > I would like to backport these patches to sssd-1-13, because without
> > them, the patches for upstream #2977 do not apply cleanly and I think
> > it's better to apply more upstream patches than to backport and fork.
>
> fine by me, shall I send patches for sssd-1-13 or will you do the
> backport of the three patches?

The backport was trivial, I'm just waiting for sssd-1-13 CI results.
[SSSD] Re: [PATCHES] p11: add no_verification option
On Mon, Sep 19, 2016 at 10:14:57AM +0200, Jakub Hrozek wrote:
> On Thu, Jun 09, 2016 at 12:00:06PM +0200, Lukas Slebodnik wrote:
> > On (07/06/16 15:13), Jakub Hrozek wrote:
> > > On Tue, Jun 07, 2016 at 03:11:49PM +0200, Sumit Bose wrote:
> > > > On Tue, Jun 07, 2016 at 02:42:56PM +0200, Jakub Hrozek wrote:
> > > > > On Mon, May 30, 2016 at 04:32:20PM +0200, Sumit Bose wrote:
> > > > > > > oops, yes I guess this would be a good idea. I'll send a new patch.
> > > > > >
> > > > > > new version attached.
> > > > > >
> > > > > > bye,
> > > > > > Sumit
> > > > >
> > > > > One last question, do we want to add the ocsp_default_responder and
> > > > > ocsp_default_responder_signing_cert options to configAPI?
> > > >
> > > > No, because I think the configAPI is currently not capable of this
> > > > because both are only allowed options to certificate_verification as
> > > > e.g. no_ocsp or no_verification.
> > >
> > > OK, makes sense.
> > >
> > > Thank you, ACK.
> > master:
> > * 53ef8f81b60929a6c866efdd133627e7d7d61705
> > * aa35995ef056aa8ae052a47c62c6750b7adf065e
> > * 875c90d531e6869a92da4b515db729ffce7c4244
> >
> > LS
>
> I would like to backport these patches to sssd-1-13, because without
> them, the patches for upstream #2977 do not apply cleanly and I think
> it's better to apply more upstream patches than to backport and fork.

fine by me, shall I send patches for sssd-1-13 or will you do the
backport of the three patches?

bye,
Sumit
[SSSD] Re: [PATCHES] p11: add no_verification option
On Thu, Jun 09, 2016 at 12:00:06PM +0200, Lukas Slebodnik wrote:
> On (07/06/16 15:13), Jakub Hrozek wrote:
> > On Tue, Jun 07, 2016 at 03:11:49PM +0200, Sumit Bose wrote:
> > > On Tue, Jun 07, 2016 at 02:42:56PM +0200, Jakub Hrozek wrote:
> > > > On Mon, May 30, 2016 at 04:32:20PM +0200, Sumit Bose wrote:
> > > > > > oops, yes I guess this would be a good idea. I'll send a new patch.
> > > > >
> > > > > new version attached.
> > > > >
> > > > > bye,
> > > > > Sumit
> > > >
> > > > One last question, do we want to add the ocsp_default_responder and
> > > > ocsp_default_responder_signing_cert options to configAPI?
> > >
> > > No, because I think the configAPI is currently not capable of this
> > > because both are only allowed options to certificate_verification as
> > > e.g. no_ocsp or no_verification.
> >
> > OK, makes sense.
> >
> > Thank you, ACK.
> master:
> * 53ef8f81b60929a6c866efdd133627e7d7d61705
> * aa35995ef056aa8ae052a47c62c6750b7adf065e
> * 875c90d531e6869a92da4b515db729ffce7c4244
>
> LS

I would like to backport these patches to sssd-1-13, because without
them, the patches for upstream #2977 do not apply cleanly and I think
it's better to apply more upstream patches than to backport and fork.
[SSSD] Re: [PATCHES] p11: add no_verification option
On (07/06/16 15:13), Jakub Hrozek wrote:
> On Tue, Jun 07, 2016 at 03:11:49PM +0200, Sumit Bose wrote:
> > On Tue, Jun 07, 2016 at 02:42:56PM +0200, Jakub Hrozek wrote:
> > > On Mon, May 30, 2016 at 04:32:20PM +0200, Sumit Bose wrote:
> > > > > oops, yes I guess this would be a good idea. I'll send a new patch.
> > > >
> > > > new version attached.
> > > >
> > > > bye,
> > > > Sumit
> > >
> > > One last question, do we want to add the ocsp_default_responder and
> > > ocsp_default_responder_signing_cert options to configAPI?
> >
> > No, because I think the configAPI is currently not capable of this
> > because both are only allowed options to certificate_verification as
> > e.g. no_ocsp or no_verification.
>
> OK, makes sense.
>
> Thank you, ACK.

master:
* 53ef8f81b60929a6c866efdd133627e7d7d61705
* aa35995ef056aa8ae052a47c62c6750b7adf065e
* 875c90d531e6869a92da4b515db729ffce7c4244

LS

___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
[SSSD] Re: [PATCHES] p11: add no_verification option
On Tue, Jun 07, 2016 at 03:11:49PM +0200, Sumit Bose wrote:
> On Tue, Jun 07, 2016 at 02:42:56PM +0200, Jakub Hrozek wrote:
> > On Mon, May 30, 2016 at 04:32:20PM +0200, Sumit Bose wrote:
> > > > oops, yes I guess this would be a good idea. I'll send a new patch.
> > >
> > > new version attached.
> > >
> > > bye,
> > > Sumit
> >
> > One last question, do we want to add the ocsp_default_responder and
> > ocsp_default_responder_signing_cert options to configAPI?
>
> No, because I think the configAPI is currently not capable of this
> because both are only allowed options to certificate_verification as
> e.g. no_ocsp or no_verification.

OK, makes sense.

Thank you, ACK.
[SSSD] Re: [PATCHES] p11: add no_verification option
On Tue, Jun 07, 2016 at 02:42:56PM +0200, Jakub Hrozek wrote:
> On Mon, May 30, 2016 at 04:32:20PM +0200, Sumit Bose wrote:
> > > oops, yes I guess this would be a good idea. I'll send a new patch.
> >
> > new version attached.
> >
> > bye,
> > Sumit
>
> One last question, do we want to add the ocsp_default_responder and
> ocsp_default_responder_signing_cert options to configAPI?

No, because I think the configAPI is currently not capable of this
because both are only allowed options to certificate_verification as
e.g. no_ocsp or no_verification.

bye,
Sumit
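The point in Sumit's answer, that the two OCSP switches are values inside certificate_verification rather than options of their own, is also what makes the setting easy to get wrong in a deployed sssd.conf. As an added example that is not SSSD's own code, the Python below parses that comma separated value using the four switches named in this thread and flags the settings that weaken certificate checking; the [pam] section placement, the severity labels and the sample config are this example's assumptions.

```python
import configparser
from urllib.parse import urlparse

# switch name -> whether it takes a '=value' argument; the four switches named in the thread
SWITCHES = {"no_verification": False, "no_ocsp": False,
            "ocsp_default_responder": True, "ocsp_default_responder_signing_cert": True}

def parse_certificate_verification(value):
    """'a,b=c' -> {'a': None, 'b': 'c'}; rejects unknown or mis-formed switches."""
    switches = {}
    for item in (s.strip() for s in value.split(",")):
        if not item:
            continue
        name, has_arg, arg = item.partition("=")
        name = name.strip()
        if name not in SWITCHES:
            raise ValueError(f"unknown certificate_verification switch {name!r}")
        if SWITCHES[name] != bool(has_arg):
            raise ValueError(f"switch {name!r} {'needs' if SWITCHES[name] else 'takes no'} '=value'")
        switches[name] = arg.strip() if has_arg else None
    return switches

def audit_switches(switches):
    """(severity, message) findings for settings that weaken certificate checking."""
    findings = []
    if "no_verification" in switches:
        findings.append(("high", "no_verification: the certificate is not validated at all"))
    if "no_ocsp" in switches:
        findings.append(("medium", "no_ocsp: revocation is never checked online"))
    url = switches.get("ocsp_default_responder")
    if url is not None:
        u = urlparse(url)
        if u.scheme not in ("http", "https") or not u.hostname:
            findings.append(("high", f"ocsp_default_responder is not a usable URL: {url!r}"))
        if "ocsp_default_responder_signing_cert" not in switches:
            findings.append(("medium", "ocsp_default_responder without ocsp_default_responder_signing_cert: "
                                       "NSS checks that certificate before it contacts the responder"))
    elif "ocsp_default_responder_signing_cert" in switches:
        findings.append(("low", "ocsp_default_responder_signing_cert has no effect without ocsp_default_responder"))
    return findings

def audit_sssd_conf(text):
    """Audit the certificate_verification option in the [pam] section of an sssd.conf (assumed location)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    value = cp.get("pam", "certificate_verification", fallback="")
    return audit_switches(parse_certificate_verification(value))

# Constructed sample: the responder override from the thread, but without its signing cert.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = ipa.devel

[pam]
pam_cert_auth = True
certificate_verification = ocsp_default_responder=http://ocsp-proxy.example.test:80
"""
```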
[SSSD] Re: [PATCHES] p11: add no_verification option
On Mon, May 30, 2016 at 04:32:20PM +0200, Sumit Bose wrote:
> > oops, yes I guess this would be a good idea. I'll send a new patch.
>
> new version attached.
>
> bye,
> Sumit

One last question, do we want to add the ocsp_default_responder and
ocsp_default_responder_signing_cert options to configAPI?
[SSSD] Re: [PATCHES] p11: add no_verification option
On Tue, May 10, 2016 at 06:10:15PM +0200, Sumit Bose wrote:
> On Tue, May 10, 2016 at 04:42:17PM +0200, Jakub Hrozek wrote:
> > On Thu, Apr 14, 2016 at 01:48:50PM +0200, Sumit Bose wrote:
> > > Hi,
> > >
> > > the following 3 patches are related to the Smartcard authentication
> > > feature but imo can be tested even without having one.
> > >
> > > The first patch just adds some missing pieces. The second adds a new
> > > 'no_verification' switch to the 'certificate_verification' option, which
> > > is already tested by the unit tests.
> > >
> > > The third adds two new OCSP related switches. With OCSP a certificate
> > > can be validated online by talking to a server which is listed in the
> > > certificate. Of course it might not always be possible to directly talk
> > > to this server. We already have the 'no_ocsp' switch to disable OCSP
> > > completely. The two new switches allow SSSD to talk to a different
> > > server or a proxy. To see how it is working you can do the following:
> > >
> > > - call 'make check' to build and run all the tests
> > > - call './pam-srv-tests' to run the PAM responder tests but do not let
> > > it complete but stop it with CTRL-C. This is needed to create the test
> > > nss database in /dev/shm/tp_pam_srv_tests-test_pam_srv/, it can be
> > > created differently but this way it is most easy :-)
> > > - add an OCSP signing cert with
> > >
> > > echo
> > > "MIIDaTCCAlGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEuREVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA5MjMxMTI2MjBaFw0xNzA5MTIxMTI2MjBaMC0xEjAQBgNVBAoMCUlQQS5ERVZFTDEXMBUGA1UEAwwOT0NTUCBTdWJzeXN0ZW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDEXVzkTN9R03+hvAbkiCYqdKKe7Nr0YDlchny+IsJl5cYiFBtWqiVJK5N0L6uCS9bVBtuG7y9Vv1TJrv2U8hqjXYZFM6HzYwwmbE2tv1Yyx0dQyYiYTT0nVyXPrXDJe0PFdYTsAlw7C54wZuBsdDADUTA1ThAP22Z6Zy+UyQFtlqEfCErvHK+VolCfkTJ4dYlQb5x7Gs6fEmLbnaGpJXW1JnRzMZ4hM+/mV3xSsjFuYwwoFCHG6GQu/LJgosBX9M+OMavMOO/AzeUlHfUoyMUNn0iNeiDqeYPBCNf4czK0CpeJdE4qBBgu0vSfC0mzjKRuFQEAUuBGxGE+2BP09uXAgMBAAGjgYwwgYkwHwYDVR0jBBgwFoAU0aLh2me2OKzMbu3zckJNNu3Hd1swDgYDVR0PAQH/BAQDAgHGMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAYYlaHR0cDovL2lwYS1kZXZlbC5pcGEuZGV2ZWw6ODAvY2Evb2NzcDATBgNVHSUEDDAKBggrBgEFBQcDCTANBgkqhkiG9w0BAQsFAAOCAQEAAJzUjm39nsMlxc0ivEm77PN9ZFFWIfY6fOteNpJnOADlOatkXKq6PTFS0lRo/53HjYvmvrjnUTYHK3hmRlDvwr+49UqhSkKai8v6PSS4jYJplETME032OwGL17qCjoX2yU55Ovm3CIamUNNOSIvMBbS7HB0EBe/KHMhme5+Uhtfgjql9B9ihuwT1U3vXQP+cavxe37PJOCUuuATLyd0GX+Islkq2v1pEKX0dsXhMpDwLOYLqckBZHOoAKEo2VYZN0P1KZZkJd4kQHGsADYfuIrLACwzLxlEWmCIq4AOwpYtkMSx85DgT6lW3ECgfbFYVVUzqHUuTiogEsgJ0kouCJw=="
> > > | base64 -d | certutil -A -d sql:/dev/shm/tp_pam_srv_tests-test_pam_srv -t TC,TC,TC -n ocsp_cert
> > >
> > > the NSS library call checks this certificate first before trying to connect to
> > > the OCSP responder, so a valid one with the right key usage must be added to
> > > make NSS try to reach the new OCSP responder
> > >
> > > - call
> > >
> > > strace -s 128 -f -esend .libs/lt-p11_child --debug-microseconds=1
> > > --debug-timestamps=1 --debug-to-stderr --debug-level=10 --pre --nssdb
> > > sql:/dev/shm/tp_pam_srv_tests-test_pam_srv
> > >
> > > where you should see lines like
> > >
> > > send(7, "\313D\1\0\0\1\0\0\0\0\0\0\6ipa-ca\3ipa\5devel\0\0\1\0\1", 34, MSG_NOSIGNAL) = 34
> > >
> > > from the DNS lookups for ipa-ca.ipa.devel which is the OCSP server from the
> > > ticket
> > >
> > > - call
> > >
> > > strace -s 128 -f -esend ./p11_child --debug-microseconds=1
> > > --debug-timestamps=1 --debug-to-stderr --debug-level=10 --pre --nssdb
> > > sql:/dev/shm/tp_pam_srv_tests-test_pam_srv --verify
> > > 'ocsp_default_responder=http://...:80,ocsp_default_responder_signing_cert=ocsp_cert'
> > >
> > > where you should now see lines like
> > >
> > > send(7, "yO\1\0\0\1\0\0\0\0\0\0\4\4\4\4\0\0\1\0\1", 37, MSG_NOSIGNAL) = 37
> > >
> > > from the DNS lookups for the OCSP responder from the command line.
> > >
> > > Of course all the validations will fail with "Certificate [SSSD Test
> > > Token:Server-Cert][CN=ipa-devel.ipa.devel,O=IPA.DEVEL] not valid [-8071],
> > > skipping" because none of the OCSP responders are available but I think this
> > > test is sufficient to see that the patch is working as expected.
> >
> > Thank you for the patches and the tests. I only have one question about
> > the first patch.
> >
> > > From c2eccab2c12b58a74cdc6fd10efe775dbcd8c1e1 Mon Sep 17 00:00:00 2001
> > > From: Sumit Bose
> > > Date: Fri, 18 Mar 2016 16:24:18 +0100
> > > Subject: [PATCH 1/3] p11: add missing man page entry and config API
> > >
> > > The pam_cert_auth and pam_cert_db_path options were missing in the
> > > config API and had no man page entries.
> >
> > Did you also want to document the pam_cert_auth option?
>
> oops, yes I guess this would be a good idea. I'll send a new patch.

new version attached.

bye,
Sumit
[SSSD] Re: [PATCHES] p11: add no_verification option
On Tue, May 10, 2016 at 04:42:17PM +0200, Jakub Hrozek wrote:
> On Thu, Apr 14, 2016 at 01:48:50PM +0200, Sumit Bose wrote:
> > Hi,
> >
> > the following 3 patches are related to the Smartcard authentication
> > feature but imo can be tested even without having one.
> >
> > The first patch just adds some missing pieces. The second adds a new
> > 'no_verification' switch to the 'certificate_verification' option, which
> > is already tested by the unit tests.
> >
> > The third adds two new OCSP related switches. With OCSP a certificate
> > can be validated online by talking to a server which is listed in the
> > certificate. Of course it might not always be possible to directly talk
> > to this server. We already have the 'no_ocsp' switch to disable OCSP
> > completely. The two new switches allow SSSD to talk to a different
> > server or a proxy. To see how it is working you can do the following:
> >
> > - call 'make check' to build and run all the tests
> > - call './pam-srv-tests' to run the PAM responder tests but do not let
> > it complete but stop it with CTRL-C. This is needed to create the test
> > nss database in /dev/shm/tp_pam_srv_tests-test_pam_srv/, it can be
> > created differently but this way it is most easy :-)
> > - add an OCSP signing cert with
> >
> > echo
> > "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"
> > | base64 -d | certutil -A -d sql:/dev/shm/tp_pam_srv_tests-test_pam_srv -t TC,TC,TC -n ocsp_cert
> >
> > the NSS library call checks this certificate first before trying to connect to
> > the OCSP responder, so a valid one with the right key usage must be added to
> > make NSS try to reach the new OCSP responder
> >
> > - call
> >
> > strace -s 128 -f -esend .libs/lt-p11_child --debug-microseconds=1
> > --debug-timestamps=1 --debug-to-stderr --debug-level=10 --pre --nssdb
> > sql:/dev/shm/tp_pam_srv_tests-test_pam_srv
> >
> > where you should see lines like
> >
> > send(7, "\313D\1\0\0\1\0\0\0\0\0\0\6ipa-ca\3ipa\5devel\0\0\1\0\1", 34, MSG_NOSIGNAL) = 34
> >
> > from the DNS lookups for ipa-ca.ipa.devel which is the OCSP server from the
> > ticket
> >
> > - call
> >
> > strace -s 128 -f -esend ./p11_child --debug-microseconds=1
> > --debug-timestamps=1 --debug-to-stderr --debug-level=10 --pre --nssdb
> > sql:/dev/shm/tp_pam_srv_tests-test_pam_srv --verify
> > 'ocsp_default_responder=http://...:80,ocsp_default_responder_signing_cert=ocsp_cert'
> >
> > where you should now see lines like
> >
> > send(7, "yO\1\0\0\1\0\0\0\0\0\0\4\4\4\4\0\0\1\0\1", 37, MSG_NOSIGNAL) = 37
> >
> > from the DNS lookups for the OCSP responder from the command line.
> >
> > Of course all the validations will fail with "Certificate [SSSD Test
> > Token:Server-Cert][CN=ipa-devel.ipa.devel,O=IPA.DEVEL] not valid [-8071],
> > skipping" because none of the OCSP responders are available but I think this
> > test is sufficient to see that the patch is working as expected.
>
> Thank you for the patches and the tests. I only have one question about
> the first patch.
>
> > From c2eccab2c12b58a74cdc6fd10efe775dbcd8c1e1 Mon Sep 17 00:00:00 2001
> > From: Sumit Bose
> > Date: Fri, 18 Mar 2016 16:24:18 +0100
> > Subject: [PATCH 1/3] p11: add missing man page entry and config API
> >
> > The pam_cert_auth and pam_cert_db_path options were missing in the
> > config API and had no man page entries.
>
> Did you also want to document the pam_cert_auth option?

oops, yes I guess this would be a good idea. I'll send a new patch.

bye,
Sumit
[SSSD] Re: [PATCHES] p11: add no_verification option
On Thu, Apr 14, 2016 at 01:48:50PM +0200, Sumit Bose wrote:
> Hi,
>
> the following 3 patches are related to the Smartcard authentication
> feature but imo can be tested even without having one.
>
> The first patch just adds some missing pieces. The second adds a new
> 'no_verification' switch to the 'certificate_verification' option, which
> is already tested by the unit tests.
>
> The third adds two new OCSP related switches. With OCSP a certificate
> can be validated online by talking to a server which is listed in the
> certificate. Of course it might not always be possible to directly talk
> to this server. We already have the 'no_ocsp' switch to disable OCSP
> completely. The two new switches allow SSSD to talk to a different
> server or a proxy. To see how it is working you can do the following:
>
> - call 'make check' to build and run all the tests
> - call './pam-srv-tests' to run the PAM responder tests but do not let
> it complete but stop it with CTRL-C. This is needed to create the test
> nss database in /dev/shm/tp_pam_srv_tests-test_pam_srv/, it can be
> created differently but this way it is most easy :-)
> - add an OCSP signing cert with
>
> echo
> "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"
> | base64 -d | certutil -A -d sql:/dev/shm/tp_pam_srv_tests-test_pam_srv -t TC,TC,TC -n ocsp_cert
>
> the NSS library call checks this certificate first before trying to connect to
> the OCSP responder, so a valid one with the right key usage must be added to
> make NSS try to reach the new OCSP responder
>
> - call
>
> strace -s 128 -f -esend .libs/lt-p11_child --debug-microseconds=1
> --debug-timestamps=1 --debug-to-stderr --debug-level=10 --pre --nssdb
> sql:/dev/shm/tp_pam_srv_tests-test_pam_srv
>
> where you should see lines like
>
> send(7, "\313D\1\0\0\1\0\0\0\0\0\0\6ipa-ca\3ipa\5devel\0\0\1\0\1", 34, MSG_NOSIGNAL) = 34
>
> from the DNS lookups for ipa-ca.ipa.devel which is the OCSP server from the
> ticket
>
> - call
>
> strace -s 128 -f -esend ./p11_child --debug-microseconds=1
> --debug-timestamps=1 --debug-to-stderr --debug-level=10 --pre --nssdb
> sql:/dev/shm/tp_pam_srv_tests-test_pam_srv --verify
> 'ocsp_default_responder=http://...:80,ocsp_default_responder_signing_cert=ocsp_cert'
>
> where you should now see lines like
>
> send(7, "yO\1\0\0\1\0\0\0\0\0\0\4\4\4\4\0\0\1\0\1", 37, MSG_NOSIGNAL) = 37
>
> from the DNS lookups for the OCSP responder from the command line.
>
> Of course all the validations will fail with "Certificate [SSSD Test
> Token:Server-Cert][CN=ipa-devel.ipa.devel,O=IPA.DEVEL] not valid [-8071],
> skipping" because none of the OCSP responders are available but I think this
> test is sufficient to see that the patch is working as expected.

Thank you for the patches and the tests. I only have one question about
the first patch.

> From c2eccab2c12b58a74cdc6fd10efe775dbcd8c1e1 Mon Sep 17 00:00:00 2001
> From: Sumit Bose
> Date: Fri, 18 Mar 2016 16:24:18 +0100
> Subject: [PATCH 1/3] p11: add missing man page entry and config API
>
> The pam_cert_auth and pam_cert_db_path options were missing in the
> config API and had no man page entries.

Did you also want to document the pam_cert_auth option?
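The send() lines that the strace steps above ask you to look for are raw DNS queries, and reading the host name out of them is the whole check the procedure rests on. As an added example that is not SSSD's code, the Python below decodes such lines into the queried name; the two sample lines are the ones quoted in the mail, constructed inline, and because the second one was evidently shortened before sending (21 bytes shown against a declared length of 37) the script reports that mismatch instead of guessing at a name.

```python
import re

# What 'strace -esend' prints: send(fd, "payload", length, flags) = result
SEND_RE = re.compile(r'send\(\d+, "((?:[^"\\]|\\.)*)", (\d+), MSG_NOSIGNAL\) = (-?\d+)')

# Constructed sample: the two send() lines quoted in the thread. The second was
# shortened before the mail went out, so its bytes no longer add up to 37.
SAMPLE_STRACE = r'''
send(7, "\313D\1\0\0\1\0\0\0\0\0\0\6ipa-ca\3ipa\5devel\0\0\1\0\1", 34, MSG_NOSIGNAL) = 34
send(7, "yO\1\0\0\1\0\0\0\0\0\0\4\4\4\4\0\0\1\0\1", 37, MSG_NOSIGNAL) = 37
'''
def unescape_strace(s):
    """Turn strace's C-style escaped string (octal, hex, \\n, \\t, \\r, \\\\) into raw bytes."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i])); i += 1
        elif s[i + 1] in "01234567":                  # up to three octal digits
            j = i + 1
            while j < len(s) and j < i + 4 and s[j] in "01234567":
                j += 1
            out.append(int(s[i + 1:j], 8)); i = j
        elif s[i + 1] == "x":                          # two hex digits
            out.append(int(s[i + 2:i + 4], 16)); i += 4
        else:                                          # \n \t \r or a literally escaped char
            out.append({"n": 10, "t": 9, "r": 13}.get(s[i + 1], ord(s[i + 1]))); i += 2
    return bytes(out)

def decode_dns_question(pkt):
    """Return (qname, qtype, qclass) of the first question in a DNS message, or raise ValueError."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated query name")
        n, pos = pkt[pos], pos + 1
        if n == 0:
            break
        if n & 0xC0:                                   # compression pointers do not belong in a query name
            raise ValueError("compression pointer in query name")
        if pos + n > len(pkt):
            raise ValueError("label overruns packet")
        labels.append(pkt[pos:pos + n].decode("ascii", "replace")); pos += n
    if pos + 4 > len(pkt):
        raise ValueError("truncated question section")
    return (".".join(labels), int.from_bytes(pkt[pos:pos + 2], "big"),
            int.from_bytes(pkt[pos + 2:pos + 4], "big"))

def dns_lookups_from_strace(text):
    """One record per send() line: the queried name, or why it could not be decoded."""
    records = []
    for m in SEND_RE.finditer(text):
        payload = unescape_strace(m.group(1))
        rec = {"declared_len": int(m.group(2)), "actual_len": len(payload),
               "qname": None, "qtype": None, "error": None}
        try:
            if len(payload) != rec["declared_len"]:
                raise ValueError("payload does not match declared length (shortened or truncated capture)")
            rec["qname"], rec["qtype"], _ = decode_dns_question(payload)
        except ValueError as exc:
            rec["error"] = str(exc)
        records.append(rec)
    return records
```

Run it over the full strace output instead of SAMPLE_STRACE and the first record after the --verify run should name the responder you passed on the command line rather than ipa-ca.ipa.devel.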